Team,
I have one question regarding a SYSLOG -> Azure Sentinel setup.
One of our customers already has a SYSLOG setup on-premise that gathers events/messages from various machines (Linux, Windows), networking devices, and firewalls.
We are going to use Azure Sentinel as the SIEM solution, and have used the OMS Linux agent installed on that one machine that already consolidates logs from the various machines and loads them into Azure Sentinel.
Questions:
1) Is there any way that Azure Sentinel can "auto-discover" the hosts/devices that actually sent the messages and classify them as messages or events from networking devices / Windows servers / Linux servers, etc.?
If not, is there any tag or clue we need to include in the SYSLOG templates?
2) If the above is not possible, should we recommend installing Microsoft Monitoring Agents on every machine/device on-premise to send events/logs to Azure Sentinel individually rather than via RSYSLOG?
Could you please share your thoughts?
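As an added illustration that is not part of the original post and not Microsoft's or rsyslog's own code: a small Python classifier showing what a relay or SIEM has to key on to attribute syslog lines to a device class. Everything in it is an assumption for the example: the sample lines are constructed, the fw-/sw-/win-/lnx- hostname convention and the inventory table are hypothetical, and the `devtype` parameter is a hypothetical RFC 5424 structured-data field that the forwarding relay could add in its template. The point is the order of precedence: an explicit tag beats an inventory lookup, which beats a naming convention, which beats guessing from message content.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample lines, as a central rsyslog relay might forward them upstream.
# Hostnames, the fw-/sw-/win-/lnx- naming convention and the devtype= structured-data
# parameter are assumptions for this example, not anything the original post describes.
SAMPLE_LINES = [
    '<134>Mar 10 12:00:01 fw-edge-01 filterlog: 5,,,1000000103,em0,match,block,in,4',
    '<38>Mar 10 12:00:02 lnx-web-01 sshd[1234]: Accepted publickey for deploy from 10.0.0.5',
    '<13>Mar 10 12:00:03 dc01 MSWinEventLog\t1\tSecurity\t4624\tAn account was successfully logged on.',
    '<189>Mar 10 12:00:04 sw-core-01 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down',
    '<134>1 2024-03-10T12:00:05Z 10.1.1.254 pf - - [site@32473 devtype="firewall" relay="rsyslog-01"] block in on em1',
    '<38>Mar 10 12:00:06 host42 sshd[77]: Failed password for root from 203.0.113.9',
    '<14>Mar 10 12:00:07 mystery-host app: hello',
]

# RFC 3164 (BSD syslog): <PRI>TIMESTAMP HOSTNAME TAG[pid]: MSG
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>[^:\s\[]+)(?:\[\d+\])?:?\s?(?P<msg>.*)$"
)
# RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[[^\]]*\])+) ?(?P<msg>.*)$"
)
SD_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


@dataclass
class SyslogEvent:
    host: str
    facility: int
    severity: int
    tag: str
    msg: str
    devtype_hint: Optional[str]  # devtype= from RFC 5424 structured data, if the relay added one


def parse_line(line: str) -> Optional[SyslogEvent]:
    """Parse one RFC 5424 or RFC 3164 line; return None for anything else."""
    m = RFC5424_RE.match(line)
    if m:
        pri = int(m.group("pri"))
        hint = None
        if m.group("sd") != "-":
            hint = dict(SD_PARAM_RE.findall(m.group("sd"))).get("devtype")
        return SyslogEvent(m.group("host"), pri // 8, pri % 8, m.group("app"), m.group("msg"), hint)
    m = RFC3164_RE.match(line)
    if m:
        pri = int(m.group("pri"))
        return SyslogEvent(m.group("host"), pri // 8, pri % 8, m.group("tag"), m.group("msg"), None)
    return None


# Hypothetical site inventory; in practice this comes from the customer's CMDB/asset list.
INVENTORY: Dict[str, str] = {"fw-edge-01": "firewall"}

# Hypothetical hostname naming convention (assumption; adapt to the site).
PREFIX_RULES: List[Tuple[str, str]] = [
    ("fw-", "firewall"), ("sw-", "network"), ("rtr-", "network"),
    ("win-", "windows"), ("lnx-", "linux"),
]


def classify(ev: SyslogEvent) -> Tuple[str, str]:
    """Return (device type, rule that decided), strongest evidence first."""
    if ev.devtype_hint:                       # relay or device tagged it explicitly
        return ev.devtype_hint, "structured-data"
    if ev.host in INVENTORY:                  # known asset
        return INVENTORY[ev.host], "inventory"
    for prefix, devtype in PREFIX_RULES:      # naming convention
        if ev.host.lower().startswith(prefix):
            return devtype, "hostname-prefix"
    if ev.tag.startswith("MSWinEventLog"):    # Snare/NXLog-style Windows event forwarders
        return "windows", "content"
    if ev.tag.startswith("%"):                # Cisco-style %FACILITY-SEVERITY-MNEMONIC
        return "network", "content"
    if ev.facility in (4, 10) and ev.tag in ("sshd", "sudo", "su", "systemd"):
        return "linux", "content"             # auth/authpriv from typical Linux daemons
    return "unknown", "none"


def classify_lines(lines: List[str]) -> Dict[str, Tuple[str, str]]:
    """Map each sending host to (device type, rule); unparseable lines are skipped."""
    out: Dict[str, Tuple[str, str]] = {}
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            out[ev.host] = classify(ev)
    return out


if __name__ == "__main__":
    for host, (devtype, rule) in classify_lines(SAMPLE_LINES).items():
        print(f"{host:14} -> {devtype:9} (via {rule})")
```

The one check worth doing before any of this matters: confirm the HOSTNAME field that reaches the consolidating machine is still the original sender's. If the relay's forwarding template substitutes its own hostname, every line is attributed to the relay and no downstream classification, by hostname or otherwise, can recover the source; in that case the tag has to be added at the relay, as the structured-data line above illustrates.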