For just Linux syslog (not Windows related), consider these DCR configurations:
The procedure is a bit different for VMs in Azure vs on-prem.
I have tested this with the latest versions of Red Hat and Ubuntu, on both on-prem VMs and in Azure.
For Azure VMs:
- Create a DCR and configure your syslog facilities.
- In Sentinel, you don't need to do anything! (Since the DCR points the data to your workspace.)
For an on-prem VM, just make sure you install the Arc agent first, then create your DCR for syslog.
A very simple test:
On your Linux server, type "logger testing123"
In Sentinel > Logs, type "search testing123". You will see your logs show up in the Syslog table in about 5-10 minutes, depending on when you pushed out your DCR.
Only consider AMA/CEF if you are trying to collect CEF logs from somewhere. My most common example is when there is a third-party log source like Palo Alto that I want to pull into Sentinel.
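The "logger testing123" test above confirms that syslog reaches the workspace at all; this added script (not from the post) extends it to one tagged probe per facility, so the Sentinel search shows which of the facilities configured in the DCR actually arrive. The facility list, severity and tag format are assumptions; adjust them to match your DCR.

```sh
#!/bin/sh
# Added example: send one uniquely tagged probe per syslog facility so that
# "search <tag>" in Sentinel > Logs shows per-facility arrival in the Syslog table.
# Assumes AMA is installed (Azure VM) or Arc + AMA (on-prem) and a DCR already
# collects the facilities below. The list is an assumption; match it to your DCR.
# kern is left out because userland logger messages to kern are often rewritten
# to the user facility by the local syslog daemon.

PROBE_TAG="dcrprobe-$(date +%Y%m%d%H%M%S)-$$"
FACILITIES="auth authpriv daemon syslog user local0"
SEVERITY="warning"

# Number of facilities we expect to see in the Syslog table afterwards.
facility_count() {
    # shellcheck disable=SC2086
    set -- $FACILITIES
    echo "$#"
}

# Message body for one facility; the tag makes the Sentinel search unambiguous.
probe_message() {
    printf '%s facility=%s severity=%s' "$PROBE_TAG" "$1" "$2"
}

# Emit one probe per facility with the same logger tool the post's test uses.
send_probes() {
    sent=0
    for fac in $FACILITIES; do
        logger -p "$fac.$SEVERITY" -t dcrprobe "$(probe_message "$fac" "$SEVERITY")" || return 1
        sent=$((sent + 1))
    done
    echo "$sent"
}

if command -v logger >/dev/null 2>&1; then
    n="$(send_probes)" && echo "sent $n probes tagged $PROBE_TAG"
    echo "After 5-10 minutes, run in Sentinel > Logs:"
    echo "Syslog | where SyslogMessage has \"$PROBE_TAG\" | summarize count() by Facility, SeverityLevel"
    echo "Expect $(facility_count) facilities; any missing one is not in the DCR (or is filtered locally)."
fi
```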