Forum Discussion
- SABBIR_RUBAYATIron ContributorIf you collect CEF log then why you bother syslog ?? The advantage of CEF over Syslog is that it ensures the data is normalized making it more immediately useful for analysis using Sentinel. However, unlike many other SIEM products, Sentinel allows ingesting unparsed Syslog events and performing analytics on them using query time parsing.
The number of systems supporting Syslog or CEF is in the hundreds, please make sure to check out the Azure Sentinel grand list for a comprehensive list of sources supporting CEF.- tipper1510Brass ContributorSorry I meant can you onboard log collectors to MDE without any adverse effect to the collector function?
- SABBIR_RUBAYATIron ContributorIf you want to onboard log collectors into MDE make sure you use supported OS version of MDE
- faruk2bd1971Brass ContributorAgreed
- SocInABoxIron Contributorhere are some example syslog (and cef) configurations:
The procedure is a bit different for VMs in Azure vs on-prem.
I have tested this with the latest versions of Redhat And Ubuntu, on both on-prem VMs and in Azure.
For Azure VMs:
- Create a DCF and configure your syslog facilities.
- In Sentinel, you don't need to do anything! (Since the DCR points the data to your workspace.)
For an on-prem VM, just make sure you install the Arc agent first, then create your DCR for syslog.
A very simple test:
On your linux server, type "logger testing123"
In Sentinel > Logs, type "search testing123" . You will see your logs show up in the syslog table in about 5-10 minutes, depending on when you pushed out your DCR.
Only consider AMA/CEF if you are trying to collect CEF logs from somewhere. My most common example is when there is a 3rd party log source like PaloAlto that I want to pull into Sentinel.