Forum Discussion

tipper1510
Brass Contributor
Apr 27, 2023

MDE Onboard syslog/cef collectors. Possible?

Hi,

Can you onboard syslog/cef collectors running either the legacy agent or the new AMA to MDE without affecting the log collector capability?

Regards,

Tim

  • If you collect CEF logs, then why bother with syslog? The advantage of CEF over Syslog is that it ensures the data is normalized, making it more immediately useful for analysis using Sentinel. However, unlike many other SIEM products, Sentinel allows ingesting unparsed Syslog events and performing analytics on them using query-time parsing.
    The number of systems supporting Syslog or CEF is in the hundreds; please make sure to check out the Azure Sentinel grand list for a comprehensive list of sources supporting CEF.
    • tipper1510
      Brass Contributor
      Sorry, I meant: can you onboard log collectors to MDE without any adverse effect on the collector function?
      • SABBIR_RUBAYAT
        Iron Contributor
        If you want to onboard log collectors into MDE, make sure you use a supported OS version for MDE.
  • SocInABox
    Iron Contributor
    Here are some example syslog (and CEF) configurations:

    The procedure is a bit different for VMs in Azure vs on-prem.

    I have tested this with the latest versions of Red Hat and Ubuntu, on both on-prem VMs and in Azure.

    For Azure VMs:
    - Create a DCR and configure your syslog facilities.
    - In Sentinel, you don't need to do anything! (Since the DCR points the data to your workspace.)

    For an on-prem VM, just make sure you install the Arc agent first, then create your DCR for syslog.

    A very simple test:

    On your Linux server, type "logger testing123"

    In Sentinel > Logs, type "search testing123". You will see your logs show up in the Syslog table in about 5-10 minutes, depending on when you pushed out your DCR.

    Only consider AMA/CEF if you are trying to collect CEF logs from somewhere. My most common example is when there is a 3rd party log source like Palo Alto that I want to pull into Sentinel.
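Added example, not code from this thread, from Microsoft's agent, or from Sentinel: a small parser run over three constructed syslog lines that makes concrete two points raised above. It shows the difference the first reply describes between CEF (fields arrive already normalized) and raw Syslog (fields have to be pulled out with query-time parsing), and it gives a local counterpart of the `logger testing123` / `search testing123` smoke test from SocInABox's post. The three sample lines, the hostname, IPs and timestamps are all made up for this example; the header shape assumed is the RFC 3164 style `<PRI>TIMESTAMP HOST MESSAGE`, and the CEF escaping rules (`\|`, `\=`, `\\`) follow the CEF specification.

```python
"""Constructed example: raw Syslog vs CEF-over-syslog, parsed locally."""
import re
from typing import Optional

# Constructed sample input (hypothetical host, IPs, timestamps). Line 1 is the
# `logger testing123` smoke test, line 2 a plain sshd event that needs
# query-time parsing, line 3 a CEF event carried inside a syslog message.
SAMPLE_LINES = [
    "<13>Apr 27 10:02:11 collector01 tim: testing123",
    "<13>Apr 27 10:02:12 collector01 sshd[1422]: Failed password for invalid user "
    "admin from 203.0.113.5 port 51022 ssh2",
    "<14>Apr 27 10:02:13 collector01 CEF:0|Palo Alto Networks|PAN-OS|10.1|end|"
    "TRAFFIC|3|rt=Apr 27 2023 10:02:13 src=203.0.113.5 dst=10.0.0.7 spt=51022 "
    "dpt=22 act=deny msg=policy\\=deny-inbound",
]

# RFC 3164 style header: <PRI>TIMESTAMP HOST MESSAGE
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)
# Query-time parse for one raw syslog shape (what a KQL `parse` would do)
SSH_FAIL_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)
# A CEF extension key is a bare word immediately followed by an unescaped '='
CEF_KEY_RE = re.compile(r"(?:^|\s)(\w+)=")


def parse_syslog(line: str) -> Optional[dict]:
    """Split the syslog header; PRI encodes facility*8 + severity."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": m.group("ts"),
            "host": m.group("host"), "message": m.group("msg")}


def cef_unescape(text: str) -> str:
    """CEF escapes: '\\\\' -> '\\', '\\|' -> '|', '\\=' -> '='."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            out.append(text[i + 1]); i += 2
        else:
            out.append(text[i]); i += 1
    return "".join(out)


def parse_cef(message: str) -> Optional[dict]:
    """Split the 7 pipe-delimited header fields, then the key=value extension."""
    if not message.startswith("CEF:"):
        return None
    header, buf, i = [], [], 0
    while i < len(message) and len(header) < 7:
        c = message[i]
        if c == "\\" and i + 1 < len(message):   # escaped char, keep literally
            buf.append(message[i + 1]); i += 2
        elif c == "|":
            header.append("".join(buf)); buf = []; i += 1
        else:
            buf.append(c); i += 1
    if len(header) < 7:
        return None
    ext = message[i:]
    keys = list(CEF_KEY_RE.finditer(ext))
    fields = {}
    for n, k in enumerate(keys):   # a value runs until the next unescaped key=
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        fields[k.group(1)] = cef_unescape(ext[k.end():end].strip())
    names = ["cef_version", "vendor", "product", "version", "signature_id", "name", "severity"]
    out = dict(zip(names, header))
    out["cef_version"] = out["cef_version"].split(":", 1)[1]
    out["extension"] = fields
    return out


def parse_event(line: str) -> Optional[dict]:
    ev = parse_syslog(line)
    if ev is not None:
        ev["cef"] = parse_cef(ev["message"])
    return ev


def find_marker(lines, marker: str = "testing123"):
    """Local counterpart of `search testing123` in Sentinel > Logs."""
    return [ev for ev in map(parse_event, lines) if ev and marker in ev["message"]]


def source_ips(lines):
    """Where each event's source IP comes from: CEF hands it over as a field,
    raw syslog needs a query-time regex (only the sshd shape is known here)."""
    found = []
    for ev in filter(None, map(parse_event, lines)):
        if ev["cef"]:
            found.append(("cef", ev["cef"]["extension"].get("src")))
        else:
            m = SSH_FAIL_RE.search(ev["message"])
            found.append(("syslog-parsed" if m else "syslog-unparsed",
                          m.group("src") if m else None))
    return found


if __name__ == "__main__":
    for ev in find_marker(SAMPLE_LINES):
        print("marker found on", ev["host"], "facility", ev["facility"], "severity", ev["severity"])
    print(source_ips(SAMPLE_LINES))
```

The `source_ips` result is the practical point: the CEF event yields `src` without any parser being written, while the sshd line only yields an IP because a regex for that one message shape exists, and the `logger` test line yields nothing at all. That is the trade-off between the CommonSecurityLog path and keeping raw Syslog with query-time parsing.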
