Forum Discussion
tipper1510
Apr 27, 2023 Brass Contributor
MDE Onboard syslog/cef collectors. Possible?
Hi, Can you onboard syslog/cef collectors running either the legacy agent or the new AMA to MDE without affecting the log collector capability? Regards, Tim
SocInABox
May 05, 2023 Iron Contributor
Here are some example syslog (and CEF) configurations:
The procedure is a bit different for VMs in Azure vs on-prem.
I have tested this with the latest versions of Red Hat and Ubuntu, on both on-prem VMs and in Azure.
For Azure VMs:
- Create a DCR and configure your syslog facilities.
- In Sentinel, you don't need to do anything! (Since the DCR points the data to your workspace.)
For an on-prem VM, just make sure you install the Arc agent first, then create your DCR for syslog.
A very simple test:
On your linux server, type "logger testing123"
In Sentinel > Logs, type "search testing123". You will see your logs show up in the syslog table in about 5-10 minutes, depending on when you pushed out your DCR.
Only consider AMA/CEF if you are trying to collect CEF logs from somewhere. My most common example is when there is a 3rd party log source like PaloAlto that I want to pull into Sentinel.
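The "create a DCR for syslog and pick your facilities" step above is where collectors most often end up with an empty Syslog table. The following added example (not from the post, not Microsoft's tooling) builds a syslog DCR body in the shape the Azure Monitor REST API expects and runs a preflight check on it; the workspace resource ID and region are placeholders.

```python
"""Build and sanity-check a Syslog Data Collection Rule (DCR) body before deploying it."""
import json

# Facility names the AMA syslog data source accepts; "*" is the wildcard.
VALID_FACILITIES = {
    "*", "auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail", "mark", "news",
    "syslog", "user", "uucp", "local0", "local1", "local2", "local3", "local4",
    "local5", "local6", "local7",
}
# Log levels, least to most severe, as the DCR schema spells them.
VALID_LEVELS = ["Debug", "Info", "Notice", "Warning", "Error", "Critical", "Alert", "Emergency"]


def build_syslog_dcr(workspace_id: str, facilities: list, min_level: str = "Info") -> dict:
    """Return a DCR body that collects the given facilities at min_level and above."""
    levels = VALID_LEVELS[VALID_LEVELS.index(min_level):]
    return {
        "location": "eastus",  # placeholder: must match the Log Analytics workspace region
        "kind": "Linux",
        "properties": {
            "dataSources": {"syslog": [{
                "name": "syslogDataSource",
                "streams": ["Microsoft-Syslog"],
                "facilityNames": sorted(facilities),
                "logLevels": levels,
            }]},
            "destinations": {"logAnalytics": [{"workspaceResourceId": workspace_id,
                                               "name": "la-destination"}]},
            "dataFlows": [{"streams": ["Microsoft-Syslog"], "destinations": ["la-destination"]}],
        },
    }


def validate_dcr(dcr: dict) -> list:
    """Return problems that would leave the Syslog table empty; an empty list means OK."""
    problems, produced = [], set()
    props = dcr.get("properties", {})
    sources = props.get("dataSources", {}).get("syslog", [])
    if not sources:
        problems.append("no syslog data source defined")
    for src in sources:
        bad = set(src.get("facilityNames", [])) - VALID_FACILITIES
        if bad:
            problems.append(f"unknown facilities: {sorted(bad)}")
        produced.update(src.get("streams", []))
    dest_names = {d["name"] for d in props.get("destinations", {}).get("logAnalytics", [])}
    flows = props.get("dataFlows", [])
    if not flows:
        problems.append("no dataFlows: collected data goes nowhere")
    for flow in flows:
        problems += [f"stream {s!r} has no data source" for s in flow.get("streams", []) if s not in produced]
        problems += [f"destination {d!r} not declared" for d in flow.get("destinations", []) if d not in dest_names]
    return problems


if __name__ == "__main__":
    rule = build_syslog_dcr("/subscriptions/PLACEHOLDER/resourceGroups/rg/providers/"
                            "Microsoft.OperationalInsights/workspaces/sentinel-ws", ["auth", "authpriv"])
    print(json.dumps(rule, indent=2), validate_dcr(rule) or "DCR looks deployable")
```

The same body works for an Azure VM or an Arc-enabled on-prem VM; only the DCR association target differs.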