Forum Discussion
AMA Agent - trying to send contents of /var/log/syslog to sentinel
Hello,
I have an Ubuntu 20.04 log forwarder that is receiving syslog from a network device.
I am using the AMA (even though it is in public preview) as Microsoft recommend, due to the OMS being deprecated.
Example contents of /var/log/syslog that I would like to send to Sentinel
Jan 16 03:07:14 Device-ECV01 mgmtd[10834]: Orchestrator@- action ALARM clear_alarm succeeded params:param_1=0 ,alarm_type=65537 ,param_2=0 ,param_3=to_ManchesterOpera2-ECV01_EMEA_Internet_2-EMEA_Internet_2 ,comment=Tunnel state is Down
Jan 16 03:07:18 Device-ECV01 mgmtd[10834]: Orchestrator@- action ALARM delete_alarm_num succeeded params:alarm_num=2510
Jan 16 03:07:18 Device-ECV01 mgmtd[10834]: Orchestrator@- action ALARM delete_alarm_num succeeded params:alarm_num=2509
Jan 16 03:08:47 Device-ECV01 mgmtd[10834]: Orchestrator@- action SYSTEM key/status succeeded
I have set up a DCR to ingest the logs as so (troubleshooting - so enabling everything)
However these events are not being sent to the workspace.
When I create a dummy event on the linux log forwarder using the below command, it does appear in Sentinel, which makes me think the AMA connection to Sentinel is OK.
logger -p local4.warn -P 514 -n 127.0.0.1 --rfc3164 -t CEF "0|DeviceVendorName-Test16012023|DeviceProduct-Test|common=event-format-test|end|TRAFFIC|1|rt=$common=event-formatted-receive time"
Can anyone assist with what else I need to do to get this working?
Thanks
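As an added example (not code from the poster), the following Python parses the four /var/log/syslog lines quoted above into structured records, so the mgmtd ALARM events can be checked locally on the forwarder before troubleshooting the AMA/DCR side. It assumes the year 2023 for the timestamps, since RFC 3164 headers carry none.

```python
import re
from datetime import datetime

# Constructed sample: the four syslog lines quoted in the question above.
SAMPLE_SYSLOG = """\
Jan 16 03:07:14 Device-ECV01 mgmtd[10834]: Orchestrator@- action ALARM clear_alarm succeeded params:param_1=0 ,alarm_type=65537 ,param_2=0 ,param_3=to_ManchesterOpera2-ECV01_EMEA_Internet_2-EMEA_Internet_2 ,comment=Tunnel state is Down
Jan 16 03:07:18 Device-ECV01 mgmtd[10834]: Orchestrator@- action ALARM delete_alarm_num succeeded params:alarm_num=2510
Jan 16 03:07:18 Device-ECV01 mgmtd[10834]: Orchestrator@- action ALARM delete_alarm_num succeeded params:alarm_num=2509
Jan 16 03:08:47 Device-ECV01 mgmtd[10834]: Orchestrator@- action SYSTEM key/status succeeded
"""

# RFC 3164 header (month day time host tag[pid]:) followed by the message body.
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<proc>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# Device body: "<actor> action <category> <action> <result> [params:k=v ,k=v ...]"
ACTION_RE = re.compile(
    r"^(?P<actor>\S+) action (?P<category>\S+) (?P<action>\S+) (?P<result>\S+)"
    r"(?: params:(?P<params>.*))?$"
)

def parse_params(text):
    """Split 'k=v ,k=v' into a dict; values may contain spaces (see 'comment')."""
    out = {}
    for item in text.split(" ,"):
        key, sep, value = item.partition("=")
        if sep:
            out[key.strip()] = value.strip()
    return out

def parse_line(line, year=2023):
    """Return a dict for one syslog line, or None if the header does not match."""
    m = HEADER_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = {"host": m["host"], "process": m["proc"],
           "pid": int(m["pid"]) if m["pid"] else None,
           "timestamp": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
           "actor": None, "category": None, "action": None, "result": None, "params": {}}
    a = ACTION_RE.match(m["msg"])
    if a:  # structured action line; otherwise keep the raw message only
        rec.update(actor=a["actor"], category=a["category"], action=a["action"],
                   result=a["result"], params=parse_params(a["params"] or ""))
    else:
        rec["raw"] = m["msg"]
    return rec

def parse_syslog(text, year=2023):
    return [r for r in (parse_line(l, year) for l in text.splitlines()) if r]

def alarm_summary(records):
    """Count ALARM actions per action name, e.g. {'clear_alarm': 1, 'delete_alarm_num': 2}."""
    counts = {}
    for r in records:
        if r["category"] == "ALARM":
            counts[r["action"]] = counts.get(r["action"], 0) + 1
    return counts
```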
SocInABox (Iron Contributor):
The procedure is a bit different for VMs in Azure vs on-prem.
I have tested this with the latest versions of Redhat And Ubuntu, on both on-prem VMs and in Azure.
For Azure VMs:
- Create a DCR and configure your syslog facilities.
- In Sentinel, you don't need to do anything! (Since the DCR points the data to your workspace.)
For an on-prem VM, just make sure you install the Arc agent first, then create your DCR for syslog.
A very simple test:
On your linux server, type "logger testing123"
In Sentinel > Logs, type "search testing123". You will see your logs show up in the syslog table in about 5-10 minutes, depending on when you pushed out your DCR.
Only consider AMA/CEF if you are trying to collect CEF logs from somewhere. My most common example is when there is a 3rd party log source like Palo Alto that I want to pull into Sentinel.