Forum Discussion
AMA agent in linux not sending syslog events
We have installed a Linux machine with AMA agent. We have configured DCR at CEF connector page to ingest CEF logs.
While i notice CEF logs are being ingested to Sentinel (CommonSecurityEvent) table, i do not see any logs in Syslog table. I have verified in TCPDUMP that there are syslog-formatted messages being sent to the Linux logger.
What could be the cause?
- It sounds like you might need a second DCR to collect the Syslog events. One DCR will collect CEF, and the second Syslog.
Hi Shamed, I've been down this rabbit hole!
The procedure is a bit different for VMs in Azure vs on-prem.I have tested this with the latest versions of Redhat And Ubuntu, on both on-prem VMs and in Azure.
For Azure VMs:
- Create a DCF and configure your syslog facilities.
- In Sentinel, you don't need to do anything! (Since the DCR points the data to your workspace.)
For an on-prem VM, just make sure you install the Arc agent first, then create your DCR for syslog.A very simple test:
On your linux server, type "logger testing123"
In Sentinel > Logs, type "search testing123" . You will see your logs show up in the syslog table in about 5-10 minutes, depending on when you pushed out your DCR.
Only consider AMA/CEF if you are trying to collect CEF logs from somewhere. My most common example is when there is a 3rd party log source like PaloAlto that I want to pull into Sentinel.- It sounds like you might need a second DCR to collect the Syslog events. One DCR will collect CEF, and the second Syslog.
- This is right. I just looked at the DCR for CEF, it was sending the logs to CommonSecurityLog. Hence why the Syslog table was empty. Had to create another DCR
- This is correct. However, you will see that if you do this and enable all facilities on the syslog DCR that ALL events will end up in both tables and you will be paying twice for ingest.
- Yeap the dedup can be achieved by modifying the DCR and adding a transformKQL to drop all CEF events . However you still end up paying for some of the dropped the dropped logs as per article: https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/data-collection-transformations
KQL that drops CEF logs:
source |
where ProcessName !contains “\“CEF\””
From: https://learn.microsoft.com/en-us/azure/sentinel/connect-cef-syslog
