Forum Discussion

Valon_Kolica (Microsoft)
Aug 12, 2019

Azure Sentinel: Common Event Format (CEF) Connectors Update | PREVIEW

Azure Sentinel allows you to connect any on-premises appliance that supports Common Event Format over Syslog to Azure Sentinel. The Sentinel team has been working on improving this capability and is excited to release an improved connector that simplifies the onboarding configuration steps and reduces common configuration issues.

This preview will expose new connectors and affect all the data connectors that are implemented using CEF:

  • Zscaler – new
  • Common Event Format (CEF)
  • Check Point
  • Cisco ASA
  • F5
  • Fortinet
  • Palo Alto Networks

Interested in participating?

If you're committed to participating, please leverage this form to sign-up.
  • arshad80 (Copper Contributor)

    Valon_Kolica 

    Configured the connector but cef_troubleshoot.py.4 for Cisco ASA 

    This is what I get:

    Taking 2 snapshots in 5 seconds diff and compering the amount of CEF messages.
    If found increasing CEF messages daemon is receiving CEF messages.
    Validating the CEF\ASA logs are received and are in the correct format when received by syslog daemon
    sudo tac /var/log/syslog
    tac: failed to open ‘/var/log/syslog’ for reading: No such file or directory
    Located 0
    CEF\ASA messages
    Validating the CEF\ASA logs are received and are in the correct format when received by syslog daemon
    sudo tac /var/log/syslog
    tac: failed to open ‘/var/log/syslog’ for reading: No such file or directory
    Located 0
    CEF\ASA messages
    Error: no CEF messages received by the daemon.
    Please validate that you do send CEF messages to agent.
    Checking daemon incoming connection for tcp and udp

  • Will_Network (Copper Contributor)

    Valon_Kolica 

    I'm trying to send my syslog data to Azure Sentinel, but I'm seeing the following message in my Linux Syslog agent:

    ****

    Validating the CEF\ASA logs are received and are in the correct format when received by syslog daemon
    sudo tac /var/log/syslog
    Located 0
    CEF\ASA messages
    Error: no CEF messages received by the daemon.
    Please validate that you do send CEF messages to agent.

    ****

    I'm receiving syslog messages in the Linux (Ubuntu) agent from my Cisco firewall, but the CEF collector isn't forwarding them to Azure Sentinel. How do I fix this?
    Thanks,

    Will_Network
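Both troubleshooter transcripts above stop at the same point: zero CEF messages located in the syslog file (and, in the first one, no /var/log/syslog at all). The script below is an added example written for this thread; it is not the cef_troubleshoot.py script the posts mention and not Microsoft's code. It performs the same kind of check independently: it locates the syslog file (falling back from /var/log/syslog to /var/log/messages, which is an assumption about where the host's syslog daemon writes), parses each line for a header of the form CEF:Version|Vendor|Product|Version|ClassID|Name|Severity|Extension, validates the header, and tallies well-formed CEF lines, lines from a given product, malformed CEF lines and plain syslog lines. The sample lines are constructed; the native-format ASA line among them is counted as plain syslog, which is exactly the difference between "the firewall sends syslog" and "the firewall sends CEF" that such a tally makes visible.

```python
"""Count and validate CEF messages in syslog lines (added example, not cef_troubleshoot.py)."""
import os
import re
from typing import Dict, List, Optional, Sequence

# CEF header: CEF:Version|Device Vendor|Device Product|Device Version|
#             Device Event Class ID|Name|Severity|[Extension]
# A literal pipe inside a header field is escaped as "\|", so a field is a run of
# either escaped pipes or non-pipe characters; the extension after the last pipe is optional.
_FIELD = r"(?:\\\||[^|])*"
_HEADER_RE = re.compile(
    r"CEF:(?P<version>\d+)\|"
    rf"(?P<vendor>{_FIELD})\|(?P<product>{_FIELD})\|(?P<dev_version>{_FIELD})\|"
    rf"(?P<class_id>{_FIELD})\|(?P<name>{_FIELD})\|(?P<severity>{_FIELD})"
    r"(?:\|(?P<extension>.*))?$"
)
# Extension is "key=value" pairs separated by spaces. Values may contain spaces,
# so a new key begins only where a token of the form "word=" follows whitespace.
_EXT_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")
_VALID_SEVERITY_WORDS = {"Low", "Medium", "High", "Very-High"}

# Assumption: the collector writes syslog to one of these paths (Debian/Ubuntu vs. RHEL-style).
DEFAULT_LOG_PATHS = ("/var/log/syslog", "/var/log/messages")

# Constructed sample lines: one CEF line from an ASA, one native ASA syslog line
# (not CEF), one CEF line with an escaped pipe in the vendor, and one truncated header.
SAMPLE_LINES = [
    "Aug 12 10:15:01 fw01 CEF:0|Cisco|ASA|9.8|106023|Deny tcp src outside:203.0.113.5/4444 "
    "dst inside:10.0.0.8/22 by access-group acl_out|5|act=Deny src=203.0.113.5 dst=10.0.0.8 proto=tcp",
    "Aug 12 10:15:02 fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.5/4444 dst inside:10.0.0.8/22 by access-group acl_out",
    "Aug 12 10:15:03 host CEF:0|Vendor\\|Inc|Product|1.0|100|Test event|High|src=10.0.0.1 msg=hello world cs1=a",
    "Aug 12 10:15:04 host CEF:0|Broken|Only|three",
]


def parse_cef(line: str) -> Optional[Dict[str, object]]:
    """Return the parsed header fields plus an 'extension' dict, or None if the line is not CEF."""
    m = _HEADER_RE.search(line)
    if m is None:
        return None
    parsed: Dict[str, object] = {
        k: m.group(k)
        for k in ("version", "vendor", "product", "dev_version", "class_id", "name", "severity")
    }
    ext = m.group("extension") or ""
    keys = list(_EXT_KEY_RE.finditer(ext))
    extension: Dict[str, str] = {}
    for i, km in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        extension[km.group(1)] = ext[km.end():end].strip()
    parsed["extension"] = extension
    return parsed


def validate_cef(parsed: Dict[str, object]) -> List[str]:
    """Return a list of header problems; an empty list means the header is well-formed."""
    problems: List[str] = []
    for field in ("vendor", "product", "dev_version", "class_id", "name"):
        if not parsed[field]:
            problems.append(f"empty header field: {field}")
    sev = str(parsed["severity"])
    if not (sev in _VALID_SEVERITY_WORDS or (sev.isdigit() and 0 <= int(sev) <= 10)):
        problems.append(f"invalid severity: {sev!r}")
    return problems


def count_cef_messages(lines: Sequence[str], product: Optional[str] = None) -> Dict[str, int]:
    """Tally lines the way a 'Located N CEF messages' check would.

    Buckets: well-formed CEF lines, CEF lines whose Device Product equals `product`
    (e.g. "ASA"), lines that mention "CEF:" but fail to parse or validate, and
    lines with no CEF header at all (plain syslog).
    """
    counts = {"cef": 0, "product_match": 0, "malformed": 0, "non_cef": 0}
    for line in lines:
        parsed = parse_cef(line)
        if parsed is None:
            counts["malformed" if "CEF:" in line else "non_cef"] += 1
        elif validate_cef(parsed):
            counts["malformed"] += 1
        else:
            counts["cef"] += 1
            if product and parsed["product"] == product:
                counts["product_match"] += 1
    return counts


def locate_syslog(candidates: Sequence[str] = DEFAULT_LOG_PATHS) -> Optional[str]:
    """Return the first existing candidate log path, or None (the 'No such file' case in the thread)."""
    for path in candidates:
        if os.path.isfile(path):
            return path
    return None


def main(path: Optional[str] = None, product: str = "ASA") -> Dict[str, int]:
    """Tally CEF messages from a log file, or from the constructed sample when no log file exists."""
    path = path or locate_syslog()
    if path is None:
        print(f"No syslog file found at any of {DEFAULT_LOG_PATHS}; using constructed sample lines")
        lines: Sequence[str] = SAMPLE_LINES
    else:
        with open(path, errors="replace") as fh:
            lines = fh.read().splitlines()
    counts = count_cef_messages(lines, product=product)
    print(f"Located {counts['cef']} CEF messages ({counts['product_match']} from product {product!r}), "
          f"{counts['malformed']} malformed CEF lines, {counts['non_cef']} plain syslog lines")
    if counts["cef"] == 0:
        print("No CEF messages found: the source is either not sending CEF-formatted events or they are not reaching this daemon.")
    return counts


if __name__ == "__main__":
    main()
```

Run it with no arguments on the collector to scan the live log, or call main("/path/to/log"). A result of zero CEF lines alongside many plain syslog lines means the firewall is logging but not in CEF format; a None from locate_syslog() means neither default path exists, so where the syslog daemon actually writes has to be established before any CEF check can mean anything.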