kausiktsi
Copper Contributor
Feb 18, 2021

Azure Sentinel for On premises without MMA agent

Hi

I have a use case where the customer doesn't want to install any MMA agent on their machines/NEs to collect the data due to some security reason, so how do we address such a situation and what is the workaround?

My understanding is that I should go for a syslog forwarder/CEF to collect the on-premises logs from different sources and send them to Azure Sentinel over 443 or via private connect. Could anyone suggest if this will work, or any workable solution? Thanks a lot.

4 Replies

    • kausiktsi
      Copper Contributor
      Thanks Clive. So if I understood correctly, then it is not necessary to install the Monitoring agent on any machines or nodes to collect the logs required for Sentinel. I am referring to this URL: https://docs.microsoft.com/en-us/azure/sentinel/connect-data-sources for the on-premises design, where all the customer-side logs will be placed on a syslog forwarder Linux-based machine (placed at the customer premises) so that Sentinel can collect them. So this will avoid placing MMA on any customer machines (Windows/Linux/NEs). What are your views, or is there any showstopper?
      • Ofer_Shezaf
        Microsoft

        kausiktsi: as CliveWatson stated, remote collection is currently possible only for Linux and other systems supporting Syslog (which would exclude Windows). See here for details. Remote collection for Windows is planned in the near future.
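The forwarder design discussed in this thread relies on the sources emitting well-formed CEF over syslog. As an added example (not code from this thread, from Microsoft, or from the Sentinel connector), here is a small Python CEF parser that can be run over the lines arriving at the Linux forwarder to check, before onboarding a device, that its output is parseable CEF; the "Acme" device and the sample syslog lines are constructed for the example.

```python
import re

# Constructed sample forwarder input (not from any real device): two CEF
# lines, one plain syslog line, one malformed CEF line.
SAMPLE_LINES = [
    "<134>Feb 18 10:15:22 fw01 CEF:0|Acme|Firewall|3.1|100|Connection denied|5|"
    "src=10.1.2.3 dst=10.9.8.7 spt=51515 dpt=443 msg=Policy rule\\=deny-all matched",
    "<134>Feb 18 10:15:23 fw01 CEF:0|Acme|Firewall|3.1|200|Admin login\\|console|8|"
    "suser=admin act=login",
    "<134>Feb 18 10:15:24 fw01 sshd[1012]: Accepted publickey for ops from 10.1.2.9",
    "<134>Feb 18 10:15:25 fw01 CEF:0|Acme|Firewall|missing fields",
]
HEADER_FIELDS = ["version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity"]
_EXT_SPLIT = re.compile(r" (?=[A-Za-z0-9_.]+=)")  # a space followed by key=

def _split_header(s):
    """Split on unescaped '|'; the text after the 7th '|' is the extension."""
    fields, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s) and s[i + 1] in "|\\":
            cur.append(s[i + 1]); i += 1          # \| and \\ are header escapes
        elif s[i] != "|":
            cur.append(s[i])
        else:
            fields.append("".join(cur)); cur = []
            if len(fields) == 7:
                return fields + [s[i + 1:]]       # 8th item: raw extension
        i += 1
    return fields + ["".join(cur)]                # fewer than 7 pipes: malformed

def parse_cef(line):
    """CEF record for a CEF line, None for plain syslog, ValueError if malformed."""
    idx = line.find("CEF:")
    if idx < 0:
        return None
    parts = _split_header(line[idx + 4:])
    if len(parts) != 8:
        raise ValueError("expected 7 '|'-separated header fields plus extension")
    record = dict(zip(HEADER_FIELDS, parts[:7]))
    # Extension: space-separated key=value; values may contain spaces, and
    # '=' or '\' inside a value are escaped as \= and \\ respectively.
    record["extension"] = {}
    for pair in _EXT_SPLIT.split(parts[7].strip()):
        if pair:
            key, _, val = pair.partition("=")
            record["extension"][key] = re.sub(r"\\([\\=])", r"\1", val)
    return record
```

A None result is a plain syslog line (it would land in the Syslog table rather than CommonSecurityLog), and a ValueError points at a device whose CEF output should be fixed at the source before it is forwarded.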