Forum Discussion
Solved
Azure Sentinel Linux Syslog Agent Configuration
Hello All,
I looking for help with trying to ingest Cisco NGFWv syslog messages in Azure Sentinel. I've configured my Linux Syslog agent to collect my Common Event Format (CEF) Syslog messages ...
- HI Will,
Please check if you have the security_events.conf file available under /etc/opt/microsoft/omsagent/youur workspaceid/conf/omsagent.d
If not create one and add the below entries in the file.
<source>
type syslog
port 25226
bind 127.0.0.1
protocol_type tcp
tag oms.security
format /(?<time>(?:\w+ +){2,3}(?:\d+:){2}\d+|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.[\w\-\:\+]{3,12}):?\s*(?:(?<host>[^: ]+) ?:?)?\s*(?<ident>.*CEF.+?(?=0\|)|%ASA[0-9\-]{8,10})\s*:?(?<message>0\|.*|.*)/
<parse>
message_format auto
</parse>
</source>
<filter oms.security.**>
type filter_syslog_security
</filter>
Also under syslog.conf file available in the same path please change the protocol from UDP to TCP. After changing that to TCP restart using the following command.
sudo service rsyslog restart
After performing the above steps you can go to the /etc/rsyslog.d. Under this you can find 95-omsagent.conf file and change the @127.0.0.1 with @@127.0.0.1 to send the log in tcp.
THis should resolve your issue as it worked for me.
HI Will,
Please check if you have the security_events.conf file available under /etc/opt/microsoft/omsagent/youur workspaceid/conf/omsagent.d
If not create one and add the below entries in the file.
<source>
type syslog
port 25226
bind 127.0.0.1
protocol_type tcp
tag oms.security
format /(?<time>(?:\w+ +){2,3}(?:\d+:){2}\d+|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.[\w\-\:\+]{3,12}):?\s*(?:(?<host>[^: ]+) ?:?)?\s*(?<ident>.*CEF.+?(?=0\|)|%ASA[0-9\-]{8,10})\s*:?(?<message>0\|.*|.*)/
<parse>
message_format auto
</parse>
</source>
<filter oms.security.**>
type filter_syslog_security
</filter>
Also under syslog.conf file available in the same path please change the protocol from UDP to TCP. After changing that to TCP restart using the following command.
sudo service rsyslog restart
After performing the above steps you can go to the /etc/rsyslog.d. Under this you can find 95-omsagent.conf file and change the @127.0.0.1 with @@127.0.0.1 to send the log in tcp.
THis should resolve your issue as it worked for me.
Please check if you have the security_events.conf file available under /etc/opt/microsoft/omsagent/youur workspaceid/conf/omsagent.d
If not create one and add the below entries in the file.
<source>
type syslog
port 25226
bind 127.0.0.1
protocol_type tcp
tag oms.security
format /(?<time>(?:\w+ +){2,3}(?:\d+:){2}\d+|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.[\w\-\:\+]{3,12}):?\s*(?:(?<host>[^: ]+) ?:?)?\s*(?<ident>.*CEF.+?(?=0\|)|%ASA[0-9\-]{8,10})\s*:?(?<message>0\|.*|.*)/
<parse>
message_format auto
</parse>
</source>
<filter oms.security.**>
type filter_syslog_security
</filter>
Also under syslog.conf file available in the same path please change the protocol from UDP to TCP. After changing that to TCP restart using the following command.
sudo service rsyslog restart
After performing the above steps you can go to the /etc/rsyslog.d. Under this you can find 95-omsagent.conf file and change the @127.0.0.1 with @@127.0.0.1 to send the log in tcp.
THis should resolve your issue as it worked for me.
pavankemi Hi, I'm facing the same issue and went through all the changes but I get the error . any help would be appreciated .
sudo tcpdump -A -ni any port 514 -vv
Could not locate "CEF" message in tcpdump
Fetching CEF messages from daemon files.
Taking 2 snapshots in 5 seconds diff and compering the amount of CEF messages.
If found increasing CEF messages daemon is receiving CEF messages.
Validating the CEF\ASA logs are received and are in the correct format when received by syslog daemon
sudo tac /var/log/syslog
Located 0
CEF\ASA messages
Validating the CEF\ASA logs are received and are in the correct format when received by syslog daemon
sudo tac /var/log/syslog
Located 0
CEF\ASA messages
Error: no CEF messages received by the daemon.
Please validate that you do send CEF messages to agent.
Checking daemon incoming connection for tcp and udp
This will take 60 seconds.
sudo tcpdump -A -ni any port 25226 -vv
Could not locate "CEF" message in tcpdump- Good Day did you manage to resolve the above?
