Forum Discussion
Mikado1080
Apr 20, 2020, Copper Contributor
CEF messages not parsed from remote host
Hi everyone,
I have a CentOS machine and a Syslog collector. Whenever I run the commands below on the Syslog collector, similar to this post, CEF messages are parsed and show up under CommonSecurityLog:
logger -p local4.warn -t CEF "CEF:0|Microsoft|ATA|1.9.0.0|EncryptionDowngradeSuspiciousActivity|Encryption downgrade activity|5|start=2018-12-12T18:10:35.0334169Z app=Kerberos msg=The encryption method of the TGT field of TGS_REQ message from W2012R2-000000-Server has been downgraded based on previously learned behavior. This may be a result of a Golden Ticket in-use on W2012R2-000000-Server. externalId=2009 cs1Label=url cs1=https://192.168.0.220/suspiciousActivity/5c114f938ca1ec1250cafcfa"
logger -p local4.warn -t CEF "CEF:0|Microsoft|ATA|1.9.0.0|EncryptionDowngradeSuspiciousActivity|Encryption downgrade activity|5|start=2018-12-12T17:00:31.2975188Z app=Kerberos msg=The encryption method of the Encrypted_Timestamp field of AS_REQ message from W2012R2-000000-Server has been downgraded based on previously learned behavior. This may be a result of a credential theft using Overpass-the-Hash from W2012R2-000000-Server. externalId=2010 cs1Label=url cs1=https://192.168.0.220/suspiciousActivity/5c113eaf8ca1ec1250ca0883"
But if I'm running the same commands on my CentOS server and redirecting the output to the Syslog server via port 514, the messages are no longer under CommonSecurityLog but under Syslog, although the format remains the same. Everything is obviously grouped into the SyslogMessage field.
Any idea why this doesn't work with Sentinel? I have a background with other SIEMs and my method works wonders. I tried everything and still couldn't pinpoint why logs would not be forwarded at all to the Analytics agent.
Thanks,
- gmecija (Copper Contributor)
Mikado1080, were you able to find a resolution to this issue? I'm experiencing the same.
- Singh0007 (Copper Contributor)
Install the agent separately on the CEF server and it will solve your problem.
- Mikado1080 (Copper Contributor)
security_events.conf
<source>
  type syslog
  port 25226
  bind 127.0.0.1
  protocol_type tcp
  tag oms.security
  format /(?<time>(?:\w+ +){2,3}(?:\d+:){2}\d+|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.[\w\-\:\+]{3,12}):?\s*(?:(?<host>[^: ]+) ?:?)?\s*(?<ident>.*CEF.+?(?=0\|)|%ASA[0-9\-]{8,10})\s*:?(?<message>0\|.*|.*)/
  <parse>
    message_format auto
  </parse>
</source>
security-config-omsagent.conf
:rawmsg, regex, "CEF\|ASA" ~
*.* @@127.0.0.1:25226
No error spotted in:
/var/opt/microsoft/omsagent/<workspace-id>/log/omsagent.log
root@my-syslogserv:~# netstat -anp | grep syslog
tcp        0      0 0.0.0.0:514        0.0.0.0:*      LISTEN      5836/rsyslogd
tcp6       0      0 :::514             :::*           LISTEN      5836/rsyslogd
udp        0      0 0.0.0.0:48723      0.0.0.0:*                  5836/rsyslogd
udp        0      0 0.0.0.0:514        0.0.0.0:*                  5836/rsyslogd
udp        0      0 0.0.0.0:42005      0.0.0.0:*                  5836/rsyslogd
udp        0      0 0.0.0.0:38190      0.0.0.0:*                  5836/rsyslogd
udp        0      0 0.0.0.0:34139      0.0.0.0:*                  5836/rsyslogd
udp6       0      0 :::514             :::*                       5836/rsyslogd
unix  2      [ ]         DGRAM                    22952    1/init               /run/systemd/journal/syslog
unix  2      [ ]         DGRAM                    57903    5836/rsyslogd

root@my-syslogserv:~# netstat -anp | grep ruby
tcp        0      0 0.0.0.0:25325      0.0.0.0:*      LISTEN      5940/ruby
udp        0      0 127.0.0.1:25225    0.0.0.0:*                  5940/ruby
udp        0      0 127.0.0.1:25226    0.0.0.0:*                  5940/ruby
The only error while running the test script:
sudo wget https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py && sudo python cef_troubleshoot.py <workspace-id>
Error: Could not locate 'omsagent' trying to validate by checking the process
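Added example, not code from the thread, from Microsoft or from the OMS agent: it replays the two selection steps of the collector config posted above (the rsyslog `CEF\|ASA` property filter and the fluentd format regexp from security_events.conf) over constructed syslog lines, so a line captured on the wire with tcpdump on port 514 or on 127.0.0.1:25226 can be checked offline. The regexp is the posted one with Ruby's `(?<name>...)` written as Python's `(?P<name>...)`; the sample lines, host names, the `classify` helper and the assumption that fluentd's in_syslog strips the `<PRI>` prefix before the regexp runs are mine.

```python
"""Replay the collector's rsyslog filter and fluentd format regexp offline.

Added example for the thread above; not Microsoft's or the poster's code.
"""
import re

# rsyslog filter from security-config-omsagent.conf:
#   :rawmsg, regex, "CEF\|ASA"      (POSIX BRE, where \| is alternation)
RSYSLOG_CEF_ASA = re.compile(r"CEF|ASA")

# Assumption modelled here: fluentd's in_syslog removes the <PRI> prefix
# before handing the remainder to the format regexp.
PRI_PREFIX = re.compile(r"^<(?P<pri>[0-9]+)>(?P<rest>.*)$")

# Format regexp from security_events.conf.  Only change: (?<name>...) is
# written as (?P<name>...); character classes and lookahead are unchanged.
FLUENTD_FORMAT = re.compile(
    r"(?P<time>(?:\w+ +){2,3}(?:\d+:){2}\d+"
    r"|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.[\w\-\:\+]{3,12}):?\s*"
    r"(?:(?P<host>[^: ]+) ?:?)?\s*"
    r"(?P<ident>.*CEF.+?(?=0\|)|%ASA[0-9\-]{8,10})\s*:?"
    r"(?P<message>0\|.*|.*)",
    re.ASCII,
)

# CEF payload taken from the thread's logger test, extensions shortened.
CEF_PAYLOAD = (
    "CEF:0|Microsoft|ATA|1.9.0.0|EncryptionDowngradeSuspiciousActivity|"
    "Encryption downgrade activity|5|start=2018-12-12T18:10:35.0334169Z "
    "app=Kerberos externalId=2009"
)

# Constructed sample lines; hostnames are invented, nothing was captured.
SAMPLE_LINES = {
    # RFC 3164 shape rsyslog produces for a local `logger -t CEF ...`
    "local_rfc3164": "<164>Apr 20 14:03:27 my-syslogserv CEF: " + CEF_PAYLOAD,
    # RFC 5424 shape util-linux logger sends to a remote port by default,
    # including its timeQuality structured-data element
    "remote_rfc5424": (
        "<164>1 2020-04-20T14:03:27.123456+02:00 centos8 CEF - - "
        '[timeQuality tzKnown="1" isSynced="0"] ' + CEF_PAYLOAD
    ),
    # Cisco ASA line, the other header the regexp recognises
    "asa": (
        "<166>Apr 20 14:03:27 fw01 %ASA-6-302013: Built outbound TCP "
        "connection 1234 for outside:203.0.113.5/443 (203.0.113.5/443) "
        "to inside:10.0.0.7/51234 (10.0.0.7/51234)"
    ),
    # ordinary syslog line with neither header
    "plain": "<13>Apr 20 14:03:27 centos8 root: plain text, no security header",
}


def rsyslog_forwards(raw_line):
    """True if the rsyslog rule would select this line for 127.0.0.1:25226."""
    return RSYSLOG_CEF_ASA.search(raw_line) is not None


def fluentd_parse(raw_line):
    """Named groups the fluentd format regexp extracts, or None on no match."""
    m = PRI_PREFIX.match(raw_line)
    body = m.group("rest") if m else raw_line
    f = FLUENTD_FORMAT.search(body)  # fluentd's regexp parser is unanchored
    return f.groupdict() if f else None


def classify(fields):
    """'cef' when ident carried a CEF header and message starts at '0|',
    'asa' for a %ASA ident, None when the regexp did not match at all."""
    if not fields:
        return None
    if fields["ident"].startswith("%ASA"):
        return "asa"
    if "CEF" in fields["ident"] and fields["message"].startswith("0|"):
        return "cef"
    return None


if __name__ == "__main__":
    for name, line in SAMPLE_LINES.items():
        fields = fluentd_parse(line)
        print(name, "forwarded" if rsyslog_forwards(line) else "dropped",
              classify(fields), fields and fields["ident"])
```

Paste the line exactly as you see it on the wire into SAMPLE_LINES and run the script: if `classify` returns "cef" for it, the format regexp is not what is rejecting the message, and the remaining question is whether that line reaches 127.0.0.1:25226 at all. Note that both the RFC 3164 and the RFC 5424 shapes above parse, because the `ident` group is greedy up to the last `CEF` that precedes `0|`; what breaks the regexp is a line with no `CEF`/`%ASA` token before the payload.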