Forum Discussion
Mikado1080
Apr 20, 2020, Copper Contributor
CEF messages not parsed from remote host
Hi everyone, I have a CentOS machine and a Syslog collector. Whenever I run the commands below on the Syslog collector, similar to this post, CEF messages are parsed and show up under CommonSec...
Mikado1080
Apr 21, 2020, Copper Contributor
security_events.conf
<source>
  type syslog
  port 25226
  bind 127.0.0.1
  protocol_type tcp
  tag oms.security
  format /(?<time>(?:\w+ +){2,3}(?:\d+:){2}\d+|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.[\w\-\:\+]{3,12}):?\s*(?:(?<host>[^: ]+) ?:?)?\s*(?<ident>.*CEF.+?(?=0\|)|%ASA[0-9\-]{8,10})\s*:?(?<message>0\|.*|.*)/
  <parse>
    message_format auto
  </parse>
</source>
security-config-omsagent.conf
:rawmsg, regex, "CEF\|ASA" ~ *.* @@127.0.0.1:25226
No error spotted in:
/var/opt/microsoft/omsagent/<workspace-id>/log/omsagent.log
root@my-syslogserv:~# netstat -anp | grep syslog
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN 5836/rsyslogd
tcp6 0 0 :::514 :::* LISTEN 5836/rsyslogd
udp 0 0 0.0.0.0:48723 0.0.0.0:* 5836/rsyslogd
udp 0 0 0.0.0.0:514 0.0.0.0:* 5836/rsyslogd
udp 0 0 0.0.0.0:42005 0.0.0.0:* 5836/rsyslogd
udp 0 0 0.0.0.0:38190 0.0.0.0:* 5836/rsyslogd
udp 0 0 0.0.0.0:34139 0.0.0.0:* 5836/rsyslogd
udp6 0 0 :::514 :::* 5836/rsyslogd
unix 2 [ ] DGRAM 22952 1/init /run/systemd/journal/syslog
unix 2 [ ] DGRAM 57903 5836/rsyslogd
root@my-syslogserv:~# netstat -anp | grep ruby
tcp 0 0 0.0.0.0:25325 0.0.0.0:* LISTEN 5940/ruby
udp 0 0 127.0.0.1:25225 0.0.0.0:* 5940/ruby
udp 0 0 127.0.0.1:25226 0.0.0.0:* 5940/ruby
Only error while running the test script
sudo wget https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py && sudo python cef_troubleshoot.py <workspace-id>
Error: Could not locate 'omsagent' trying to validate by checking the process
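Added example, not code from the original post or from the omsagent project: the `format` regex from security_events.conf above translated to Python and run over constructed sample lines next to the rsyslog selector, to show which lines the rsyslog rule would forward to port 25226 and which of those the fluentd parser then actually extracts fields from. Sample lines, hostnames and event contents are made up for the demonstration.

```python
import re

# Python translation of the `format` regex from security_events.conf above:
# Ruby's (?<name>...) groups become (?P<name>...); the pattern is otherwise unchanged.
CEF_SYSLOG_RE = re.compile(
    r"(?P<time>(?:\w+ +){2,3}(?:\d+:){2}\d+"
    r"|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.[\w\-\:\+]{3,12}):?\s*"
    r"(?:(?P<host>[^: ]+) ?:?)?\s*"
    r"(?P<ident>.*CEF.+?(?=0\|)|%ASA[0-9\-]{8,10})\s*:?"
    r"(?P<message>0\|.*|.*)"
)

# The rsyslog selector "CEF\|ASA" is a BRE alternation: the line is forwarded
# when either substring occurs anywhere in the raw message.
FORWARD_RE = re.compile(r"CEF|ASA")


def would_forward(raw: str) -> bool:
    """True if the rsyslog rule in security-config-omsagent.conf would send this line to 25226."""
    return FORWARD_RE.search(raw) is not None


def parse_security_event(raw: str):
    """Return the fields the fluentd source would extract, or None if the regex does not match."""
    m = CEF_SYSLOG_RE.match(raw)
    if m is None:
        return None
    fields = m.groupdict()
    # The ASA branch leaves a leading space in <message>; normalise it for comparison.
    fields["message"] = fields["message"].strip()
    return fields


# Constructed sample lines (not taken from the original post).
SAMPLES = [
    "Apr 20 10:15:22 fw01 CEF:0|Vendor|Product|1.0|100|Test event|5|src=10.0.0.1 dst=10.0.0.2",
    "Apr 20 10:15:23 asa01 %ASA-6-302013: Built inbound TCP connection 12345 for outside:10.0.0.1",
    "2020-04-20T10:15:24+02:00 fw02 CEF:0|Vendor|Product|1.0|200|Another event|3|msg=hello",
    # Forwarded by rsyslog (contains "CEF") but lacks the syslog timestamp the regex requires.
    "CEF:0|Vendor|Product|1.0|300|No syslog header|5|src=10.0.0.3",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"forwarded={would_forward(line)} parsed={parse_security_event(line)}")
```

The last sample is the case worth checking on a collector: rsyslog forwards it, but the parser returns no fields, so the event never reaches the CommonSecurityLog table.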