Forum Discussion

MikeElliottUK
Copper Contributor
Oct 30, 2020

Deploying a combined Syslog/CEF forwarder

Hi, I'm planning an on-prem syslog/CEF forwarder and the documentation is a little unclear to me. I need the forwarder to forward CEF messages from sources that support it, and raw syslog messages from sources that don't support CEF. The documentation https://docs.microsoft.com/en-us/azure/sentinel/connect-cef-agent?tabs=rsyslog suggests that the forwarder will only send CEF messages up to Sentinel. In my testing I also found that after configuring the Syslog data settings on the Log Analytics workspace I was able to forward raw syslog messages through the same server.


Am I going about this the correct way?


Step 3 on https://docs.microsoft.com/en-us/azure/sentinel/connect-cef-verify?tabs=rsyslog mentions that /etc/rsyslog.d/security-config-omsagent.conf contains 'if $rawmsg contains "CEF:" or $rawmsg contains "ASA-" then @@127.0.0.1:25226', which suggested that plain syslog messages would not be forwarded.

1 Reply

    MikeElliottUK
    Copper Contributor
    Ah, I think the penny has dropped :-). So it looks as though rsyslog includes all config files contained within /etc/rsyslog.d/ and processes messages using these config files in order. So I'm adding an additional config file, as suggested by Ofer Shezaf, to be processed before 95-omsagent.conf, to include the statement mentioned earlier ('if $rawmsg contains "CEF:".......). Then messages identified as CEF messages will be processed and forwarded, then processing stops to prevent the message from being handled by the general syslog 95-omsagent.conf file. Raw syslog messages will not match the CEF rule and will therefore be handled as syslog.

    The documentation could be much clearer around this I think.
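
A minimal version of the extra rsyslog drop-in the reply describes, written here as an added example rather than taken from the post or from the Microsoft documentation; the file name /etc/rsyslog.d/60-cef.conf is an assumption chosen only so that it sorts before 95-omsagent.conf, while the match strings and the 127.0.0.1:25226 target are the ones quoted in the thread.

```rsyslog
# /etc/rsyslog.d/60-cef.conf   (file name is an assumption; it must sort before 95-omsagent.conf)
#
# rsyslog reads /etc/rsyslog.d/*.conf in glob (alphabetical) order and evaluates
# rules in that order, so this file is processed before the general syslog rules.

# Only messages carrying a CEF header (or Cisco ASA lines) go to the local
# OMS agent listener on TCP 25226.
if ($rawmsg contains "CEF:" or $rawmsg contains "ASA-") then {
    action(type="omfwd" target="127.0.0.1" port="25226" protocol="tcp")
    # Stop inside the block so a CEF message is not also handled as plain
    # syslog by 95-omsagent.conf; non-matching messages never reach this stop.
    stop
}
# Everything else falls through to 95-omsagent.conf and is forwarded as raw syslog.
```

Validate with `rsyslogd -N1` before restarting the service. Because 's' sorts after '9', the Microsoft-installed security-config-omsagent.conf is read after 95-omsagent.conf, so a stop placed in that file would come too late to keep CEF messages out of the plain syslog path; that is why the earlier-sorting file is needed.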