Forum Discussion

bharatpatel45
Copper Contributor
Jan 12, 2024

Facing issue with CEF collector via AMA

I have an Oracle Linux 7.9 VM. I have onboarded this VM using Azure Arc and created a DCR rule to install the AMA agent. I'm facing an issue with the CEF connector via the AMA agent: the logs are not coming into the CommonSecurityLog table.
When I run the troubleshoot command on the device I get the following errors.

1. verify Syslog daemon forwarding configuration --> Failure
rsyslog configuration was found invalid in this file /etc/rsyslog.d/10-azuremonitoragent-omfwd.conf .
The forwarding of the syslog daemon to the agent might not work. Please install the agent in order
to get the updated Syslog daemon forwarding configuration file, and try again.

2.  Could not locate CEF message in tcpdump. Please verify CEF events can be sent to the machine and there is not firewall blocking incoming traffic.

3. Listen to the incoming events failure.

HELP OUT TO RESOLVE THIS ISSUE.

7 Replies

  • MHenshaw
    Brass Contributor
    Hi there, a couple of things to check first. The logs you're trying to get to Sentinel, do they reach the collector? You can check by doing a tcpdump, most likely on port 514 unless you're using another port. If you don't receive any logs over TCP then it's most likely not the Sentinel conf that is the problem but whatever you're sending to the collector. You can also check the Sentinel conf is working by using the logger command here: logger --server $COLLECTORIP --port 514 --tcp "CEF:0|DeviceVendorName-Test2|DeviceProduct-Test|common=event-format-test|end|TRAFFIC|1|rt=$common=event-formatted-receive_timetest" Wait about 10/15 min, then query the CEF table in Sentinel; you should see your test log 🙂
    • bharatpatel45
      Copper Contributor
      Guys, I'm just asking to resolve this error; the mock test results are reflecting in Sentinel but the real logs are not coming.
      1. verify Syslog daemon forwarding configuration --> Failure
      rsyslog configuration was found invalid in this file /etc/rsyslog.d/10-azuremonitoragent-omfwd.conf .
      The forwarding of the syslog daemon to the agent might not work. Please install the agent in order
      to get the updated Syslog daemon forwarding configuration file, and try again.

      2. Could not locate CEF message in tcpdump. Please verify CEF events can be sent to the machine and there is not firewall blocking incoming traffic.

      3. Listen to the incoming events failure.

      HELP OUT TO RESOLVE THIS ISSUE.
      • logger2115
        Brass Contributor
        I'm kinda in the same boat with CEF logging to Sentinel Workspace. Did you resolve this?
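MHenshaw's two checks above (does anything reach the collector, and is the event well-formed CEF) as an added Python example; this is not code from the thread or from Microsoft. It sends one syslog-framed CEF event over TCP the way `logger --tcp` does, and parses a captured line into the seven header fields the connector expects, so lines pulled from tcpdump or the rsyslog spool can be checked for the `CEF:` marker and header count before blaming the pipeline. The collector address, port 514, the `cef-test` hostname and the loopback listener are assumptions for the demonstration.

```python
import socket
import threading
from datetime import datetime, timezone

# Header field names in CEF order; the seventh '|' separates the header from the extension.
CEF_HEADER = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")

def parse_cef(message):
    """Split the seven '|'-delimited header fields after 'CEF:' from the extension; None if malformed."""
    start = message.find("CEF:")  # a syslog prefix (PRI, timestamp, host) may precede the marker
    if start < 0:
        return None
    fields, cur, i = [], "", start + 4
    while i < len(message) and len(fields) < 7:
        ch = message[i]
        if ch == "\\" and i + 1 < len(message):  # escaped '|' or '\' inside a header field stays literal
            cur, i = cur + message[i + 1], i + 2
        elif ch == "|":
            fields, cur, i = fields + [cur], "", i + 1
        else:
            cur, i = cur + ch, i + 1
    if len(fields) < 7:
        return None
    parsed = dict(zip(CEF_HEADER, fields))
    parsed["extension"] = message[i:].rstrip("\r\n")
    return parsed

def frame_syslog(cef_line, hostname, pri=14):
    """RFC 3164 framing as 'logger' emits it (PRI 14 = user.info), newline-terminated for TCP."""
    ts = datetime.now(timezone.utc).strftime("%b %d %H:%M:%S")
    return f"<{pri}>{ts} {hostname} {cef_line}\n".encode()

def send_cef_tcp(host, port, cef_line, hostname="cef-test"):
    """Send one framed event over TCP, like 'logger --tcp'; returns the bytes sent."""
    data = frame_syslog(cef_line, hostname)
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(data)
    return data

def loopback_roundtrip(cef_line):
    """Send to a throwaway local listener (assumed, stands in for the collector) and return the received line."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    got = []
    t = threading.Thread(target=lambda: got.append(srv.accept()[0].makefile("rb").readline()))
    t.start()
    send_cef_tcp("127.0.0.1", srv.getsockname()[1], cef_line)
    t.join(5)
    srv.close()
    return got[0].decode() if got else ""
```

Point `send_cef_tcp` at the collector on port 514 once `loopback_roundtrip` shows the framing is right; a real device line that `parse_cef` returns None for will not land in CommonSecurityLog either.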
