Forum Discussion
MicrosoftFailed to configure/use CEF syslog facility
@ seem to have a similar problem trying to configure this:
Whenever you're configuring the rsyslog service we're pushing a security_events.conf file as part of the integration process ( creating a listener for port 25226 )
Example in the steps:
Download and install the security_events config file that configures the Syslog agent to listen on port 25226.
sudo wget -O /etc/opt/microsoft/omsagent/{0}/conf/omsagent.d/security_events.conf "https://aka.ms/syslog-config-file-linux"
Where {0} should be replaced with your workspace GUID.
Security_events.conf
type syslog
port 25226
bind 127.0.0.1
protocol_type udp
tag oms.security
format /^(?<time>(?:\w+ +){2,3}(?:\d+:){2}\d+):? ?(?:(?<host>[^: ]+) ?:?)? (?<ident>[a-zA-Z0-9_%\/\.\-]*)(?:\[(?<pid>[0-9]+)\])?: *(?<message>.*)$/
message_length_limit 4096
</source>
type filter_syslog_security
</filter>
We're having a similar issue. I've verified that I have the security events.conf file on my server ,and that the Fortinet logs I'm pulling are in CEF format.
The logs are screaming in on 514 - but never go to Sentinel on 25266. Anything else I can check? Would setting the syslog port to 25266 on the firewall help at all?
CEF:0|Fortinet|Fortigate|v6.0.2
-rw-r--r-- 1 root root 359 Feb 12 01:58 /etc/opt/microsoft/omsagent/6e7121df-eea3-4365-b775-410954a08c7d/conf/omsagent.d/security_events.confIf you're seeing everything on 514 but not 25226 it seems like the forwarding isn't occurring correctly.
Confirm the configuration file
Make sure you've restarted the service, after adding the configuration change it requires a reboot to start up the new security file configuration.
I would confirm the following:
For rsyslog, ensure the following is in the configuration file for CEF
:msg, contains, "CEF" @127.0.0.1:25226
if the configuration file seems to be configured correctly, I would personally advise collecting the following information:
- Files:
- /etc/opt/microsoft/omsagent/<workspace id>/conf/omsagent.d/security_events.conf
- /var/opt/microsoft/omsagent/<workspace id>/log/omsagent.log
- /etc/rsyslog.conf
- The content of folder: /etc/rsyslog.d/
- Output of the following commands:
- CEF logs is the correct format in the var/messages file ("tac /var/log/syslog | grep CEF -m 10" or "tac /var/log/messages | grep CEF -m 10")
- TCP dump on ports 514 and 25226 ("tcpdump -i any dst port 514 -vv" or "tcpdump -i any dst port 25226 -vv")
Then create a support ticket if my comment above didn't help.
thanks for replying!
it actually turned out to be a setting in the rsyslog.conf file. I was setting up logging from 3 diff points, and 2 out of the 3 had the right settings - but the host I wrote about didn't have this uncommented:
the moral of the story is to never assume that all the files are the same :)
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
- Files:
Thanks Chris Boehm
We eventually got this working, and we think (thought not sure) that the problem was more that the logs being sent from Fortinet applicance were not yet in the CEF format - which we went and fixed.
Admittedly I did go a try a few other things so not 100% what fixed this for us but we're all good now.
