Forum Discussion
Failed to configure/use CEF syslog facility
Whenever you're configuring the rsyslog service, we're pushing a security_events.conf file as part of the integration process (creating a listener for port 25226).
Example in the steps:
Download and install the security_events config file that configures the Syslog agent to listen on port 25226.
sudo wget -O /etc/opt/microsoft/omsagent/{0}/conf/omsagent.d/security_events.conf "https://aka.ms/syslog-config-file-linux"
Where {0} should be replaced with your workspace GUID.
security_events.conf:

<source>
  type syslog
  port 25226
  bind 127.0.0.1
  protocol_type udp
  tag oms.security
  format /^(?<time>(?:\w+ +){2,3}(?:\d+:){2}\d+):? ?(?:(?<host>[^: ]+) ?:?)? (?<ident>[a-zA-Z0-9_%\/\.\-]*)(?:\[(?<pid>[0-9]+)\])?: *(?<message>.*)$/
  message_length_limit 4096
</source>

<filter oms.security.**>
  type filter_syslog_security
</filter>
Thanks, Chris Boehm.
We eventually got this working, and we think (though not sure) that the problem was more that the logs being sent from the Fortinet appliance were not yet in the CEF format, which we went and fixed.
Admittedly I did go and try a few other things, so I'm not 100% sure what fixed this for us, but we're all good now.
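The reply above pins the failure on the appliance sending non-CEF syslog to a listener that only forwards CEF. The following is an added example, not code from this thread or from Microsoft's agent: it applies the format regex from security_events.conf (rewritten with Python's (?P<name>...) group syntax; otherwise verbatim) to a few constructed syslog lines and reports, for each one, whether the listener's parser would match it and whether the payload is a CEF event with a well-formed header. The sample lines, host names, program names and CEF field values are all constructed for the example; only the regex and the port-25226 listener context come from the page.

```python
import re

# Parser pattern from security_events.conf. Fluentd uses Ruby's (?<name>...) named
# groups; Python needs (?P<name>...). Everything else is the page's regex verbatim.
SYSLOG_PATTERN = re.compile(
    r"^(?P<time>(?:\w+ +){2,3}(?:\d+:){2}\d+):? ?"
    r"(?:(?P<host>[^: ]+) ?:?)? "
    r"(?P<ident>[a-zA-Z0-9_%\/\.\-]*)(?:\[(?P<pid>[0-9]+)\])?: *"
    r"(?P<message>.*)$"
)

# CEF header: CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension
# Header fields are pipe-separated; a literal pipe inside a header field is escaped as \|.
CEF_HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                     "signature_id", "name", "severity")
_UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")


def strip_pri(line: str) -> str:
    """Drop a leading <PRI> priority header; the syslog input consumes it before the
    format regex is applied, so the regex never sees it."""
    m = re.match(r"^<\d{1,3}>", line)
    return line[m.end():] if m else line


def classify(line: str) -> dict:
    """Describe how the listener's parser would see one syslog line.

    status is one of:
      'unparsed' - the line does not match the format regex at all
      'non-cef'  - parsed, but the message is not a CEF event
      'cef'      - parsed and carries a CEF header (header fields extracted)
    """
    m = SYSLOG_PATTERN.match(strip_pri(line))
    if not m:
        return {"status": "unparsed", "raw": line}
    fields = m.groupdict()
    ident, message = fields["ident"], fields["message"]
    # With this regex, "host CEF:0|..." yields ident "CEF" and message "0|..." because
    # the "CEF:" prefix is consumed by the ident/colon part of the pattern, whereas
    # "host prog[123]: CEF:0|..." keeps "CEF:" inside the message. Accept both shapes.
    if ident == "CEF":
        cef_body = message
    elif message.startswith("CEF:"):
        cef_body = message[len("CEF:"):]
    else:
        return {"status": "non-cef", **fields}
    parts = _UNESCAPED_PIPE.split(cef_body, maxsplit=7)
    if len(parts) < 7:
        # Looked like CEF but the header is truncated; treat as not ingestible as CEF.
        return {"status": "non-cef", **fields}
    header = dict(zip(CEF_HEADER_FIELDS, parts[:7]))
    header["extension"] = parts[7] if len(parts) > 7 else ""
    return {"status": "cef", **fields, "cef": header}


# Constructed sample lines (not captured from a real appliance).
SAMPLE_LINES = [
    # CEF event with a priority header, as an appliance with CEF output enabled might send it
    "<134>Oct 11 22:14:15 fortigate CEF:0|Fortinet|FortiGate|6.0.0|0100032003|User login|3|src=10.0.0.5 suser=admin",
    # CEF event behind a program name and pid
    "Oct 11 22:14:16 fortigate fortilog[1234]: CEF:0|Fortinet|FortiGate|6.0.0|0100032004|User logout|2|src=10.0.0.5",
    # native key=value log: parses, but is not a CEF event and would not be forwarded as one
    "Oct 11 22:14:17 fortigate logger: date=2019-10-11 devname=FG-1 logid=0100032003 type=event",
    # not syslog-shaped at all
    "this is not a syslog line",
]


def summarize(lines=SAMPLE_LINES) -> dict:
    """Count lines per status; a healthy CEF feed should be all 'cef'."""
    counts = {"cef": 0, "non-cef": 0, "unparsed": 0}
    for line in lines:
        counts[classify(line)["status"]] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        r = classify(line)
        detail = r["cef"]["name"] if r["status"] == "cef" else r.get("message", r.get("raw"))
        print(f"{r['status']:9s} {detail}")
    print(summarize())
```

Run against a capture of what the appliance actually emits (for example a few lines read from the listener's UDP socket or from a packet capture on port 25226) instead of the constructed samples: a majority of 'non-cef' or 'unparsed' results points at the sender's output format, which is the condition the reply describes, rather than at the agent configuration.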