Forum Discussion
Failed to configure/use CEF syslog facility
We're having a similar issue. I've verified that I have the security_events.conf file on my server, and that the Fortinet logs I'm pulling are in CEF format.
The logs are screaming in on 514, but never go to Sentinel on 25266. Anything else I can check? Would setting the syslog port to 25266 on the firewall help at all?
CEF:0|Fortinet|Fortigate|v6.0.2
-rw-r--r-- 1 root root 359 Feb 12 01:58 /etc/opt/microsoft/omsagent/6e7121df-eea3-4365-b775-410954a08c7d/conf/omsagent.d/security_events.conf
If you're seeing everything on 514 but not 25226, it seems like the forwarding isn't occurring correctly.
Confirm the configuration file
Make sure you've restarted the service: after adding the configuration change, it requires a reboot to start up the new security file configuration.
I would confirm the following:
For rsyslog, ensure the following is in the configuration file for CEF
:msg, contains, "CEF" @127.0.0.1:25226
If the configuration file seems to be configured correctly, I would personally advise collecting the following information:
- Files:
  - /etc/opt/microsoft/omsagent/<workspace id>/conf/omsagent.d/security_events.conf
  - /var/opt/microsoft/omsagent/<workspace id>/log/omsagent.log
  - /etc/rsyslog.conf
  - The content of the folder /etc/rsyslog.d/
- Output of the following commands:
  - CEF logs are in the correct format in the /var/log/messages file ("tac /var/log/syslog | grep CEF -m 10" or "tac /var/log/messages | grep CEF -m 10")
  - TCP dump on ports 514 and 25226 ("tcpdump -i any dst port 514 -vv" or "tcpdump -i any dst port 25226 -vv")
Then create a support ticket if my comment above didn't help.
- LauraPen, Jun 20, 2019, Copper Contributor
thanks for replying!
It actually turned out to be a setting in the rsyslog.conf file. I was setting up logging from 3 different points, and 2 out of the 3 had the right settings, but the host I wrote about didn't have this uncommented:
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
The moral of the story is to never assume that all the files are the same :)
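As an added example (not code from the thread or from Microsoft), the checklist above and LauraPen's finding can be turned into a small lint for rsyslog.conf: it skips commented-out lines, so a `#$ModLoad imudp` line counts as missing, which is exactly the failure described. The sample config is constructed here; the directive patterns accept both the legacy `$ModLoad` syntax shown in the thread and rsyslog's newer `module(load=...)` form.

```shell
#!/bin/sh
# Constructed sample rsyslog.conf for offline use: UDP reception is present
# but commented out, which reproduces the problem reported in the thread.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
:msg, contains, "CEF" @127.0.0.1:25226
EOF

# has_directive FILE PATTERN: succeeds only if an active (non-comment) line
# matches PATTERN, so commented-out directives are treated as absent.
has_directive() {
    grep -v '^[[:space:]]*#' "$1" | grep -Eq "$2"
}

# check_rsyslog_conf FILE: prints each directive that is missing or commented
# out and returns the number of missing directives (0 = all present).
check_rsyslog_conf() {
    conf=$1
    missing=0
    for want in \
        'ModLoad imudp|module\(load="imudp"\)' \
        'UDPServerRun 514|input\(type="imudp" port="514"\)' \
        'ModLoad imtcp|module\(load="imtcp"\)' \
        'InputTCPServerRun 514|input\(type="imtcp" port="514"\)' \
        ':msg, contains, "CEF" @@?127\.0\.0\.1:25226'
    do
        if ! has_directive "$conf" "$want"; then
            echo "missing or commented out: $want"
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# Run against the sample: expect the two imudp directives to be reported.
check_rsyslog_conf "$SAMPLE_CONF" || echo "missing directives: $?"
rm -f "$SAMPLE_CONF"
```

Point it at the real file with `check_rsyslog_conf /etc/rsyslog.conf` (and at each file under /etc/rsyslog.d/), then restart rsyslog after fixing anything it reports.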