Forum Discussion

jimbo31180
Copper Contributor
Aug 16, 2024

Sentinel Data collection rule initial setup

I am trying to set up a Data collection rule (common event format (CEF) via AMA) for getting our firewall logs into Sentinel via a syslog server, but I am not sure what facility(ies) to use. Is there an article about the setup of this (these) rules? I tried doing searches but have found nothing relevant.

3 Replies

  • MHenshaw
    Brass Contributor

    jimbo31180 Hey! Once you have the firewall logs hitting your collector, you can do a TCP dump over port 514 (or whatever port you're receiving them on) to see the facility they're coming over with 🙂 Also, depending on your firewall, you can set the facility in the syslog forwarding setup on your firewall.
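    To read the facility off captured traffic as MHenshaw suggests, here is an added example (not from this thread) that decodes the syslog PRI header `<N>` of each captured line into facility and severity and counts how many lines per facility carry a CEF payload. The sample lines are constructed, and the CEF check simply looks for the `CEF:` marker.

```python
import re

# Syslog facility names as numbered in RFC 3164 / RFC 5424 (facility = PRI // 8).
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
# Severity = PRI % 8.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(line):
    """Return (facility, severity, is_cef) for one raw syslog line, or None if it has no valid PRI."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 facilities * 8 + 7 is the largest valid PRI
        return None
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity], "CEF:" in line


def facilities_in_use(lines):
    """Count messages per facility and how many of them carry a CEF payload."""
    summary = {}
    for line in lines:
        decoded = decode_pri(line)
        if decoded is None:
            continue  # not a syslog line; skip rather than guess
        fac, _, is_cef = decoded
        entry = summary.setdefault(fac, {"count": 0, "cef": 0})
        entry["count"] += 1
        entry["cef"] += int(is_cef)
    return summary


# Constructed sample lines, in the shape a firewall might send to a syslog collector.
SAMPLE_LINES = [
    "<134>Aug 16 10:01:02 fw01 CEF:0|ExampleVendor|ExampleFW|1.0|100|Traffic allowed|3|src=10.0.0.5 dst=10.0.0.9",
    "<134>Aug 16 10:01:03 fw01 CEF:0|ExampleVendor|ExampleFW|1.0|101|Traffic denied|5|src=10.0.0.7 dst=10.0.0.9",
    "<38>Aug 16 10:01:04 fw01 sshd[123]: Accepted publickey for admin",
    "garbage line without a PRI header",
]

if __name__ == "__main__":
    for fac, info in facilities_in_use(SAMPLE_LINES).items():
        print(f"{fac}: {info['count']} messages, {info['cef']} with CEF")
```

    Facilities whose lines carry CEF (here local0) are the ones to select in the CEF via AMA data collection rule; the plain `auth` line shows why you would not enable every facility blindly.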

  • Sidra_Raza
    Brass Contributor
    As per my understanding, I enabled LOG_LOCAL0 to LOG_LOCAL7 to ingest firewall logs into Sentinel.
