Forum Discussion
msraj
Jul 19, 2021
Copper Contributor
Windows Data Collector(instead of Linux) for Firewall Logs
Hi,
I am planning an implementation of Azure Sentinel. As part of it, I need to design a solution to forward firewall (Palo Alto) logs into Sentinel. But the organization uses only Windows OS for the whole fleet.
Is there any possibility that I can use Windows OS as an on-premises log collector for Sentinel?
Thanks,
R
- CliveWatson
Microsoft
The built-in PaloAlto connector is for Linux (as I guess you have seen); for Windows you have two choices.
1. Does the Firewall write to the Windows Event Log? If so, you could collect the EventIds from there (using the MMA or AMA): https://docs.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-overview
2. Can you output a custom log file, and use the custom log feature to read that file? https://docs.microsoft.com/en-us/azure/azure-monitor/agents/data-sources-custom-logs
- msraj
Copper Contributor
Thanks, @Clive. Do you have any reference documentation that I could use to configure Firewall logs to Windows Event Logs?
- CliveWatson
Microsoft
This will depend on how the product you use writes its logs. If they go to the Event Viewer on Windows, then you can look at https://docs.microsoft.com/en-us/azure/azure-monitor/agents/data-sources-windows-events. However, these will probably be classed as Security Events, so you need to use ASC (see link), or you can use Azure Sentinel: https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events?tabs=LAA
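As an added illustration of the two options Clive describes (this is example code written for this page, not something from the thread, from Microsoft or from Palo Alto), the PowerShell script below runs on a Windows collector host: it receives the firewall's syslog messages over UDP and appends each one as a single timestamped line to a custom text log that the Log Analytics agent's custom logs data source can pick up; with the optional switch it also writes each message to a dedicated Windows event log so the Windows Events data source can collect it. The listening port, the log file path, the event log name `FirewallLogs`, the source name `PaloAltoForwarder` and event ID 1000 are all assumptions; the firewall itself is assumed to be configured to send syslog to this host.

```powershell
# Added example, not from the original thread. Assumes the firewall forwards syslog
# over UDP to this Windows host. Port, paths, log name, source and event ID are assumptions.
param(
    [int]$Port = 514,
    [string]$LogPath = 'C:\Logs\paloalto\firewall.log',
    [switch]$ToEventLog
)

# Make sure the directory the custom log lives in exists before the agent starts reading it.
$logDir = Split-Path -Parent $LogPath
if (-not (Test-Path $logDir)) {
    New-Item -ItemType Directory -Path $logDir | Out-Null
}

# Option 1 from the thread: register a custom event log and source (needs an elevated
# session the first time), so the messages can be collected as Windows events.
if ($ToEventLog) {
    if (-not [System.Diagnostics.EventLog]::SourceExists('PaloAltoForwarder')) {
        New-EventLog -LogName 'FirewallLogs' -Source 'PaloAltoForwarder'
    }
}

# Bind a UDP socket for incoming syslog datagrams.
$remote = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
$udp    = New-Object System.Net.Sockets.UdpClient $Port

try {
    while ($true) {
        $bytes = $udp.Receive([ref]$remote)
        $msg   = [System.Text.Encoding]::UTF8.GetString($bytes).TrimEnd("`r", "`n")

        # Option 2 from the thread: one record per line, starting with a timestamp so the
        # custom logs data source can use the timestamp as its record delimiter.
        $stamp = Get-Date -Format 'yyyy-MM-ddTHH:mm:ss.fffK'
        $line  = '{0} {1} {2}' -f $stamp, $remote.Address, $msg
        Add-Content -Path $LogPath -Value $line -Encoding UTF8

        if ($ToEventLog) {
            Write-EventLog -LogName 'FirewallLogs' -Source 'PaloAltoForwarder' `
                -EventId 1000 -EntryType Information -Message $msg
        }
    }
}
finally {
    $udp.Close()
}
```

Run it as a scheduled task or a service account with write access to the log directory, and point the custom logs data source at the same path with the timestamp-delimited record format. If you use the event log path instead, the log name you register here is the one to add in the Windows Events data source; keep in mind that a custom log like this is not the Security log, so it is collected as a normal Windows event rather than through the Security Events connector Clive mentions.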