SOLVED
Connector for on-premises windows to azure sentinel

James_Ha_Nguyen
New Contributor

Hi,

In our on-premises environment, we set up a Windows host with wiki syslog to collect the logs from servers, switches, firewalls, …

How can I upload the logs from on-premises to Azure Sentinel?

I see that Azure Sentinel only supports installing the agent on Linux (which is the Syslog or CEF connectors).

Thank you very much for your help.

8 Replies
Solution

@James_Ha_Nguyen 

Azure Sentinel has CEF and Syslog data connectors; Sentinel uses Log Analytics, which has agents for both Linux (Syslog v1) and Windows. Go to the "workspace settings" menu in Sentinel, then "advanced settings" and add the agent for Windows.

https://docs.microsoft.com/en-us/services-hub/health/mma-setup 

@Clive Watson 

Thank you very much for your help.

It works for me.

@Clive Watson

I have installed the MMA on my host and I can see the connection is Up and Successful. But I don't observe any log analytics on my Sentinel Workspace.

Are there any additional configurations to be set up?

(Attached is the screenshot from MMA: MMA.GIF)

@smhasn 

Is this Windows or Linux? Troubleshooting steps for both are here: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agent-manage#next-steps

How long have you waited? Sometimes, depending on the data type, it can take a while. Are you using an OMS Gateway, or is the agent connected directly to Log Analytics?

@Clive Watson

It is on a Windows host. I installed the MMA (64-bit) via Add Connector for my Sentinel Workspace, and it has been more than 12 hours since my configuration. But I can only receive Heartbeat events from this connector.

@Clive Watson

I tried going through the link, but nothing helped.

Is there anything that I am missing?

@smhasn 

If you have Heartbeat data then the MMA is working; what other data were you expecting?

Go to Log Analytics and Run Query

Have you added other data to be collected in 'advanced settings' - Data, e.g. https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-sources-windows-events
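The two checks Clive describes (does Heartbeat arrive, and has any other data source actually been enabled for the agent) can be done with a single Log Analytics query. The query below is an added example, not the query linked in the thread and not Microsoft's code; the computer name is a placeholder you replace with the Windows host running the MMA, and the table list is an assumption covering the data sources the Windows agent commonly feeds (Windows event logs land in Event, security events in SecurityEvent, performance counters in Perf).

```kql
// Added example: per-table record counts from one MMA host over the last 24 hours.
// Replace the placeholder with the Computer name shown in the Heartbeat table.
let target = "WIN-HOST-PLACEHOLDER";
union withsource=SourceTable isfuzzy=true Heartbeat, Event, SecurityEvent, Perf
| where TimeGenerated > ago(1d)
| where Computer =~ target
| summarize Records = count(), Latest = max(TimeGenerated) by SourceTable
| extend MinutesSinceLatest = datetime_diff("minute", now(), Latest)
| order by Records desc
```

If the only row returned is Heartbeat, the agent is connected and healthy but no data source has been enabled for it: that is exactly the state described in the thread, and the fix is the Data tab under advanced settings, not the agent. If a row for Event or SecurityEvent appears with a recent Latest value, collection is working and any remaining gap is in what you are querying. `isfuzzy=true` keeps the query from failing in a workspace where one of the listed tables has never received data.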

@Clive Watson 

Thanks, this works now.
