
Ingesting custom logs sources and non-Security event logs

ford8k
New Contributor

Hi,


If we want to ingest a Windows event log that isn't Security, do we need to use some combination of WEF -> PowerShell -> Syslog -> Sentinel?


If we want to tail some myapp.log file, can the agent help us or is it a case of writing our own code and - again - crafting syslog messages out of each log entry to send it on to Sentinel?

2 Replies

Hi @ford8k 


Azure Sentinel is built using Azure Log Analytics, and that has a Windows Event Log connector (it shows up in Log Analytics, not in the Sentinel connector list). So you can use that to connect your event logs. https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-sources-windows-events

It also has a custom log feature, so you can import Linux or Windows ASCII files: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-sources-custom-logs
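One way to set up the non-Security event log collection the reply points to, as an added example that is not from the original thread: the Az.OperationalInsights cmdlets below register a Windows event data source on the Log Analytics workspace behind Sentinel. The resource group, workspace and data source names are placeholders, and an authenticated Az session is assumed.

```powershell
# Added example (not from the thread): collect a non-Security Windows event log
# through the Log Analytics workspace that Sentinel is attached to.
# Assumes the Az.OperationalInsights module is installed and Connect-AzAccount has run.
$rg = "rg-sentinel"    # placeholder resource group name
$ws = "law-sentinel"   # placeholder Log Analytics workspace name

# Register the Application log as a data source. Only Error and Warning
# levels are collected here; leaving Information out keeps ingestion volume
# (and therefore cost) down, which matters when the log is chatty.
New-AzOperationalInsightsWindowsEventDataSource `
    -ResourceGroupName $rg `
    -WorkspaceName $ws `
    -Name "AppLog-Application" `
    -EventLogName "Application" `
    -CollectErrors `
    -CollectWarnings

# Check which Windows event data sources the workspace now has configured.
Get-AzOperationalInsightsDataSource -ResourceGroupName $rg -WorkspaceName $ws -Kind WindowsEvent

# Once the agent on each host picks up the new configuration, the records land in
# the Event table (not SecurityEvent). A query to confirm data is arriving and to
# spot the noisiest sources, run from the Logs blade:
#   Event
#   | where EventLog == "Application" and EventLevelName in ("Error", "Warning")
#   | summarize count() by Computer, Source, EventID
#   | order by count_ desc
```

The custom log route from the second link is configured separately (file path, record delimiter and table name) and writes to a `<name>_CL` table rather than to Event.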
