cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Azure Sentinel - Dual Syslog Forwarding

a-balde
Copper Contributor

‎Sep 17 2020 12:50 AM - edited ‎Sep 17 2020 01:47 AM

‎Sep 17 2020 12:50 AM - edited ‎Sep 17 2020 01:47 AM

Azure Sentinel - Dual Syslog Forwarding

We have a CentOS 7 syslog server running rsyslog and receiving messages on UDP 514. Is it supported to forward syslog messages from this server to a remote collector using the rsyslog daemon while the OMS agent is installed and also forwarding syslog messages to Azure Sentinel? We have noticed most of the messages are going to Azure Sentinel and the remote syslog collector only receiving some messages so because of the messages been potentially split both the remote syslog collector and Azure Sentinel are missing some messages. In the logs we noticed the UDP buffer been full so increased the buffer size from 2MB to 25MB. Forwarding to the remote syslog collector is configured like this in the rsyslog.conf file *.* @192.168.2.56:514 and the Workspace has all the syslog facilities enabled with all severity levels.

1,611 Views
0 Likes
2 Replies
Reply
2 Replies
mergene

‎Sep 17 2020 11:54 AM

‎Sep 17 2020 11:54 AM

Re: Azure Sentinel - Dual Syslog Forwarding

I don't remember how to do it but rsyslog supports forwarding logs to a secondary destination.
0 Likes
Reply
Ofer_Shezaf

‎Sep 19 2020 07:29 AM

‎Sep 19 2020 07:29 AM

Re: Azure Sentinel - Dual Syslog Forwarding

@a-balde : to avoid event loss I suggest moving to TCP, using 

 

 *.* @@192.168.2.56:514

 

Naturally, you will need to have to also support TCP on the recieving rsyslog.

 

I would suggest also moving to TCP for sending to Sentinel as described here: "The log forwarder deep dive webinar (plus a bonus: learn how to use it to filter events)":  YouTubeMP4Deck

 

 

0 Likes
Reply