Azure Sentinel - Dual Syslog Forwarding


We have a CentOS 7 syslog server running rsyslog and receiving messages on UDP 514. Is it supported to forward syslog messages from this server to a remote collector using the rsyslog daemon while the OMS agent is installed and also forwarding syslog messages to Azure Sentinel? We have noticed most of the messages are going to Azure Sentinel and the remote syslog collector is only receiving some messages, so because the messages are potentially being split, both the remote syslog collector and Azure Sentinel are missing some messages. In the logs we noticed the UDP buffer being full, so we increased the buffer size from 2MB to 25MB. Forwarding to the remote syslog collector is configured like this in the rsyslog.conf file: *.* @192.168.2.56:514 and the Workspace has all the syslog facilities enabled with all severity levels.

2 Replies
I don't remember how to do it but rsyslog supports forwarding logs to a secondary destination.

@a-balde : to avoid event loss I suggest moving to TCP, using

 *.* @@192.168.2.56:514

Naturally, you will also need to support TCP on the receiving rsyslog.

I would suggest also moving to TCP for sending to Sentinel as described here: "The log forwarder deep dive webinar (plus a bonus: learn how to use it to filter events)" (links: YouTube, MP4, Deck)
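An added check, not code from the thread or from rsyslog: a small Python audit that finds rsyslog forwarding actions (legacy `@`/`@@` selector lines and RainerScript `omfwd` actions) and flags the situation the question describes, UDP forwarding to a remote collector, against the TCP-with-queue form the reply recommends. The two configs are constructed samples; the OMS agent's loopback listener on UDP 25224 is its documented default, but the selector line shown for it is simplified.

```python
import re

# Constructed sample (not the asker's real file): the UDP forwarder from the
# question plus a simplified version of the line the OMS agent installs.
BEFORE = """\
$ModLoad imudp
$UDPServerRun 514
*.* @192.168.2.56:514
*.* @127.0.0.1:25224
"""
# The remote forwarder moved to TCP with a dedicated action queue, so a slow or
# unreachable collector buffers messages instead of silently dropping datagrams.
AFTER = """\
$ModLoad imudp
$UDPServerRun 514
action(type="omfwd" target="192.168.2.56" port="514" protocol="tcp"
       queue.type="LinkedList" queue.size="50000" action.resumeRetryCount="-1")
*.* @127.0.0.1:25224
"""

LEGACY = re.compile(r"^\s*([^\s#]+)\s+(@@?)([\w.\-]+)(?::(\d+))?\s*$", re.M)
RAINER = re.compile(r"action\(([^)]*)\)", re.S)
PARAM = re.compile(r'(\S+?)="([^"]*)"')

def audit_forwarders(conf):
    """Return one finding per forwarding action: (target, port, proto, risk)."""
    findings = []
    for _sel, at, host, port in LEGACY.findall(conf):      # legacy "sel @host:port"
        proto = "tcp" if at == "@@" else "udp"
        findings.append((host, int(port or 514), proto, _risk(host, proto, False)))
    for body in RAINER.findall(conf):                      # action(type="omfwd" ...)
        p = dict(PARAM.findall(body))
        if p.get("type") != "omfwd":
            continue
        proto = p.get("protocol", "udp").lower()
        findings.append((p["target"], int(p.get("port", 514)), proto,
                         _risk(p["target"], proto, "queue.type" in p)))
    return findings

def _risk(host, proto, queued):
    if host.startswith("127.") or host == "localhost":
        return "local"        # loopback delivery to the OMS agent, not the lossy hop
    if proto == "udp":
        return "udp-remote"   # datagrams are dropped silently when the buffer fills
    return "tcp" if queued else "tcp-unqueued"  # no action queue: a stalled collector can block the main queue

if __name__ == "__main__":
    for name, conf in (("BEFORE", BEFORE), ("AFTER", AFTER)):
        print(name, audit_forwarders(conf))
```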