Azure Sentinel for On premises without MMA agent

%3CLINGO-SUB%20id%3D%22lingo-sub-2146774%22%20slang%3D%22en-US%22%3EAzure%20Sentinel%20for%20On%20premises%20without%20MMA%20agent%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2146774%22%20slang%3D%22en-US%22%3E%3CP%3EHi%3C%2FP%3E%3CP%3EI%20have%20a%20use%20case%20where%20customer%20don't%20want%20to%20install%20any%20MMA%20agent%20on%20their%20machines%2FNEs%20to%20collect%20the%20data%20due%20to%20some%20security%20reason%20so%20how%20do%20we%20address%20such%20situation%20and%20what%20is%20the%20work%20around%3F%3C%2FP%3E%3CP%3Emy%20understanding%20i%20should%20go%20for%20syslog%20forwarded%2FCEF%20to%20collect%20the%20on%20premises%20logs%20from%20different%20sources%20and%20send%20it%20to%20Azure%20sentinel%20over%20443%20or%20via%20private%20connect.%20could%20any%20one%20can%20suggest%20if%20this%20will%20work%20or%20any%20workable%20solution.%20Thanks%20a%20lot%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2148936%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20Sentinel%20for%20On%20premises%20without%20MMA%20agent%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2148936%22%20slang%3D%22en-US%22%3EFor%20Linux%2C%20forwarding%20is%20supported%2C%20Windows%20Event%20Forwarding%20(WEF)%20will%20be%20added%20into%20the%20Azure%20Monitoring%20Agent%20(preview)%20in%20the%20future.%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Fplatform%2Flog-analytics-agent%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Fplatform%2Flog-analytics-agent%3C%2FA%3E%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E
New Contributor

Hi

I have a use case where customer don't want to install any MMA agent on their machines/NEs to collect the data due to some security reason so how do we address such situation and what is the work around?

my understanding i should go for syslog forwarded/CEF to collect the on premises logs from different sources and send it to Azure sentinel over 443 or via private connect. could any one can suggest if this will work or any workable solution. Thanks a lot

4 Replies
For Linux, forwarding is supported, Windows Event Forwarding (WEF) will be added into the Azure Monitoring Agent (preview) in the future. https://docs.microsoft.com/en-us/azure/azure-monitor/platform/log-analytics-agent
Thanks Clive. So if i understood correctly then it is not necessary to installed the Monitoring agent on any machines or nodes to collect the logs required for sentinel. I am referring this below URL: https://docs.microsoft.com/en-us/azure/sentinel/connect-data-sources) for on premise design where all the customer side logs will be placed in syslog forwarder Linux based machine ( Placed at customer premise ) so that sentinel can collect it. So this will avoid placing MMA on any customer machines ( Windows /Linux/NEs ). what is your views or any showstopper ?

@kausiktsi : as @Clive Watson stated, remove collection is currently possible only for Linux and other systems supporting Syslog (which would exclude Windows). See here for details. Remote collection for Windows is planned in the near future.