SOLVED

Azure Sentinel Linux Syslog Agent Configuration

Copper Contributor

Hello All,

 

I looking for help with trying to ingest Cisco NGFWv syslog messages in Azure Sentinel. I've configured my Linux Syslog agent to collect my Common Event Format (CEF) Syslog messages and forward them to Azure Sentinel but, I've been unsuccessful.

 

My Linux syslog agent is receiving syslog messages from my Cisco NGFWv but, isn't forwarding them to Azure Sentinel, even thought my Linux syslog agent is connected (sending heartbeast) to Azure Sentinel.

 

Below is a message I'm seeing when executing the troubleshooting command provide by Azure Sentinel within their configuration instructions:

----------------------------------------------------

Could not locate "CEF" message in tcpdump
Fetching CEF messages from daemon files.
Taking 2 snapshots in 5 seconds diff and compering the amount of CEF messages.
If found increasing CEF messages daemon is receiving CEF messages.
Validating the CEF\ASA logs are received and are in the correct format when received by syslog daemon
sudo tac /var/log/syslog
Located 0
CEF\ASA messages
Validating the CEF\ASA logs are received and are in the correct format when received by syslog daemon
sudo tac /var/log/syslog
Located 0
CEF\ASA messages
Error: no CEF messages received by the daemon.
Please validate that you do send CEF messages to agent.
Checking daemon incoming connection for tcp and udp
This will take 60 seconds.
sudo tcpdump -A -ni any port 25226 -vv
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
Could not locate "CEF" message in tcpdump
Simulating mock data which you can find in your workspace
This will take 60 seconds.
sudo tcpdump -A -ni any port 25226 -vv
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
15:38:46.098278 IP (tos 0x0, ttl 64, id 64704, offset 0, flags [DF], proto TCP (6), length 411)
127.0.0.1.55128 > 127.0.0.1.25226: Flags [P.], cksum 0xff8f (incorrect -> 0x133c), seq 2265321169:2265321528, ack 497104721, win 512, options [nop,nop,TS val 942763643 ecr 942763050], length 359
E.....@.@.>..........Xb.......7Q...........
Mock messages sent and received in daemon incoming port [514] and to the omsagent port [25226].
Notice: To tcp dump manually execute the following command - 'tcpdump -A -ni any port 25226 -vv'
[u'syslog 3437 1 0 15:36 ? 00:00:00 /usr/sbin/rsyslogd -n']
Found rsyslogd process running on this machine.
[]
Warning: please make sure your logging daemon configuration does not store unnecessary logs. This may cause a full disk on your machine, which will disrupt the function of the oms agent installed. For more information:
https://www.rsyslog.com/doc/master/configuration/actions.html
Completed troubleshooting.
Please check Log Analytics to see if your logs are arriving. All events streamed from these appliances appear in raw form in Log Analytics under CommonSecurityLog type
Notice: If no logs appear in workspace try looking at omsagent logs:
tail -f /var/opt/microsoft/omsagent/****/log/omsagent.log
Warning: Make sure that the logs you send comply with RFC 5424.

----------------------------------------------------------------------------

 

Thanks in advance!

4 Replies
best response confirmed by Will_Network (Copper Contributor)
Solution
HI Will,

Please check if you have the security_events.conf file available under /etc/opt/microsoft/omsagent/youur workspaceid/conf/omsagent.d

If not create one and add the below entries in the file.

<source>
type syslog
port 25226
bind 127.0.0.1
protocol_type tcp
tag oms.security
format /(?<time>(?:\w+ +){2,3}(?:\d+:){2}\d+|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.[\w\-\:\+]{3,12}):?\s*(?:(?<host>[^: ]+) ?:?)?\s*(?<ident>.*CEF.+?(?=0\|)|%ASA[0-9\-]{8,10})\s*:?(?<message>0\|.*|.*)/
<parse>
message_format auto
</parse>
</source>


<filter oms.security.**>
type filter_syslog_security
</filter>

Also under syslog.conf file available in the same path please change the protocol from UDP to TCP. After changing that to TCP restart using the following command.

sudo service rsyslog restart


After performing the above steps you can go to the /etc/rsyslog.d. Under this you can find 95-omsagent.conf file and change the @127.0.0.1 with @@127.0.0.1 to send the log in tcp.

THis should resolve your issue as it worked for me.

@Will_Network are the mock messages appearing in Sentinel in the CommonSecurityLog?

@pavankemi Hi, I'm facing the same issue and went through all the changes but I get the error . any help would be appreciated .

 

sudo tcpdump -A -ni any port 514 -vv
Could not locate "CEF" message in tcpdump
Fetching CEF messages from daemon files.
Taking 2 snapshots in 5 seconds diff and compering the amount of CEF messages.
If found increasing CEF messages daemon is receiving CEF messages.
Validating the CEF\ASA logs are received and are in the correct format when received by syslog daemon
sudo tac /var/log/syslog
Located 0
CEF\ASA messages
Validating the CEF\ASA logs are received and are in the correct format when received by syslog daemon
sudo tac /var/log/syslog
Located 0
CEF\ASA messages
Error: no CEF messages received by the daemon.
Please validate that you do send CEF messages to agent.
Checking daemon incoming connection for tcp and udp
This will take 60 seconds.
sudo tcpdump -A -ni any port 25226 -vv
Could not locate "CEF" message in tcpdump

Good Day did you manage to resolve the above?
1 best response

Accepted Solutions
best response confirmed by Will_Network (Copper Contributor)
Solution
HI Will,

Please check if you have the security_events.conf file available under /etc/opt/microsoft/omsagent/youur workspaceid/conf/omsagent.d

If not create one and add the below entries in the file.

<source>
type syslog
port 25226
bind 127.0.0.1
protocol_type tcp
tag oms.security
format /(?<time>(?:\w+ +){2,3}(?:\d+:){2}\d+|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.[\w\-\:\+]{3,12}):?\s*(?:(?<host>[^: ]+) ?:?)?\s*(?<ident>.*CEF.+?(?=0\|)|%ASA[0-9\-]{8,10})\s*:?(?<message>0\|.*|.*)/
<parse>
message_format auto
</parse>
</source>


<filter oms.security.**>
type filter_syslog_security
</filter>

Also under syslog.conf file available in the same path please change the protocol from UDP to TCP. After changing that to TCP restart using the following command.

sudo service rsyslog restart


After performing the above steps you can go to the /etc/rsyslog.d. Under this you can find 95-omsagent.conf file and change the @127.0.0.1 with @@127.0.0.1 to send the log in tcp.

THis should resolve your issue as it worked for me.

View solution in original post