Deploying a combined Syslog/CEF forwarder


Hi, I'm planning an on-prem syslog/CEF forwarder and the documentation is a little unclear to me. I need the forwarder to forward CEF messages from sources that support it, and raw syslog messages from sources that don't support CEF. The documentation here (https://docs.microsoft.com/en-us/azure/sentinel/connect-cef-agent?tabs=rsyslog) suggests that the forwarder will only send CEF messages up to Sentinel. In my testing I also found that after configuring the Syslog data settings on the Log Analytics workspace I was able to forward raw syslog messages through the same server.


Am I going about this the correct way?  


Step 3 on this page (https://docs.microsoft.com/en-us/azure/sentinel/connect-cef-verify?tabs=rsyslog) mentions that /etc/rsyslog.d/security-config-omsagent.conf contains 'if $rawmsg contains "CEF:" or $rawmsg contains "ASA-" then @@127.0.0.1:25226', which suggested that plain syslog messages would not be forwarded.

1 Reply
Ah, I think the penny has dropped :-). So it looks as though rsyslog includes all config files contained within /etc/rsyslog.d/ and processes messages using these config files in order. So I'm adding an additional config file, as suggested by Ofer Shezaf, to be processed before 95-omsagent.conf, to include the statement mentioned earlier ('if $rawmsg contains "CEF:".......). Then messages identified as CEF messages will be processed and forwarded, then processing stops to prevent the message from being handled by the general syslog 95-omsagent.conf file. Raw syslog messages will not match the CEF rule and will therefore be handled as syslog.

The documentation could be much clearer around this I think.
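The drop-in file described in the reply, written out as an added example (not a file from the thread or from the Microsoft documentation). The file name 10-cef-forward.conf is an assumption chosen so that it sorts before 95-omsagent.conf; the match condition and the 127.0.0.1:25226 target are the ones quoted in the question, expressed in rsyslog's RainerScript form with an explicit stop.

```rsyslog
# /etc/rsyslog.d/10-cef-forward.conf  (assumed name: rsyslog loads /etc/rsyslog.d/*.conf
# in lexical order, so "10-" is evaluated before 95-omsagent.conf)
#
# CEF (and Cisco ASA) messages go to the local OMS agent CEF listener on TCP 25226.
# The "stop" ends processing for those messages, so 95-omsagent.conf never sees them
# and they are not ingested a second time as plain syslog.
# Everything that does not match falls through to the remaining files and is
# handled by the ordinary syslog rules.
if ($rawmsg contains "CEF:" or $rawmsg contains "ASA-") then {
    # Equivalent to the legacy "@@127.0.0.1:25226" (the "@@" prefix means TCP).
    action(type="omfwd" target="127.0.0.1" port="25226" protocol="tcp")
    stop
}
```

Check the configuration with rsyslogd -N1 before restarting the rsyslog service; if the agent-generated security-config-omsagent.conf also contains the forwarding rule, make sure only one copy sends to 25226 or CEF events will be delivered twice.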