Facility number 13 (log audit)


Hi All,

I have configured and installed the Linux agent to receive syslog from an appliance that sends log audit, which is facility 13.

The configuration file /etc/rsyslog.d/95-omsagent.conf doesn't include that facility. Where do I need to add it? Any hint or help is much appreciated.

Thanks

1 Reply

Hi @Ousi12

You can write the logs to a particular log file by defining it in the rsyslog.conf file, and then you can define the path in the Custom Logs option under the Sentinel advanced settings:

Azure Sentinel workspaces --> Azure Sentinel | Settings --> Sentinel --> Advanced settings
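The rsyslog side of the procedure in the reply above, as an added example that is not code from the original thread or from Microsoft's agent. It first decodes the PRI of a raw syslog line so you can confirm the appliance really emits facility 13 before touching any config (facility = PRI / 8, severity = PRI % 8; a line captured with tcpdump or "nc -lu 514" on the agent host will do), then prints an rsyslog drop-in that writes that facility to its own file, which is the file to point the Custom Logs option at. Using a separate drop-in keeps the change out of 95-omsagent.conf, which the agent installs. The sample log line, the drop-in name 20-logaudit.conf and the output path /var/log/appliance-audit.log are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original thread). Helpers:
#  syslog_facility / syslog_severity  decode the <PRI> of a raw syslog line
#  rsyslog_dropin                     print a drop-in that files facility 13
# Sample line and file names are constructed for illustration.

# RFC 3164 / RFC 5424: PRI = facility * 8 + severity.
syslog_pri() {
    printf '%s\n' "$1" | sed -n 's/^<\([0-9]\{1,3\}\)>.*/\1/p'
}

syslog_facility() {
    pri=$(syslog_pri "$1")
    [ -n "$pri" ] || return 1        # no <PRI> prefix: not a syslog line
    echo $((pri / 8))
}

syslog_severity() {
    pri=$(syslog_pri "$1")
    [ -n "$pri" ] || return 1
    echo $((pri % 8))
}

# Constructed sample: PRI 110 = facility 13 (log audit), severity 6 (info).
SAMPLE='<110>Jun 22 10:15:01 appliance01 audit: admin login succeeded'

# Drop-in for facility 13. The numeric $syslogfacility property is matched
# on purpose: it does not depend on whether this rsyslog build has a keyword
# for facility 13 (the classic selector keywords are the BSD set: auth,
# daemon, local0-local7 and so on). "stop" keeps these messages out of
# /var/log/syslog and out of later drop-ins such as 95-omsagent.conf.
# Assumed file name: /etc/rsyslog.d/20-logaudit.conf
# Assumed output path: /var/log/appliance-audit.log
rsyslog_dropin() {
    cat <<'EOF'
# /etc/rsyslog.d/20-logaudit.conf
if $syslogfacility == 13 then {
    action(type="omfile" file="/var/log/appliance-audit.log")
    stop
}
EOF
}

# Run directly: show the decoded PRI of the sample, then the drop-in text.
echo "facility=$(syslog_facility "$SAMPLE") severity=$(syslog_severity "$SAMPLE")"
rsyslog_dropin
```

Redirect the printed drop-in into /etc/rsyslog.d/20-logaudit.conf, validate it with `rsyslogd -N1`, and restart rsyslog. On Debian and Ubuntu the default rsyslog.conf includes /etc/rsyslog.d/*.conf in name order, so the 20- file runs before 50-default.conf and 95-omsagent.conf; once /var/log/appliance-audit.log fills, that is the path to enter under Custom Logs in the Advanced settings page named above.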