cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Ingesting custom logs sources and non-Security event logs

%3CLINGO-SUB%20id%3D%22lingo-sub-977161%22%20slang%3D%22en-US%22%3EIngesting%20custom%20logs%20sources%20and%20non-Security%20event%20logs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-977161%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20we%20want%20to%20ingest%20a%20Windows%20event%20log%20that%20isn't%20Security%2C%20do%20we%20need%20to%20use%20some%20combination%20of%20WEF%20-%26gt%3B%20PowerShell%20-%26gt%3B%20Syslog%20-%26gt%3B%20Sentinel%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20we%20want%20to%20tail%20some%20myapp.log%20file%2C%20can%20the%20agent%20help%20us%20or%20is%20it%20a%20case%20of%20writing%20our%20own%20code%20and%20-%20again%20-%20crafting%20syslog%20messages%20out%20of%20each%20log%20entry%20to%20send%20it%20on%20to%20Sentinel%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-977434%22%20slang%3D%22en-US%22%3ERe%3A%20Ingesting%20custom%20logs%20sources%20and%20non-Security%20event%20logs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-977434%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F439770%22%20target%3D%22_blank%22%3E%40ford8k%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAzure%20Sentinel%20is%20built%20using%20Azure%20Log%20Analytics%2C%20and%20that%20has%20a%20Windows%20Event%20Log%20connector%20(it%20shows%20up%20in%20Log%20Analytics%20not%20in%20the%20Sentinel%20connector%20list).%26nbsp%3B%20So%20you%20can%20use%20that%20to%20connect%20your%20EventLogs.%26nbsp%3B%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Fplatform%2Fdata-sources-windows-events%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Fplatform%2Fdata-sources-windows-events%3C%2FA%3E%3C%2FP%3E%0A%3CP%3EIt%20also%20has%20a%20custom%20log%20feature%20so%20importing%20Linux%20or%20Windows%20ascii%20files%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Fplatform%2Fdata-sources-custom-logs%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Fplatform%2Fdata-sources-custom-logs%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1006956%22%20slang%3D%22en-US%22%3ERe%3A%20Ingesting%20custom%20logs%20sources%20and%20non-Security%20event%20logs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1006956%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F439770%22%20target%3D%22_blank%22%3E%40ford8k%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EG%3CSPAN%20style%3D%22display%3A%20inline%20!important%3B%20float%3A%20none%3B%20background-color%3A%20%23ffffff%3B%20color%3A%20%23333333%3B%20cursor%3A%20text%3B%20font-family%3A%20inherit%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20line-height%3A%201.7142%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3Eoto%20to%20this%20site%20this%20a%20method%20to%20digest%20your%20custom%20logs%3A%3C%2FSPAN%3E%3CBR%20%2F%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20style%3D%22display%3A%20inline%20!important%3B%20float%3A%20none%3B%20background-color%3A%20%23ffffff%3B%20color%3A%20%23333333%3B%20cursor%3A%20text%3B%20font-family%3A%20inherit%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20line-height%3A%201.7142%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Fplatform%2Fdata-sources-custom-logs%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Fplatform%2Fdata-sources-custom-logs%3C%2FA%3E%3C%2FFONT%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
ford8k
New Contributor

‎Nov 03 2019 08:01 PM

‎Nov 03 2019 08:01 PM

Ingesting custom logs sources and non-Security event logs

Hi,

 

If we want to ingest a Windows event log that isn't Security, do we need to use some combination of WEF -> PowerShell -> Syslog -> Sentinel?

 

If we want to tail some myapp.log file, can the agent help us or is it a case of writing our own code and - again - crafting syslog messages out of each log entry to send it on to Sentinel?

4,478 Views
0 Likes
3 Replies
Reply
3 Replies
Clive Watson

‎Nov 04 2019 01:04 AM

‎Nov 04 2019 01:04 AM

Re: Ingesting custom logs sources and non-Security event logs

Hi @ford8k 

 

Azure Sentinel is built using Azure Log Analytics, and that has a Windows Event Log connector (it shows up in Log Analytics not in the Sentinel connector list).  So you can use that to connect your EventLogs.  https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-sources-windows-events

It also has a custom log feature so importing Linux or Windows ascii files https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-sources-custom-logs

1 Like
Reply
Roger_Fleming

‎Nov 13 2019 01:37 PM

‎Nov 13 2019 01:37 PM

Re: Ingesting custom logs sources and non-Security event logs

@ford8k

 

Goto to this site this a method to digest your custom logs:

 

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-sources-custom-logs

 

1 Like
Reply
RenatoCampusGiraldo

‎Sep 10 2021 02:42 AM

‎Sep 10 2021 02:42 AM

Re: Ingesting custom logs sources and non-Security event logs

@Roger_Fleming 

Hi all,

I am facing the same issue, I need to collect custom logs that are written by an application as Windows Events. The links that you put up is only about file based custom logs.

 

Does anyone have an input on how to do this?

0 Likes
Reply