Ingesting custom logs sources and non-Security event logs

ford8k · ‎11-03-2019

Hi,

If we want to ingest a Windows event log that isn't Security, do we need to use some combination of WEF -> PowerShell -> Syslog -> Sentinel?

If we want to tail some myapp.log file, can the agent help us or is it a case of writing our own code and - again - crafting syslog messages out of each log entry to send it on to Sentinel?

Clive Watson · ‎11-04-2019

Hi @ford8k

Azure Sentinel is built using Azure Log Analytics, and that has a Windows Event Log connector (it shows up in Log Analytics not in the Sentinel connector list). So you can use that to connect your EventLogs. https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-sources-windows-events

It also has a custom log feature so importing Linux or Windows ascii files https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-sources-custom-logs

Roger_Fleming · ‎11-13-2019

@ford8k

Goto to this site this a method to digest your custom logs:

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-sources-custom-logs

Ingesting custom logs sources and non-Security event logs

Ingesting custom logs sources and non-Security event logs

Re: Ingesting custom logs sources and non-Security event logs

Re: Ingesting custom logs sources and non-Security event logs