OMSAgent - CEF logs are sent but not appearing in Sentinel

Hi,
We are trying to forward CEF logs to Sentinel using an oms-agent instance. We have successfully onboarded the logs at first, but after about an hour, logs stopped appearing.
We have turned on the debug logs for the agent, which showed that logs were being sent successfully to the workspace. Furthermore, heartbeat logs keep appearing in Sentinel too.

Rsyslog is properly configured, and tcpdump indeed also shows traffic as expected.
Any idea what may cause the logs to stop appearing in the log analytics workspace?
Thanks in advance!

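The post says the agent reports "successfully sent" and heartbeats keep arriving, so the next thing worth checking is on the workspace side: does CEF data from that forwarder actually stop, or does it arrive late? The KQL below is an added example, not from the original post or from Microsoft; it lines up hourly Heartbeat and CommonSecurityLog counts for one forwarder and reports the worst ingestion lag per hour (`ingestion_time()` minus `TimeGenerated`). The forwarder hostname `cef-forwarder` is an assumption; replace it with the `Computer` value your agent reports.

```kql
// Added example (not from the original post). Assumes the forwarder's hostname is
// "cef-forwarder"; in CommonSecurityLog, Computer is the machine running the agent,
// not the Check Point device that produced the event.
let forwarder = "cef-forwarder";
let window = 7d;
let cef = CommonSecurityLog
    | where TimeGenerated > ago(window)
    | where Computer == forwarder
    | extend IngestLag = ingestion_time() - TimeGenerated
    | summarize CefEvents = count(), MaxIngestLag = max(IngestLag) by bin(TimeGenerated, 1h);
let hb = Heartbeat
    | where TimeGenerated > ago(window)
    | where Computer == forwarder
    | summarize Heartbeats = count() by bin(TimeGenerated, 1h);
// Left-join from Heartbeat so hours where the agent was alive but sent no CEF
// show up as CefEvents = 0 instead of disappearing from the result.
hb
| join kind=leftouter cef on TimeGenerated
| project TimeGenerated, Heartbeats, CefEvents = coalesce(CefEvents, 0), MaxIngestLag
| order by TimeGenerated asc
```

Rows with healthy Heartbeats and CefEvents = 0 confirm the gap is between the agent's upload and the table, not a dead forwarder; a large MaxIngestLag in the hour before the gap points to delayed indexing rather than dropped data.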
4 Replies

@csmits I suspect this might have to do with proper parsing. How are your forwarding rules configured on the originating device? What type of device is it? Had something similar happen working with a customer recently, which led to this blog post:
https://secureinfra.blog/2020/07/06/tips-for-parsing-syslog-to-azure-sentinel/

I was having a transient issue yesterday where I would load CEF logs and not be able to query them until 1 hr later, even though ingestion_time() indicated they only took 20 s to arrive. Shortly after, all the logs disappeared again... it was another hour after that before I could see them all again :S.

This was the first time loading CEF logs into this account, perhaps there's some latency in the setup process for the first logs that come through 🤷‍♂️

@rodtrent Thanks for the insight. It is a Check Point device, and the "Check Point" connector has turned green and is thus active. I suspect the parsing is okay, because ingestion does happen.

However, it looks like the ingestion is hitting some rate limits. Logs start reappearing every day between 12:00 and 13:00, after which they stop showing for 24 hours. This is a repetitive cycle. I will check back to see what kind of response is sent when data is ingested (the omsagent logs still show: "successfully sent logs").

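A 24-hour on/off cycle that restarts at the same hour each day is the pattern a workspace daily cap produces, because the cap resets at a fixed time and ingestion stops again once the limit is reached. Whether that is what is happening here can be checked from the workspace itself. The two KQL queries below are an added example, not from the original post or from Microsoft: the first lists the data-collection notices that Log Analytics writes to the Operation table when it stops ingesting over quota, and the second shows billable CommonSecurityLog volume per day so it can be compared with the configured cap. The 7-day window is an assumption; widen it if the cycle has been running longer.

```kql
// Added example (not from the original post). Query 1: daily-cap / over-quota notices.
// Run each query separately in the Logs blade.
Operation
| where TimeGenerated > ago(7d)
| where OperationCategory == "Data Collection"
| where Detail has "OverQuota" or Detail has "daily limit"
| project TimeGenerated, OperationStatus, Detail
| order by TimeGenerated desc

// Query 2: billable CEF volume per day (Usage.Quantity is in MB), to compare
// against the workspace daily cap. If a day's volume flattens at the cap and the
// gap in CommonSecurityLog begins at that point, the cap is the cause.
Usage
| where TimeGenerated > ago(7d)
| where DataType == "CommonSecurityLog"
| where IsBillable == true
| summarize VolumeGB = round(sum(Quantity) / 1024, 2) by bin(StartTime, 1d)
| order by StartTime asc
```

If the first query is empty and daily volume stays well under the cap, the cycle is not a quota problem and the support ticket suggested below is the right next step.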

@csmits: I think such an issue is hard to resolve in the community and is very important for us to resolve. Can you open a support ticket?