Windows Data Collector (instead of Linux) for Firewall Logs


Hi,

I am planning an implementation of Azure Sentinel. As part of it, I need to design a solution to forward firewall (Palo Alto) logs into Sentinel. But the organization uses only Windows OS for the whole fleet.

Is there any possibility that I can use Windows OS as an on-premises log collector for Sentinel?

Thanks,

R   

3 Replies
The built-in Palo Alto connector is for Linux (as I guess you have seen); for Windows you have two choices.
1. Does the firewall write to the Windows Event Log? If so, you could collect the Event IDs from there (using the MMA or AMA): https://docs.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-overview
2. Can you output a custom log file, and use the custom log feature to read that file? https://docs.microsoft.com/en-us/azure/azure-monitor/agents/data-sources-custom-logs
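What the two options in the reply above look like on an actual Windows collector, as an added example that is not part of this thread or of any Microsoft or Palo Alto documentation: a small PowerShell script that listens for syslog over UDP (Palo Alto firewalls can be configured to forward syslog to a host), strips the RFC 3164 priority prefix, and writes each message both into a custom Windows event log (option 1, collectable by the MMA/AMA as Windows events) and into a line-delimited text file with a leading timestamp (option 2, readable by the custom log data source). The log name `PaloAltoSyslog`, source `PAN-OS`, event ID 1000, file path and port are assumptions chosen for the example, and the sample line in the comments is constructed.

```powershell
# Added example (not from the original thread): bridge syslog received from a
# firewall into (1) a custom Windows Event Log and (2) a timestamped text file.
# Assumptions: the firewall forwards syslog to this host on UDP/514; the log
# name, source, event ID and file path below are hypothetical choices.
# Run from an elevated PowerShell session (New-EventLog needs admin rights)
# and open inbound UDP/514 on the Windows firewall for the sender.

$LogName  = 'PaloAltoSyslog'
$Source   = 'PAN-OS'
$EventId  = 1000
$FilePath = 'C:\Logs\paloalto.log'
$Port     = 514

# Create the custom event log and source once; skip if they already exist.
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName $LogName -Source $Source
}
New-Item -ItemType Directory -Path (Split-Path $FilePath) -Force | Out-Null

function ConvertFrom-SyslogLine {
    # Splits an RFC 3164 line such as the constructed sample
    #   "<14>Jan 10 12:00:00 fw01 1,2021/01/10 12:00:00,001234,TRAFFIC,end,..."
    # into facility, severity and body. PRI = facility * 8 + severity.
    param([string]$Line)
    if ($Line -match '^<(\d{1,3})>(.*)$') {
        $pri = [int]$Matches[1]
        return [pscustomobject]@{
            Facility = [math]::Floor($pri / 8)
            Severity = $pri % 8
            Body     = $Matches[2]
        }
    }
    # Not syslog-framed: keep the text, mark facility/severity as unknown.
    return [pscustomobject]@{ Facility = -1; Severity = -1; Body = $Line }
}

function Write-BridgedEntry {
    param([string]$Raw, [string]$Sender)
    $entry = ConvertFrom-SyslogLine -Line $Raw

    # Map syslog severity to an event log entry type:
    # 0-3 (emerg..err) -> Error, 4 (warning) -> Warning, anything else -> Information.
    $type = switch ($entry.Severity) {
        { $_ -ge 0 -and $_ -le 3 } { 'Error' }
        4                          { 'Warning' }
        default                    { 'Information' }
    }
    $message = "sender=$Sender facility=$($entry.Facility) severity=$($entry.Severity) $($entry.Body)"

    # Option 1: a Windows event the MMA/AMA can collect from the custom log.
    Write-EventLog -LogName $LogName -Source $Source -EventId $EventId -EntryType $type -Message $message

    # Option 2: one record per line with the timestamp first, so the custom
    # log data source can delimit records on the leading timestamp.
    $stamp = (Get-Date).ToUniversalTime().ToString('yyyy-MM-dd HH:mm:ss')
    Add-Content -Path $FilePath -Value "$stamp $message" -Encoding UTF8
}

# Receive datagrams and bridge each one; Ctrl+C stops the loop.
$udp    = New-Object System.Net.Sockets.UdpClient($Port)
$remote = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 0)
try {
    while ($true) {
        $bytes = $udp.Receive([ref]$remote)
        $raw   = [System.Text.Encoding]::UTF8.GetString($bytes).TrimEnd("`r", "`n")
        Write-BridgedEntry -Raw $raw -Sender $remote.Address.ToString()
    }
}
finally {
    $udp.Close()
}
```

Two practical notes for whichever option is used: for option 1 the agent must be told to read the custom log by name (with the AMA, a data collection rule using a custom XPath such as `PaloAltoSyslog!*`), since the default Windows event collection only covers the standard logs; for option 2 the file grows without bound as written, so add rotation before running it unattended, and run the script as a scheduled task or service so collection does not depend on an interactive session.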
Thanks, @Clive. Do you have any reference documentation that I could use to configure Firewall logs to Windows Event Logs?
This will depend on how the product you use writes its logs. If they go to the Event Viewer on Windows, then you can look at https://docs.microsoft.com/en-us/azure/azure-monitor/agents/data-sources-windows-events ; however, these will probably be classed as Security Events, so you need to use ASC (see link), or you can use Azure Sentinel: https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events?tabs=LAA