Windows Data Collector(instead of Linux) for Firewall Logs

Occasional Contributor

Hi,

 

I am planning in implementation of Azure Sentinel. As part of it it, I need to design a solution to forward firewall(Palo Alto) logs into sentinel. But the organization uses only Windows OS for whole fleet.

 

Is there any possibility that I can use Windows OS as on-premises log collector for Sentinel ?

 

Thanks,

R   

3 Replies
The built-in PaloAlto connector is for Linux (as I guess you have seen), for Windows you have two choices.
1. Does the Firewall write to the Windows Event log, you could collect the EventId's from there (using the MMA or AMA)? https://docs.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-overview
2. Can you output a custom log file, and use the custom log feature to read that file? https://docs.microsoft.com/en-us/azure/azure-monitor/agents/data-sources-custom-logs
Thanks, @Clive. Do you have any reference documentation that I could use to configure Firewall logs to Windows Event Logs ?
This will depend on how the product you use writes its logs, if they go to the Event Viewer on Windows then you can look at https://docs.microsoft.com/en-us/azure/azure-monitor/agents/data-sources-windows-events , however these will probably be classed as Security Events, so you need to use ASC (see link) or you can use Azure Sentinel https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events?tabs=LAA