Official guidelines for running Sentinel and MCAS agents on same on-prem machine


While agents are not yet integrated, can we get a recommended reference setup for running both on one on-prem machine?


The goal is to pass one Syslog stream from on-prem firewall to both agents. This can be done by:

1. Sending the Syslog stream to Linux,

2. copying the stream to a loopback port (for MCAS),

3. saving it to a local file for the Sentinel OMS agent.

Just want to get a "certified" config for rsyslog and/or syslog-ng to deliver this agent co-existence use case, and want to avoid time-wasting troubleshooting of any well-known issues.


We would like to stick with defaults as much as possible and avoid modification to appliances like the MCAS software container, which is pre-built to listen on port 514. If there is a syslog-ng daemon running on the host machine, the default port can be busy. Docker can be tuned by updating the initiation string like this: "... docker run --name MCASAGENT -p 1514:514/udp ..."


Looks like this has been discussed for at least 2 years, but there is no visible progress with this.

References - previous discussions on the subject:

Any plan to integrate/send MCAS activity events to Sentinel (https://techcommunity.microsoft.com/t5/microsoft-cloud-app-security/any-plan-to-integrate-send-mcas-activity-events-to-sentinel/m-p/2069600#M1473)

Linux Connectors - MCAS & Sentinel (https://techcommunity.microsoft.com/t5/microsoft-cloud-app-security/linux-connectors-mcas-amp-sentinel/m-p/776798)

Cloud Discovery Data Import - Sentinel vs Cloud App Sec (https://techcommunity.microsoft.com/t5/microsoft-cloud-app-security/cloud-discovery-data-import-sentinel-vs-cloud-app-sec/m-p/1177140)
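An rsyslog configuration that implements the three steps the post asks about (receive the firewall stream on UDP/514, copy it to the loopback port that the MCAS collector container publishes as 1514/udp, and write the raw lines to a local file for the Sentinel OMS agent). This is an added example, not a certified or official configuration from Microsoft or from the thread; the port numbers follow the post, while the file path /var/log/firewall/firewall.log, the ruleset name, the config file path and the group name are assumptions.

```rsyslog
# /etc/rsyslog.d/10-firewall-split.conf (path is an assumption)
# Receive the firewall syslog stream on UDP/514 and bind it to a dedicated
# ruleset so it never mixes with the host's own logs in the default ruleset.
module(load="imudp")
input(type="imudp" port="514" ruleset="fwsplit")

# Forward the message byte-for-byte as received: the default forwarding
# template rewrites the header, and the MCAS collector expects the
# firewall's native format.
template(name="fwRaw" type="string" string="%rawmsg%")
# One raw line per record in the file the Sentinel OMS agent tails.
template(name="fwRawLine" type="string" string="%rawmsg%\n")

ruleset(name="fwsplit") {
    # Copy 1: MCAS log collector container, started with
    # "docker run ... -p 1514:514/udp ...", so it listens on loopback 1514
    # and the host's own 514 listener above does not collide with it.
    action(type="omfwd"
           target="127.0.0.1" port="1514" protocol="udp"
           template="fwRaw")

    # Copy 2: local file for the Sentinel OMS agent (custom log collection).
    # Create the directory if missing; keep the file unreadable to others but
    # readable by the group the agent's user belongs to (group name is an
    # assumption; adjust it to match the agent user on the host).
    action(type="omfile"
           file="/var/log/firewall/firewall.log"
           template="fwRawLine"
           createDirs="on"
           fileOwner="root" fileGroup="omsagent"
           fileCreateMode="0640" dirCreateMode="0750")
}
```

Because rsyslog is now the sender, the collector sees 127.0.0.1 rather than the firewall as the source address, so the MCAS data source must be identified by its receiving port, not by source IP. Add a logrotate rule for the file so the second copy kept for Sentinel does not fill the disk.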
