Microsoft Tech Community
SOLVED

AMA agent in linux not sending syslog events

Copper Contributor

We have installed a Linux machine with the AMA agent. We have configured a DCR on the CEF connector page to ingest CEF logs.

While I notice CEF logs are being ingested into the Sentinel (CommonSecurityEvent) table, I do not see any logs in the Syslog table. I have verified in tcpdump that there are syslog-formatted messages being sent to the Linux logger.

What could be the cause?

5 Replies
best response confirmed by shamed (Copper Contributor)
Solution
It sounds like you might need a second DCR to collect the Syslog events. One DCR will collect CEF, and the second Syslog.
This is correct. However, you will see that if you do this and enable all facilities on the Syslog DCR, ALL events will end up in both tables and you will be paying twice for ingest.

Hi Shamed, I've been down this rabbit hole!

The procedure is a bit different for VMs in Azure vs on-prem.

I have tested this with the latest versions of Red Hat and Ubuntu, on both on-prem VMs and in Azure.

For Azure VMs:
- Create a DCR and configure your syslog facilities.
- In Sentinel, you don't need to do anything! (Since the DCR points the data to your workspace.)

For an on-prem VM, just make sure you install the Arc agent first, then create your DCR for syslog.

A very simple test:

On your Linux server, type "logger testing123".

In Sentinel > Logs, type "search testing123". You will see your logs show up in the Syslog table in about 5-10 minutes, depending on when you pushed out your DCR.

Only consider AMA/CEF if you are trying to collect CEF logs from somewhere. My most common example is when there is a third-party log source like Palo Alto that I want to pull into Sentinel.

This is right. I just looked at the DCR for CEF; it was sending the logs to CommonSecurityLog, hence why the Syslog table was empty. I had to create another DCR.

Yep, the dedup can be achieved by modifying the DCR and adding a transformKQL to drop all CEF events. However, you still end up paying for some of the dropped logs, as per the article: https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/data-collection-transformations

KQL that drops CEF logs:
source |
where ProcessName !contains "\"CEF\""

From: https://learn.microsoft.com/en-us/azure/sentinel/connect-cef-syslog
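To make the two points in this thread concrete (one DCR per table, and the Syslog DCR collecting every facility so CEF rows land in both CommonSecurityLog and Syslog unless a transform drops them), here is a small simulation. It is an added example written for this thread, not code from Microsoft, AMA or the thread participants: the syslog parser is a simplified model of what AMA does, the column names (Facility, SeverityLevel, HostName, ProcessName, ProcessID, SyslogMessage) are those of the Sentinel Syslog table, the sample lines are constructed, and the "CEF DCR listens on local0" assumption is just a stand-in for whatever facility your appliance sends on.

```python
"""Model of how two AMA data collection rules (DCRs) route one syslog
stream: a CEF DCR into CommonSecurityLog and a Syslog DCR into Syslog,
with and without a transform that drops CEF rows from the Syslog DCR.
Simplified simulation written for this thread, not AMA's real parser."""
import re
from collections import Counter

# Standard syslog facility codes 0-23 (facility = PRI // 8).
FACILITY_NAMES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
                  "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
                  "solaris-cron"] + [f"local{i}" for i in range(8)]

# BSD syslog line as the Linux logger forwards it: <PRI>TIMESTAMP HOST TAG[PID]: MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$")

# Constructed sample traffic: two CEF events from a firewall on local0 (PRI 134),
# an sshd event and the "logger testing123" check from the thread (user facility).
SAMPLE_LINES = [
    "<134>Jan 10 10:00:01 pa-fw CEF:0|Palo Alto Networks|PAN-OS|10.2|TRAFFIC|end|3|src=10.0.0.5 dst=10.0.0.9",
    "<13>Jan 10 10:00:02 web01 sshd[1234]: Accepted publickey for alice from 10.0.0.7 port 51234",
    "<14>Jan 10 10:00:03 web01 root: testing123",
    "<134>Jan 10 10:00:04 pa-fw CEF:0|Palo Alto Networks|PAN-OS|10.2|THREAT|vulnerability|8|src=10.0.0.5 dst=10.0.0.9",
]


def parse_syslog(line):
    """Turn a raw line into the columns Sentinel's Syslog table exposes."""
    m = SYSLOG_RE.match(line)
    if m is None:
        raise ValueError(f"not a syslog line: {line!r}")
    pri = int(m["pri"])
    if pri // 8 >= len(FACILITY_NAMES):
        raise ValueError(f"PRI {pri} has no valid facility")
    return {
        "Facility": FACILITY_NAMES[pri // 8],
        "SeverityLevel": pri % 8,
        "HostName": m["host"],
        "ProcessName": m["tag"],      # "CEF" for CEF lines, else "sshd", "root", ...
        "ProcessID": m["pid"],
        "SyslogMessage": m["msg"],
    }


def syslog_transform(row):
    """Row filter equivalent to the thread's transformKql,
    source | where ProcessName !contains "CEF"; True means keep the row."""
    return "CEF" not in row["ProcessName"]


def route(lines, cef_facilities, syslog_facilities, transform=None):
    """Count rows landing in each table for one CEF DCR plus one Syslog DCR."""
    tables = Counter()
    for line in lines:
        row = parse_syslog(line)
        # CEF DCR: listens on its facilities and takes only CEF-tagged lines.
        if row["Facility"] in cef_facilities and row["ProcessName"] == "CEF":
            tables["CommonSecurityLog"] += 1
        # Syslog DCR: takes every line from its facilities, then applies the
        # transform (if any) before the row is stored.
        if row["Facility"] in syslog_facilities:
            if transform is None or transform(row):
                tables["Syslog"] += 1
    return tables


ALL_FACILITIES = set(FACILITY_NAMES)


def demo():
    """Syslog DCR with all facilities enabled: without vs with the CEF filter."""
    duplicated = route(SAMPLE_LINES, {"local0"}, ALL_FACILITIES)
    deduped = route(SAMPLE_LINES, {"local0"}, ALL_FACILITIES, syslog_transform)
    return duplicated, deduped


if __name__ == "__main__":
    dup, dedup = demo()
    print("all facilities, no transform:", dict(dup))
    print("all facilities, drop CEF    :", dict(dedup))
```

With all facilities enabled and no transform, both CEF rows are counted in CommonSecurityLog and again in Syslog (the double ingest described above); with the filter, Syslog keeps only the sshd and testing123 rows. As the linked article notes, the filtered rows are still not entirely free, so narrowing the facilities on the Syslog DCR is the cheaper first step and the transform is the safety net.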
