cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

AMA agent in linux not sending syslog events

shamed
New Contributor

‎Apr 28 2023 10:23 PM

‎Apr 28 2023 10:23 PM

AMA agent in linux not sending syslog events

We have installed a Linux machine with AMA agent. We have configured DCR at CEF connector page to ingest CEF logs.

 

While i notice CEF logs are being ingested to Sentinel (CommonSecurityEvent) table, i do not see any logs in Syslog table. I have verified in TCPDUMP that there are syslog-formatted messages being sent to the Linux logger.

 

What could be the cause?

Labels:
364 Views
0 Likes
5 Replies
Reply
5 Replies
best response confirmed by shamed (New Contributor)
LucasTrainer

‎Apr 30 2023 11:09 AM

‎Apr 30 2023 11:09 AM

Solution

Re: AMA agent in linux not sending syslog events

It sounds like you might need a second DCR to collect the Syslog events. One DCR will collect CEF, and the second Syslog.
0 Likes
Reply
jeremyhAUS

‎May 03 2023 06:02 PM

‎May 03 2023 06:02 PM

Re: AMA agent in linux not sending syslog events

This is correct. However, you will see that if you do this and enable all facilities on the syslog DCR that ALL events will end up in both tables and you will be paying twice for ingest.
0 Likes
Reply
bobsyouruncle

‎May 05 2023 07:02 AM - edited ‎May 05 2023 08:30 AM

‎May 05 2023 07:02 AM - edited ‎May 05 2023 08:30 AM

Re: AMA agent in linux not sending syslog events

Hi Shamed, I've been down this rabbit hole!


The procedure is a bit different for VMs in Azure vs on-prem.

 

I have tested this with the latest versions of Redhat And Ubuntu, on both on-prem VMs and in Azure.

 

For Azure VMs:
- Create a DCF and configure your syslog facilities.
- In Sentinel, you don't need to do anything! (Since the DCR points the data to your workspace.)

For an on-prem VM, just make sure you install the Arc agent first, then create your DCR for syslog.

 

A very simple test:

On your linux server, type "logger testing123"

In Sentinel > Logs, type "search testing123" . You will see your logs show up in the syslog table in about 5-10 minutes, depending on when you pushed out your DCR.


Only consider AMA/CEF if you are trying to collect CEF logs from somewhere. My most common example is when there is a 3rd party log source like PaloAlto that I want to pull into Sentinel.

0 Likes
Reply
shamed

‎May 05 2023 07:07 AM

‎May 05 2023 07:07 AM

Re: AMA agent in linux not sending syslog events

This is right. I just looked at the DCR for CEF, it was sending the logs to CommonSecurityLog. Hence why the Syslog table was empty. Had to create another DCR
0 Likes
Reply
shamed

‎May 05 2023 07:11 AM

‎May 05 2023 07:11 AM

Re: AMA agent in linux not sending syslog events

Yeap the dedup can be achieved by modifying the DCR and adding a transformKQL to drop all CEF events . However you still end up paying for some of the dropped the dropped logs as per article: https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/data-collection-transformations

KQL that drops CEF logs:
source |
where ProcessName !contains “\“CEF\””

From: https://learn.microsoft.com/en-us/azure/sentinel/connect-cef-syslog

0 Likes
Reply