AMA Agent - trying to send contents of /var/log/syslog to sentinel

Occasional Contributor

Hello,

I have an Ubuntu 20.04 log forwarder that is receiving syslog from a network device.

I am using the AMA (even though it is in public preview), as Microsoft recommends, due to the OMS being deprecated.

Example contents of /var/log/syslog that I would like to send to Sentinel:

Jan 16 03:07:14 Device-ECV01 mgmtd[10834]: Orchestrator@- action ALARM clear_alarm succeeded params:param_1=0 ,alarm_type=65537 ,param_2=0 ,param_3=to_ManchesterOpera2-ECV01_EMEA_Internet_2-EMEA_Internet_2 ,comment=Tunnel state is Down
Jan 16 03:07:18 Device-ECV01 mgmtd[10834]: Orchestrator@- action ALARM delete_alarm_num succeeded params:alarm_num=2510
Jan 16 03:07:18 Device-ECV01 mgmtd[10834]: Orchestrator@- action ALARM delete_alarm_num succeeded params:alarm_num=2509
Jan 16 03:08:47 Device-ECV01 mgmtd[10834]: Orchestrator@- action SYSTEM key/status succeeded

I have set up a DCR to ingest the logs as follows (troubleshooting, so I have enabled everything):

[image: sentinel1.png]

However, these events are not being sent to the workspace.

When I create a dummy event on the Linux log forwarder using the command below, it does appear in Sentinel, which makes me think the AMA connection to Sentinel is OK.

logger -p local4.warn -P 514 -n 127.0.0.1 --rfc3164 -t CEF '0|DeviceVendorName-Test16012023|DeviceProduct-Test|common=event-format-test|end|TRAFFIC|1|rt=$common=event-formatted-receive time'

[image: sentinel2.png]

Can anyone assist with what else I need to do to get this working?

Thanks

0 Replies
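Added example (an editor's addition, not part of the original post and not Microsoft's AMA or Sentinel tooling). The AMA Syslog data source does not tail /var/log/syslog; it receives the messages that the local rsyslog daemon forwards to the agent, and the DCR then keeps only the facilities and minimum log levels selected in the data source. The `logger` test in the post therefore shows that the path from rsyslog through AMA to the workspace works for facility local4 at severity warning, but not that the device's own messages reach AMA with a facility the DCR accepts. The script below parses the traditional `/var/log/syslog` lines quoted in the post, rebuilds each as an RFC 3164 datagram with an explicit facility and severity, and sends it to the same 127.0.0.1:514 listener the post's `logger` test uses, so the message body stays identical while the facility is varied. The sample lines are constructed from the post; the listener address, the default facility/severity and all function names are assumptions of this example.

```python
"""Replay /var/log/syslog lines as RFC 3164 datagrams to a local syslog listener.

Editor's example, not code from the post. Assumptions: rsyslog listens on
UDP 127.0.0.1:514 (as the post's `logger` test implies), and the sample
lines below are constructed from the lines quoted in the post.
"""
import re
import socket

# Standard syslog facility and severity codes (RFC 3164 section 4.1.1).
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    **{f"local{n}": 16 + n for n in range(8)},
}
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3, "error": 3,
    "warning": 4, "warn": 4, "notice": 5, "info": 6, "debug": 7,
}

# Traditional rsyslog file format: "Mon DD HH:MM:SS host tag[pid]: message".
# The day of month is space-padded ("Jan  6"), hence "[ \d]\d".
SYSLOG_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# Constructed sample input: two of the lines quoted in the post.
SAMPLE_LINES = [
    "Jan 16 03:07:14 Device-ECV01 mgmtd[10834]: Orchestrator@- action ALARM "
    "clear_alarm succeeded params:param_1=0 ,alarm_type=65537 ,param_2=0 ,"
    "param_3=to_ManchesterOpera2-ECV01_EMEA_Internet_2-EMEA_Internet_2 ,"
    "comment=Tunnel state is Down",
    "Jan 16 03:08:47 Device-ECV01 mgmtd[10834]: Orchestrator@- action SYSTEM "
    "key/status succeeded",
]


def parse_syslog_line(line: str) -> dict:
    """Split one /var/log/syslog line into ts, host, tag, pid (or None), msg."""
    m = SYSLOG_LINE.match(line.rstrip("\n"))
    if not m:
        raise ValueError(f"not a traditional syslog line: {line!r}")
    return m.groupdict()


def pri(facility: str, severity: str) -> int:
    """RFC 3164 PRI value: facility * 8 + severity (local4.warn -> 164)."""
    try:
        return FACILITIES[facility] * 8 + SEVERITIES[severity]
    except KeyError as exc:
        raise ValueError(f"unknown facility or severity: {exc}") from None


def build_rfc3164(rec: dict, facility: str = "local4", severity: str = "warning") -> bytes:
    """Rebuild a parsed line as "<PRI>TIMESTAMP HOST TAG[PID]: MSG" bytes."""
    tag = rec["tag"] + (f"[{rec['pid']}]" if rec.get("pid") else "")
    message = f"<{pri(facility, severity)}>{rec['ts']} {rec['host']} {tag}: {rec['msg']}"
    return message.encode("utf-8")


def replay(lines, facility: str = "local4", severity: str = "warning",
           host: str = "127.0.0.1", port: int = 514) -> int:
    """Send each line to the local syslog listener over UDP; returns the count sent."""
    sent = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for line in lines:
            datagram = build_rfc3164(parse_syslog_line(line), facility, severity)
            sock.sendto(datagram, (host, port))
            sent += 1
    return sent


if __name__ == "__main__":
    # Same facility/severity as the post's working `logger` test; change the
    # facility to whatever the network device actually uses and re-run.
    print(f"sent {replay(SAMPLE_LINES, 'local4', 'warning')} datagrams")
```

Run it once with the facility/severity of the post's working `logger` test and once with the facility the device actually sends (check with `tcpdump` on the forwarder, or rsyslog's debug output, if unsure), then query the Syslog table for `ProcessName == "mgmtd"`. If the replayed lines arrive under local4 but not under the device's facility, the DCR filter is the problem; if they never arrive, the message itself is not being forwarded by rsyslog to the agent.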