Microsoft Tech Community

AMA Agent - trying to send contents of /var/log/syslog to sentinel

I have an Ubuntu 20.04 log forwarder that is receiving syslog from a network device.

I am using the AMA (even though it is in public preview) as Microsoft recommend, due to the OMS being deprecated.

Example contents of /var/log/syslog that I would like to send to Sentinel:


Jan 16 03:07:14 Device-ECV01 mgmtd[10834]: Orchestrator@- action ALARM clear_alarm succeeded params:param_1=0 ,alarm_type=65537 ,param_2=0 ,param_3=to_ManchesterOpera2-ECV01_EMEA_Internet_2-EMEA_Internet_2 ,comment=Tunnel state is Down
Jan 16 03:07:18 Device-ECV01 mgmtd[10834]: Orchestrator@- action ALARM delete_alarm_num succeeded params:alarm_num=2510
Jan 16 03:07:18 Device-ECV01 mgmtd[10834]: Orchestrator@- action ALARM delete_alarm_num succeeded params:alarm_num=2509
Jan 16 03:08:47 Device-ECV01 mgmtd[10834]: Orchestrator@- action SYSTEM key/status succeeded

I have set up a DCR to ingest the logs as so (troubleshooting - so enabling everything).

However these events are not being sent to the workspace.

When I create a dummy event on the Linux log forwarder using the below command, it does appear in Sentinel, which makes me think the AMA connection to Sentinel is OK.



logger -p local4.warn -P 514 -n --rfc3164 -t CEF "0|DeviceVendorName-Test16012023|DeviceProduct-Test|common=event-format-test|end|TRAFFIC|1|rt=$common=event-formatted-receive time"
Can anyone assist with what else I need to do to get this working?
1 Reply
The procedure is a bit different for VMs in Azure vs on-prem.

I have tested this with the latest versions of Red Hat and Ubuntu, on both on-prem VMs and in Azure.

For Azure VMs:
- Create a DCR and configure your syslog facilities.
- In Sentinel, you don't need to do anything! (Since the DCR points the data to your workspace.)

For an on-prem VM, just make sure you install the Arc agent first, then create your DCR for syslog.

A very simple test:

On your Linux server, type "logger testing123"

In Sentinel > Logs, type "search testing123". You will see your logs show up in the syslog table in about 5-10 minutes, depending on when you pushed out your DCR.

Only consider AMA/CEF if you are trying to collect CEF logs from somewhere. My most common example is when there is a third-party log source like Palo Alto that I want to pull into Sentinel.
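The following is an added example, not code from the thread or from Microsoft, that scripts the test the reply describes (emit a message with logger, then look for it in Sentinel) and adds the local check the question skipped: before querying the workspace, confirm the marker reached /var/log/syslog, which separates an rsyslog problem from an AMA/DCR problem. The marker is emitted at local4.warning to match the priority of the question's dummy event. Assumptions: /var/log/syslog as the local file (Ubuntu's default, overridable through SYSLOG_FILE), the AMA_CHECK_LIVE variable and the ama-check tag are this script's own inventions, and the Syslog table columns are the standard Log Analytics schema.

```shell
#!/bin/sh
# Added example: end-to-end check of the AMA syslog path on a Linux forwarder.
# Step 1: emit a uniquely tagged test message with logger.
# Step 2: confirm the local rsyslog half wrote it to the local syslog file.
# Step 3: print the KQL that confirms the Sentinel half.
set -u

SYSLOG_FILE="${SYSLOG_FILE:-/var/log/syslog}"   # assumed path; Ubuntu default

# A marker that cannot collide with real device messages (timestamp + PID).
make_marker() {
    printf 'ama-check-%s-%s' "$(date +%s)" "$$"
}

# Emit the marker at the given facility.severity; the default matches the
# local4.warn priority used by the question's dummy event. Tag is assumed.
emit_marker() {
    marker=$1; prio=${2:-local4.warning}
    logger -p "$prio" -t ama-check "$marker"
}

# Poll a log file until the marker shows up or the timeout (seconds) expires.
# Returns 0 when found, 1 otherwise.
wait_for_marker() {
    file=$1; marker=$2; timeout=${3:-10}
    i=0
    while [ "$i" -lt "$timeout" ]; do
        if grep -q -- "$marker" "$file" 2>/dev/null; then
            return 0
        fi
        i=$((i + 1)); sleep 1
    done
    return 1
}

# KQL for the Sentinel half. The reply uses the plain `search` operator; this
# narrows it to the Syslog table and projects Facility and SeverityLevel, the
# two fields a DCR's syslog data source filters on.
kql_for_marker() {
    marker=$1
    printf 'Syslog\n| where TimeGenerated > ago(1h)\n| where SyslogMessage has "%s"\n| project TimeGenerated, Computer, Facility, SeverityLevel, SyslogMessage\n' "$marker"
}

main() {
    marker=$(make_marker)
    emit_marker "$marker" "${1:-local4.warning}"
    if wait_for_marker "$SYSLOG_FILE" "$marker" 15; then
        echo "local rsyslog delivery OK: $marker is in $SYSLOG_FILE"
    else
        echo "marker not found in $SYSLOG_FILE: fix rsyslog before looking at AMA or the DCR" >&2
        exit 1
    fi
    echo "now run this in Sentinel > Logs (allow 5-10 minutes):"
    kql_for_marker "$marker"
}

# The live check only runs when explicitly requested, so the functions can be
# sourced and exercised against a sample file without a syslog daemon.
if [ "${AMA_CHECK_LIVE:-0}" = "1" ]; then
    main "$@"
fi
```

Run it on the forwarder with `AMA_CHECK_LIVE=1 sh ama-check.sh local4.warning`; if the marker lands locally but the KQL returns nothing after the ingestion delay, the remaining suspects are the DCR association and the facility/severity selection rather than rsyslog.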