Microsoft Tech Community

AMA Agent - trying to send contents of /var/log/syslog to sentinel

Copper Contributor

Hello,

I have an Ubuntu 20.04 log forwarder that is receiving syslog from a network device.

I am using the AMA (even though it is in public preview), as Microsoft recommends, due to the OMS being deprecated.

Example contents of /var/log/syslog that I would like to send to Sentinel:

Jan 16 03:07:14 Device-ECV01 mgmtd[10834]: Orchestrator@- action ALARM clear_alarm succeeded params:param_1=0 ,alarm_type=65537 ,param_2=0 ,param_3=to_ManchesterOpera2-ECV01_EMEA_Internet_2-EMEA_Internet_2 ,comment=Tunnel state is Down
Jan 16 03:07:18 Device-ECV01 mgmtd[10834]: Orchestrator@- action ALARM delete_alarm_num succeeded params:alarm_num=2510
Jan 16 03:07:18 Device-ECV01 mgmtd[10834]: Orchestrator@- action ALARM delete_alarm_num succeeded params:alarm_num=2509
Jan 16 03:08:47 Device-ECV01 mgmtd[10834]: Orchestrator@- action SYSTEM key/status succeeded

I have set up a DCR to ingest the logs as so (troubleshooting, so enabling everything):

[image: sentinel1.png]

However, these events are not being sent to the workspace.

When I create a dummy event on the Linux log forwarder using the command below, it does appear in Sentinel, which makes me think the AMA connection to Sentinel is OK.

logger -p local4.warn -P 514 -n 127.0.0.1 --rfc3164 -t CEF "0|DeviceVendorName-Test16012023|DeviceProduct-Test|common=event-format-test|end|TRAFFIC|1|rt=$common=event-formatted-receive time"

[image: sentinel2.png]

Can anyone assist with what else I need to do to get this working?

Thanks

1 Reply
The procedure is a bit different for VMs in Azure vs. on-prem.

I have tested this with the latest versions of Red Hat and Ubuntu, on both on-prem VMs and in Azure.

For Azure VMs:
- Create a DCR and configure your syslog facilities.
- In Sentinel, you don't need to do anything! (Since the DCR points the data to your workspace.)

For an on-prem VM, just make sure you install the Arc agent first, then create your DCR for syslog.

A very simple test:

On your Linux server, type "logger testing123".

In Sentinel > Logs, type "search testing123". You will see your logs show up in the Syslog table in about 5-10 minutes, depending on when you pushed out your DCR.

Only consider AMA/CEF if you are trying to collect CEF logs from somewhere. My most common example is when there is a 3rd-party log source like Palo Alto that I want to pull into Sentinel.
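The reply's advice ("configure your syslog facilities", then verify with `logger testing123`) hinges on one detail the question cannot show: /var/log/syslog never contains the PRI field, so you cannot tell from those lines which facility and severity the network device is actually sending, and whether the DCR's facility/level selection covers it. The `logger -p local4.warn` test proves the agent path works for local4 only. The script below is an added example, not code from the original thread or from Microsoft: it decodes the PRI of raw syslog datagrams (as captured with `tcpdump -A -n udp port 514` on the forwarder, or as logged by an rsyslog template using `%syslogfacility-text%` and `%syslogseverity-text%`), encodes the PRI that a given `logger -p facility.level` puts on the wire, and checks each message against a simplified "facility:minimum_level" selection. That rule syntax and the names used for RFC 3164's reserved facilities 12-15 are assumptions of this script; the real DCR stores the selection as JSON. The sample datagrams are constructed for the example.

```shell
#!/bin/sh
# Added example for this thread (not code from the original post or from
# Microsoft): decode the PRI of a raw syslog datagram and check it against a
# DCR-style "facility:minimum_level" selection. POSIX sh only.
# Assumptions: the "fac:level fac:level" rule syntax is invented for this
# script (a real DCR stores facilities and log levels as JSON), and the names
# for facilities 12-15 are placeholders for RFC 3164's reserved codes.

FACILITIES="kern user mail daemon auth syslog lpr news uucp cron authpriv ftp ntp logaudit logalert clock local0 local1 local2 local3 local4 local5 local6 local7"
SEVERITIES="emerg alert crit err warning notice info debug"

# nth INDEX WORD... : print the word at 0-based INDEX
nth() {
    idx=$1; shift; i=0
    for w in "$@"; do
        if [ "$i" -eq "$idx" ]; then printf '%s\n' "$w"; return 0; fi
        i=$((i + 1))
    done
    return 1
}

# index_of NAME WORD... : print the 0-based position of NAME among the words
index_of() {
    name=$1; shift; i=0
    for w in "$@"; do
        if [ "$w" = "$name" ]; then printf '%s\n' "$i"; return 0; fi
        i=$((i + 1))
    done
    return 1
}

# Map the severity aliases logger(1) accepts onto the canonical names above.
canon_sev() {
    case $1 in
        warn)  echo warning ;;
        error) echo err ;;
        panic) echo emerg ;;
        *)     echo "$1" ;;
    esac
}

# decode_pri '<164>Jan 16 ...' -> local4.warning   (PRI = facility*8 + severity)
decode_pri() {
    pri=${1#<}; pri=${pri%%>*}
    case $pri in ''|*[!0-9]*) return 1 ;; esac
    fac=$((pri / 8)); sev=$((pri % 8))
    [ "$fac" -le 23 ] || return 1
    printf '%s.%s\n' "$(nth "$fac" $FACILITIES)" "$(nth "$sev" $SEVERITIES)"
}

# encode_pri local4.warn -> 164  (what `logger -p local4.warn` puts on the wire)
encode_pri() {
    f=$(index_of "${1%%.*}" $FACILITIES) || return 1
    s=$(index_of "$(canon_sev "${1#*.}")" $SEVERITIES) || return 1
    echo $((f * 8 + s))
}

# dcr_accepts local4.warning "local4:warning daemon:info *:debug"
# The first rule whose facility matches (or "*") decides. Severity numbers
# grow as messages get less important, so a message is collected when its
# number is <= the rule's minimum level.
dcr_accepts() {
    msg_fac=${1%%.*}
    msg_sev=$(index_of "$(canon_sev "${1#*.}")" $SEVERITIES) || return 1
    for rule in $2; do
        rule_fac=${rule%%:*}
        if [ "$rule_fac" = "$msg_fac" ] || [ "$rule_fac" = '*' ]; then
            min=$(index_of "$(canon_sev "${rule#*:}")" $SEVERITIES) || return 1
            if [ "$msg_sev" -le "$min" ]; then return 0; else return 1; fi
        fi
    done
    return 1
}

# Constructed sample datagrams (not taken from the original post), as they
# reach the forwarder's rsyslog before it strips the PRI on the way into
# /var/log/syslog. The selection below collects only local4 (the facility the
# CEF test in the question uses) and daemon, to show how a device logging to
# local0 vanishes while the logger test still shows up.
DCR_RULES="local4:warning daemon:info"
main() {
    for raw in \
        '<132>Jan 16 03:07:14 Device-ECV01 mgmtd[10834]: action ALARM clear_alarm succeeded' \
        '<164>Jan 16 03:10:00 fwd CEF: 0|DeviceVendorName-Test16012023|DeviceProduct-Test|cef-test' \
        '<13>Jan 16 03:11:00 fwd user: testing123'
    do
        fs=$(decode_pri "$raw") || { echo "no valid PRI: $raw"; continue; }
        if dcr_accepts "$fs" "$DCR_RULES"; then v=collected; else v=DROPPED; fi
        printf '%-15s %-9s %s\n' "$fs" "$v" "${raw#*>}"
    done
}
main
```

Run it as-is to see the three verdicts, then replace the sample datagrams with lines captured from the real device and `DCR_RULES` with the facilities and minimum levels you selected in the DCR. If the device's facility decodes to something the selection does not cover, widen the DCR; if it does decode to a covered facility and level, the selection is not the problem and the next place to look is whether rsyslog on the forwarder is actually handing those messages to the agent rather than only writing them to /var/log/syslog.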