Failed to configure/use CEF syslog facility

Question

Hello,
&nbsp;
I'm stuck with the configuration of CEF connector as described at&nbsp;https://docs.microsoft.com/en-us/azure/sentinel/connect-common-event-format. I have chosen to go for an automatic deployment, so I'd expect everything works out of the box, but still I have issues:
- There seems to be no process listening on UDP (or TCP) port 514 in the created VM. I had to modify several lines in the config to enable this.
- When sending messages to this port, nothing gets forwarded to port 25226
- When sending messages directly to port 25226, I encounter the following warning message in omsagent.log:&nbsp;&nbsp;pattern not match: "blabla"
Is there a command line or utility I can use to send a simple CEF text message and have it been acquired by the VM and sent to Sentinel? The CommonSecurityLogs table remains desperately empty...
&nbsp;
Thanks for the help!
&nbsp;
Etienne

rohan cragg · Answer

Thanks&nbsp;Chris Boehm&nbsp;&nbsp;We eventually got this working, and we think (thought not sure) that the problem was more that the logs being sent from Fortinet applicance were not yet in the CEF format - which we went and fixed.&nbsp;Admittedly I did go a try a few other things so not 100% what fixed this for us but we're all good now.

chris boehm · Answer

Rohan Cragg&nbsp;
Etienne Noiret&nbsp;
&nbsp;
Whenever you're configuring the rsyslog service we're pushing a security_events.conf file as part of the integration process ( creating a listener for port 25226 )
&nbsp;
Example in the steps:
&nbsp;
Download and install the security_events config file that configures the Syslog agent to listen on port 25226. 
sudo wget -O /etc/opt/microsoft/omsagent/{0}/conf/omsagent.d/security_events.conf "https://aka.ms/syslog-config-file-linux"
Where {0} should be replaced with your workspace GUID.
&nbsp;
&nbsp;
Security_events.conf
&nbsp;
&lt;source&gt;&nbsp; type syslog&nbsp; port 25226&nbsp; bind 127.0.0.1&nbsp; protocol_type udp&nbsp; tag oms.security&nbsp; format /^(?&lt;time&gt;(?:\w+ +){2,3}(?:\d+:){2}\d+):? ?(?:(?&lt;host&gt;[^: ]+) ?:?)? (?&lt;ident&gt;[a-zA-Z0-9_%/\.\-]*)(?:$$(?&lt;pid&gt;[0-9]+)$$)?: *(?&lt;message&gt;.*)$/&nbsp; message_length_limit 4096&lt;/source&gt;
&lt;filter oms.security.**&gt;&nbsp; type filter_syslog_security&lt;/filter&gt;
&nbsp;
&nbsp;
You'll note the config file has UDP, please move it to TCP if you're using TCP and restart the service.
This should fix the communication issues
&nbsp;
I'd advise following this doc for testing your communication:&nbsp;https://docs.microsoft.com/en-gb/azure/sentinel/connect-fortinet#step-3-validate-connectivity&nbsp;
&nbsp;

valon_kolica · Answer

Eliav Levi: Is this something you can speak to? &nbsp;

rohan cragg · Answer

@ seem to have a similar problem trying to configure this:https://docs.microsoft.com/en-gb/azure/sentinel/connect-fortinet#step-1-connect-your-fortinet-appliance-using-an-agent

valon_kolica · Answer

Rohan Cragg&nbsp;
&nbsp;
Chris Boehm : Is this something you could help with?
&nbsp;
Ofer_Shezaf&nbsp;

Forum Discussion

Failed to configure/use CEF syslog facility

Share

Resources