Apr 27 2022 04:40 AM
Do I still need the old Log Analytics agent to ingest CEF logs and set up a (Fortinet) data connector to get properly parsed logs into "CommonSecurityLog", as it seems the AMA can't do that yet (for now)?
Or can I use Logstash (which uses the REST API) to ingest data into a custom log table and then transform it to "CommonSecurityLog"? The important part is that I want to use the many data connectors that are already available in Sentinel.
https://docs.microsoft.com/en-us/azure/sentinel/connect-logstash: here it says it uses the REST API.
https://docs.microsoft.com/en-us/azure/azure-monitor/logs/custom-logs-overview#tables: here it says it uses the "custom logs API" to ingest logs, which can be transformed into one of the supported built-in tables.
Apr 27 2022 10:22 AM
Apr 27 2022 10:21 PM - edited Apr 27 2022 10:25 PM
Yes, which will be EOL soon. So I don't feel like installing something that will be gone or deprecated in 2 years.
So the next logical step would be the AMA, which doesn't support CEF (yet).
That's why I'm looking at Logstash, which technically uses the REST API output and (as I understand it) should be able to transform from custom log tables to CommonSecurityLog tables with the new DCE/DCR feature.
So can I use the data connectors (like Fortinet; it was just an example) in that scenario?
It seems to me Microsoft is just pushing way too many public preview features at the same time, and it's getting really confusing which long-term, reliable solution to go for 🙂
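To make concrete what "properly parsed" means for the CommonSecurityLog destination discussed in this thread, here is an added example (mine, not from the thread or from Microsoft) in Python that parses one CEF record into the column names that table uses. The sample line is constructed, and the header and extension column mappings are assumed from the table schema rather than taken from the page.

```python
import re

# Constructed sample CEF line (made-up values, not from any real device).
SAMPLE_CEF = (
    "CEF:0|Fortinet|Fortigate|v6.4|traffic|forward accept|3|"
    "src=10.0.0.5 dst=203.0.113.9 spt=51515 dpt=443 proto=TCP act=accept "
    "msg=out\\=bound rule=web-out"
)

# CEF header order -> CommonSecurityLog columns (assumed from the table schema).
HEADER_COLUMNS = ["DeviceVendor", "DeviceProduct", "DeviceVersion",
                  "DeviceEventClassID", "Activity", "LogSeverity"]
# Common CEF extension keys -> CommonSecurityLog columns (assumed mapping);
# keys not listed here are kept in AdditionalExtensions as "k=v;k=v".
EXTENSION_COLUMNS = {"src": "SourceIP", "dst": "DestinationIP", "spt": "SourcePort",
                     "dpt": "DestinationPort", "proto": "Protocol",
                     "act": "DeviceAction", "msg": "Message"}

def split_header(text):
    """Split the seven CEF header fields on '|', honouring the '\\|' escape."""
    parts, cur, i = [], [], 0
    while i < len(text) and len(parts) < 7:
        if text[i] == "\\" and i + 1 < len(text) and text[i + 1] == "|":
            cur.append("|"); i += 2; continue
        if text[i] == "|":
            parts.append("".join(cur)); cur = []
        else:
            cur.append(text[i])
        i += 1
    parts.append(text[i:])  # remainder is the extension string, left untouched
    return parts

def parse_cef(line):
    """Parse one CEF record into a dict keyed by CommonSecurityLog column names."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    fields = split_header(line[4:])
    if len(fields) != 8:
        raise ValueError("malformed CEF header")
    record = {"CefVersion": fields[0]}
    record.update(zip(HEADER_COLUMNS, fields[1:7]))
    # Extension values may contain spaces and '\=' escapes, so cut on
    # unescaped "key=" boundaries rather than on every space.
    ext = fields[7]
    keys = list(re.finditer(r"(?:^|\s)([A-Za-z0-9_.]+)=", ext))
    extra = []
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        value = ext[m.end():end].replace("\\=", "=").replace("\\\\", "\\")
        col = EXTENSION_COLUMNS.get(m.group(1))
        if col:
            record[col] = value
        else:
            extra.append(f"{m.group(1)}={value}")
    record["AdditionalExtensions"] = ";".join(extra)
    return record
```

A DCR transformation doing the same job would express this mapping in KQL against the custom table instead of in Python, but the fields it has to produce are the ones shown here.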
Apr 28 2022 02:39 AM