Oct 22 2021 01:11 AM - edited Oct 22 2021 01:12 AM
Hi Community,
We are going to transfer Checkpoint logs to Azure Sentinel via the OMS agent, but we have some trouble and warnings.
The Checkpoint FW sends the logs via CEF to the syslog server.
Do you have any ideas what's going wrong or what is missing in the config?
Thank you!
--------------------------
omsagent.conf:
<source>
type tail
pos_file /backup/syslog/checkpoint/checkpoint.log.pos
path /backup/syslog/checkpoint/checkpoint.log
format none
tag checkpoint
</source>
----------------------
root@XXXXX:~# /opt/microsoft/omsagent/bin/omsagent -c /etc/opt/microsoft/omsagent/$TENANT/conf/omsagent.conf
2021-10-22 08:57:10 +0200 [info]: reading config file path="/etc/opt/microsoft/omsagent/$TENANT/conf/omsagent.conf"
2021-10-22 08:57:10 +0200 [info]: starting fluentd-0.12.40
2021-10-22 08:57:10 +0200 [info]: gem 'fluent-plugin-mdsd' version '0.1.9.pre.build.master.71'
2021-10-22 08:57:10 +0200 [info]: gem 'fluentd' version '0.12.40'
2021-10-22 08:57:10 +0200 [info]: adding source type="tail"
2021-10-22 08:57:10 +0200 [info]: using configuration file: <ROOT>
<source>
type tail
pos_file /backup/syslog/checkpoint/checkpoint.log.pos
path /backup/syslog/checkpoint/checkpoint.log
format none
tag checkpoint
</source>
</ROOT>
2021-10-22 08:57:10 +0200 [info]: following tail of /backup/syslog/checkpoint/checkpoint.log
2021-10-22 08:57:10 +0200 [warn]: no patterns matched tag="checkpoint"
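The warning on the last line is what fluentd prints at startup when a <source> emits a tag that no <match> block in the loaded configuration routes anywhere: the events for that tag are discarded, so from a monitoring point of view the pipeline is silently dropping the firewall logs rather than forwarding them. The following is an added example, not code from the post or from the OMS agent: a small static checker that parses a fluentd config, implements the documented tag-glob rules (`*` is one tag part, `**` is zero or more parts, `{a,b}` is an alternation) and lists source tags that no <match> would accept. The two embedded configs are constructed samples: the first is the config from the post, the second adds a <match checkpoint> block that uses fluentd's built-in stdout output only to make the route visible; which output plugin and parameters the agent actually needs for Sentinel is not covered here.

```python
"""Static check for fluentd configs: find <source> tags that no <match>
block routes. At runtime fluentd reports exactly this situation as
'[warn]: no patterns matched tag="..."' and drops the events."""
import re
from typing import List, Tuple

# Constructed sample: the configuration from the post (no <match> block).
POSTED_CONF = """\
<source>
  type tail
  pos_file /backup/syslog/checkpoint/checkpoint.log.pos
  path /backup/syslog/checkpoint/checkpoint.log
  format none
  tag checkpoint
</source>
"""

# Constructed sample: same source plus a match block. 'stdout' is fluentd's
# built-in output plugin, used here only so the route exists; a real
# deployment would point this block at the agent's Sentinel output.
FIXED_CONF = POSTED_CONF + """
<match checkpoint>
  type stdout
</match>
"""

# Top-level <source>/<match>/<filter> blocks: (kind, header argument, body)
_BLOCK_RE = re.compile(r"<(source|match|filter)(?:\s+([^>]*))?>(.*?)</\1>", re.S)


def glob_to_regex(pattern: str) -> "re.Pattern":
    """Translate one fluentd match pattern into an anchored regex.
    '*' matches one tag part (no dots), '**' matches zero or more parts,
    'a.**' also matches the bare tag 'a', '{a,b}' is an alternation."""
    out: List[str] = []
    depth = 0
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if pattern.startswith(".**", i):
            out.append(r"(?:\..*)?")   # optional trailing parts
            i += 3
        elif pattern.startswith("**", i):
            out.append(r".*")
            i += 2
        elif c == "*":
            out.append(r"[^.]*")       # exactly one tag part
            i += 1
        elif c == "{":
            depth += 1
            out.append("(?:")
            i += 1
        elif c == "}" and depth:
            depth -= 1
            out.append(")")
            i += 1
        elif c == "," and depth:
            out.append("|")
            i += 1
        else:
            out.append(re.escape(c))   # literal character, including '.'
            i += 1
    if depth:
        raise ValueError(f"unbalanced braces in pattern {pattern!r}")
    return re.compile("^" + "".join(out) + "$")


def tag_matches(tag: str, match_spec: str) -> bool:
    """A <match> header may carry several whitespace-separated patterns."""
    return any(glob_to_regex(p).match(tag) for p in match_spec.split())


def parse_conf(text: str) -> Tuple[List[str], List[str]]:
    """Return (tags emitted by <source> blocks, <match> header patterns)."""
    tags, matches = [], []
    for kind, arg, body in _BLOCK_RE.findall(text):
        if kind == "source":
            m = re.search(r"^\s*tag\s+(\S+)", body, re.M)
            tags.append(m.group(1) if m else "")   # untagged source -> ""
        elif kind == "match":
            matches.append((arg or "").strip())
    return tags, matches


def unmatched_tags(text: str) -> List[str]:
    """Source tags that no <match> block in the config would route."""
    tags, matches = parse_conf(text)
    return [t for t in tags if not any(tag_matches(t, m) for m in matches)]


if __name__ == "__main__":
    for name, conf in (("posted", POSTED_CONF), ("fixed", FIXED_CONF)):
        print(f"{name}: unmatched tags = {unmatched_tags(conf) or 'none'}")
```

Run against the posted config the checker reports `checkpoint` as unrouted, which is the same condition the agent logged; against the second sample it reports nothing. The matcher follows fluentd's documented glob semantics (`a.*` matches `a.b` but not `a` or `a.b.c`; `a.**` matches `a`, `a.b` and `a.b.c`), so it can also be pointed at the multi-pattern `<match>` headers that agent-generated configs use.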