Linux OMS Agent - "no patterns matched" Checkpoint FW Logs


Hi Community,


We will transfer Checkpoint logs via the OMS agent to Azure Sentinel, but we have some trouble and warnings.


The Checkpoint FW sends the logs via CEF to the syslog server.

Do you have any ideas what's going wrong or missing in the config?


Thank you!

--------------------------

omsagent.conf:

<source>
  type tail
  pos_file /backup/syslog/checkpoint/checkpoint.log.pos
  path /backup/syslog/checkpoint/checkpoint.log
  format none
  tag checkpoint
</source>

----------------------


root@XXXXX:~# /opt/microsoft/omsagent/bin/omsagent -c /etc/opt/microsoft/omsagent/$TENANT/conf/omsagent.conf
2021-10-22 08:57:10 +0200 [info]: reading config file path="/etc/opt/microsoft/omsagent/$TENANT/conf/omsagent.conf"
2021-10-22 08:57:10 +0200 [info]: starting fluentd-0.12.40
2021-10-22 08:57:10 +0200 [info]: gem 'fluent-plugin-mdsd' version '0.1.9.pre.build.master.71'
2021-10-22 08:57:10 +0200 [info]: gem 'fluentd' version '0.12.40'
2021-10-22 08:57:10 +0200 [info]: adding source type="tail"
2021-10-22 08:57:10 +0200 [info]: using configuration file: <ROOT>
  <source>
    type tail
    pos_file /backup/syslog/checkpoint/checkpoint.log.pos
    path /backup/syslog/checkpoint/checkpoint.log
    format none
    tag checkpoint
  </source>
</ROOT>
2021-10-22 08:57:10 +0200 [info]: following tail of /backup/syslog/checkpoint/checkpoint.log
2021-10-22 08:57:10 +0200 [warn]: no patterns matched tag="checkpoint"

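The warning at the end of that startup log means fluentd loaded the `<source>` that emits the tag `checkpoint` but found no `<match>` section whose pattern covers that tag, so the tailed events have nowhere to go. As an added example (not the poster's config and not the OMS agent's own tooling), the Python below reproduces that check over a constructed copy of the config using fluentd's glob rules (`*`, `**`, `{a,b}`); the `<match oms.** mysql.*>` section in the sample is assumed for the demo, not taken from the post.

```python
import re

# Constructed demo config: the poster's <source> plus an assumed <match> that covers other tags only.
SAMPLE_CONF = """
<source>
  type tail
  path /backup/syslog/checkpoint/checkpoint.log
  format none
  tag checkpoint
</source>
<match oms.** mysql.*>
  type stdout
</match>
"""

def pattern_to_regex(pattern):
    """Translate one fluentd <match> pattern into an anchored regex over a
    dot-separated tag: '*' is one tag part, '**' zero or more parts (so
    'oms.**' also matches the bare tag 'oms'), '{a,b}' is an alternative."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith(".**", i):
            out, i = out + r"(?:\..*)?", i + 3
        elif pattern.startswith("**.", i):
            out, i = out + r"(?:.*\.)?", i + 3
        elif pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + r"[^.]*", i + 1
        elif pattern[i] == "{":
            j = pattern.index("}", i)
            alts = "|".join(re.escape(a) for a in pattern[i + 1:j].split(","))
            out, i = out + "(?:" + alts + ")", j + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")

def unmatched_tags(conf_text):
    """Return the <source> tags that no <match> pattern covers: exactly the
    tags fluentd reports at startup as 'no patterns matched tag="..."'."""
    tags = []
    for block in re.findall(r"<source>(.*?)</source>", conf_text, re.S):
        m = re.search(r"^\s*tag\s+(\S+)", block, re.M)
        if m:
            tags.append(m.group(1))
    patterns = [p for hdr in re.findall(r"<match\s+([^>]+)>", conf_text)
                for p in hdr.split()]
    regexes = [pattern_to_regex(p) for p in patterns]
    return [t for t in tags if not any(r.match(t) for r in regexes)]
```

Running `unmatched_tags(SAMPLE_CONF)` reports `['checkpoint']`, the same tag the agent warned about; once a `<match>` whose pattern covers `checkpoint` is added, the list is empty and the warning disappears.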