Forum Discussion
Log Forwarder with multiple log sources to Sentinel
Hello Community,
In a Sentinel project we want to connect some on-prem log sources to Log Analytics / Sentinel.
On-prem we have a Linux VM that acts as a log forwarder with syslog-ng and the OMS agent in version 1.13.40-0.
So kind of at the core of this setup:
We also watched this webinar, but it did not answer all of our questions:
https://www.youtube.com/watch?v=jtv-k2CyH-g
We have successfully connected Check Point firewall logs in CEF format. Now we also want to connect Citrix NetScaler logs in syslog format. So far we have not succeeded.
Can we process CEF and syslog from multiple sources with one agent, or do we have to start the agent with a separate config for each log source?
Our configs:
Check Point config:
CEF with Check Point. This is working fine.
OMS Agent Start:
/opt/microsoft/omsagent/ruby/bin/ruby /opt/microsoft/omsagent/bin/omsagent -c /etc/opt/microsoft/omsagent/WorksSpaceID/conf/omsagent_chkp.conf -v -d /tmp/omsagent.pid -o /var/opt/microsoft/omsagent/WorksSpaceID/
omsagent_chkp.conf
<source>
  type tail
  pos_file /backup/syslog/checkpoint/checkpoint.log.pos
  path /backup/syslog/checkpoint/checkpoint.log
  tag checkpoint
  # one format only: this regex parses each line into time, host, ident, pid and message
  format /^(?<time>(?:\w+ +){2,3}(?:\d+:){2}\d+):? ?(?:(?<host>[^: ]+) ?:?)? (?<ident>[a-zA-Z0-9_%\/\.\-]*)(?:\[(?<pid>[0-9]+)\])?: *(?<message>.*)$/
</source>
<filter checkpoint.**>
type filter_syslog_security
</filter>
<match checkpoint>
type out_oms
log_level debug
num_threads 5
</match>
----------------------------------
syslog-ng:
destination security_oms { tcp("127.0.0.1" port(25226)); };
log { source(s_udp); filter(f_netscaler_sources); destination(d_netscaler_backup); destination(security_oms); };
NetScaler config for the omsagent:
Not working:
<source>
  type syslog
  port 25226
  bind 127.0.0.1
  protocol_type tcp
  tag oms.security
  # The commented-out regex only accepts an ident that contains "CEF" (followed by "0|")
  # or a Cisco "%ASA..." id, so a plain NetScaler syslog line cannot match it.
  # format /(?<time>(?:\w+ +){2,3}(?:\d+:){2}\d+|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.[\w\-\:\+]{3,12}):?\s*(?:(?<host>[^: ]+) ?:?)?\s*(?<ident>.*CEF.+?(?=0\|)|%ASA[0-9\-]{8,10})\s*:?(?<message>0\|.*|.*)/
  format none
  # <parse>
  # message_format auto
  # </parse>
</source>
<filter oms.security.**>
  type filter_syslog
</filter>
# in_syslog emits events tagged "<tag>.<facility>.<severity>" (e.g. oms.security.local0.info);
# the original "<match syslog>" never matches such tags, so those events would not reach out_oms.
<match oms.security.**>
  type out_oms
  log_level debug
  num_threads 5
</match>
Command to start the second instance for the NetScaler logs:
/opt/microsoft/omsagent/bin/omsagent -c /etc/opt/microsoft/omsagent/WorksSpaceID/conf/omsagent_netscaler.conf -v -d /tmp/omsagent.pid -o /var/opt/microsoft/omsagent/WorksSpaceID/log/omsagent_netscaler.log
Error:
2021-12-10 15:10:57 +0100 [warn]: plugin/in_syslog.rb:230:block in parse_text: pattern not match: "\""
2021-12-10 15:10:57 +0100 [debug]: plugin/omslog.rb:10:block in <class:Log>: Failed to get the IP for
------------------------
The error:
It logs "Failed to get the IP for..." for all NetScaler logs. Probably the format does not fit here.
Any ideas?
Thank you! 🙂
- SentNewbie (Copper Contributor)
Hey, did you get anywhere with this?
I'm in a similar position: we've got firewall logs coming through as CEF (successfully) and a Citrix NetScaler whose logs are coming into port 514, but the log forwarder is not pushing those logs to port 25226.
I've created the rules and even tried it on port 25224 (as per the Sentinel guides for syslog), but I can't seem to get the logs from incoming port 514 to 127.0.0.1:25226 and then to Sentinel.
I've configured the filters using rsyslog, and added everything needed for the logs.
- AndrePKI (Iron Contributor)
Garfield-P, what does the raw message sent by the device look like?
Does it have CEF=0 or CEF=1?
Cisco is notable for replacing parts with ASA, FTD, etc. Most likely the message does not match the regex.
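As an added example, not code from any of the posters: a small Ruby script that runs the two regexes from the posted omsagent configs (the tail regex in omsagent_chkp.conf and the commented-out CEF regex in the NetScaler source) against constructed sample lines, and then checks how Fluentd's tag routing treats the match patterns from the NetScaler config. The two log lines are invented for this example and assume the forwarder hands over "$DATE $HOST $MSG" with the <PRI> prefix already stripped; the tag-matching helper is a simplified reimplementation of Fluentd's glob rules, not Fluentd's own code, and the facility table is the usual syslog numbering.

```ruby
# Added example (not from the posts above): run the two regexes that appear in
# the posted omsagent configs against constructed sample lines, and check which
# Fluentd <match> patterns would route the resulting events. Sample log lines
# are constructed here and assume the forwarder writes "$DATE $HOST $MSG" with
# the <PRI> prefix already removed (assumption, not taken from the posts).

# Regex from the posted omsagent_chkp.conf tail source: generic syslog line.
SYSLOG_RE = /^(?<time>(?:\w+ +){2,3}(?:\d+:){2}\d+):? ?(?:(?<host>[^: ]+) ?:?)? (?<ident>[a-zA-Z0-9_%\/\.\-]*)(?:\[(?<pid>[0-9]+)\])?: *(?<message>.*)$/

# Regex commented out in the posted NetScaler source: the ident must contain
# "CEF" (followed by "0|") or be a Cisco %ASA id, so plain syslog never matches.
CEF_RE = /(?<time>(?:\w+ +){2,3}(?:\d+:){2}\d+|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.[\w\-\:\+]{3,12}):?\s*(?:(?<host>[^: ]+) ?:?)?\s*(?<ident>.*CEF.+?(?=0\|)|%ASA[0-9\-]{8,10})\s*:?(?<message>0\|.*|.*)/

# Constructed samples: one mimics a Check Point gateway sending CEF, the other a
# NetScaler/ADC syslog event. Both are invented for this example.
CHECKPOINT_LINE = 'Dec 10 15:10:57 cpgw01 CEF:0|Check Point|VPN-1 & FireWall-1|R81|Accept|Accept|1|act=Accept src=10.0.0.5 dst=10.0.0.9'
NETSCALER_LINE  = 'Dec 10 15:10:57 ns01 12/10/2021:15:10:57 GMT ns01 0-PPE-0 : default SSLVPN LOGIN 131072 0 : Context jdoe@10.0.0.5 - SessionId: 5 - User jdoe - Client_ip 10.0.0.5'

# Returns the named captures as a Hash, or nil when Fluentd would log
# "pattern not match" for this regex and drop the line.
def parse_with(regex, line)
  m = regex.match(line)
  m && m.named_captures
end

# Simplified reimplementation of Fluentd's <match> glob rules (not Fluentd's
# own code): '*' is exactly one dot-separated part, '**' is zero or more parts.
def tag_matches?(pattern, tag)
  match_parts(pattern.split('.'), tag.split('.'))
end

def match_parts(pat, parts)
  return parts.empty? if pat.empty?
  head, *rest = pat
  if head == '**'
    (0..parts.length).any? { |n| match_parts(rest, parts.drop(n)) }
  else
    !parts.empty? && (head == '*' || head == parts.first) && match_parts(rest, parts.drop(1))
  end
end

# Fluentd's in_syslog emits events tagged "<tag>.<facility>.<severity>", so a
# source tagged oms.security yields e.g. oms.security.local0.info for PRI 134.
# Facility names follow the usual syslog numbering (assumed here).
def in_syslog_tag(base, pri)
  facilities = %w[kern user mail daemon auth syslog lpr news uucp cron authpriv
                  ftp ntp audit alert clock local0 local1 local2 local3 local4
                  local5 local6 local7]
  severities = %w[emerg alert crit err warn notice info debug]
  "#{base}.#{facilities[pri >> 3]}.#{severities[pri & 7]}"
end

if __FILE__ == $0
  [CHECKPOINT_LINE, NETSCALER_LINE].each do |line|
    puts "syslog regex: #{parse_with(SYSLOG_RE, line).inspect}"
    puts "cef regex:    #{parse_with(CEF_RE, line).inspect}"
  end
  tag = in_syslog_tag('oms.security', 134)
  %w[syslog oms.security oms.security.** oms.**].each do |pat|
    puts "<match #{pat}> receives #{tag}? #{tag_matches?(pat, tag)}"
  end
end
```

Running it shows the two failure modes side by side: the CEF regex returns nil for the NetScaler line (the "pattern not match" case, since there is no "CEF" or "%ASA" ident to capture), while the generic syslog regex does match it but captures the NetScaler date "12/10/2021" as ident and the rest as message. The tag check shows that a pattern of syslog never receives events tagged oms.security.local0.info, whereas oms.security.** and oms.** do.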