Log Forwarder with multiple log sources to Sentinel


Hello Community,
In a Sentinel project we want to connect some on-prem log sources to Log Analytics / Sentinel.
On-prem we have a Linux VM that acts as a log forwarder with syslog-ng and the OMS Agent, version 1.13.40-0.

So kind of at the core of this setup:

[image attachment: GarfieldP_0-1639149690739.png]

We also watched this webinar, but it did not answer all of our questions.
https://www.youtube.com/watch?v=jtv-k2CyH-g

We have successfully connected Checkpoint Firewall logs in CEF format. Now we also want to connect Citrix Netscaler logs in Syslog format. So far we have not been successful.
Can we process CEF and Syslog from multiple sources with one agent, or do we have to start the agent with the respective config for each log source?

Our configs:

Checkpoint config:
CEF with Checkpoint. Is working fine.
OMS Agent start:

/opt/microsoft/omsagent/ruby/bin/ruby /opt/microsoft/omsagent/bin/omsagent -c /etc/opt/microsoft/omsagent/WorksSpaceID/conf/omsagent_chkp.conf -v -d /tmp/omsagent.pid -o /var/opt/microsoft/omsagent/WorksSpaceID/
omsagent_chkp.conf
<source>
type tail
pos_file /backup/syslog/checkpoint/checkpoint.log.pos
path /backup/syslog/checkpoint/checkpoint.log
format none
tag checkpoint
format /^(?<time>(?:\w+ +){2,3}(?:\d+:){2}\d+):? ?(?:(?<host>[^: ]+) ?:?)? (?<ident>[a-zA-Z0-9_%\/\.\-]*)(?:\[(?<pid>[0-9]+)\])?: *(?<message>.*)$/
</source>
<filter checkpoint.**>
type filter_syslog_security
</filter>
<match checkpoint>
type out_oms
log_level debug
num_threads 5
</match>

----------------------------------


Syslog-NG:

destination security_oms { tcp("127.0.0.1" port(25226)); };

log { source(s_udp); filter(f_netscaler_sources); destination(d_netscaler_backup); destination(security_oms); };

Netscaler conf for the omsagent (not working):

<source>
  type syslog
  port 25226
  bind 127.0.0.1
  protocol_type tcp
  tag oms.security
#  format /(?<time>(?:\w+ +){2,3}(?:\d+:){2}\d+|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.[\w\-\:\+]{3,12}):?\s*(?:(?<host>[^: ]+) ?:?)?\s*(?<ident>.*CEF.+?(?=0\|)|%ASA[0-9\-]{8,10})\s*:?(?<message>0\|.*|.*)/
  format none
# <parse>
#     message_format auto
#  </parse>
</source>

<filter oms.security.**>
  type filter_syslog
</filter>

<match syslog>
  type out_oms
  log_level debug
  num_threads 5
</match>

Command to start the second instance for the Netscaler logs:

/opt/microsoft/omsagent/bin/omsagent -c /etc/opt/microsoft/omsagent/WorksSpaceID/conf/omsagent_netscaler.conf -v -d /tmp/omsagent.pid -o /var/opt/microsoft/omsagent/WorksSpaceID/log/omsagent_netscaler.log

Error:

2021-12-10 15:10:57 +0100 [warn]: plugin/in_syslog.rb:230:block in parse_text: pattern not match: "\""
2021-12-10 15:10:57 +0100 [debug]: plugin/omslog.rb:10:block in <class:Log>: Failed to get the IP for

------------------------

The error "Failed to get the IP for..." occurs for all Netscaler logs. Here the format probably does not fit.

Any ideas?

Thank you! :)

0 Replies
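As an added example (not part of the original post and not OMS agent code), a small Ruby re-implementation of Fluentd's tag glob matching that can be run against the patterns from the two posted configs to see which <filter> and <match> blocks an event's tag actually reaches. TagPattern and route are hypothetical helper names; the script assumes Fluentd's documented pattern semantics ("*", "**", "{a,b}") and that in_syslog appends "<facility>.<priority>" to its configured tag.

```ruby
# Added example, not from the original post or the OMS agent: a minimal
# re-implementation of Fluentd's tag glob matching ("*", "**", "{a,b}") used
# to check which events a config's <filter> and <match> blocks will see.
class TagPattern
  def initialize(pattern)
    @regex = Regexp.new("\\A#{to_regex(pattern)}\\z")
  end
  def match?(tag); !!(@regex =~ tag); end
  private
  # Translate one Fluentd match pattern into anchored regex source.
  def to_regex(pat)
    out = +''
    i = 0
    while i < pat.length
      if pat[i, 3] == '.**'                # ".**": the bare tag also matches
        out << '(?![^.])'; i += 1          # then fall through to "**" handling
      elsif pat[i, 2] == '**'
        if pat[i + 2] == '.'               # "**.": zero or more parts, then a dot
          out << '(?:.*\.|\A)'; i += 3
        else                               # trailing "**": any remainder
          out << '.*'; i += 2
        end
      elsif pat[i] == '*'                  # "*": exactly one dot-free part
        out << '[^.]*'; i += 1
      elsif pat[i] == '{'                  # "{a,b}": alternatives
        close = pat.index('}', i) or raise ArgumentError, "unbalanced { in #{pat}"
        alts = pat[(i + 1)...close].split(',').map { |a| to_regex(a) }
        out << "(?:#{alts.join('|')})"; i = close + 1
      else
        out << Regexp.escape(pat[i]); i += 1
      end
    end
    out
  end
end

# Report whether a tag is seen by any <filter> and which <match> pattern
# (if any) finally outputs it; output nil means the event is dropped unmatched.
def route(tag, filters:, matches:)
  { filtered: filters.any? { |f| TagPattern.new(f).match?(tag) },
    output: matches.find { |m| TagPattern.new(m).match?(tag) } }
end

# Patterns taken from the two configs in the post. in_tail emits the tag as
# configured; in_syslog appends "<facility>.<priority>" to its tag (assumed here).
CHECKPOINT = { filters: ['checkpoint.**'], matches: ['checkpoint'] }.freeze
NETSCALER  = { filters: ['oms.security.**'], matches: ['syslog'] }.freeze

p route('checkpoint', **CHECKPOINT) if __FILE__ == $0               # output "checkpoint"
p route('oms.security.local0.info', **NETSCALER) if __FILE__ == $0  # output nil
```

This only checks tag routing between the blocks; it says nothing about the in_syslog "pattern not match" warning quoted in the post.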