Log Forwarder with multiple log sources to Sentinel

Occasional Contributor

Hello Community,


In a Sentinel project we want to connect some OnPrem log sources to LogAnalytics / Sentinel.
We have OnPrem a Linux VM that acts as a LogForwarder with Syslog-NG and the OMS Agent in version 1.13.40-0.


So kind of at the core of this setup:



We also watched this webinar but not all questions were answered by this.
We have successfully connected Checkpoint Firewall logs in CEF format. Now we also want to connect Citrix Netscaler logs in Syslog format. Currently we are not successful yet.
Can we process CEF and Syslog from multiple sources with one agent or do we have to start the agent with the respective config for each log source?
Our configs:
Checkpoint Konfig:
CEF –with  Checkpoint. Is working fine
OMS Agent Start:

/opt/microsoft/omsagent/ruby/bin/ruby /opt/microsoft/omsagent/bin/omsagent -c /etc/opt/microsoft/omsagent/WorksSpaceID/conf/omsagent_chkp.conf -v -d /tmp/omsagent.pid -o /var/opt/microsoft/omsagent/WorksSpaceID/


type tail
pos_file /backup/syslog/checkpoint/checkpoint.log.pos
path /backup/syslog/checkpoint/checkpoint.log
format none
tag checkpoint
format /^(?<time>(?:\w+ +){2,3}(?:\d+:){2}\d+):? ?(?:(?<host>[^: ]+) ?:?)? (?<ident>[a-zA-Z0-9_%\/\.\-]*)(?:\[(?<pid>[0-9]+)\])?: *(?<message>.*)$/


<filter checkpoint.**>
type filter_syslog_security
<match checkpoint>
type out_oms
log_level debug
num_threads 5




destination security_oms { tcp("" port(25226)); };


log { source(s_udp); filter(f_netscaler_sources); destination(d_netscaler_backup); destination(security_oms); };


Netscaler-conf for the omsagent:

Not working



  type syslog

  port 25226


  protocol_type tcp

  tag oms.security

#  format /(?<time>(?:\w+ +){2,3}(?:\d+:){2}\d+|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.[\w\-\:\+]{3,12}):?\s*(?:(?<host>[^: ]+) ?:?)?\s*(?<ident>.*CEF.+?(?=0\|)|%ASA[0-9\-]{8,10})\s*:?(?<message>0\|.*|.*)/

format none

# <parse>

#     message_format auto

#  </parse>



<filter oms.security.**>

  type filter_syslog




<match syslog>

  type out_oms

  log_level debug

  num_threads 5




Command to start the second instance for the Netscaler Logs:


/opt/microsoft/omsagent/bin/omsagent -c /etc/opt/microsoft/omsagent/WorksSpaceID

/conf/omsagent_netscaler.conf -v -d /tmp/omsagent.pid -o /var/opt/microsoft/omsagent/WorksSpaceID/log/omsagent_netscaler.log




2021-12-10 15:10:57 +0100 [warn]: plugin/in_syslog.rb:230:block in parse_text: pattern not match: "\""

2021-12-10 15:10:57 +0100 [debug]: plugin/omslog.rb:10:block in <class:Log>: Failed to get the IP for




The error.

"Failed to get the IP for..." it does for all Netscaler logs. Here probably the format does not fit.

Any ideas?

Thank you ! :)



2 Replies

Hey, did you get anywhere with this?


I'm in a similar position, we've got fw logs coming through as CEF (successfully) and a Citrix Netscaler which the logs are coming into port 514 but the log forwarder is not pushing those logs to port 25226. 


I've created the rules and even tried it on port 25224 ( as per the Sentinel guides for Syslog) but cant seem to get the logs from incoming port 514 to and then sentinel.


I've configured the filters using rsyslog, and added everything needed for the logs.

@Garfield-P  What does the raw message sent by the device look like?

Does if have CEF=0 or  CEF=1?

Cisco is notable to replace parts with ASA, FTD etcetera. Most likely the message does not match the regex