Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

log via syslog server agent to Azure Sentinel (list of IPs?) & dual agent to two Log Analytics space

Copper Contributor

Hi,

I am currently looking at setting up something like this:

Security devices > syslog server > Microsoft Sentinel

In order to tie down/restrict somewhat the access this syslog server has, is there a list of known IPs for Microsoft Sentinel?

 

Another bonus question please :D

For one of the firewalls (one of the security devices mentioned above) we are looking to send a full set to Sentinel via this syslog server, PLUS a smaller subset of the SAME log (but with only selected columns/fields) to another Log Analytics workspace. This might be outside of scope of the syslog server agent but is there a guide on how to get this setup please?

 

Many thanks.

JT

2 Replies

@jt-jt  Stealing a post that @CliveWatson wrote in 2020 since syslog currently uses the MMA:

 

The MMA is owned by the Azure Monitor Team (as is "Log Analytics" a.k.a Azure Monitor Logs), so the docs are under their name not Azure Sentinel: https://docs.microsoft.com/en-us/azure/azure-monitor/app/ip-addresses

Regarding the bonus question.

Multi-homing (sending logs to multiple workspaces) on Linux is not possible with the traditional Log Analytics Agent (MMA), you would need to use the Azure Monitor Agent(AMA) instead.

AMA can only handle 5000 events per second currently it seems though, so it might not be a real choice when you use syslog.
https://docs.microsoft.com/en-us/azure/sentinel/ama-migrate

If 5000 events per second is not enough, you need to use MMA, which can only connect to a single workspace.