Mar 04 2022 03:13 AM
Hi,
I am currently looking at setting up something like this:
Security devices > syslog server > Microsoft Sentinel
In order to tie down/restrict somewhat the access this syslog server has, is there a list of known IPs for Microsoft Sentinel?
Another bonus question please :D
For one of the firewalls (one of the security devices mentioned above) we are looking to send a full set to Sentinel via this syslog server, PLUS a smaller subset of the SAME log (but with only selected columns/fields) to another Log Analytics workspace. This might be outside the scope of the syslog server agent, but is there a guide on how to get this set up please?
Many thanks.
JT
Mar 04 2022 03:35 AM
@jt-jt Stealing a post that @CliveWatson wrote in 2020 since syslog currently uses the MMA:
The MMA is owned by the Azure Monitor team (as is "Log Analytics", a.k.a. Azure Monitor Logs), so the docs are under their name, not Azure Sentinel: https://docs.microsoft.com/en-us/azure/azure-monitor/app/ip-addresses
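One way to turn that endpoint list into an egress lock-down on the syslog collector itself, as an added example that is not part of this thread or of any Microsoft documentation: a small bash script that generates (prints, does not apply) an iptables OUTPUT allow-list from a table of destination/port pairs and refuses malformed entries. The two destination prefixes and the resolver address below are constructed placeholders from documentation ranges; replace them with the ranges from the linked Azure Monitor page. Inbound syslog from the security devices arrives on the INPUT chain and is untouched by these rules.

```bash
#!/usr/bin/env bash
# Added example, not from the original thread: generate an egress allow-list for
# a syslog collector that forwards to Log Analytics / Sentinel.
# The endpoint list is CONSTRUCTED for illustration; take the real entries from
# the Azure Monitor "IP addresses" page linked above. Endpoint addresses can
# change, so re-generate and review this list on a schedule.
set -eu

# Constructed allow-list, one "<ipv4-or-cidr> <tcp-port>" pair per line.
ALLOWED_EGRESS='
203.0.113.0/24 443
198.51.100.10/32 443
'

# Accept a dotted-quad IPv4 address with an optional /0-32 prefix, nothing else.
# Hostnames are rejected on purpose: iptables resolves them once at insert time,
# which silently pins whatever the resolver answered that day.
is_cidr() {
  printf '%s\n' "$1" |
    grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# Validate a TCP port number (1-65535).
is_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the iptables commands for the OUTPUT chain:
#   1. default-deny outbound,
#   2. loopback and already-established flows,
#   3. DNS to one named resolver (argument 1, assumed to be a trusted internal resolver),
#   4. one ACCEPT per valid allow-list entry,
#   5. log then drop everything else so unexpected egress shows up in the logs.
# Invalid entries are reported on stderr and skipped rather than silently widened.
gen_egress_rules() {
  resolver="$1"
  is_cidr "$resolver" || { echo "bad resolver: $resolver" >&2; return 1; }
  printf 'iptables -P OUTPUT DROP\n'
  printf 'iptables -A OUTPUT -o lo -j ACCEPT\n'
  printf 'iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
  printf 'iptables -A OUTPUT -p udp -d %s --dport 53 -j ACCEPT\n' "$resolver"
  printf '%s\n' "$ALLOWED_EGRESS" | while read -r dst port; do
    [ -n "$dst" ] || continue
    if ! is_cidr "$dst" || ! is_port "${port:-}"; then
      printf 'skipped invalid entry: %s %s\n' "$dst" "${port:-}" >&2
      continue
    fi
    printf 'iptables -A OUTPUT -p tcp -d %s --dport %s -j ACCEPT\n' "$dst" "$port"
  done
  printf 'iptables -A OUTPUT -j LOG --log-prefix "egress-denied: "\n'
  printf 'iptables -A OUTPUT -j DROP\n'
}

# Count of ACCEPT rules produced for the allow-list, useful as a sanity check
# before the output is reviewed and applied.
count_allow_rules() {
  gen_egress_rules "$1" | grep -c -- '-p tcp -d'
}

# Usage: review the output, then pipe it to sh as root on the collector.
gen_egress_rules 192.0.2.53
```

Because the Azure endpoints are published largely as FQDNs and their addresses are not fixed, a forward proxy that enforces the FQDN allow-list (with this host-level rule set permitting only the proxy) is the more durable layout; the script above covers the case where you want the collector itself to carry a default-deny egress policy.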
Mar 09 2022 03:31 AM - edited Mar 09 2022 03:35 AM
Regarding the bonus question.
Multi-homing (sending logs to multiple workspaces) on Linux is not possible with the traditional Log Analytics Agent (MMA); you would need to use the Azure Monitor Agent (AMA) instead.
AMA can currently only handle 5000 events per second, it seems, so it might not be a real choice when you use syslog.
https://docs.microsoft.com/en-us/azure/sentinel/ama-migrate
If 5000 events per second is not enough, you need to use MMA, which can only connect to a single workspace.