Sep 17 2020
07:20 AM
- last edited on
Dec 23 2021
04:50 AM
by
TechCommunityAP
Sep 17 2020
07:20 AM
- last edited on
Dec 23 2021
04:50 AM
by
TechCommunityAP
I have followed all the documentation for building the log forwarder VM (Ubunutu) and configuring the Syslog Data Collector. Syslog events from the actual VM are making it into Sentinel no problem, however the Syslog events we have sent from an on-premises firewall (Protectli) to the Log Forwarder VM are not making it into Sentinel. Below is a screenshot showing the logs in question. The logs in question are coming into the VM on TCP Port 514.
Any ideas what I need to do here or what I can try?
Oct 30 2020 03:20 AM
Solution@vhusker1507 I had a similar problem in my test lab. I realised that I needed to enable each syslog 'facility' category that I wanted the agent to collect. Once I had examined the incoming packets at the syslog collector (using tcpdump if I remember) I noticed that they were coming in labelled as facility 'local0' or 'local7' and these weren't enabled on my Sentinel instance.
Within the associated log analytics workspace, check under advanced settings\data\syslog and ensure that you have the appropriate facilities listed to match your incoming packets (image attached). If the correct ones arent listed then they get dropped.
Hope this helps.
Oct 30 2020 03:20 AM
Solution@vhusker1507 I had a similar problem in my test lab. I realised that I needed to enable each syslog 'facility' category that I wanted the agent to collect. Once I had examined the incoming packets at the syslog collector (using tcpdump if I remember) I noticed that they were coming in labelled as facility 'local0' or 'local7' and these weren't enabled on my Sentinel instance.
Within the associated log analytics workspace, check under advanced settings\data\syslog and ensure that you have the appropriate facilities listed to match your incoming packets (image attached). If the correct ones arent listed then they get dropped.
Hope this helps.