Sentinel Data collection rule initial setup


I am trying to set up a Data collection rule (Common Event Format (CEF) via AMA) for getting our firewall logs into Sentinel via a syslog server, but I am not sure what facility(ies) to use. Is there an article about the setup of this (these) rules? I tried doing searches but have found nothing relevant.


3 Replies
As per my understanding, I enabled LOG_LOCAL0 to LOG_LOCAL7 to ingest firewall logs into Sentinel.

@Sidra_Raza thank you!! 

@jimbo31180 Hey! Once you have the firewall logs hitting your collector, you can do a tcpdump over port 514, or whatever port you're receiving them on, to see the facility they're coming over 🙂 Also, depending on your firewall, you can set the facility in the syslog forwarding setup on your firewall.
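To make the "look at the capture" advice concrete: the facility is not printed anywhere by itself, it is encoded in the `<PRI>` prefix of each syslog line as `facility * 8 + severity`, so `<134>` means local0.info. The script below is an added example, not code from this thread or from Microsoft; it decodes the PRI of captured lines, keeps only the ones that carry a CEF header, and lists the facility names the DCR's syslog data source would need to enable. The sample lines (vendor, hostnames, addresses) are constructed for the example.

```python
"""Decode the syslog PRI header on captured lines to learn which facility the
firewall's CEF messages arrive on, and therefore which facility names a CEF via
AMA data collection rule must list. Added example; all sample input is constructed.
"""
import re
from collections import Counter

# Facility codes 0-23 as in RFC 5424 section 6.2.1, table 1, with the short
# names used by syslog(3); local0..local7 are the ones firewalls usually use.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Both RFC 3164 and RFC 5424 messages start with "<PRI>".
PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(line: str):
    """Return (facility, severity) for one syslog line, or None if it has no
    valid PRI. PRI = facility * 8 + severity, so the legal range is 0..191."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity]


def is_cef(line: str) -> bool:
    """A CEF message carries a 'CEF:<version>|' header inside the MSG part."""
    return re.search(r"CEF:\d+\|", line) is not None


def cef_facilities(lines):
    """Count the facilities used by CEF lines only. Non-CEF syslog on the same
    port (the collector's own sshd/auth chatter) is ignored, because those
    facilities do not belong in the CEF rule."""
    counts = Counter()
    for line in lines:
        if not is_cef(line):
            continue
        decoded = decode_pri(line)
        if decoded is None:
            continue  # CEF without a PRI header: the forwarder is misconfigured
        counts[decoded[0]] += 1
    return counts


def facility_names_for_dcr(lines):
    """Sorted facility names (lowercase, e.g. 'local0') that the DCR's syslog
    data source needs to enable, derived from what was actually captured."""
    return sorted(cef_facilities(lines))


# Constructed sample of what `tcpdump -i any -nn -A port 514` might show,
# with the payload text extracted: two formats of CEF from firewalls, one
# local sshd line, and one CEF line sent without a PRI header.
SAMPLE_LINES = [
    "<134>Aug 16 13:25:45 fw01 CEF:0|ExampleVendor|ExampleFW|1.0|100|Traffic allowed|3|src=10.0.0.5 dst=10.0.0.9 spt=51000 dpt=443",
    "<134>1 2024-08-16T13:25:46Z fw01 - - - - CEF:0|ExampleVendor|ExampleFW|1.0|101|Traffic denied|7|src=198.51.100.7 dst=10.0.0.9 dpt=22",
    "<142>Aug 16 13:25:47 fw02 CEF:0|ExampleVendor|ExampleFW|1.0|100|Traffic allowed|3|src=10.0.0.6 dst=10.0.0.9 dpt=80",
    "<13>Aug 16 13:25:48 collector01 sshd[1234]: Accepted publickey for ops from 10.0.0.20",
    "Aug 16 13:25:49 fw03 CEF:0|ExampleVendor|ExampleFW|1.0|100|Traffic allowed|3|src=10.0.0.7 dst=10.0.0.9",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(decode_pri(line), "CEF" if is_cef(line) else "not CEF")
    print("CEF facilities seen:", dict(cef_facilities(SAMPLE_LINES)))
    print("enable in DCR:", facility_names_for_dcr(SAMPLE_LINES))
```

With a real capture, pipe the `-A` payload text into this instead of `SAMPLE_LINES`; the fourth sample line shows why filtering on the CEF header matters, since the collector's own messages arrive on `user` and would otherwise look like a facility to enable. If a line shows up with no `<PRI>` at all, as the last sample does, the firewall's syslog forwarder is the thing to fix first, because the agent cannot assign it a facility.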