Apr 20 2020 03:21 PM - edited Apr 21 2020 02:55 PM
Hi everyone,
I have a CentOS machine and a Syslog collector. Whenever I run the commands below on the Syslog collector, similar to this post, CEF messages are parsed and show up under CommonSecurityLog:
logger -p local4.warn -t CEF "CEF:0|Microsoft|ATA|1.9.0.0|EncryptionDowngradeSuspiciousActivity|Encryption downgrade activity|5|start=2018-12-12T18:10:35.0334169Z app=Kerberos msg=The encryption method of the TGT field of TGS_REQ message from W2012R2-000000-Server has been downgraded based on previously learned behavior. This may be a result of a Golden Ticket in-use on W2012R2-000000-Server. externalId=2009 cs1Label=url cs1=https://192.168.0.220/suspiciousActivity/5c114f938ca1ec1250cafcfa"
logger -p local4.warn -t CEF "CEF:0|Microsoft|ATA|1.9.0.0|EncryptionDowngradeSuspiciousActivity|Encryption downgrade activity|5|start=2018-12-12T17:00:31.2975188Z app=Kerberos msg=The encryption method of the Encrypted_Timestamp field of AS_REQ message from W2012R2-000000-Server has been downgraded based on previously learned behavior. This may be a result of a credential theft using Overpass-the-Hash from W2012R2-000000-Server. externalId=2010 cs1Label=url cs1=https://192.168.0.220/suspiciousActivity/5c113eaf8ca1ec1250ca0883"
But if I'm doing the same commands on my CentOS server and redirecting the output to the Syslog server via port 514, the messages are no longer under CommonSecurityLog but under Syslog, although the format remains the same. Everything is obviously grouped into the SyslogMessage field.
Any idea why this doesn't work with Sentinel? I have a background with other SIEMs and my method works wonders. I tried everything and still couldn't pinpoint why logs would not be forwarded at all to the Analytics agent.
Thanks,
Apr 21 2020 02:52 PM
security_events.conf
<source>
type syslog
port 25226
bind 127.0.0.1
protocol_type tcp
tag oms.security
format /(?<time>(?:\w+ +){2,3}(?:\d+:){2}\d+|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.[\w\-\:\+]{3,12}):?\s*(?:(?<host>[^: ]+) ?:?)?\s*(?<ident>.*CEF.+?(?=0\|)|%ASA[0-9\-]{8,10})\s*:?(?<message>0\|.*|.*)/
<parse>
message_format auto
</parse>
</source>
security-config-omsagent.conf
:rawmsg, regex, "CEF\|ASA" ~ *.* @@127.0.0.1:25226
No error spotted in:
/var/opt/microsoft/omsagent/<workspace-id>/log/omsagent.log
root@my-syslogserv:~# netstat -anp | grep syslog
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN 5836/rsyslogd
tcp6 0 0 :::514 :::* LISTEN 5836/rsyslogd
udp 0 0 0.0.0.0:48723 0.0.0.0:* 5836/rsyslogd
udp 0 0 0.0.0.0:514 0.0.0.0:* 5836/rsyslogd
udp 0 0 0.0.0.0:42005 0.0.0.0:* 5836/rsyslogd
udp 0 0 0.0.0.0:38190 0.0.0.0:* 5836/rsyslogd
udp 0 0 0.0.0.0:34139 0.0.0.0:* 5836/rsyslogd
udp6 0 0 :::514 :::* 5836/rsyslogd
unix 2 [ ] DGRAM 22952 1/init /run/systemd/journal/syslog
unix 2 [ ] DGRAM 57903 5836/rsyslogd
root@my-syslogserv:~# netstat -anp | grep ruby
tcp 0 0 0.0.0.0:25325 0.0.0.0:* LISTEN 5940/ruby
udp 0 0 127.0.0.1:25225 0.0.0.0:* 5940/ruby
udp 0 0 127.0.0.1:25226 0.0.0.0:* 5940/ruby
Only error while running the test script
sudo wget https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py && sudo python cef_troubleshoot.py <workspace-id>
Error: Could not locate 'omsagent' trying to validate by checking the process
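A way to check offline which path a raw line received on port 514 would take under the two configurations quoted above (an added example, not the poster's or Microsoft's code): it applies the rsyslog selector `CEF\|ASA` from security-config-omsagent.conf and the `format` regex from security_events.conf to constructed sample lines, and parses the CEF header and extension fields of the lines that pass. The two regexes are copied from the post; the sample lines, host names, and the `route`/`inspect`/`parse_cef` helper names are assumptions made for this example.

```python
"""Offline check of the CEF path quoted in this thread: the rsyslog selector
`:rawmsg, regex, "CEF\\|ASA"` decides whether a line is forwarded to the fluentd
socket, and the `format` regex in security_events.conf decides whether fluentd
parses it. Added example, not the poster's or Microsoft's code; the sample
lines below are constructed and the host names are placeholders."""
import re

# rsyslog filter from security-config-omsagent.conf. rsyslog's "regex"
# comparison defaults to POSIX BRE, where "\|" is alternation, so the rule
# forwards any raw message containing the literal "CEF" or "ASA".
RSYSLOG_FILTER = re.compile(r"CEF|ASA")

# `format` from security_events.conf, verbatim; Ruby's (?<name>...) groups are
# rewritten to Python's (?P<name>...) before compiling.
FLUENTD_FORMAT_RUBY = (
    r"(?<time>(?:\w+ +){2,3}(?:\d+:){2}\d+|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}"
    r".[\w\-\:\+]{3,12}):?\s*(?:(?<host>[^: ]+) ?:?)?\s*"
    r"(?<ident>.*CEF.+?(?=0\|)|%ASA[0-9\-]{8,10})\s*:?(?<message>0\|.*|.*)"
)
FLUENTD_FORMAT = re.compile(re.sub(r"\(\?<(?![=!])", "(?P<", FLUENTD_FORMAT_RUBY))

CEF_HEADER = ["version", "vendor", "product", "product_version",
              "signature_id", "name", "severity"]


def strip_pri(line):
    """Drop the leading <PRI>; fluentd's in_syslog does this before `format`."""
    m = re.match(r"<\d{1,3}>", line)
    return line[m.end():] if m else line


def route(line):
    """Where a raw line received on port 514 ends up under the quoted config."""
    if not RSYSLOG_FILTER.search(line):
        return "Syslog"                  # never forwarded to 25226; ordinary syslog path
    if not FLUENTD_FORMAT.search(strip_pri(line)):
        return "fluentd-parse-failure"   # forwarded, but `format` rejects it
    return "CommonSecurityLog"


def parse_cef(payload):
    """Split a CEF payload into its 7 header fields and the extension pairs."""
    if payload.startswith("CEF:"):
        payload = payload[4:]
    parts = re.split(r"(?<!\\)\|", payload, maxsplit=7)   # '\|' is an escaped pipe
    if len(parts) != 8:
        raise ValueError("incomplete CEF header")
    header = {k: v.replace("\\|", "|") for k, v in zip(CEF_HEADER, parts[:7])}
    # Extension values may contain spaces (see the msg= field), so split on the
    # next " key=" boundary instead of on whitespace.
    ext = {m.group(1): m.group(2).replace("\\=", "=")
           for m in re.finditer(r"(?:^|\s)([\w.]+)=(.*?)(?=\s[\w.]+=|$)", parts[7])}
    return header, ext


def inspect(line):
    """Route a raw line and parse the CEF payload when fluentd would see one."""
    result = {"route": route(line)}
    m = FLUENTD_FORMAT.search(strip_pri(line))
    if m and m.group("message").startswith("0|"):
        result["header"], result["extensions"] = parse_cef(m.group("message"))
    return result


# Constructed samples (PRI 164 = local4.warn, 166 = local4.info).
LOCAL_OK = ("<164>Apr 20 15:21:00 my-syslogserv CEF: CEF:0|Microsoft|ATA|1.9.0.0|"
            "EncryptionDowngradeSuspiciousActivity|Encryption downgrade activity|5|"
            "start=2018-12-12T18:10:35.0334169Z app=Kerberos msg=The encryption method "
            "has been downgraded externalId=2009 cs1Label=url cs1=https://192.168.0.220/x")
# Same header, but nothing in the line spells "CEF": rsyslog never forwards it.
NO_CEF_KEYWORD = ("<164>Apr 20 15:21:00 centos-host myapp: 0|Microsoft|ATA|1.9.0.0|"
                  "EncryptionDowngradeSuspiciousActivity|Encryption downgrade activity|5|"
                  "externalId=2009")
# Cisco ASA style line: matched by the second alternative of the ident group.
ASA_LINE = ("<166>Apr 20 15:21:00 fw01 %ASA-6-302013: Built inbound TCP connection "
            "12345 for outside:203.0.113.5/443")

if __name__ == "__main__":
    for name, line in [("LOCAL_OK", LOCAL_OK), ("NO_CEF_KEYWORD", NO_CEF_KEYWORD),
                       ("ASA_LINE", ASA_LINE)]:
        print(name, inspect(line))
```

Feed it the line exactly as the collector receives it on port 514 (a packet capture on the collector shows it verbatim), not the copy written to /var/log: the rsyslog selector evaluates `rawmsg`, i.e. the message before any template is applied, and a line that lacks the literal `CEF` or `ASA` string goes down the ordinary syslog path regardless of how well-formed its pipe-delimited header is.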
Aug 02 2021 07:36 PM
@Mikado1080 Were you able to find a resolution to this issue? I'm experiencing the same.
Mar 21 2023 09:20 AM