cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

CEF messages not parsed from remote host

Mikado1080
Copper Contributor

‎Apr 20 2020 03:21 PM - edited ‎Apr 21 2020 02:55 PM

‎Apr 20 2020 03:21 PM - edited ‎Apr 21 2020 02:55 PM

CEF messages not parsed from remote host

Hi everyone,

 

I have a CentOS machine and a Syslog collector. Whenever I run the commands below on the Syslog collector similar to this post, CEF messages are parsed and showing up under CommonSecurityLog 

 

logger -p local4.warn -t CEF "CEF:0|Microsoft|ATA|1.9.0.0|EncryptionDowngradeSuspiciousActivity|Encryption downgrade activity|5|start=2018-12-12T18:10:35.0334169Z app=Kerberos msg=The encryption method of the TGT field of TGS_REQ message from W2012R2-000000-Server has been downgraded based on previously learned behavior. This may be a result of a Golden Ticket in-use on W2012R2-000000-Server. externalId=2009 cs1Label=url cs1=https://192.168.0.220/suspiciousActivity/5c114f938ca1ec1250cafcfa"

logger -p local4.warn -t CEF "CEF:0|Microsoft|ATA|1.9.0.0|EncryptionDowngradeSuspiciousActivity|Encryption downgrade activity|5|start=2018-12-12T17:00:31.2975188Z app=Kerberos msg=The encryption method of the Encrypted_Timestamp field of AS_REQ message from W2012R2-000000-Server has been downgraded based on previously learned behavior. This may be a result of a credential theft using Overpass-the-Hash from W2012R2-000000-Server. externalId=2010 cs1Label=url cs1=https://192.168.0.220/suspiciousActivity/5c113eaf8ca1ec1250ca0883"

 

 

 

But if i'm doing the same commands on my CentOS server and redirecting the output to the Syslog server via port 514, the messages are not under CommonSecurityLog anymore but Syslog although the format remains the same. Everything is obviously grouped into the SyslogMessage field.

 

Any idea why this doesn't work with Sentinel? I have other SIEM background and my method works wonder. I tried everything and still couldn't pinpoint to why logs would not be forwarded at all to the Analytics agent.

 

Thanks,

1,654 Views
0 Likes
3 Replies
Reply
3 Replies
Mikado1080

‎Apr 21 2020 02:52 PM

‎Apr 21 2020 02:52 PM

Re: CEF messages not parsed from remote host

security_events.conf

 

 

<source>
  type syslog
  port 25226
  bind 127.0.0.1
  protocol_type tcp
  tag oms.security
  format /(?<time>(?:\w+ +){2,3}(?:\d+:){2}\d+|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.[\w\-\:\+]{3,12}):?\s*(?:(?<host>[^: ]+) ?:?)?\s*(?<ident>.*CEF.+?(?=0\|)|%ASA[0-9\-]{8,10})\s*:?(?<message>0\|.*|.*)/
  <parse>
     message_format auto
  </parse>
</source>

 

security-config-omsagent.conf

 

 

:rawmsg, regex, "CEF\|ASA" ~ *.* @@127.0.0.1:25226

 

No error spotted in:

 

 

/var/opt/microsoft/omsagent/<workspace-id>/log/omsagent.log

 

 

 

 

root@my-syslogserv:~# netstat -anp | grep syslog
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      5836/rsyslogd
tcp6       0      0 :::514                  :::*                    LISTEN      5836/rsyslogd
udp        0      0 0.0.0.0:48723           0.0.0.0:*                           5836/rsyslogd
udp        0      0 0.0.0.0:514             0.0.0.0:*                           5836/rsyslogd
udp        0      0 0.0.0.0:42005           0.0.0.0:*                           5836/rsyslogd
udp        0      0 0.0.0.0:38190           0.0.0.0:*                           5836/rsyslogd
udp        0      0 0.0.0.0:34139           0.0.0.0:*                           5836/rsyslogd
udp6       0      0 :::514                  :::*                                5836/rsyslogd
unix  2      [ ]         DGRAM                    22952    1/init               /run/systemd/journal/syslog
unix  2      [ ]         DGRAM                    57903    5836/rsyslogd

 

 

 

root@my-syslogserv:~# netstat -anp | grep ruby
tcp        0      0 0.0.0.0:25325           0.0.0.0:*               LISTEN      5940/ruby
udp        0      0 127.0.0.1:25225         0.0.0.0:*                           5940/ruby
udp        0      0 127.0.0.1:25226         0.0.0.0:*                           5940/ruby

 

 

Only error while running the test script 

 

 

 

sudo wget https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py <workspace-id>

 

 

 

Error: Could not locate 'omsagent' trying to validate by checking the process

 

 

 

0 Likes
Reply
gmecija

‎Aug 02 2021 07:36 PM

‎Aug 02 2021 07:36 PM

Re: CEF messages not parsed from remote host

@Mikado1080 Were you able to find a resolution to this issue? I'm experiencing the same.

0 Likes
Reply
Singh0007

‎Mar 21 2023 09:20 AM

‎Mar 21 2023 09:20 AM

Re: CEF messages not parsed from remote host

install the agent separately on CEF server and it will solve your problem
0 Likes
Reply