Mar 06 2022 02:29 PM - edited Mar 06 2022 02:59 PM
Hi all,
I have successfully configured the oms-agent and the Microsoft CEF python log forward script on a Ubuntu 20.04 x64 VM to forward Fortinet Analyzer logging to Sentinel. I receive the CEF logging in Sentinel. Most fields are mapped correctly. However, not all fields within the <message> are mapped, such as "ad.srccountry". This field is now in the AdditionalExtensions variable along with other data.
I want to have this variable in a separate field for log alerting purposes.
Problem:
Within CEF -> message -> AdditionalExtensions there is the ad.srccountry variable. I want the "ad.srccountry" variable mapped to 'cs1' (DeviceCustomString1) in Sentinel. I got this idea from a list of all supported CEF message mapping fields.
However, I cannot figure out how to configure this additional parse within the message field.
My configuration:
vi /etc/opt/microsoft/omsagent/<tenantID>/conf/omsagent.d/security_events.conf
<source>
type syslog
port 25226
bind 127.0.0.1
protocol_type tcp
tag oms.security
format /(?<time>(?:\w+ +){2,3}(?:\d+:){2}\d+|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.[\w\-\:\+]{3,12}):?\s*(?:(?<host>[^: ]+) ?:?)?\s*(?<ident>.*CEF.+?(?=0\|)|%ASA[0-9\-]{8,10})\s*:?(?<message>0\|.*|.*)/
<parse>
message_format auto
</parse>
</source>
<filter oms.security.**>
type filter_syslog_security
</filter>
Works (raw message and primary CEF filter): https://regex101.com/r/rdf4iP/1
vi /etc/opt/microsoft/omsagent/<tenantID>/conf/omsagent.d/syslog.conf
<source>
@type syslog
port 25224
bind 127.0.0.1
protocol_type tcp
tag oms.syslog
</source>
<filter oms.syslog.**>
@type parser
key_name message
format /.*ad.srccountry=(?<cs1>.*?)\s.*$/
</filter>
Raw message and secondary ad.srccountry filter: https://regex101.com/r/v6iZHs/1
systemctl restart omsagent-<TenantID>.service && systemctl restart syslog
But the DeviceCustomString1 (cs1) field in the CommonSecurityLog table in Sentinel stays empty.
Any tips or tricks how I can get this to work?
Thanks!
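As an added example, not code from the thread or from Microsoft's CEF forwarder: a Python parser for the CEF message body that splits the seven header fields, tokenizes the extension into key/value pairs (handling values that contain spaces and the CEF `\=` / `\\` escapes), and copies a vendor key such as ad.srccountry into cs1 together with a cs1Label, which is how CommonSecurityLog pairs DeviceCustomString1 with DeviceCustomString1Label. The post's lazy regex is included in Python syntax so its behaviour can be compared on the same input. The sample line, vendor fields and key names are constructed for the example.

```python
import re
from typing import Dict, Optional

# Constructed sample in the shape a FortiAnalyzer CEF line takes once the
# syslog prefix has been stripped. Vendor, product and extension values are
# illustrative, not captured from a real device.
SAMPLE_CEF = (
    "CEF:0|Fortinet|FortiAnalyzer|7.0|00013|traffic:forward close|3|"
    "deviceExternalId=FAZ-TEST src=192.0.2.10 dst=198.51.100.7 "
    "ad.srccountry=Reserved ad.dstcountry=United States "
    "msg=connection\\=closed ad.user=alice"
)

HEADER_FIELDS = ("cef_version", "vendor", "product", "version",
                 "signature_id", "name", "severity")

# One extension token: key=value. A value may contain spaces and the CEF
# escapes \= and \\ ; the lookahead ends the value at the next " key=" or at
# the end of the string, so "United States" is not split into a new key.
EXT_TOKEN = re.compile(
    r"(?P<key>[\w.\-]+)=(?P<val>(?:\\.|[^\\=])*?)(?=\s+[\w.\-]+=|\s*$)"
)


def _unescape(value: str) -> str:
    """Undo CEF extension escaping: a backslash protects the next character."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_cef(line: str) -> Dict[str, Dict[str, str]]:
    """Split a CEF line into its header fields and its extension key/values."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    # Pipes inside header values are escaped as \| and must not split.
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header must have 7 pipe-separated fields")
    header = dict(zip(HEADER_FIELDS, parts[:7]))
    header["cef_version"] = header["cef_version"].split(":", 1)[1]
    extensions = {m.group("key"): _unescape(m.group("val"))
                  for m in EXT_TOKEN.finditer(parts[7])}
    return {"header": header, "extensions": extensions}


def map_to_custom_string(record: Dict[str, Dict[str, str]],
                         key: str, slot: str) -> Dict[str, Dict[str, str]]:
    """Copy a vendor-specific extension key into a custom string slot
    (cs1..cs6) and record the source key in the matching csNLabel."""
    ext = record["extensions"]
    if key in ext:
        ext[slot] = ext[key]
        ext[slot + "Label"] = key
    return record


# The lazy pattern from the post, in Python named-group syntax (the dot in
# the key is escaped here). It requires a whitespace character after the
# value, so it yields no match when ad.srccountry is the last token.
POST_PATTERN = re.compile(r".*ad\.srccountry=(?P<cs1>.*?)\s.*$")


def regex_extract(text: str) -> Optional[str]:
    """Apply the post's regex and return the captured cs1 value, if any."""
    m = POST_PATTERN.match(text)
    return m.group("cs1") if m else None


if __name__ == "__main__":
    rec = map_to_custom_string(parse_cef(SAMPLE_CEF), "ad.srccountry", "cs1")
    print(rec["header"])
    print(rec["extensions"])
    print("regex on sample:", regex_extract(SAMPLE_CEF))
    print("regex on trailing key:",
          regex_extract("CEF:0|V|P|1|1|n|3|src=192.0.2.10 ad.srccountry=Reserved"))
```

The tokenizer keeps the original ad.srccountry key next to cs1/cs1Label, so a query against the table can always tell which vendor field a custom string came from; the regex comparison shows why a pattern anchored on trailing whitespace needs a test case where the wanted key is the final token.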
Mar 07 2022 07:59 AM
Mar 07 2022 08:08 AM - edited Mar 07 2022 08:10 AM
Thank you @Clive_Watson, but ideally I want to place the ad.srccountry variable in cs1.
Configuring this at the syslog forwarder server side is much cleaner and easier to work with. Would you happen to know how to do this?
Mar 07 2022 08:20 AM
@skarol1337 Sorry, I don't, hence my alternative method; hopefully someone else will know.
Apr 12 2022 12:37 PM
Oct 18 2022 04:16 PM