Microsoft Tech Community

Syslog host IP issues


Has anybody run into an issue with syslog where IP addresses show up in the SyslogMessage column but not in the HostIP column? I am seeing SSH attempts from IPs, but the originating IP is in the SyslogMessage description while HostIP shows unknown or 127.0.0.1. I believe this could also be what is causing my potentially malicious event map to show "No Data Was Found".

Any help would be greatly appreciated!
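An added example (not from the thread): a KQL query over the Sentinel Syslog table that recovers the source address from the sshd message text whenever HostIP is empty, unknown or 127.0.0.1, so failed logins can still be counted per source. It assumes the standard Syslog table columns (TimeGenerated, Computer, HostIP, ProcessName, SyslogMessage) and the OpenSSH wording "... from <ip> port <n> ..."; the 10-attempt threshold is an arbitrary assumption.

```kql
// Added example, not code from the original post.
// Assumes the standard Sentinel Syslog table and OpenSSH-style sshd messages.
Syslog
| where TimeGenerated > ago(24h)
| where ProcessName =~ "sshd"
// Common sshd failure wordings; extend the list to match your distribution.
| where SyslogMessage has_any ("Failed password", "Invalid user", "authentication failure")
// Pull the IPv4 address that follows "from" and precedes "port" in the message text.
| extend SourceIP = extract(@"from\s+(\d{1,3}(?:\.\d{1,3}){3})\s+port", 1, SyslogMessage)
// Prefer HostIP when the agent filled it in; otherwise fall back to the parsed address.
// in~ is case-insensitive, so "unknownIP" and "unknownip" both match.
| extend EffectiveIP = iff(isempty(HostIP) or HostIP in~ ("unknown", "unknownip", "127.0.0.1"),
                           SourceIP, HostIP)
| where isnotempty(EffectiveIP)
| summarize Attempts = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by Computer, EffectiveIP
// Arbitrary threshold (assumption) to surface brute-force style activity.
| where Attempts >= 10
// Geolocate the recovered address so a map visual has something to plot.
| extend Geo = geo_info_from_ip_address(EffectiveIP)
| extend Country = tostring(Geo.country), City = tostring(Geo.city)
| project-away Geo
| order by Attempts desc
```

EffectiveIP can be used as the location field in a map visual in place of HostIP, which is the column the empty event map depends on.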

2 Replies

Hi,

Is this syslog from a local machine with the agent? Or syslog CEF, where a message is being sent via CEF to a machine with the agent?

Either way, could you share the source message format and a screen capture of the data in the Azure Sentinel workspace?

I have the same issue: one Linux machine is a proxy and another Linux machine runs rsyslog and sends its logs to the proxy. The log appears correctly in Sentinel, but HostIP says unknownip.
Can anyone help me?
Many thanks,
Guido