Important
Azure Sentinel is currently in public preview. This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see Supplemental Terms of Use for Microsoft Azure Previews.
You can connect Azure Sentinel with an external solution that enables you to save log files in Syslog. If your appliance enables you to save logs as Syslog Common Event Format (CEF), the integration with Azure Sentinel enables you to easily run analytics and queries across the data.
Note
Data is stored in the geographic location of the workspace on which you are running Azure Sentinel.
How it works
The connection between Azure Sentinel and your CEF appliance takes place in three steps:
- On the appliance, set these values so that the appliance sends the necessary logs in the necessary format to the Azure Sentinel Syslog agent. You can modify these parameters in your appliance, as long as you also modify them in the Syslog daemon on the Azure Sentinel agent.
  - Protocol = UDP
  - Port = 514
  - Facility = Local-4
  - Format = CEF
- The Syslog agent collects the data and sends it securely to Log Analytics, where it is parsed and enriched.
- The agent stores the data in a Log Analytics workspace so it can be queried as needed, using analytics, correlation rules, and dashboards.
Note
The agent can collect logs from multiple sources, but must be installed on a dedicated proxy machine.
Step 1: Connect to your CEF appliance via dedicated Azure VM
You need to deploy an agent on a dedicated Linux machine (VM or on-premises) to support the communication between the appliance and Azure Sentinel. You can deploy the agent automatically or manually. Automatic deployment is based on Resource Manager templates and can be used only if your dedicated Linux machine is a new VM you are creating in Azure.
Alternatively, you can deploy the agent manually on an existing Azure VM, on a VM in another cloud, or on an on-premises machine.
Deploy the agent in Azure
In the Azure Sentinel portal, click Data connectors and select your appliance type.
Under Linux Syslog agent configuration:
- Choose Automatic deployment if you want to create a new machine that is pre-installed with the Azure Sentinel agent and includes all the configuration necessary, as described above. Select Automatic deployment and click Automatic agent deployment. This takes you to the purchase page for a dedicated Linux VM that is automatically connected to your workspace. The VM is a standard D2s v3 (2 vCPUs, 8 GB memory) and has a public IP address.
  - In the Custom deployment page, provide your details, choose a username and a password and, if you agree to the terms and conditions, purchase the VM.
  - Configure your appliance to send logs using the settings listed in the connection page. For the Generic Common Event Format connector, use these settings:
    - Protocol = UDP
    - Port = 514
    - Facility = Local-4
    - Format = CEF
- Choose Manual deployment if you want to use an existing VM as the dedicated Linux machine onto which the Azure Sentinel agent should be installed.
  - Under Download and install the Syslog agent, select Azure Linux virtual machine.
  - In the Virtual machines screen that opens, select the machine you want to use and click Connect.
  - In the connector screen, under Configure and forward Syslog, set whether your Syslog daemon is rsyslog.d or syslog-ng.
  - Copy these commands and run them on your appliance:
If you selected rsyslog.d:
Tell the Syslog daemon to forward messages logged to facility local4 to the Azure Sentinel agent on port 25226 (the outer double quotes are needed because the printf argument itself is single-quoted):
sudo bash -c "printf 'local4.debug @127.0.0.1:25226' > /etc/rsyslog.d/security-config-omsagent.conf"
Download and install the security_events config file that configures the Syslog agent to listen on port 25226.
sudo wget -O /etc/opt/microsoft/omsagent/{0}/conf/omsagent.d/security_events.conf 'https://aka.ms/syslog-config-file-linux'
Where {0} should be replaced with your workspace GUID.
Restart the syslog daemon:
sudo service rsyslog restart
For more information, see the rsyslog documentation.
If you selected syslog-ng:
Tell the Syslog daemon to forward messages logged to facility local4 to the Azure Sentinel agent on port 25226 (the \n sequences are interpreted by printf, so the file is written as three lines):
sudo bash -c "printf 'filter f_local4_oms { facility(local4); };\n destination security_oms { tcp(\"127.0.0.1\" port(25226)); };\n log { source(src); filter(f_local4_oms); destination(security_oms); };' > /etc/syslog-ng/security-config-omsagent.conf"
Download and install the security_events config file that configures the Syslog agent to listen on port 25226.
sudo wget -O /etc/opt/microsoft/omsagent/{0}/conf/omsagent.d/security_events.conf 'https://aka.ms/syslog-config-file-linux'
Where {0} should be replaced with your workspace GUID.
Restart the syslog daemon:
sudo service syslog-ng restart
For more information, see the syslog-ng documentation.
- Restart the Syslog agent using this command:
sudo /opt/microsoft/omsagent/bin/service_control restart [{workspace GUID}]
- Confirm that there are no errors in the agent log by running this command:
tail /var/opt/microsoft/omsagent/log/omsagent.log
To use the relevant schema in Log Analytics for the CEF events, search for CommonSecurityLog.
Deploy the agent on an on-premises Linux server
If you aren't using Azure, manually deploy the Azure Sentinel agent to run on a dedicated Linux server.
- In the Azure Sentinel portal, click Data connectors and select your appliance type.
- To create a dedicated Linux VM, under Linux Syslog agent configuration choose Manual deployment.
- Under Download and install the Syslog agent, select Non-Azure Linux machine.
- In the Direct agent screen that opens, select Agent for Linux to download the agent or run this command to download it on your Linux machine:
wget https://raw.githubusercontent.com/Microsoft/OMS-Agent-for-Linux/master/installer/scripts/onboard_agent.sh && sh onboard_agent.sh -w {workspace GUID} -s gehIk/GvZHJmqlgewMsIcth8H6VqXLM9YXEpu0BymnZEJb6mEjZzCHhZgCx5jrMB1pVjRCMhn+XTQgDTU3DVtQ -d opinsights.azure.com
- In the connector screen, under Configure and forward Syslog, set whether your Syslog daemon is rsyslog.d or syslog-ng.
- Copy these commands and run them on your appliance:
  - If you selected rsyslog:
    Tell the Syslog daemon to forward messages logged to facility local4 to the Azure Sentinel agent on port 25226:
    sudo bash -c "printf 'local4.debug @127.0.0.1:25226' > /etc/rsyslog.d/security-config-omsagent.conf"
    Download and install the security_events config file that configures the Syslog agent to listen on port 25226.
    sudo wget -O /etc/opt/microsoft/omsagent/{0}/conf/omsagent.d/security_events.conf 'https://aka.ms/syslog-config-file-linux'
    Where {0} should be replaced with your workspace GUID.
    Restart the syslog daemon:
    sudo service rsyslog restart
  - If you selected syslog-ng:
    Tell the Syslog daemon to forward messages logged to facility local4 to the Azure Sentinel agent on port 25226:
    sudo bash -c "printf 'filter f_local4_oms { facility(local4); };\n destination security_oms { tcp(\"127.0.0.1\" port(25226)); };\n log { source(src); filter(f_local4_oms); destination(security_oms); };' > /etc/syslog-ng/security-config-omsagent.conf"
    Download and install the security_events config file that configures the Syslog agent to listen on port 25226.
    sudo wget -O /etc/opt/microsoft/omsagent/{0}/conf/omsagent.d/security_events.conf 'https://aka.ms/syslog-config-file-linux'
    Where {0} should be replaced with your workspace GUID.
    Restart the syslog daemon:
    sudo service syslog-ng restart
- Restart the Syslog agent using this command:
sudo /opt/microsoft/omsagent/bin/service_control restart [{workspace GUID}]
- Confirm that there are no errors in the agent log by running this command:
tail /var/opt/microsoft/omsagent/log/omsagent.log
To use the relevant schema in Log Analytics for the CEF events, search for CommonSecurityLog.
Step 2: Forward Common Event Format (CEF) logs to Syslog agent
Set your security solution to send Syslog messages in CEF format to your Syslog agent. Make sure you use the same parameters that appear in your agent configuration. These are usually:
- Port 514
- Facility local4
Step 3: Validate connectivity
It may take upwards of 20 minutes until your logs start to appear in Log Analytics.
Make sure you use the right facility. The facility must be the same in your appliance and in Azure Sentinel. You can check which facility you're using in Azure Sentinel and modify it in the file security-config-omsagent.conf.
Make sure that your logs are getting to the right port in the Syslog agent. Run this command on the Syslog agent machine:
tcpdump -A -ni any port 514 -vv
This command shows you the logs that stream from the device to the Syslog machine. Make sure that logs are being received from the source appliance on the right port and right facility. Make sure that the logs you send comply with RFC 5424.
On the computer running the Syslog agent, make sure that ports 514 and 25226 are open and listening, using the command:
netstat -a -n
For more information about using this command, see netstat(8) - Linux man page. If the ports are listening properly, they appear in the netstat output with a listening or receiving socket.
Make sure the daemon is set to listen on port 514, on which you're sending the logs.
For rsyslog:
Make sure that the file /etc/rsyslog.conf includes the configuration that loads a Syslog input module and listens on port 514. For more information, see imudp: UDP Syslog Input Module and imtcp: TCP Syslog Input Module.
For syslog-ng:
Make sure that the file /etc/syslog-ng/syslog-ng.conf includes the configuration for a source that listens on port 514. For more information, see the syslog-ng Open Source Edition 3.16 - Administration Guide.
Check that there is communication between the Syslog daemon and the agent. Run this command on the Syslog agent machine:
tcpdump -A -ni any port 25226 -vv
This command shows you the logs that stream from the Syslog daemon to the agent. Make sure that the logs are also being received on the agent.
If both of those commands provided successful results, check Log Analytics to see if your logs are arriving. All events streamed from these appliances appear in raw form in Log Analytics under the CommonSecurityLog type.
To check if there are errors or if the logs aren't arriving, look in the agent log:
tail /var/opt/microsoft/omsagent/<workspace id>/log/omsagent.log
If it reports log format mismatch errors, go to /etc/opt/microsoft/omsagent/{0}/conf/omsagent.d/, look at the file security_events.conf, and make sure that your logs match the regex format you see in this file.
Make sure that your Syslog message default size is limited to 2048 bytes (2 KB). If logs are too long, update security_events.conf with this setting:
message_length_limit 4096
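As an added example (not part of the original article or of the Azure Sentinel agent), the following Python script applies the three checks from Steps 2 and 3 to raw syslog lines before they are sent to the daemon: facility local4, a well-formed CEF header, and the 2048-byte message limit. The sample lines, the vendor and product names, and the check_line function are constructed for this example.

```python
import re

LOCAL4 = 20               # RFC 5424 facility code for local4; PRI = facility * 8 + severity
DEFAULT_MAX_BYTES = 2048  # omsagent default message_length_limit discussed on this page
PRI_RE = re.compile(r"^<(\d{1,3})>")
# CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
CEF_RE = re.compile(r"CEF:(\d+)\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|(.*)$")
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")  # key=value pairs in the extension part


def parse_pri(line):
    """Return (facility, severity) from the leading <PRI> field, or None if it is missing."""
    if not (m := PRI_RE.match(line)):
        return None
    pri = int(m.group(1))
    return pri // 8, pri % 8


def parse_cef(line):
    """Return the CEF header fields and extension dict, or None if there is no CEF header."""
    if not (m := CEF_RE.search(line)):
        return None
    vendor, product, version, sig_id, name, severity, ext = m.groups()[1:]
    return {"vendor": vendor, "product": product, "version": version, "sig_id": sig_id,
            "name": name, "severity": severity, "ext": dict(EXT_RE.findall(ext))}


def check_line(line, max_bytes=DEFAULT_MAX_BYTES):
    """List the problems the checks in Step 3 would surface for one raw line (empty = OK)."""
    problems = []
    size = len(line.encode("utf-8"))
    if size > max_bytes:
        problems.append(f"message is {size} bytes, over the {max_bytes}-byte limit")
    pri = parse_pri(line)
    if pri is None:
        problems.append("no <PRI> header: not a syslog message")
    elif pri[0] != LOCAL4:
        problems.append(f"facility {pri[0]} is not local4 ({LOCAL4}); the daemon filter drops it")
    if parse_cef(line) is None:
        problems.append("no CEF header: CommonSecurityLog will not match the regex")
    return problems


# Constructed sample lines (not captured from a real appliance); vendor/product names are made up
SAMPLES = [
    "<164>Jan 10 12:00:00 fw01 CEF:0|ExampleVendor|ExampleFW|1.0|100|Blocked connection|5|src=10.0.0.1 dst=10.0.0.2 dpt=443",
    "<14>Jan 10 12:00:01 fw01 CEF:0|ExampleVendor|ExampleFW|1.0|100|Blocked connection|5|src=10.0.0.1",
    "<164>Jan 10 12:00:02 fw01 plain text that is not CEF",
    "<164>Jan 10 12:00:03 fw01 CEF:0|ExampleVendor|ExampleFW|1.0|100|Long|5|msg=" + "A" * 2100,
]
if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_line(sample) or "OK", "<-", sample[:60])
```

Pipe a capture from the tcpdump command above through the script to see which of the three conditions a rejected line fails before digging through omsagent.log.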
Next steps
In this document, you learned how to connect CEF appliances to Azure Sentinel. To learn more about Azure Sentinel, see the following articles:
- Learn how to get visibility into your data, and potential threats.
- Get started detecting threats with Azure Sentinel.