Skip to main content

Search

Sending alerts to Microsoft Sentinel with syslog

  • Updated

 

Description: Sentinel supports ingesting RFC 5424 syslog messages from external sources through the use of a Log forwarder. Microsoft's documentation on the deployment is available here.

This guide assumes you have a Linux VM running within your Azure environment with Microsoft's prerequisites here. As well as have the CEF collector agent installed here.

In summary, to start off this guide you'll need:

  • Microsoft Sentinel added to a workspace.
  • A Linux VM setup with the CEF forwarder agent installed and forwarding logs.
  • Port 514 opened on the log forwarder VM security group.

Step 1: Console Configuration

Contact Support@canary.tools to have your Log forwarder configured onto your Console.

We'll need the following details of the setup:

Hostname / IP

Port (514 Default)

Protocol (TCP/UDP)

TLS Certificate (Optional but recommended.)

 

Once configured, details are available in the Global Settings -> Syslog menu on your Canary Console.

 

Note: Syslog message transport can be tested by sending a couple test messages to your forwarder. Head over to the "Syslog" menu option, type a number in "Send N Test Messages", then press "Test".

mceclip1.png

Establish a SSH shell on your forwarder and listen for the messages with the below command.

sudo tcpdump -A -ni any port 514 -vv

Step 2: Data Connector Configuration

Once you've confirmed messages are arriving from your Canary Console to your log forwarder, we'll now configure the logs to be forwarded to your Sentinel instance.

Head over to your Sentinel instance within the Azure portal, select the Data connectors slide out menu then filter for the Syslog connector.

Select Open connector page.

mceclip3.png

Select the Open your workspace agents configuration to setup the logging facilities required to get syslog messages into Sentinel logs.

mceclip4.png

Select the Syslog tab then Add facility, finally select the local0 line item and ensure the Critical checkbox is selected.

Apply the changes once complete.

This ensures your agent is forwarding your Console syslog messages into Sentinel's logging.

mceclip6.png

Step 3: Checking logs

Console logs can be queried by heading over to your Sentinel instance, then selecting the "Logs" slide out menu.

Selecting LogManagement, then Syslog, allows you to check all incoming raw syslog messages.

mceclip7.png

You're done! ;-)

Was this article helpful?
2 out of 2 found this helpful
Return to top