Skip to main content

Search

Sending alerts to Microsoft Sentinel with syslog

Description: Sentinel supports ingesting RFC 5424 syslog messages from external sources through the use of the Azure Monitor Agent (AMA). Microsoft's documentation on the deployment is available here.

This guide assumes you have a Linux VM running within your Azure environment with Microsoft's prerequisites here.

In summary, to start off this guide you'll need:

  • Microsoft Sentinel added to a workspace.
  • A Linux VM setup with the AMA installed and forwarding logs.
  • Port 514 (or your custom one) opened on the log forwarder VM security group.
  • Optional - TLS can be setup based on your preferred syslog daemon:

5424-forwarder-diagram.png

Step 1: Data Connector Configuration

Head over to your Azure Sentinel deployment, then Data connectors, and finally Content hub.

Search for "Syslog via AMA" to reveal the Syslog data connector, then install the package if not installed already.

With the Syslog via AMA data connector installed, head over to your Sentinel instances Data connectors page, then open the connector page for Syslog via AMA.

Select Create data collection rule

Name your DCR.

Select your Log forwarding VM.

Select your minimum log collection level. By default we send local0.crit tagged messages.

Validate and create your DCR.

With the DCR created and installed, grab and run the installation script on your syslog forwarder VM.

Step 2: Validate Data Flow

Confirm your syslog daemon is listening on your port of choice. 

Send a test RFC5424 message:

echo -n "<10>1 $(date -u +"%Y-%m-%dT%H:%M:%S.%NZ") localhost canary 1234 - Hello World Chirp Chirp!" | nc -u -w0 localhost 514

Step 3: Console Configuration

Contact Support@canary.tools to have your Log forwarder configured onto your Console.

We'll need the following details of the setup:

Hostname / IP

Port (514 Default)

Protocol (TCP/UDP)

TLS Certificate (Optional but recommended.)

Once configured, details are available in the Global Settings -> Syslog menu on your Canary Console.

Note: Syslog message transport can be tested by sending a couple test messages to your forwarder. Head over to the "Syslog" menu option, type a number in "Send N Test Messages", then press "Test".

mceclip1.png

Step 4: Checking logs

Console logs can be queried by heading over to your Sentinel instance, then selecting the "Logs" slide out menu.

Selecting LogManagement, then Syslog, allows you to check all incoming raw syslog messages.

Logs can also be easily found using the below query.

Syslog 
| where ProcessName == "ThinkstCanary"

You're done! ;-)

Was this article helpful?
2 out of 2 found this helpful
Return to top