Description: Sentinel supports ingesting RFC 5424 syslog messages from external sources through the use of the Azure Monitor Agent (AMA). Microsoft's documentation on the deployment is available here.
This guide assumes you have a Linux VM running within your Azure environment with Microsoft's prerequisites here.
In summary, to start off this guide you'll need:
- Microsoft Sentinel added to a workspace.
- A Linux VM set up with the AMA installed and forwarding logs.
- Port 514 (or your custom one) opened on the log forwarder VM security group.
- Optional - TLS can be set up based on your preferred syslog daemon.
Step 1: Data Connector Configuration
Head over to your Azure Sentinel deployment, then Data connectors, and finally Content hub.
Search for "Syslog via AMA" to reveal the Syslog data connector, then install the package if not installed already.
With the Syslog via AMA data connector installed, head over to your Sentinel instance's Data connectors page, then open the connector page for Syslog via AMA.
Select Create data collection rule.
Name your DCR.
Select your Log forwarding VM.
Select your minimum log collection level. By default we send local0.crit tagged messages.
Validate and create your DCR.
With the DCR created and installed, grab and run the installation script on your syslog forwarder VM.
Step 2: Validate Data Flow
Confirm your syslog daemon is listening on your port of choice.
Send a test RFC 5424 message. PRI 130 is local0 (16 * 8) plus crit (2), the default facility and severity noted in Step 1; adjust it to whatever your DCR collects. Both MSGID and STRUCTURED-DATA are "-" so the free-text body lands in the MSG field, and %3N keeps the fractional seconds within the six digits RFC 5424 allows:
echo -n "<130>1 $(date -u +"%Y-%m-%dT%H:%M:%S.%3NZ") localhost canary 1234 - - Hello World Chirp Chirp!" | nc -u -w0 localhost 514
Step 3: Console Configuration
Contact Support@canary.tools to have your Log forwarder configured on your Console.
We'll need the following details of the setup:
Hostname / IP
Port (514 Default)
Protocol (TCP/UDP)
TLS Certificate (Optional but recommended.)
Once configured, details are available in the Global Settings -> Syslog menu on your Canary Console.
Note: Syslog message transport can be tested by sending a couple of test messages to your forwarder. Head over to the "Syslog" menu option, type a number in "Send N Test Messages", then press "Test".
Step 4: Checking logs
Console logs can be queried by heading over to your Sentinel instance, then selecting the "Logs" slide out menu.
Selecting LogManagement, then Syslog, allows you to check all incoming raw syslog messages.
Logs can also be found quickly using the query below.
Syslog
| where ProcessName == "ThinkstCanary"
You can also parse the key="value" pairs in the message body into columns using the KQL query below.
Syslog
| where ProcessName == "ThinkstCanary"
// parse matches the fields positionally, so it expects them in exactly this order
| parse SyslogMessage with * 'Description="' Description '"' * 'Timestamp="' Timestamp '"' * 'CanaryName="' CanaryName '"' * 'CanaryID="' CanaryID '"' * 'CanaryIP="' CanaryIP '"' * 'Flock="' Flock '"' * 'SourceIP="' SourceIP '"' * 'CanaryLocation="' CanaryLocation '"' * 'ReverseDNS="' ReverseDNS '"' * 'eventid="' eventid '"' * 'Settings="' Settings '"' * 'BackgroundContext="' BackgroundContext '"' *
// extract() re-derives each column independently from the raw message, so a missing or reordered field only affects its own column
| extend Description = extract("Description=\"([^\"]+)\"", 1, SyslogMessage)
| extend Timestamp = extract("Timestamp=\"([^\"]+)\"", 1, SyslogMessage)
| extend CanaryName = extract("CanaryName=\"([^\"]+)\"", 1, SyslogMessage)
| extend CanaryID = extract("CanaryID=\"([^\"]+)\"", 1, SyslogMessage)
| extend CanaryIP = extract("CanaryIP=\"([^\"]+)\"", 1, SyslogMessage)
| extend Flock = extract("Flock=\"([^\"]+)\"", 1, SyslogMessage)
| extend SourceIP = extract("SourceIP=\"([^\"]+)\"", 1, SyslogMessage)
| extend CanaryLocation = extract("CanaryLocation=\"([^\"]+)\"", 1, SyslogMessage)
| extend ReverseDNS = extract("ReverseDNS=\"([^\"]+)\"", 1, SyslogMessage)
| extend eventid = extract("eventid=\"([^\"]+)\"", 1, SyslogMessage)
| extend Settings = extract("Settings=\"([^\"]+)\"", 1, SyslogMessage)
| extend BackgroundContext = extract("BackgroundContext=\"([^\"]+)\"", 1, SyslogMessage)
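The following script ties Step 2 and Step 4 together: it builds an RFC 5424 test message whose body carries the same key="value" fields the KQL query above parses, checks that something is bound to the forwarder's UDP port before sending, and pulls a field back out with the same pattern the KQL extract() uses. This is an added example written for this guide, not Canary or Microsoft tooling; all field values are constructed samples, and the hostname and port are placeholders.

```shell
#!/bin/sh
# Added example for the Sentinel syslog guide: RFC 5424 PRI is facility*8 + severity.
pri() { echo $(( $1 * 8 + $2 )); }

# canary_test_msg HOST TIMESTAMP
# PRI 130 = local0 (16) . crit (2), the default the guide says the Console uses.
# APP-NAME "ThinkstCanary" is what the KQL ProcessName filter matches on.
# MSGID and STRUCTURED-DATA are both "-" so the key="value" body starts in MSG.
canary_test_msg() {
  host=$1; ts=$2
  # Constructed sample event in the field order the KQL parse expects.
  body="Description=\"Syslog test message\" Timestamp=\"$ts\" CanaryName=\"test-canary\""
  body="$body CanaryID=\"0000000000000001\" CanaryIP=\"10.0.0.5\" Flock=\"Default Flock\""
  body="$body SourceIP=\"10.0.0.99\" CanaryLocation=\"Lab rack\" ReverseDNS=\"host.lab.example\""
  body="$body eventid=\"999\" Settings=\"none\" BackgroundContext=\"constructed test event\""
  printf '<%s>1 %s %s ThinkstCanary 1234 - - %s' "$(pri 16 2)" "$ts" "$host" "$body"
}

# field NAME MSG -> value of NAME="..." in MSG, mirroring extract("NAME=\"([^\"]+)\"", 1, ...)
field() { printf '%s' "$2" | sed -n "s/.*$1=\"\([^\"]*\)\".*/\1/p"; }

# listening PORT -> success if a UDP socket is bound to PORT (uses iproute2 ss)
listening() { ss -lun 2>/dev/null | grep -q ":$1 "; }

# send_test [PORT]: refuse to send into the void, then fire one message at the
# local forwarder; afterwards run the Step 4 query and confirm every column is filled.
send_test() {
  port=${1:-514}
  listening "$port" || { echo "nothing listening on udp/$port" >&2; return 1; }
  canary_test_msg "$(hostname)" "$(date -u +%Y-%m-%dT%H:%M:%S.%3NZ)" \
    | nc -u -w1 localhost "$port"
}
```

If a column comes back empty in Sentinel while the field is present in SyslogMessage, the forwarder or DCR is altering the body; compare the raw message against what field() returns locally.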