Description: Sentinel supports ingesting RFC 5424 syslog messages from external sources through a log forwarder. Microsoft's documentation on the deployment is available here.
This guide assumes you have a Linux VM running within your Azure environment that meets Microsoft's prerequisites (here) and has the CEF collector agent installed (here).
In summary, to start off this guide you'll need:
- Microsoft Sentinel added to a workspace.
- A Linux VM set up with the CEF forwarder agent installed and forwarding logs.
- Port 514 opened on the log forwarder VM's network security group. Restrict the inbound rule's source to your Console's address rather than any address: the forwarder accepts whatever syslog is delivered to it, and an open port 514 lets anyone inject messages into your Sentinel workspace.
Step 1: Console Configuration
Contact Support@canary.tools to have your Log forwarder configured onto your Console.
We'll need the following details of the setup:
Hostname / IP
Port (514 Default)
Protocol (TCP/UDP)
TLS Certificate (Optional but recommended.)
Once configured, details are available in the Global Settings -> Syslog menu on your Canary Console.
Note: Syslog message transport can be tested by sending a couple of test messages to your forwarder. Head over to the "Syslog" menu option, type a number in "Send N Test Messages", then press "Test".
Establish an SSH shell on your forwarder and listen for the messages with the command below. It captures both TCP and UDP traffic on port 514 across every interface. If you configured TLS, the payload is encrypted, so you will see the packets arrive but not the message text.
sudo tcpdump -A -ni any port 514 -vv
Step 2: Data Connector Configuration
Once you've confirmed messages are arriving from your Canary Console at your log forwarder, configure the agent to forward them on to your Sentinel instance.
Head over to your Sentinel instance within the Azure portal, select the Data connectors slide-out menu, then filter for the Syslog connector.
Select Open connector page.
Select Open your workspace agents configuration to set up the logging facilities required to get syslog messages into Sentinel logs.
Select the Syslog tab, then Add facility, then select the local0 line item and ensure the Critical checkbox is selected. The agent only forwards messages whose facility and severity match what is ticked here, so the selection must correspond to the facility and severity your Console sends; any other severity level on local0 left unchecked is dropped by the agent before it reaches Sentinel.
Apply the changes once complete.
This ensures your agent is forwarding your Console syslog messages into Sentinel's logging.
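The facility/severity check behind Steps 1 and 2, as an added example (not Thinkst Canary's or Microsoft's code): it decodes the `<PRI>` header of syslog lines captured on the forwarder and reports which of them an agent configured for local0 / Critical would actually forward. The hostnames, timestamps and message bodies in SAMPLE_CAPTURE are constructed stand-ins for tcpdump output, not the Console's real syslog content.

```python
"""Decode the <PRI> of captured syslog lines and check them against the
facility/severity the Log Analytics agent is configured to collect.

Added example, not Thinkst Canary or Microsoft code. SAMPLE_CAPTURE is
constructed; the Console's real message text and hostnames are assumptions.
"""
import re

# RFC 5424 section 6.2.1: PRI = facility * 8 + severity.
FACILITY_NAMES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert", "cron2",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Search rather than anchor at column 0: in `tcpdump -A` output the ASCII
# rendering of the IP/UDP or TCP header precedes the payload on the same line.
PRI_RE = re.compile(r"<(\d{1,3})>")


def decode_pri(line):
    """Return (facility_name, severity_name) for the first <PRI> in line."""
    m = PRI_RE.search(line)
    if m is None:
        raise ValueError("no <PRI> header found in: %r" % line[:60])
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal value
        raise ValueError("PRI %d out of range" % pri)
    facility, severity = divmod(pri, 8)
    return FACILITY_NAMES[facility], SEVERITY_NAMES[severity]


def agent_would_collect(line, facility="local0", severities=("crit",)):
    """True if an agent configured for `facility` and the ticked `severities`
    would forward this message into the Sentinel Syslog table."""
    fac, sev = decode_pri(line)
    return fac == facility and sev in severities


def summarize(lines, facility="local0", severities=("crit",)):
    """Split captured lines into (collected, dropped, unparsed) for a config."""
    collected, dropped, unparsed = [], [], []
    for line in lines:
        try:
            keep = agent_would_collect(line, facility, severities)
        except ValueError:
            unparsed.append(line)  # tcpdump header lines, truncated packets
            continue
        (collected if keep else dropped).append(line)
    return collected, dropped, unparsed


# Constructed sample of what `tcpdump -A` might show; not real Console output.
SAMPLE_CAPTURE = [
    # local0.crit -> 16*8 + 2 = 130: matches the guide's agent configuration
    "<130>1 2024-01-01T12:00:00Z console.example.com canary - - - test message 1",
    "<130>1 2024-01-01T12:00:01Z console.example.com canary - - - test message 2",
    # local0.info -> 134: right facility, dropped when only Critical is ticked
    "<134>1 2024-01-01T12:00:02Z console.example.com canary - - - test message 3",
    # local1.crit -> 138: right severity, wrong facility
    "<138>1 2024-01-01T12:00:03Z console.example.com canary - - - test message 4",
    # a tcpdump packet header line carrying no syslog payload
    "12:00:03.000000 IP 203.0.113.10.40000 > 10.0.0.4.514: Flags [P.], length 80",
]

if __name__ == "__main__":
    collected, dropped, unparsed = summarize(SAMPLE_CAPTURE)
    for line in collected:
        print("collected %s.%s  %s" % (*decode_pri(line), line[:50]))
    for line in dropped:
        print("DROPPED   %s.%s  %s" % (*decode_pri(line), line[:50]))
    print("%d collected, %d dropped, %d unparsed" % (len(collected), len(dropped), len(unparsed)))
```

Paste the lines tcpdump prints into SAMPLE_CAPTURE, or feed it the output of a saved capture, and compare the DROPPED entries with the facility and severity checkboxes in the agent configuration: any message listed as dropped is one the agent will silently discard, which is the usual reason test messages show up in tcpdump but never appear in Sentinel.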
Step 3: Checking logs
Console logs can be queried by heading over to your Sentinel instance, then selecting the "Logs" slide-out menu.
Selecting LogManagement, then Syslog, lets you check all incoming raw syslog messages. If the test messages from Step 1 were visible in tcpdump but do not appear here, the facility and severity selected in Step 2 are the first thing to recheck.