Редактиране

Споделяне чрез


Syslog via AMA data connector - Configure specific appliance or device for Microsoft Sentinel data ingestion

Log collection from many security appliances and devices are supported by the Syslog via AMA data connector in Microsoft Sentinel. This article lists provider supplied installation instructions for specific security appliances and devices that use this data connector. Contact the provider for updates, more information, or where information is unavailable for your security appliance or device.

To forward data to your Log Analytics workspace for Microsoft Sentinel, complete the steps in Ingest syslog and CEF messages to Microsoft Sentinel with the Azure Monitor Agent. As you complete those steps, install the Syslog via AMA data connector in Microsoft Sentinel. Then, use the appropriate provider's instructions in this article to complete the setup.

For more information about the related Microsoft Sentinel solution for each of these appliances or devices, search the Azure Marketplace for the Product Type > Solution Templates or review the solution from the Content hub in Microsoft Sentinel.

Barracuda CloudGen Firewall

Follow instructions to configure syslog streaming. Use the IP address or hostname for the Linux machine with the Microsoft Sentinel agent installed for the Destination IP address.

Blackberry CylancePROTECT

Follow these instructions to configure the CylancePROTECT to forward syslog. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address.

Cisco Application Centric Infrastructure (ACI)

Configure Cisco ACI system to send logs via syslog to the remote server where you install the agent. Follow these steps to configure Syslog Destination, Destination Group, and Syslog Source.

This data connector was developed using Cisco ACI Release 1.x.

Cisco Identity Services Engine (ISE)

Follow these instructions to configure remote syslog collection locations in your Cisco ISE deployment.

Cisco Stealthwatch

Complete the following configuration steps to get Cisco Stealthwatch logs into Microsoft Sentinel.

  1. Sign in to the Stealthwatch Management Console (SMC) as an administrator.

  2. In the menu bar, select Configuration > Response Management.

  3. From the Actions section in the Response Management menu, select Add > Syslog Message.

  4. In the Add Syslog Message Action window, configure parameters.

  5. Enter the following custom format:

    |Lancope|Stealthwatch|7.3|{alarm_type_id}|0x7C|src={source_ip}|dst={target_ip}|dstPort={port}|proto={protocol}|msg={alarm_type_description}|fullmessage={details}|start={start_active_time}|end={end_active_time}|cat={alarm_category_name}|alarmID={alarm_id}|sourceHG={source_host_group_names}|targetHG={target_host_group_names}|sourceHostSnapshot={source_url}|targetHostSnapshot={target_url}|flowCollectorName={device_name}|flowCollectorIP={device_ip}|domain={domain_name}|exporterName={exporter_hostname}|exporterIPAddress={exporter_ip}|exporterInfo={exporter_label}|targetUser={target_username}|targetHostname={target_hostname}|sourceUser={source_username}|alarmStatus={alarm_status}|alarmSev={alarm_severity_name}

  6. Select the custom format from the list and OK.

  7. Select Response Management > Rules.

  8. Select Add and Host Alarm.

  9. Provide a rule name in the Name field.

  10. Create rules by selecting values from the Type and Options menus. To add more rules, select the ellipsis icon. For a Host Alarm, combine as many possible types in a statement as possible.

This data connector was developed using Cisco Stealthwatch version 7.3.2

Cisco Unified Computing Systems (UCS)

Follow these instructions to configure the Cisco UCS to forward syslog. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address.

Note

The functionality of this data connector is reliant on a Kusto Function-based parser, which is integral to its operation. This parser is deployed as part of the solution installation.

Update the parser and specify the hostname of the source machines transmitting the logs in the parser's first line.

To access the function code within Log Analytics, navigate to the Log Analytics/Microsoft Sentinel Logs section, select Functions, and search for the alias CiscoUCS. Alternatively, directly load the function code. It might take about 15-minutes post-installation to update.

Cisco Web Security Appliance (WSA)

Configure Cisco to forward logs via syslog to the remote server where you install the agent. Follow these steps to configure Cisco WSA to forward logs via Syslog

Select Syslog Push as a Retrieval Method.

This data connector was developed using AsyncOS 14.0 for Cisco Web Security Appliance

Citrix Application Delivery Controller (ADC)

Configure Citrix ADC (former NetScaler) to forward logs via Syslog.

  1. Navigate to Configuration tab > System > Auditing > Syslog > Servers tab
  2. Specify Syslog action name.
  3. Set IP address of remote Syslog server and port.
  4. Set Transport type as TCP or UDP depending on your remote syslog server configuration.
  5. For more information, see the Citrix ADC (former NetScaler) documentation.

Note

The functionality of this data connector is reliant on a Kusto Function-based parser, which is integral to its operation. This parser is deployed as part of the solution installation. To access the function code within Log Analytics, navigate to the Log Analytics/Microsoft Sentinel Logs section, select Functions, and search for the alias CitrixADCEvent. Alternatively, you can directly load the function code. It might take about 15 minutes post-installation to update.

This parser requires a watchlist named Sources_by_SourceType.

i. If you don't have watchlist already created, create a watchlist from Microsoft Sentinel in the Azure portal.

ii. Open watchlist Sources_by_SourceType and add entries for this data source.

ii. The SourceType value for CitrixADC is CitrixADC. For more information, see Manage Advanced Security Information Model (ASIM) parsers.

Digital Guardian Data Loss Prevention

Complete the following steps to configure Digital Guardian to forward logs via Syslog:

  1. Sign in to the Digital Guardian Management Console.
  2. Select Workspace > Data Export > Create Export.
  3. From the Data Sources list, select Alerts or Events as the data source.
  4. From the Export type list, select Syslog.
  5. From the Type list, select UDP, or TCP as the transport protocol.
  6. In the Server field, type the IP address of your remote syslog server.
  7. In the Port field, type 514 (or other port if your syslog server was configured to use nondefault port).
  8. From the Severity Level list, select a severity level.
  9. Select the Is Active check box.
  10. Select Next.
  11. From the list of available fields, add Alert or Event fields for your data export.
  12. Select a Criteria for the fields in your data export and Next.
  13. Select a group for the criteria and Next.
  14. Select Test Query.
  15. Select Next.
  16. Save the data export.

ESET Protect integration

Configure ESET PROTECT to send all events through Syslog.

  1. Follow these instructions to configure syslog output. Make sure to select BSD as the format and TCP as the transport.
  2. Follow these instructions to export all logs to syslog. Select JSON as the output format.

Exabeam Advanced Analytics

Follow these instructions to send Exabeam Advanced Analytics activity log data via syslog.

This data connector was developed using Exabeam Advanced Analytics i54 (Syslog)

Forescout

Complete the following steps to get Forescout logs into Microsoft Sentinel.

  1. Select an Appliance to Configure.
  2. Follow these instructions to forward alerts from the Forescout platform to a syslog server.
  3. Configure the settings in the Syslog Triggers tab.

This data connector was developed using Forescout Syslog Plugin version: v3.6

Gitlab

Follow these instructions to send Gitlab audit log data via syslog.

ISC Bind

  1. Follow these instructions to configure the ISC Bind to forward syslog: DNS Logs.
  2. Configure syslog to send the syslog traffic to the agent. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address.

Infoblox Network Identity Operating System (NIOS)

Follow these instructions to enable syslog forwarding of Infoblox NIOS Logs. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address.

Note

The functionality of this data connector is reliant on a Kusto Function-based parser, which is integral to its operation. This parser is deployed as part of the solution installation.

To access the function code within Log Analytics, navigate to the Log Analytics/Microsoft Sentinel Logs section, select Functions, and search for the alias Infoblox. Alternatively, you can directly load the function code. It might take about 15 minutes post-installation to update.

This parser requires a watchlist named Sources_by_SourceType.

i. If you don't have watchlist already created, create a watchlist from Microsoft Sentinel in the Azure portal.

ii. Open watchlist Sources_by_SourceType and add entries for this data source.

ii. The SourceType value for InfobloxNIOS is InfobloxNIOS.

For more information, see Manage Advanced Security Information Model (ASIM) parsers.

Ivanti Unified Endpoint Management

Follow the instructions to set up Alert Actions to send logs to syslog server.

This data connector was developed using Ivanti Unified Endpoint Management Release 2021.1 Version 11.0.3.374

Juniper SRX

  1. Complete the following instructions to configure the Juniper SRX to forward syslog:

  2. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address.

McAfee Network Security Platform

Complete the following configuration steps to get McAfee® Network Security Platform logs into Microsoft Sentinel.

  1. Forward alerts from the manager to a syslog server.

  2. You must add a syslog notification profile. While creating profile, to make sure that events are formatted correctly, enter the following text in the Message text box:

    <SyslogAlertForwarderNSP>:|SENSOR_ALERT_UUID|ALERT_TYPE|ATTACK_TIME|ATTACK_NAME|ATTACK_ID |ATTACK_SEVERITY|ATTACK_SIGNATURE|ATTACK_CONFIDENCE|ADMIN_DOMAIN|SENSOR_NAME|INTERFACE |SOURCE_IP|SOURCE_PORT|DESTINATION_IP|DESTINATION_PORT|CATEGORY|SUB_CATEGORY |DIRECTION|RESULT_STATUS|DETECTION_MECHANISM|APPLICATION_PROTOCOL|NETWORK_PROTOCOL|

This data connector was developed using McAfee® Network Security Platform version: 10.1.x.

McAfee ePolicy Orchestrator

Contact the provider for guidance on how to register a syslog server.

Microsoft Sysmon For Linux

This data connector depends on ASIM parsers based on a Kusto Functions to work as expected. Deploy the parsers.

The following functions are deployed:

  • vimFileEventLinuxSysmonFileCreated, vimFileEventLinuxSysmonFileDeleted
  • vimProcessCreateLinuxSysmon, vimProcessTerminateLinuxSysmon
  • vimNetworkSessionLinuxSysmon

Read more

Nasuni

Follow the instructions in the Nasuni Management Console Guide to configure Nasuni Edge Appliances to forward syslog events. Use the IP address or hostname of the Linux device running the Azure Monitor Agent in the Servers configuration field for the syslog settings.

OpenVPN

Install the agent on the Server where the OpenVPN are forwarded. OpenVPN server logs are written into common syslog file (depending on the Linux distribution used: e.g. /var/log/messages).

Oracle Database Audit

Complete the following steps.

  1. Create the Oracle database Follow these steps.
  2. Sign in to the Oracle database you created. Follow these steps.
  3. Enable unified logging over syslog by Alter the system to enable unified logging Following these steps.
  4. Create and enable an Audit policy for unified auditing Follow these steps.
  5. Enabling syslog and Event Viewer Captures for the Unified Audit Trail Follow these steps.

Pulse Connect Secure

Follow the instructions to enable syslog streaming of Pulse Connect Secure logs. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address.

Note

The functionality of this data connector is reliant on a Kusto Function-based parser, which is integral to its operation. This parser is deployed as part of the solution installation.

Update the parser and specify the hostname of the source machines transmitting the logs in the parser's first line.

To access the function code within Log Analytics, navigate to the Log Analytics/Microsoft Sentinel Logs section, select Functions, and search for the alias PulseConnectSecure. Alternatively, directly load the function code. It might take about 15 minutes post-installation to update.

RSA SecurID

Complete the following steps to get RSA® SecurID Authentication Manager logs into Microsoft Sentinel. Follow these instructions to forward alerts from the Manager to a syslog server.

Note

The functionality of this data connector is reliant on a Kusto Function-based parser, which is integral to its operation. This parser is deployed as part of the solution installation.

Update the parser and specify the hostname of the source machines transmitting the logs in the parser's first line.

To access the function code within Log Analytics, navigate to the Log Analytics/Microsoft Sentinel Logs section, select Functions, and search for the alias RSASecurIDAMEvent. Alternatively, you can directly load the function code. It might take about 15 minutes post-installation to update.

This data connector was developed using RSA SecurID Authentication Manager version: 8.4 and 8.5

Sophos XG Firewall

Follow these instructions to enable syslog streaming. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address.

Note

The functionality of this data connector is reliant on a Kusto Function-based parser, which is integral to its operation. This parser is deployed as part of the solution installation.

Update the parser and specify the hostname of the source machines transmitting the logs in the parser's first line. To access the function code within Log Analytics, navigate to the Log Analytics/Microsoft Sentinel Logs section, select Functions, and search for the alias SophosXGFirewall. Alternatively, directly load the function code. It might take about 15 minutes post-installation to update.

Symantec Endpoint Protection

Follow these instructions to configure the Symantec Endpoint Protection to forward syslog. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address.

Note

The functionality of this data connector is reliant on a Kusto Function-based parser, which is integral to its operation. This parser is deployed as part of the solution installation.

Update the parser and specify the hostname of the source machines transmitting the logs in the parser's first line. To access the function code within Log Analytics, navigate to the Log Analytics/Microsoft Sentinel Logs section, select Functions, and search for the alias SymantecEndpointProtection. Alternatively, you can directly load the function code. It might take about 15 minutes post-installation to update.

Symantec ProxySG

  1. Sign in to the Blue Coat Management Console.

  2. Select Configuration > Access Logging > Formats.

  3. Select New.

  4. Enter a unique name in the Format Name field.

  5. Select the radio button for Custom format string and paste the following string into the field.

    1 $(date) $(time) $(time-taken) $(c-ip) $(cs-userdn) $(cs-auth-groups) $(x-exception-id) $(sc-filter-result) $(cs-categories) $(quot)$(cs(Referer))$(quot) $(sc-status) $(s-action) $(cs-method) $(quot)$(rs(Content-Type))$(quot) $(cs-uri-scheme) $(cs-host) $(cs-uri-port) $(cs-uri-path) $(cs-uri-query) $(cs-uri-extension) $(quot)$(cs(User-Agent))$(quot) $(s-ip) $(sr-bytes) $(rs-bytes) $(x-virus-id) $(x-bluecoat-application-name) $(x-bluecoat-application-operation) $(cs-uri-port) $(x-cs-client-ip-country) $(cs-threat-risk)

  6. Select OK.

  7. Select Applyn.

  8. Follow these instructions to enable syslog streaming of Access logs. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address

Note

The functionality of this data connector is reliant on a Kusto Function-based parser, which is integral to its operation. This parser is deployed as part of the solution installation.

Update the parser and specify the hostname of the source machines transmitting the logs in the parser's first line.

To access the function code within Log Analytics, navigate to the Log Analytics/Microsoft Sentinel Logs section, select Functions, and search for the alias SymantecProxySG. Alternatively, directly load the function code. It might take about 15 minutes post-installation to update.

Symantec VIP

Follow these instructions to configure the Symantec VIP Enterprise Gateway to forward syslog. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address.

Note

The functionality of this data connector is reliant on a Kusto Function-based parser, which is integral to its operation. This parser is deployed as part of the solution installation.

Update the parser and specify the hostname of the source machines transmitting the logs in the parser's first line.

To access the function code within Log Analytics, navigate to the Log Analytics/Microsoft Sentinel Logs section, select Functions, and search for the alias SymantecVIP. Alternatively, directly load the function code. It might take about 15 minutes post-installation to update.

VMware ESXi

  1. Follow these instructions to configure the VMware ESXi to forward syslog:

  2. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address.

Note

The functionality of this data connector is reliant on a Kusto Function-based parser, which is integral to its operation. This parser is deployed as part of the solution installation.

Update the parser and specify the hostname of the source machines transmitting the logs in the parser's first line.

To access the function code within Log Analytics, navigate to the Log Analytics/Microsoft Sentinel Logs section, select Functions, and search for the alias VMwareESXi. Alternatively, directly load the function code. It might take about 15 minutes post-installation to update.

WatchGuard Firebox

Follow these instructions to send WatchGuard Firebox log data via syslog.