Syslog Transformation DCR not working

Greg Sneed 20

I need assistance troubleshooting a Syslog Transformation DCR used with Microsoft Sentinel. The Transformation DCR looks to work correctly in the Create Transformation wizard, but doesn't actually filter out the records.

I have a few Syslog/CEF forwarders deployed on premises collecting logs and are receiving both CEF and Syslog data. I've followed this guide https://learn.microsoft.com/en-us/azure/sentinel/cef-syslog-ama-overview?tabs=single#data-ingestion-duplication-avoidance but am still getting CEF data in both the CommonSecurityLog and Syslog tables.

My current Transformation DCR applied to the Syslog table:

source 
| where ProcessName !contains "CEF"

However, running the query below in Log Analytics Workspace (or Sentinel) produces results.

Syslog
| where ProcessName contains "CEF"

As stated above, when I run the transformation filter in the Syslog transformation wizard, it does filter the results as expected. But saving and applying the rule has no effect. The Transformation DCR has been in place for months so I don't think it's a timing issue.

Any help is appreciated!

AnuragSingh-MSFT 21,386 Reputation points

2024-05-30T04:34:41.4633333+00:00

@Greg Sneed, thank you for posting this question on Microsoft Q&A.

Based on the information shared in the question, could you please confirm that no other DCRs/source is configured to send logs to these tables in LA workspace. It might be possible that one of the DCR is configured fine, but there are potentially other DCRs which do not have the transformation query in place.

You could check the source (data sources) of DCR and also the source of logs in LA workspace to confirm that they match up.
Greg Sneed 20 Reputation points

2024-05-30T19:36:20.3433333+00:00
@AnuragSingh-MSFT I appreciate the quick reply!

I'm using Microsoft Sentinel on top of Log Analytics.

I have three DCR's in Azure Monitor:

Standard DCR to ingest Syslog (both Performance Counters and Syslog data)

Sentinel DCR to ingest CEF data

WorkspaceTransform DCR to filter out CEF data bound for the Syslog table (this is the one not working)
AnuragSingh-MSFT 21,386 Reputation points

2024-06-03T11:38:35.7866667+00:00

@Greg Sneed, thank you for the reply.

Couldit be possible that the first DCR (for collection of perf counters and Linux syslog) is also forwarding CEF data to the Syslog tables. Thus, while the 3rd DCR is blocking them, there is no transformation query blocking CEF on the first DCR?

In case adding the ingestion time transformation query on the first DCR does not help, I would suggest reaching out to Azure Support to have this environment reviewed along with the backend logs (if required).
Greg Sneed 20 Reputation points

2024-06-03T12:53:59.2+00:00

I think that is what's happening, but I also think that's what is supposed to happen. DCR #1 above is what applies to the syslog forwarder and tells it what logs to forward to Azure. DCR #3 applies in Azure to the Syslog table and filters what gets ingested into the Syslog table.

Please refer to the link in my original post. If I'm understanding it correctly, I should be able to prevent CEF data from hitting the Syslog table with DCR #3.
Greg Sneed 20 Reputation points

2024-06-04T13:55:16.8633333+00:00

@AnuragSingh-MSFT do you have any updates on this?
AnuragSingh-MSFT 21,386 Reputation points

2024-06-10T07:44:38.5366667+00:00
@Greg Sneed, thank you for the additional information and apologies for the delayed response.

A DCR in itself is a complete pipeline, i.e.,

It has configuration for the source about what needs to be collected (in this case the configuration for the syslog forwarder)

And it also contains transformation (query based) and destination (the destination LA workspace)

Also, note that the configuration of 1 DCR is independent of configuration set for another DCR.

Therefore, if indeed the first DCR is collecting syslog and CEF messages, the transformation query needs to be set on the first DCR and 3rd DCR will not even be required.

Hope this helps.
AnuragSingh-MSFT 21,386 Reputation points

2024-06-14T10:23:33.5133333+00:00

@Greg Sneed, Following-up to check if you had a chance to review the answer provided. If the answer did not help, please add more context/follow-up question for it.
Greg Sneed 20 Reputation points

2024-06-17T12:38:47.9666667+00:00

@AnuragSingh-MSFT I don't think the information you provided is correct. Please refer to the link I posted in my original post. I have 1 DCR for syslog data, and 1 DCR for CEF data. The other item is referred to as an "ingest time transformation" to filter out CEF messages from the Syslog stream. Therefore, I don't think the issue is conflicting DCRs.

If I have something wrong, can you please provide instructions on how to properly setup a single Linux appliance that can forward both Syslog and CEF data to Sentinel / LAW?
AnuragSingh-MSFT 21,386 Reputation points

2024-06-20T11:41:44.9366667+00:00
@Greg Sneed, thank you for the reply. You are right, the information I provided was only partially correct. The following are additional information available which should help clarify the confusion and resolve this issue:

As mentioned earlier, A DCR in itself is a complete pipeline which contains the source, data to collect and option to provide transformation query in itself. For example, consider the scenario of text log ingestion using DCR. In this case, the transformation is part of the same DCR which collects the logs from the machine.

However, for the Syslog DCR created the option to specify the transformation query is not available. In this case, the transformation query can be used on the table directly: For more details, please see Add a transformation to the table

In this case as well, the 3rd DCR is not required, as its configuration will not impact the data collection from the other 2 DCRs.

Hope this helps. Please let me know if you have any questions.
Greg Sneed 20 Reputation points

2024-06-20T14:06:03.18+00:00

@AnuragSingh-MSFT Thank you for the response. What you described is what I have in place. I have a transformation rule setup on the Syslog table. However, that transformation is NOT actually filtering logs. Again, please review my original post. In there I show that my transformation rule is set to filter out some records, but I still see those records in the table. So at this point, the transformation rule is setup based on Microsoft's documentation is not working correctly.
AnuragSingh-MSFT 21,386 Reputation points

2024-06-26T08:01:40.3666667+00:00

@Greg Sneed, following up to check if you had a chance to follow the steps suggested and if it helped.

Based on my discussion with the AMA/DCR team, the steps mentioned above are the options that we have in this scenario. The portal experience of Syslog DCR does not allow for adding the Transform query at the moment, hence ARM templates can be utilized. We are also working on updating the docs with these steps. Apologies for the inconvenience related to this issue.
Greg Sneed 20 Reputation points

2024-06-26T11:56:46.23+00:00

@AnuragSingh-MSFT thank you for the update. That seems to have fixed the issue! Thank you very much for your assistance!
AnuragSingh-MSFT 21,386 Reputation points

2024-06-27T04:11:05.89+00:00

@Greg Sneed , thank you for the confirmation. I am glad that I was able to help you out.

Please click Accept answer so that it can help others in the community looking for help on similar topics.

Accepted answer

AnuragSingh-MSFT 21,386 Reputation points

2024-06-21T04:46:06.0766667+00:00
@Greg Sneed, thank you very much for the reply and apologies that this is taking a while to narrow down/resolve.

I reviewed the scenario, discussion so far and consulted my colleagues in this domain. There is an alternative suggestion to specify the transformation query in the DCR itself. Please check the "DataFlow" details for DCR template

For Syslog DCR, this option is not enabled when creating the DCR from UI. As an alternative, could you please follow the steps below and hopefully this should help:

Locate the DCR in Azure Portal which collects both Syslog and CEF message, i.e., the DCR where the filter needs to be applied.

Go to "Export template" option as shown below and click "Deploy"

On the next step, click "Edit template". Do not modify the name, resource group, region etc. on this page.

Add the transformKql query in the "dataFlows" of this template as shown below:

Click on "Save" and "Review + Create"

The steps above do not create a new DCR (unless you have modified the core properties - name, rg, region etc.) and update the existing DCR to include the TransformKql query.

Hope this helps. Please let me know if you have any questions.

I have also reached out to the respective teams owning this doc to ensure that it gets updated with clear instructions to avoid confusion.
Please sign in to rate this answer.
Suleman Kadiri 0 Reputation points

2024-10-01T12:00:08.6266667+00:00

Hello, I get the following error: "Code": "InvalidTransformQuery", "target": "properties.dataFlows[0]", "message": "Error occurred while compiling query: SemanticError:0x00000006 at 1:73: Undefined symbol: AdditionalExtensions" when trying to add the filter KQL query with AdditionalExtensions being the column I am trying to filter on.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Syslog Transformation DCR not working

0 additional answers

Your answer