Microsoft Sentinel Integration with syslog server

Bhagyesh Telang 1 Reputation point
2022-01-31T11:36:30.003+00:00

I have been trying to connect a solution to syslog server and then to sentinel.
SOC solution --> Syslog Server --> Microsoft Sentinel

I have been getting the logs in the syslog server on port 6515 from the SOC solution (log format RFC 5424). I have set up the SOC solution and the syslog server with TLS certificates, and I am able to see the SOC logs in my syslog server, but those logs are not getting forwarded to Sentinel, although the mock messages sent by cef_troubleshoot.py are visible in Sentinel. What could be the possible cause of this? The regex format given in the security_events_config.conf file is not applicable for my logs. Kindly assist.


2 answers

  1. Clive Watson 7,866 Reputation points MVP Volunteer Moderator
    2023-01-30T14:43:59.6+00:00

    Have you enabled the Syslog data connector in Sentinel? Are you using MMA or AMA? https://learn.microsoft.com/en-gb/azure/azure-monitor/agents/data-sources-syslog

    1 person found this answer helpful.

  2. Kristian Ward 0 Reputation points
    2024-02-05T10:51:57.7266667+00:00

    If you're using the legacy MMA or LAA then you will need to go to the Log Analytics Workspace, under Legacy Agent Management, and check that the facilities that the logs are coming in on are being collected for the correct severity. If you're using the AMA agent you will need to check that your DCR is set to receive the facilities on the correct severity. This will most likely be the source of your issue; if not, there may be an issue with the formatting of the syslog message.
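
As an added example (not from the question or either answer), a small Python checker for the two causes named in this answer: it decodes the RFC 5424 PRI header of each message into facility and severity and compares it against the facilities and severities the agent is configured to collect, and it flags lines that do not parse as RFC 5424 at all. The sample lines and the collection settings are constructed here, and modelling the settings as a per-facility minimum severity is an assumption about how a DCR or workspace expresses them.

```python
import re
# RFC 5424 section 6.2.1: PRI = facility * 8 + severity
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d{1,2}) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[.*?\])+)(?: (?P<msg>.*))?$"
)

def parse_rfc5424(line):
    """Return the header fields plus decoded facility/severity, or None if not RFC 5424."""
    m = RFC5424_RE.match(line)
    pri = int(m.group("pri")) if m else 255
    if pri > 191:  # no match, or a PRI above the largest legal value (23 * 8 + 7)
        return None
    rec = m.groupdict()
    rec["facility"] = FACILITIES[pri // 8]
    rec["severity"] = SEVERITIES[pri % 8]
    return rec

def severities_up_to(min_level):
    """Severities forwarded when min_level is the least severe level selected (assumed model)."""
    return set(SEVERITIES[: SEVERITIES.index(min_level) + 1])

# Constructed collection settings: facility -> severities the agent forwards
COLLECTED = {"local4": severities_up_to("info"), "local0": severities_up_to("err")}

def audit(lines, collected):
    """Sort messages into those the agent would forward, drop, or fail to parse."""
    result = {"collected": [], "dropped": [], "unparsed": []}
    for line in lines:
        rec = parse_rfc5424(line)
        if rec is None:
            result["unparsed"].append(line)
        elif rec["severity"] in collected.get(rec["facility"], set()):
            result["collected"].append(rec)
        else:
            result["dropped"].append(rec)
    return result

# Constructed sample messages (not real SOC output); <166> = local4.info, <167> = local4.debug
SAMPLE_LINES = [
    '<166>1 2022-01-31T11:36:30.003Z soc-host socapp 1234 ID47 - SOC alert: policy match',
    '<167>1 2022-01-31T11:36:31.000Z soc-host socapp 1234 ID48 [meta seq="2"] debug heartbeat',
    '<131>1 2022-01-31T11:36:32.000Z soc-host socapp 1234 ID49 - collector error',
    '<13>Jan 31 11:36:33 soc-host socapp: legacy BSD-style line, not RFC 5424',
]
```

Run `audit(SAMPLE_LINES, COLLECTED)` against a capture from the syslog server: messages in the dropped bucket point at a facility or severity the DCR or workspace is not collecting, and messages in the unparsed bucket point at the formatting problem.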

