This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(115.19999999999999, 81%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EZ%3C/text%3E%3C/svg%3E)
Hello,
We are using the Log Forwarder solution to send CEF logs (through syslog) from on premises to Azure log analytics (used by Sentinel).
This is working fine.
The problem is, we have to add a new Log Forwarder server with a LodBalancer solution. We used HAProxy, but it doesn't work: we are receiving syslog messages and not the CEF messages.
Do you know which solution/configuration shall I use to have the Log Forwarder working with a Load Balancer solution (HAProxy or another one)?
Thanks for your help
@zied
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 17%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGM%3C/text%3E%3C/svg%3E)
@zied Thank you for reaching out to us. Researched on this query, I suspect that the challenge is that due to the HAproxy configuration, the events are not received by RSyslog on the agent in the original format. I suspect that configuration changes to HAproxy, or tweaking the RSyslog configuration would help or you can use a Nginx server as the load balancer to distribute the messages between servers.
Let me know if you have any further questions.
@zied
Thank you for your post!
I understand that you're using a log forwarder to ingest Syslogs and CEF logs to Microsoft Sentinel from on-prem, and everything was working as expected. However, since you added a new Log Forwarder and integrated a new Load Balancer solution - HAProxy, you're receiving the Syslogs but not the CEF messages.
Additional Links:
Network topology and connectivity for Azure Arc-enabled servers
I hope this helps!
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
@zied
Thank you for your time and patience throughout this issue!
Adding onto my original post, you can also look into installing our Log Analytics Agent on your Windows (or Linux) servers, and then leveraging the Log Analytics Gateway in Azure Monitor to connect computers without internet access.
The Log Analytics Gateway is an HTTP forward proxy that supports HTTP tunneling using the HTTP CONNECT command. This gateway sends data to Azure Automation and a Log Analytics workspace in Azure Monitor on behalf of the computers that cannot directly connect to the internet. The gateway is only for log agent related connectivity and does not support Azure Automation features like runbook, DSC, and others.
I hope this helps!
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
@zied
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?