Can OMS agent pick up firewall logs from firewall management on syslog server?

Yong Da Ong 26 Reputation points
2022-11-29T04:14:35.62+00:00

Hi,

Current situation

  1. Firewall logs are being centralized at a firewall management
  2. Firewall manager is forwarding all logs (including the firewall sources) to a syslog server
  3. Installed OMS on the syslog server to forward all logs to Sentinel
  4. Able to see the firewall manager logs but not the firewall logs in a Sentinel query

Is there a way we can check/configure what is being picked up by the OMS agent?
Thanks

Microsoft Sentinel

1 answer

  1. George Moise 2,351 Reputation points Microsoft Employee
    2022-11-29T08:35:21.23+00:00

    Hello @Yong Da Ong ,

    Once you have the Log Analytics Agent (OMS Agent) on the Linux Server (Syslog Server) where Syslog messages are forwarded, and if the Agent is connected correctly to the Log Analytics Workspace, then you can configure what Syslog Facilities you want to collect from the connected Agents from the Log Analytics Workspace resource page --> Legacy agents management --> Syslog and add the required Facilities in the collection configuration.
    This will instruct all connected Linux Agents to send the required syslog messages to the Log Analytics Workspace:

    [screenshot omitted: Syslog facility collection settings under Legacy agents management]

    I hope this helps!
    BR,
    George

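The answer configures collection per syslog facility, so the local check that matches it is to compare the facility and severity of the messages arriving at the syslog server against the facility/severity pairs the agent's rsyslog rule actually forwards. The script below is an added example, not code from the thread or from the Log Analytics agent: it decodes the `<PRI>` prefix of syslog lines into facility and severity, parses the agent-style rsyslog selector rules, and reports which messages fall outside the collected set. The rule file path `/etc/rsyslog.d/95-omsagent.conf` and the `@127.0.0.1:25224` forwarding target are assumptions about a typical install; the configuration and log lines embedded below are constructed sample data.

```python
"""Check which forwarded syslog messages fall outside the facilities/severities
the Log Analytics (OMS) agent's rsyslog rule collects. Added example; the rule
file path and forwarding port are assumptions, the sample data is constructed."""
import os
import re
import sys

# RFC 3164 facility codes 0-23 and severity codes 0-7.
FACILITY_NAMES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Aliases rsyslog accepts in selectors, normalised to the names above.
ALIASES = {"error": "err", "warn": "warning", "panic": "emerg", "security": "auth"}

AGENT_RULE_FILE = "/etc/rsyslog.d/95-omsagent.conf"  # assumed typical location

# Constructed sample rule file: collects local0 and auth, but nothing on local4.
SAMPLE_AGENT_CONF = """\
local0.=alert;local0.=crit;local0.=err;local0.=warning;local0.=notice;local0.=info @127.0.0.1:25224
auth.=alert;auth.=crit;auth.=err;auth.=warning;auth.=notice;auth.=info @127.0.0.1:25224
"""

# Constructed sample messages: manager on local0.info, firewall on local4.warning, sshd on auth.info.
SAMPLE_MESSAGES = [
    "<134>Nov 29 04:10:01 fwmgr01 fwmgr: policy install completed",
    "<164>Nov 29 04:10:02 fw-edge-1 fw: drop tcp 10.0.0.5:51234 -> 203.0.113.7:445",
    "<38>Nov 29 04:10:03 syslog01 sshd[1234]: Accepted publickey for ops",
]


def parse_pri(line):
    """Decode the <PRI> prefix of a syslog line into (facility, severity) names."""
    m = re.match(r"<(\d{1,3})>", line)
    if not m:
        raise ValueError("no <PRI> prefix: %r" % line[:40])
    fac, sev = divmod(int(m.group(1)), 8)
    if fac >= len(FACILITY_NAMES):
        raise ValueError("facility code %d out of range" % fac)
    return FACILITY_NAMES[fac], SEVERITY_NAMES[sev]


def parse_agent_rules(conf_text):
    """Return the set of (facility, severity) pairs forwarded by rsyslog rules.
    Supports the selector forms an agent-written file uses: 'fac.=sev' (exactly
    that severity), 'fac.sev' (that severity and more urgent), '*' as facility
    and 'fac.none'. Negated selectors ('!') are rare there and are skipped."""
    collected = set()
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "@" not in line:
            continue  # blank, comment, or not a forwarding rule
        per_line = set()  # 'none' only excludes within its own rule line
        for sel in line.split(None, 1)[0].split(";"):
            fac_part, _, sev_part = sel.partition(".")
            if not sev_part or sev_part.startswith("!"):
                continue
            exact = sev_part.startswith("=")
            sev_name = ALIASES.get(sev_part.lstrip("="), sev_part.lstrip("="))
            facs = FACILITY_NAMES if fac_part == "*" else [ALIASES.get(fac_part, fac_part)]
            if sev_name == "none":
                per_line.difference_update((f, s) for f in facs for s in SEVERITY_NAMES)
                continue
            if sev_name not in SEVERITY_NAMES:
                continue
            top = SEVERITY_NAMES.index(sev_name)
            sevs = [sev_name] if exact else SEVERITY_NAMES[: top + 1]
            per_line.update((f, s) for f in facs for s in sevs)
        collected |= per_line
    return collected


def audit_messages(conf_text, lines):
    """Return [(host, facility, severity, collected)] for each sample message."""
    rules = parse_agent_rules(conf_text)
    report = []
    for line in lines:
        fac, sev = parse_pri(line)
        fields = line.split()
        host = fields[3] if len(fields) > 3 else "?"  # RFC 3164: PRI+month, day, time, host
        report.append((host, fac, sev, (fac, sev) in rules))
    return report


def uncollected_facilities(conf_text, lines):
    """Facilities seen in the messages that the agent rule does not forward."""
    return sorted({fac for _, fac, _, ok in audit_messages(conf_text, lines) if not ok})


if __name__ == "__main__":
    # Use the real rule file if present (or a path given on the command line), else the sample.
    path = sys.argv[1] if len(sys.argv) > 1 else AGENT_RULE_FILE
    conf = open(path).read() if os.path.exists(path) else SAMPLE_AGENT_CONF
    for host, fac, sev, ok in audit_messages(conf, SAMPLE_MESSAGES):
        print("%-12s %s.%-8s %s" % (host, fac, sev, "collected" if ok else "NOT collected"))
    print("facilities not collected:", uncollected_facilities(conf, SAMPLE_MESSAGES))
```

Run against the live rule file, pipe a few lines captured from the syslog server's receiving log through `audit_messages`, and any facility listed as not collected is one to add in the workspace's Syslog configuration described above.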