Ideal way to send the NetFlow and Syslog data to Sentinel.

I want to send NetFlow and Syslog data into my Sentinel account.

For NetFlow, I found out that with the help of Filebeat and Logstash we can send the NetFlow data to Sentinel. But it has many flaws, like the data getting duplicated, the format not being proper, etc. And the same is true for Syslog.

So, I need a proper way to send NetFlow and Syslog data into Sentinel.

So, can you please help me with this?

Microsoft Security Microsoft Sentinel

2 answers

Sort by: Most helpful

Clive Watson 7,866 Reputation points MVP Volunteer Moderator
2023-02-21T16:19:04.6866667+00:00

Syslog has a built-in connector: https://learn.microsoft.com/en-us/azure/sentinel/connect-syslog. However, sometimes you need a parser to format the data.
Bill Clarkson-Antill 15 Reputation points MVP
2023-03-14T20:21:57.9933333+00:00

A syslog forwarder or a Logstash forwarder are solid ways to push data into Sentinel for CEF/Syslog and NetFlow-type data. Logstash is almost the preferred way due to the data transformation feature you can leverage in Logstash; it has some really useful features where you can shape and drop logs that you simply don't need.

NetFlow will be super noisy, and having a way to control what you need and don't need is advisable.

See the reference below for data transformations and Logstash:

https://learn.microsoft.com/en-us/azure/sentinel/connect-logstash-data-connection-rules
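What "shape and drop" looks like in practice, as an added example that is not code from this thread, from Microsoft or from Elastic: one Logstash pipeline that receives NetFlow and syslog, drops the flows and messages that only add volume before they are billed for ingestion, and sends the rest to Sentinel through the Logstash output plugin that the linked page describes (DCR-based ingestion). The listening ports, the 100-byte threshold, the 10.0.0.0/8 east-west filter, the severity cut-off and every value in angle brackets are assumptions for illustration; substitute your own.

```logstash
# Added example pipeline (not from the thread or from the Microsoft docs).
# Install the output plugin first:
#   bin/logstash-plugin install microsoft-sentinel-log-analytics-logstash-output-plugin
# Ports, thresholds, address ranges and <placeholders> are assumptions.

input {
  # NetFlow v5/v9 and IPFIX exporters send to this port (logstash-codec-netflow).
  udp {
    port  => 2055
    codec => netflow { versions => [5, 9, 10] }
    tags  => ["netflow"]
  }
  # RFC3164 syslog from network devices; 5514 avoids needing root for 514.
  syslog {
    port => 5514
    tags => ["syslog"]
  }
}

filter {
  if "netflow" in [tags] {
    # Tiny flows (scans, keepalives, DNS chatter) dominate NetFlow volume but
    # rarely matter for detection; the 100-byte threshold is an assumption.
    if [netflow][in_bytes] and [netflow][in_bytes] < 100 {
      drop { }
    }
    # Drop purely internal east-west flows if you only care about the edge.
    if [netflow][ipv4_src_addr] =~ /^10\./ and [netflow][ipv4_dst_addr] =~ /^10\./ {
      drop { }
    }
    # Keep only the top-level fields the DCR stream schema expects;
    # anything else is cut here rather than stored (and paid for) in Sentinel.
    prune {
      whitelist_names => ["^@timestamp$", "^netflow$", "^host$", "^tags$"]
    }
  }

  if "syslog" in [tags] {
    # The syslog input sets a numeric "severity"; 7 is debug. Drop device
    # debug chatter at the forwarder instead of filtering it in KQL later.
    if [severity] and [severity] >= 7 {
      drop { }
    }
  }
}

output {
  # One DCR stream per event shape: NetFlow and syslog do not share a schema.
  # client_app_Id / secret / tenant come from the app registration that has
  # the Monitoring Metrics Publisher role on the DCR; the endpoint is the
  # DCE logs-ingestion URI. All values below are placeholders.
  if "netflow" in [tags] {
    microsoft-sentinel-log-analytics-logstash-output-plugin {
      client_app_Id            => "<client_app_Id>"
      client_app_secret        => "<client_app_secret>"
      tenant_id                => "<tenant_id>"
      data_collection_endpoint => "<https://your-dce.region.ingest.monitor.azure.com>"
      dcr_immutable_id         => "<dcr-immutable-id>"
      dcr_stream_name          => "<Custom-NetFlow_CL>"
      create_sample_file       => false
    }
  } else {
    microsoft-sentinel-log-analytics-logstash-output-plugin {
      client_app_Id            => "<client_app_Id>"
      client_app_secret        => "<client_app_secret>"
      tenant_id                => "<tenant_id>"
      data_collection_endpoint => "<https://your-dce.region.ingest.monitor.azure.com>"
      dcr_immutable_id         => "<dcr-immutable-id>"
      dcr_stream_name          => "<Custom-Syslog_CL>"
      create_sample_file       => false
    }
  }
}
```

Two caveats for anyone adapting this. First, the plugin can write a sample of the events it would send (`create_sample_file => true` plus `sample_file_path`); run the pipeline once that way with the filters in place, and use that file to define the DCR stream schema, so the columns Sentinel creates match what survives the `prune`. Second, dropping at Logstash is a one-way decision: flows you drop here never reach the workspace, so keep the conditions narrow (bytes threshold, known-noisy internal ranges) and put any transformation that only reshapes fields in the DCR's `transformKql` instead, where it can be changed without touching the forwarder.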