1,299 questions
Syslog has a built-in connector https://learn.microsoft.com/en-us/azure/sentinel/connect-syslog However sometimes you need a parser to format the data
Ideal way to send the NetFlow and Syslog data to Sentinel.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(147.20000000000002, 44%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHP%3C/text%3E%3C/svg%3E)
Harsh Patel
5
Reputation points
I want to send NetFlow and Syslog data into my sentinel account.
For Netflow, I found out that with the help of filebeat and logstash we can send the NetFlow data to sentinel. But it has many flows like the data is getting duplicated, the format is not proper, etc. And the same is true for Syslog.
So, I need a proper way to send NetFlow and Syslog data into sentinel.
So, can you please help me with this?
Microsoft Security Microsoft Sentinel
{count} vote
-
JamesTran-MSFT 36,906 Reputation points Microsoft Employee Moderator2023-02-28T18:36:03.4666667+00:00 I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?
-
JamesTran-MSFT 36,906 Reputation points Microsoft Employee Moderator
2023-03-01T21:46:57.8866667+00:00 I just wanted to check in and see if you had any other questions or if you had a chance to review Clive's answer?
Sign in to comment
2 answers
Sort by: Most helpful
-
Clive Watson 7,866 Reputation points MVP Volunteer Moderator2023-02-21T16:19:04.6866667+00:00 -
Clive Watson 7,866 Reputation points MVP Volunteer Moderator
2023-02-24T09:20:31.7066667+00:00 Hello can you please "Accept the answer" if the information helped you, this helps the community ?
-
JamesTran-MSFT 36,906 Reputation points Microsoft Employee Moderator
2023-02-27T23:08:25.4533333+00:00 I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?
-
Harsh Patel 5 Reputation points
2023-03-09T10:42:59.1766667+00:00 Yes, I guess LAA is going to retire by 2024. So, is there any other way?
-
Clive Watson 7,866 Reputation points MVP Volunteer Moderator
2023-03-09T14:13:09.4533333+00:00 You can use the AMA to do this rather than the MMA. https://learn.microsoft.com/en-us/azure/sentinel/forward-syslog-monitor-agent
-
JamesTran-MSFT 36,906 Reputation points Microsoft Employee Moderator
2023-03-13T18:31:01.7966667+00:00 I just wanted to check in and see if you had any other questions or if you were able to resolve this issue? Thank you for your time and patience throughout this.
If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
Sign in to comment -
-
Bill Clarkson-Antill 15 Reputation points MVP2023-03-14T20:21:57.9933333+00:00 A syslog forwarder or Logstash forwarder are solid ways to push data into Sentinel for CEF/Syslog and Netflow type. Logstash is almost the preferred way due to the data transformation feature you can leverage on Logstash, it has some really useful features where you can shape and drop logs that you simply don't need.
NetFlow will be super noisy and having a way to control what you need and don't need is advisable.
See reference below for data transformations and logstash
https://learn.microsoft.com/en-us/azure/sentinel/connect-logstash-data-connection-rules