Sentinel AMA/CEF connector works but doesn't collect local syslog even with all facility log levels set to debug

David Broggy 5,681 Reputation points MVP
2023-04-29T16:50:37.3566667+00:00

Hi there,

I'd like to know if anyone has been successful in collecting LOCAL syslog data with the AMA/CEF connector.

My observations:

  • Default RedHat 8.6 VM running in Azure.
  • DCR enabled from Sentinel with all facilities set to debug. (VM is in scope)
  • Heartbeat logs are seen in Log Analytics.
  • No 'local' syslog activity is being collected and sent to Sentinel.
  • Running the diagnostics script generates MOCK logs in CommonSecurityLog.
  • (SELinux is disabled)

I'm hoping someone has seen this issue and can tell me how I can collect the local logs like ssh logins etc.

Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.

3 answers

  1. Ankitkumar Patel 0 Reputation points Microsoft Employee
    2023-05-04T17:49:23.38+00:00

    Hello David,

    The issue is that the DCR you created from Microsoft Sentinel only collects data in CEF format.

    If you wish to collect data in Syslog format, you would have to create a DCR for Syslog separately.

    Currently there is no connector for collecting Syslog via AMA, and you would have to create the DCR directly from the Azure Monitor side.

    You can follow the link below to get syslog format data to Workspace using AMA.

    Tutorial: Forward syslog data to a Log Analytics workspace by using the Azure Monitor agent
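
    A worked example of what this answer describes, added here and not taken from the thread or from Microsoft's documentation: a script that writes an ARM template for a separate Syslog DCR (stream Microsoft-Syslog; the DCR the Sentinel CEF connector creates carries Microsoft-CommonSecurityLog, which is why it never produces rows in the Syslog table) and, only when DEPLOY=1, deploys it and associates it with the VM through the Azure CLI. The rule name ama-syslog-dcr, the destination name laDest, the facility list and the resource-ID placeholders are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): build, and optionally deploy, a Syslog DCR
# for the Azure Monitor Agent that is separate from the CEF DCR.
# Assumed names: ama-syslog-dcr (rule), laDest (destination), the facility list.

# Write an ARM template for a Microsoft.Insights/dataCollectionRules resource that
# collects the given facilities at every severity into the Syslog table.
# Args: output file, workspace resource ID, rule name, then one or more facilities
# (auth, authpriv, cron, daemon, kern, lpr, mail, news, syslog, user, uucp, local0-7).
write_syslog_dcr_template() {
  local out="$1" workspace_id="$2" rule_name="$3"
  shift 3
  # Turn the remaining arguments into a JSON string array.
  local facilities="" f
  for f in "$@"; do
    facilities="${facilities:+$facilities, }\"$f\""
  done
  cat > "$out" <<EOF
{
  "\$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": { "location": { "type": "string" } },
  "resources": [
    {
      "type": "Microsoft.Insights/dataCollectionRules",
      "apiVersion": "2022-06-01",
      "name": "$rule_name",
      "location": "[parameters('location')]",
      "kind": "Linux",
      "properties": {
        "dataSources": {
          "syslog": [
            {
              "name": "sysLogsDataSource",
              "streams": [ "Microsoft-Syslog" ],
              "facilityNames": [ $facilities ],
              "logLevels": [ "Debug", "Info", "Notice", "Warning", "Error", "Critical", "Alert", "Emergency" ]
            }
          ]
        },
        "destinations": {
          "logAnalytics": [ { "workspaceResourceId": "$workspace_id", "name": "laDest" } ]
        },
        "dataFlows": [ { "streams": [ "Microsoft-Syslog" ], "destinations": [ "laDest" ] } ]
      }
    }
  ]
}
EOF
}

# Deploy the template and associate the resulting rule with the VM.
# Needs a logged-in Azure CLI; never runs unless DEPLOY=1 (see bottom).
deploy_syslog_dcr() {
  local template="$1" rg="$2" location="$3" rule_name="$4" vm_id="$5"
  az deployment group create --resource-group "$rg" \
    --template-file "$template" --parameters location="$location" >/dev/null
  local rule_id
  rule_id=$(az monitor data-collection rule show --resource-group "$rg" \
    --name "$rule_name" --query id -o tsv)
  # Association is per monitored resource; without it the VM is not in scope.
  az monitor data-collection rule association create \
    --name "${rule_name}-assoc" --rule-id "$rule_id" --resource "$vm_id"
}

# Placeholders: replace <sub>, <rg> and <workspace> with your own values.
WORKSPACE_ID="${WORKSPACE_ID:-/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<workspace>}"
TEMPLATE="${TEMPLATE:-${TMPDIR:-/tmp}/syslog-dcr.json}"

# Facilities that carry ssh logins (auth/authpriv) plus the usual system ones.
write_syslog_dcr_template "$TEMPLATE" "$WORKSPACE_ID" "ama-syslog-dcr" \
  auth authpriv daemon kern syslog user cron
echo "wrote $TEMPLATE"

if [ "${DEPLOY:-0}" = 1 ]; then
  deploy_syslog_dcr "$TEMPLATE" "${RESOURCE_GROUP:?}" "${LOCATION:?}" \
    "ama-syslog-dcr" "${VM_ID:?}"
fi
```

    Run it once without DEPLOY to inspect the generated JSON, then with DEPLOY=1 and RESOURCE_GROUP, LOCATION, WORKSPACE_ID and VM_ID set. Rows should show up in the Syslog table (not CommonSecurityLog) a few minutes after the association exists; the `az monitor data-collection` commands may require the monitor-control-service CLI extension.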


  2. Andrew Blumhardt 9,491 Reputation points Microsoft Employee
    2023-05-05T12:29:59.0066667+00:00

    My recommendation is to use the support request option found at the bottom of the Workspace menu.


  3. Peter Huxley 0 Reputation points
    2023-05-22T12:34:13.5466667+00:00

    It works, but is flaky; not sure what the silver bullet is, but jiggling with the DCR facilities to force it to update may/will eventually kick it into life, or wait a while.

    Key is seeing it create the syslog conf files in /etc/rsyslog.d.

    05-azuremonitoragent-loadomuxsock.conf:

    ```
    # Azure Monitor Agent configuration: load rsyslog forwarding module.
    $ModLoad omuxsock
    ```

    10-azuremonitoragent.conf:

    ```
    # Azure Monitor Agent configuration: forward logs to azuremonitoragent
    $OMUxSockSocket /run/azuremonitoragent/default_syslog.socket
    template(name="AMA_RSYSLOG_TraditionalForwardFormat" type="string" string="<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg%")
    $OMUxSockDefaultTemplate AMA_RSYSLOG_TraditionalForwardFormat
    # Forwarding all events through Unix Domain Socket
    *.* :omuxsock:
    ```

    That's nicer than the `*.* @@127.0.0.1:someport` the previous agent used.

    Then you also need to check it has spun up the IPC/domain socket(s).

    This one is working:

    ```
    root@syslog01:/usr/local/bin# ls -l /run/azuremonitoragent/*
    srw-rw-rw- 1 syslog syslog  0 May 15 11:53 /run/azuremonitoragent/default_bond.socket
    srw-rw-rw- 1 syslog syslog  0 May 15 11:53 /run/azuremonitoragent/default_djson.socket
    srw-rw-rw- 1 syslog syslog  0 May 15 11:53 /run/azuremonitoragent/default_fluent.socket
    srw-rw-rw- 1 syslog syslog  0 May 15 11:53 /run/azuremonitoragent/default_influx.socket
    srw-rw-rw- 1 syslog syslog  0 May 15 11:53 /run/azuremonitoragent/default_json.socket
    -rw------- 1 syslog syslog  5 May 15 11:53 /run/azuremonitoragent/default.lock
    -rw-r--r-- 1 root   root    5 May 15 11:53 /run/azuremonitoragent/default.pid
    -rw-r----- 1 syslog syslog 20 May 15 11:53 /run/azuremonitoragent/default.pidport
    srw-rw-rw- 1 syslog syslog  0 May 15 11:53 /run/azuremonitoragent/default_syslog.socket
    ```

    This one isn't:

    ```
    root@isolatedsyslog01:~# ls -lrt /run/azuremonitoragent/*
    -rw-r--r-- 1 root   root   4 May 22 10:21 /run/azuremonitoragent/default.pid
    -rw------- 1 syslog syslog 4 May 22 10:21 /run/azuremonitoragent/default.lock
    ```

    And that's why I'm here.

    This is behind a proxy; I will ask a separate question, but hope the above helps somebody.

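
A check script for the plumbing Peter describes, added here and not part of his answer: it verifies that both AMA drop-ins exist in /etc/rsyslog.d and forward `*.*` to the omuxsock socket, that /run/azuremonitoragent/default_syslog.socket is a real Unix socket rather than missing or a plain file, and, only when both checks pass, sends a tagged probe with logger so the round trip can be confirmed in the workspace. The directory variables, the exit-code bitmask and the probe tag ama-syslog-probe are this script's own conventions, not AMA's.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): verify the rsyslog -> AMA forwarding path.
# RSYSLOG_D and AMA_RUN default to the live locations and can be overridden to
# point at a copied tree. Exit codes and the probe tag are this script's own.

RSYSLOG_D="${RSYSLOG_D:-/etc/rsyslog.d}"
AMA_RUN="${AMA_RUN:-/run/azuremonitoragent}"

# 0 if both AMA drop-ins exist, the module is loaded, the socket path is set and
# 10-azuremonitoragent.conf forwards *.* to omuxsock; 1 otherwise.
# Arg: rsyslog.d directory.
ama_conf_ok() {
  local d="$1"
  local load="$d/05-azuremonitoragent-loadomuxsock.conf"
  local fwd="$d/10-azuremonitoragent.conf"
  [ -f "$load" ] && [ -f "$fwd" ] || return 1
  grep -q '^\$ModLoad omuxsock' "$load" || return 1
  grep -q '^\$OMUxSockSocket .*default_syslog\.socket' "$fwd" || return 1
  grep -q '^\*\.\* :omuxsock:' "$fwd" || return 1
}

# 0 only if default_syslog.socket exists AND is a Unix socket (-S).
# A leftover regular file or nothing at all both count as failures.
# Arg: AMA run directory.
ama_socket_ok() {
  [ -S "$1/default_syslog.socket" ]
}

# Runs both checks and prints one line per finding. Returns 0 when all pass,
# otherwise a bitmask: 1 = conf missing/incomplete, 2 = socket missing.
ama_syslog_report() {
  local d="$1" run="$2" rc=0
  if ama_conf_ok "$d"; then
    echo "ok   rsyslog drop-ins in $d forward *.* to omuxsock"
  else
    echo "FAIL rsyslog drop-ins in $d missing or not forwarding to omuxsock"
    rc=$((rc | 1))
  fi
  if ama_socket_ok "$run"; then
    echo "ok   $run/default_syslog.socket is a Unix socket"
  else
    echo "FAIL $run/default_syslog.socket missing or not a socket"
    rc=$((rc | 2))
  fi
  return "$rc"
}

# Emits a tagged auth.notice message through the local syslog so the end-to-end
# path can be checked in the workspace, e.g.
#   Syslog | where SyslogMessage has "ama-syslog-probe"
ama_send_probe() {
  command -v logger >/dev/null 2>&1 || return 1
  logger -p auth.notice -t ama-syslog-probe "ama-syslog-probe $(date +%s)"
}

ama_syslog_report "$RSYSLOG_D" "$AMA_RUN"
rc=$?
if [ "$rc" -eq 0 ]; then
  ama_send_probe && echo "probe sent; query the Syslog table for ama-syslog-probe"
fi
```

If the drop-ins are absent while the agent heartbeats, that is the state to expect when no DCR with a syslog data source is associated with the VM; AMA writes the rsyslog drop-ins only for such a DCR, so the fix is on the DCR side, not on rsyslog's. If the drop-ins exist but the socket does not, restart azuremonitoragent and rsyslog and re-run the script; the probe message, once it appears in the Syslog table, confirms the whole path including the facility filter in the DCR.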