AMA+DCR for Syslog & CEF logs: CEF logs in CommonSecurityLog not parsing.

Hann, Yap Sheu 20 Reputation points
2023-09-08T07:11:58.8+00:00

Referring to this article: https://learn.microsoft.com/en-us/azure/sentinel/connect-cef-syslog

I am trying to solve the following scenario:

  • Using a single Linux log collector to forward both Syslog and CEF events to your Microsoft Sentinel workspaces using the Azure Monitor Agent (AMA).
  • Ingest Syslog events in the Syslog table and CEF events in the CommonSecurityLog table.

According to the above article, there are two options to segregate the Syslog events and CEF events:

(1) Use source devices that allow configuration of the target facility.

(2) Use an ingest time transformation to filter out CEF messages from the Syslog stream

I have successfully implemented (1), where I control the Syslog source device logging facility to auth, and the CEF source device logging facility to localx. Then in the DCR I create two dataSources: one for Syslog events, which allows facility auth only and outputs to the Syslog table, and another stream for CEF events, which allows facility localx only and outputs to the CommonSecurityLog table. Both tables' events are parsed perfectly.

I have not been able to implement (2). I created a DCR with a single dataSources entry and two different dataFlows.

dataFlows stream 1 controls the Syslog events with this transformKQL:
    source | where ProcessName !contains "CEF"
    "outputStream": "Microsoft-Syslog"

dataFlows stream 2 controls the CEF events with this transformKQL:
    source | where ProcessName contains "CEF"
    "outputStream": "Microsoft-CommonSecurityLog"

Both the Syslog events and the CEF events are successfully written into Syslog and CommonSecurityLog respectively, but only the CEF events are not parsed in the table: 90% of the fields are blank. The Syslog events were OK, parsed perfectly.

[screenshot attached to the original post]

* As the image shows, the 24 Aug events are via option 1 (controlling the source log facility). Parsing is working fine.

* As the image shows, the 7 Sep events are via option 2 (transformKQL). Parsing is not working.

What did I miss here? I implemented the setup entirely according to the Microsoft documentation. See the attached DCR:

dcr-CEF_SyslogTransformKQL.txt
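For comparison, here is how the linked article's option (2) lays out the DCR. This is an added example, not the attached dcr-CEF_SyslogTransformKQL.txt and not Microsoft's own sample: the CEF events are collected on the Microsoft-CommonSecurityLog stream, a second dataSource collects the same facilities on the Microsoft-Syslog stream, and the transformKql on the Syslog dataFlow only drops the CEF lines so they are not stored a second time in the Syslog table. The facility names, dataSource names and the workspace resource ID are placeholders.

```json
{
  "properties": {
    "dataSources": {
      "syslog": [
        {
          "name": "cefSource",
          "streams": ["Microsoft-CommonSecurityLog"],
          "facilityNames": ["auth", "local4"],
          "logLevels": ["*"]
        },
        {
          "name": "syslogSource",
          "streams": ["Microsoft-Syslog"],
          "facilityNames": ["auth", "local4"],
          "logLevels": ["*"]
        }
      ]
    },
    "destinations": {
      "logAnalytics": [
        {
          "name": "sentinelWorkspace",
          "workspaceResourceId": "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.OperationalInsights/workspaces/<workspace-name>"
        }
      ]
    },
    "dataFlows": [
      {
        "streams": ["Microsoft-CommonSecurityLog"],
        "destinations": ["sentinelWorkspace"]
      },
      {
        "streams": ["Microsoft-Syslog"],
        "destinations": ["sentinelWorkspace"],
        "transformKql": "source | where ProcessName !contains \"CEF\""
      }
    ]
  }
}
```

The difference from a DCR with a single Syslog-stream dataSource is where the CEF header fields (DeviceVendor, DeviceProduct and so on) get filled in: a dataFlow whose input stream is Microsoft-Syslog carries the Syslog schema, so routing its rows to CommonSecurityLog with a `where` filter writes rows but does not populate the CEF columns. A quick check after deploying is to run `CommonSecurityLog | where TimeGenerated > ago(1h) | summarize count() by DeviceVendor, DeviceProduct` and confirm the vendor and product columns are no longer empty.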


Accepted answer
  1. Givary-MSFT 30,251 Reputation points Microsoft Employee
    2023-09-28T04:33:08.72+00:00

    @Hann, Yap Sheu I'm glad that you were able to resolve your issue, and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

    Solution: Resolved by @Hann, Yap Sheu

    [screenshot of the solution attached to the original answer]

    If you have any other questions or are still running into more issues, please let me know.
    Thank you again for your time and patience throughout this issue.

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.


2 additional answers

  1. Clive Watson 5,951 Reputation points MVP
    2023-09-08T12:32:23.5+00:00

    I suspect this is a schema issue, writing Syslog --> CEF. Marko has a recent article where he resolves this for a custom log, perhaps this is worth a look: https://www.linkedin.com/pulse/filter-split-firewallcef-logs-multiple-sentinel-tables-marko-lauren/

    You ultimately may need to modify the transformKQL to do the column mapping for Syslog --> CEF (i.e. it doesn't know what to put in the DeviceVendor column etc.)



