Share via

Ingesting CEF logs into Sentinel using the AMA agent

mara7 166 Reputation points
2023-11-30T07:34:30.0533333+00:00

Hello,

I 'm testing about Stream CEF logs with the AMA connector on Sentinel.

I follow this docs.

https://learn.microsoft.com/en-us/azure/sentinel/connect-cef-ama#test-the-connector

and I run Sentinel AMA Troubleshoot.py script.User's image

This is output of python script.

Troubleshooter_output_file -> output.txt

But I coundn't get logs on Log Analytics workspace.

Is there any missing?

Ref) port 514 is openUser's image

cef-fowader server : outbound port 443 open
User's image

Azure Monitor
Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
3,604 questions
Microsoft Sentinel
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
1,274 questions
0 comments
Accepted answer
  1. Ryan Hill 30,266 Reputation points Microsoft Employee Moderator
    2023-12-08T02:51:17.0633333+00:00

    Hi @mara7

    Try running the following command to send a demo message,

    logger -p syslog.warn -P 514 -n 127.0.0.1 --rfc3164 -t CEF "0|Mock-test|MOCK|common=event-format-test|end|TRAFFIC|1|rt=$common=event-formatted-receive_time"

    If the message is successful, then the issue could be with your DCR configuration. You'll need to add additional facilities.

    In your output, it appears you're only pulling syslog and user. If your DCR is configured for additional facilities and you still don't see the demo message, then comment down below. We'll need to work more closely with you.

    0 comments

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.