Ingesting CEF logs into Sentinel using the AMA agent

mara7 161 Reputation points
2023-11-30T07:34:30.0533333+00:00

Hello,

I 'm testing about Stream CEF logs with the AMA connector on Sentinel.

I follow this docs.

https://learn.microsoft.com/en-us/azure/sentinel/connect-cef-ama#test-the-connector

and I run Sentinel AMA Troubleshoot.py script.User's image

This is output of python script.

Troubleshooter_output_file -> output.txt

But I coundn't get logs on Log Analytics workspace.

Is there any missing?

Ref) port 514 is openUser's image

cef-fowader server : outbound port 443 open
User's image

Azure Monitor
Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
2,986 questions
Microsoft Sentinel
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
1,048 questions
0 comments No comments
{count} votes

Accepted answer
  1. Ryan Hill 26,946 Reputation points Microsoft Employee
    2023-12-08T02:51:17.0633333+00:00

    Hi @mara7

    Try running the following command to send a demo message,

    logger -p syslog.warn -P 514 -n 127.0.0.1 --rfc3164 -t CEF "0|Mock-test|MOCK|common=event-format-test|end|TRAFFIC|1|rt=$common=event-formatted-receive_time"
    

    If the message is successful, then the issue could be with your DCR configuration. You'll need to add additional facilities.

    In your output, it appears you're only pulling syslog and user. If your DCR is configured for additional facilities and you still don't see the demo message, then comment down below. We'll need to work more closely with you.

    0 comments No comments

0 additional answers

Sort by: Most helpful