Importing WatchGuard syslogs into Sentinel

Question

Importing WatchGuard syslogs into Sentinel

RebeccaJones-4974 0

I was previously using the Watchguard data connector to collect syslogs produced by my Watchguard appliances. Since 17th December this has stopped working. I am now trying to setup the CEF option to retrieve these syslogs from my Azure Linux VM which is acting as my syslog server. I have installed both the CEF and AMA agent on my Linux machine and I can see the logs coming into it from my firewalls. The firewalls are exporting logs as syslogs and there is no other option except IBM LEEF (whatever that is!) Common Event Format (CEF) via AMA (Preview) reports that it is connected but it is not bringing in any data. Common Event Format (CEF) via Legacy Agent is reporting that it is not connected. Both collectors installed with no issues on my Linux machine. I am also seeing this message: Connectors queries got the following errors Connector: 'WatchGuard Firebox'. The query used for connectivity check is invalid:
'The request had some invalid properties': 'Detected multiple functions with the same name: 'WatchGuardFirebox'. Resolve the conflict to allow these functions to be used in a query.' Can anyone asssit? Thanks.

RebeccaJones-4974 0 Reputation points

2024-01-12T13:08:57.93+00:00

The error message I am getting has now changed. Its now this: Detected multiple functions with the same name: 'WatchGuardFirebox'. Resolve the conflict to allow these functions to be used in a query.
JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator

2024-01-22T20:31:57.7633333+00:00

@Rebecca Jones
I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

1 answer

Your answer

RebeccaJones-4974 0 Reputation points

2024-01-12T13:08:57.93+00:00

The error message I am getting has now changed. Its now this: Detected multiple functions with the same name: 'WatchGuardFirebox'. Resolve the conflict to allow these functions to be used in a query.
JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator

2024-01-22T20:31:57.7633333+00:00

@Rebecca Jones
I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

Answer 1

Hi Rebecca,

Since you mention you installed BOTH CEF and AMA, it makes me think you're getting the old (OMS + CEF) and new (just AMA) methods mixed up.

I have a blog on the setup here:

https://simple-security.ca/2023/05/05/configuring-the-new-ama-and-arc-agent-to-forward-syslog-to-sentinel/

So my suggestion is:

uninstall your agent(s)
follow the blog to install Arc.
Create a DCR which will apply the AMA agent (no need to install AMA and CEF directly - the DCR will do this via the Arc agent)
Enable the AMA with CEF data collector in Sentinel which will configure AMA to process CEF.
Use the troubleshooting script at the bottom of my blog - if you get all OKs from the script you're on a very good path.

Note: you are correct in not using LEEF - only IBM uses that for QRadar - it's not a format that was widely adopted by anyone.

Share via

Importing WatchGuard syslogs into Sentinel

1 answer

Your answer