Syslog via Legacy Agent Microsoft Sentinel

jreece22 0 Reputation points
2024-03-20T14:15:59.95+00:00

I have an Ubuntu Azure VM for our syslog connector that has the Syslog via Legacy Agent connected to it. Many of the resources we have use the syslog connector for sending logs to Sentinel. I had some issues with the connector, but finally resolved them to where logs are flowing into our Sentinel, but only logs pertaining to the Ubuntu VM that the syslog connector is connected to.

For example, we were sending Ubiquiti logs and ThinkstCanary logs, but none of them are showing up now.

Any thoughts or ideas why this would be happening? I've followed all the Microsoft troubleshooting steps, but still only the VM logs are coming in.


1 answer

  1. Sedat SALMAN 13,070 Reputation points
    2024-03-20T14:50:50.4833333+00:00

    For debugging, start by using tools like tcpdump on the Ubuntu VM to verify whether logs are reaching the server at all. In Sentinel, go to Data connectors and open the Syslog connector. Verify that the selected facilities align with those configured in your rsyslog configuration, and check the Logs tab in the connector and look for errors, using filters if necessary.
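    As an added illustration of the facility check described in the answer (this is not code from the post, from Microsoft, or from the agent): a small Python helper that reads an rsyslog configuration, reports which network listeners are actually enabled and which facilities are forwarded to the local agent port, and flags a remote device whose facility or transport is not covered. The sample configuration, the agent port 25224 and the device facilities are constructed assumptions.

```python
import re

# Constructed sample rsyslog configuration (not from the original post): the UDP
# listener is commented out, TCP is on, and the forwarding rules are of the kind
# the legacy agent writes into /etc/rsyslog.d/95-omsagent.conf.
SAMPLE_CONF = """\
#module(load="imudp")
#input(type="imudp" port="514")
module(load="imtcp")
input(type="imtcp" port="514")
auth.=alert;auth.=crit;auth.=err;auth.=warning @127.0.0.1:25224
kern.=alert;kern.=crit;kern.=err;kern.=warning @127.0.0.1:25224
local0.* @127.0.0.1:25224
*.* /var/log/syslog
"""

AGENT_PORT = 25224  # assumed local port the legacy agent listens on for syslog

def _active_lines(conf):
    """Yield configuration lines with comments and blanks stripped."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line

def listeners(conf):
    """Return the network inputs ({'udp', 'tcp'}) that rsyslog actually enables."""
    found = set()
    for line in _active_lines(conf):
        if re.match(r'input\(type="imudp"', line) or line.startswith("$UDPServerRun"):
            found.add("udp")
        if re.match(r'input\(type="imtcp"', line) or line.startswith("$InputTCPServerRun"):
            found.add("tcp")
    return found

def forwarded_facilities(conf, port=AGENT_PORT):
    """Return the facilities that at least one selector forwards to the agent port."""
    facs = set()
    for line in _active_lines(conf):
        parts = line.split(None, 1)  # "selector action"
        if len(parts) != 2 or not parts[1].startswith("@") or not parts[1].endswith(f":{port}"):
            continue
        for selector in parts[0].split(";"):  # e.g. "auth,authpriv.=warning"
            facs.update(f.strip() for f in selector.rsplit(".", 1)[0].split(","))
    return facs

def diagnose(conf, device_facilities, transport):
    """Explain why a remote device's messages may never reach the agent."""
    fwd = forwarded_facilities(conf)
    missing = set() if "*" in fwd else set(device_facilities) - fwd
    return {"listener_missing": transport not in listeners(conf),
            "facilities_not_forwarded": missing}
```

    Run `diagnose(SAMPLE_CONF, {"local7"}, "udp")` against the real file contents on the VM to see whether the device's transport or facility is the gap; compare the result with the facilities selected in the connector.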