Syslog via Legacy Agent Microsoft Sentinel

jreece22 0 Reputation points
2024-03-20T14:27:59.3366667+00:00

We have an Ubuntu Azure VM for our log collector for Sentinel. We have had some issues with the syslog via legacy agent as of late, but those have been resolved. (Yes, I know this connector is going away, but for now I want it working.) We send logs from Ubiquiti and ThinkstCanary among others via this syslog connector. Prior to the issues where it all stopped working, those logs were coming in and I could search them using the Syslog table, "Syslog | where SyslogMessage contains "ap-north"" for example. Now the only logs that seem to flow into Sentinel are logs for the VM itself and that is all.

I am not sure why this is happening. Does anyone have any suggestions?
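As an added illustration (not part of the original post, and not Microsoft's guidance), two KQL queries against the Syslog table that narrow down the symptom described above: the first lists every sender that has reached the workspace recently, so a result containing only the collector VM's own name confirms the forwarded device traffic is not arriving; the second uses the "ap-north" string from the question to date when the Ubiquiti feed stopped.

```kusto
// Which senders have written to the Syslog table in the last 24 hours?
// If the only Computer value is the collector VM itself, the forwarded
// device traffic (Ubiquiti, ThinkstCanary, ...) is not reaching the agent.
Syslog
| where TimeGenerated > ago(24h)
| summarize Events = count(), LastSeen = max(TimeGenerated)
    by Computer, HostIP, Facility
| order by Events desc

// When did the last "ap-north" access-point message arrive? A LastSeen
// value that stops around the time of the agent trouble dates the outage
// and separates "device stopped sending" from "collector stopped forwarding".
Syslog
| where TimeGenerated > ago(7d)
| where SyslogMessage contains "ap-north"
| summarize Events = count(), LastSeen = max(TimeGenerated) by Computer
```

Run both in the Sentinel Logs blade against the workspace the collector VM reports to; the 7-day window can be widened if the retention period allows.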


1 answer

  1. Akshay-MSFT 16,026 Reputation points Microsoft Employee
    2024-03-22T07:22:44.7266667+00:00

    @jreece22

    Thank you for posting your query on Microsoft Q&A. From the above description, I understand that you have the Log Analytics Agent accepting CEF logs and forwarding them on to your Microsoft Sentinel workspace. However, you can only see logs from the Linux machine that is supposed to forward the logs from the other devices too.

    Please do correct me if this is not the case by responding in the comments section.

    This looks like an issue with the Syslog collector. Kindly follow the given actions and verify the results:

    Please "Accept the answer (Yes)" and "share your feedback". This will help us and others in the community as well.

    Thanks,

    Akshay Kaushik
