Azure Sentinel (IIS, SQL, Syslog server)

Question

Hello,

I am new to Azure Sentinel - so i need to implement this solution.

So basically i need to collect logs from Active Directory, IIS, SQL Server make SYSLOG (linux) server which will collect Windows Firewall Logs and then send it's to Syslog server which will send it to azure sentinel.

Ok. So For AD, IIS, SQL on-premise server what i need to do i install MMA agent and connect to my Azure Sentinel workspace.
And how i figured out that i need to select "Common" option.

But what about IIS, SQL server logs? - have i need to do some additional configuration to receive logs?

Also what are most common queries for this servers to create or use?

Also how could i now that Azure Sentinel is trial? And where to see when it will be over?

Or i need to schedule log collecting deadline ? - is this possible?

Answer 1

To retrieve SQL server logs using Azure Sentinel, you need to enable audit on SQL server and create a policy Audit, write SQL Server audit events to the security log, and send logs from SQL Server to Azure Sentinel using Microsoft Monitoring Agent. You can follow the steps for this here: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-sql-server-with-azure-sentinel/ba-p/1502960

To collect IIS logs, you can use the Azure Log Analytics agent in conjunction with an Azure Sentinel connector as described here.

See also:
https://techcommunity.microsoft.com/t5/azure-sentinel/is-it-possible-to-import-logs-that-are-being-written-into-an-sql/m-p/1494200
https://learn.microsoft.com/en-us/sql/relational-databases/security/auditing/sql-server-audit-database-engine?view=sql-server-ver15
https://learn.microsoft.com/en-us/azure/azure-monitor/platform/data-sources-iis-logs
https://learn.microsoft.com/en-us/azure/sentinel/connect-data-sources

Hope this helps!

Answer 2

Also i got question about DNS logs.

I turned DNS logging on. Also enabled on-prem DNS server debug logging.

But Azure Sentinel doesnt receive Event ID 257 and logs from debug