Share via

Azure Sentinel - Syslog log filtering on VM

Eduards 791 Reputation points
Feb 8, 2021, 11:45 AM

Hello,

I created VM (linux) for syslog role. I configured Sophos UTM to send firewall' 'daemon' 'information'' logs to the syslog server. Log further are sent to Azure Sentinel. From AS side I enabled daemon(info) logs receiving. So far all good.

Problem - so i'm receiving logs from Sophos UTM and there are lots of firewall logs (and they are consisting of info i want) but for example i have FW rule ID- 144 and it's total over 6 million entries which were sent to Azure Sentinel from syslog server.

Can i do some kind of firewall filtering? So i could determine which kind of fw rule id i need to sent to azure sentinel at syslog server level?

Or i need to do firewall log collecting and sending at Sophos UTM device level?

Also is there some kind of automation for clearing log files on syslog server because after 1 week of receiving logs it's disk drive is full and i need manually clear *.log file

Microsoft Sentinel
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
1,242 questions
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Ofer Shezaf 1 Reputation point
    Feb 8, 2021, 1:55 PM

    You can find how to do it in the Log Forwarder deep dive in module 4 of the Azure Sentinel Ninja Training

  2. Eduards 791 Reputation points
    Feb 9, 2021, 12:54 PM

    Ok for example i created and 50-filter.conf file inside of rsyslog.d

    Which looks like this.

    65871-image.png

    So basically log which include fw rule id 144,96 will not be delivered to Azure Sentinel?

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.