This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(80, 39%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESK%3C/text%3E%3C/svg%3E)
Hello Everyone,
I would like to inject logs from our Meraki devices into Azure Sentinel. From everything I've read, a Linux syslog server is needed to act as a log collector/forwarder to collect logs from the Meraki devices and then forward them to Sentinel.
I've built a Linux Ubuntu vm in Azure. I've also connected the Linux vm to Azure Sentinel connector. I've also installed the Azure monitoring agent on the Linux server.
I have some questions:
I am not a Linux guy at all so detail step by step instructions will be greatly appreciated here.
Thank you in advance.
Kit Cheng
Please see instructions at: Azure Sentinel Grand List
Thanks for the reply. At this point, I think I'm getting the logs to the log collector (the Linux server) but I just don't know how to see them in Sentinel. More specifically, I don't know how to query them if that make sense. I'm a mouse click guy, not a CLI or PowerShell guy, that's my challenge.
Thanks
Kit
Hi Kit, The Log collector (syslog server) will have (or need to have) the Azure Sentinel agent installed on it and that would be configured to send the data to Log Analytics / Azure Sentinel, which you have already done.
The most simple way and mainly using the UI to query the data, is to Open the Logs blade, Double Click on Syslog (under the "LogsManagement" folder, and then press Run
Any (working) agent will also write to the Heartbeat Table, once again in the Logs Blade again you can paste this query and press run. You should be able to see your Linux server in the list and it will show the last record received. If you don't, then it means no data has been sent from the Linux server to Azure Sentinel yet.
Heartbeat
| where OSType == "Linux"
| summarize arg_max(TimeGenerated,*) by Computer
A lot of queries can be written without knowing the code language and using the UI, but we can discuss that, when you have data in the Syslog table.
Hi Clive-Watston-3295,
Thank you very much. This was helpful. So, just by typing in 'syslog' and hit run, I have some results to look at but they all seems to be log of the local server itself. I know there are a bunch of log entries going into this file: /var/log/syslog but it seems like the server is not sending this file to Azure Sentinel or at least I don't think I am seeing those entries.
These are what I am seeing in Sentinel logs
And they don't correlate to what I see in the syslog file.
I hope this make sense.
Thanks
Kit
Have you checked Syslog or the required facility is enabled for collection (the only Facility I see in your screen shot is authpriv, but that maybe just the snapshot you are showing)?
https://learn.microsoft.com/en-us/azure/azure-monitor/agents/data-sources-syslog#configure-syslog-in-the-azure-portal
Yes, you are correct, I only clipped a few rolls in the screenshot. Is this what you are talking about?
There are a few thousands line of the logs but I few that they are just logs of the local Linux server, not from the Cisco Meraki devices. The reason I say that is when I actually look at the syslog file in /var/log, I see logs showing the Meraki devices' IP address and their device name. Those logs I don't see in Azure Sentinel. My gut feeling is that the syslog server is not sending THAT file to Azure Sentinel. So my question is, how do I check it that's what's happening and if it is, how do I fix it.
Thanks for your help so far.
Kit
Hi CliveWatson-3295,
I called Microsoft and followed an article they provided to create a custom log and now I am able to see the logs that I was looking for. Here's the article in case anyone needs it - Collect custom logs with Log Analytics agent in Azure Monitor - Azure Monitor | Microsoft Learn
Thanks for your help.
Kit
This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Comments have been turned off. Learn more