Hello Everyone,
I would like to inject logs from our Meraki devices into Azure Sentinel. From everything I've read, a Linux syslog server is needed to act as a log collector/forwarder to collect logs from the Meraki devices and then forward them to Sentinel.
I've built a Linux Ubuntu VM in Azure. I've also connected the Linux VM to the Azure Sentinel connector. I've also installed the Azure monitoring agent on the Linux server.
I have some questions:
I am not a Linux guy at all so detail step by step instructions will be greatly appreciated here.
Thank you in advance.
Kit Cheng
Please see instructions at: Azure Sentinel Grand List
Hi Kit,

The Log collector (syslog server) will have (or need to have) the Azure Sentinel agent installed on it, and that would be configured to send the data to Log Analytics / Azure Sentinel, which you have already done.
The most simple way, and mainly using the UI to query the data, is to open the Logs blade, double click on Syslog (under the "LogsManagement" folder), and then press Run.
Any (working) agent will also write to the Heartbeat table. Once again in the Logs blade, you can paste this query and press Run. You should be able to see your Linux server in the list, and it will show the last record received. If you don't, then it means no data has been sent from the Linux server to Azure Sentinel yet.
Heartbeat
| where OSType == "Linux"
| summarize arg_max(TimeGenerated,*) by Computer
A lot of queries can be written without knowing the code language and using the UI, but we can discuss that, when you have data in the Syslog table.
Have you checked that Syslog or the required facility is enabled for collection (the only facility I see in your screenshot is authpriv, but that may be just the snapshot you are showing)?
https://learn.microsoft.com/en-us/azure/azure-monitor/agents/data-sources-syslog#configure-syslog-in-the-azure-portal
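As an added example (not part of the answer above), two KQL queries that take the Heartbeat check one step further: the first lists collectors that are heartbeating but have sent nothing to the Syslog table in the last hour, and the second breaks down what a given collector is actually sending by facility and severity, which is the quickest way to spot a facility that is not enabled for collection. The hostname "meraki-syslog-01" is an assumed placeholder; replace it with the Computer value shown in your Heartbeat results. Run each query separately in the Logs blade.

```kql
// Added example, not from the original answer. Assumed collector name below.

// Query 1: agents that are alive (Heartbeat) but produced no Syslog rows in the
// last hour. leftanti keeps only Heartbeat rows with no matching Computer in
// the Syslog subquery, so any host listed here needs its rsyslog/agent
// facility configuration checked.
Heartbeat
| where OSType == "Linux"
| summarize LastHeartbeat = max(TimeGenerated) by Computer
| join kind=leftanti (
    Syslog
    | where TimeGenerated > ago(1h)
    | distinct Computer
) on Computer
| project Computer, LastHeartbeat

// Query 2: what one collector is sending, grouped by facility and severity.
// If the Meraki facility you forward on (e.g. local0..local7, set on the
// Meraki side) is missing from this list, it is not enabled in the Syslog
// data source on the agent, even though other facilities are flowing.
Syslog
| where TimeGenerated > ago(24h)
| where Computer == "meraki-syslog-01"   // assumed hostname, replace with yours
| summarize Events = count(), LastSeen = max(TimeGenerated), Sample = any(SyslogMessage)
    by Facility, SeverityLevel
| order by Events desc
```

Query 1 returning an empty result is the good outcome; Query 2 should show the facility you configured the Meraki devices to send on, with a recent LastSeen.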
Hi CliveWatson-3295,
I called Microsoft and followed an article they provided to create a custom log and now I am able to see the logs that I was looking for. Here's the article in case anyone needs it - Collect custom logs with Log Analytics agent in Azure Monitor - Azure Monitor | Microsoft Learn
Thanks for your help.
Kit