log via syslog server agent to Azure Sentinel (list of IPs?) & dual agent to two Log Analytics workspace

Johnny C.Y. Tang 41 Reputation points
2022-03-04T11:15:48.127+00:00

Hi,

I am currently looking at setting up something like this:

Security devices > syslog server > Microsoft Sentinel

In order to tie down/restrict somewhat the access this syslog server has, is there a list of known IPs for Microsoft Sentinel?

Another bonus question please :D

For one of the firewalls (one of the security devices mentioned above) we are looking to send a full set to Sentinel via this syslog server, PLUS a smaller subset of the SAME log (but with only selected columns/fields) to another Log Analytics workspace. This might be outside of scope of the syslog server agent but is there a guide on how to get this set up please?

Many thanks.

JT


1 answer

  1. Andrew Blumhardt 9,576 Reputation points Microsoft Employee
    2022-03-04T11:48:13.23+00:00

    There are no special IPs for Syslog. It encrypts the traffic using TLS 1.2 to the standard public endpoints. Both the AMA and MMA agents share the same firewall requirements. https://learn.microsoft.com/en-us/azure/azure-monitor/agents/log-analytics-agent#firewall-requirements

    The MMA agent on Linux does not support dual homing. The new AMA agent does support dual homing on Linux. I assume you would simply set up two DCR rules.

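Since the answer's point is that there is no fixed IP list, only public FQDNs reached over TLS on 443, the restriction the question asks for is normally done as an FQDN allowlist on the syslog server's egress proxy or firewall. The following is an added example, not code from the post or from Microsoft: it models that egress decision for a batch of constructed connection attempts. The endpoint patterns are an assumption taken from the Log Analytics agent firewall-requirements page linked above (verify them against the current page), the workspace id is a placeholder, and the `Attempt`, `host_matches` and `is_allowed` names are the example's own.

```python
"""Egress allowlist decision for a syslog forwarder host (added example)."""
import ipaddress
from typing import Dict, Iterable, NamedTuple

# Assumption: wildcard FQDN patterns and port as documented on the linked
# log-analytics-agent firewall-requirements page. Confirm against the live doc.
ALLOWED_ENDPOINTS: Dict[str, int] = {
    "*.ods.opinsights.azure.com": 443,
    "*.oms.opinsights.azure.com": 443,
    "*.blob.core.windows.net": 443,
    "*.azure-automation.net": 443,
}


class Attempt(NamedTuple):
    """One outbound connection attempt seen at the proxy/firewall."""
    host: str
    port: int


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def host_matches(host: str, pattern: str) -> bool:
    """Dot-anchored wildcard match.

    '*.x.y' matches 'a.x.y' and 'a.b.x.y' but NOT 'x.y' itself, NOT 'ax.y',
    and NOT 'a.x.y.attacker.example' (a plain substring check would pass that).
    """
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".x.y"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def is_allowed(attempt: Attempt) -> bool:
    """Allow only documented FQDNs on the documented port.

    IP literals are denied outright: the ingestion service IPs are not fixed,
    so an IP-based rule would either break or drift open over time.
    """
    if _is_ip_literal(attempt.host):
        return False
    return any(
        host_matches(attempt.host, pattern) and attempt.port == port
        for pattern, port in ALLOWED_ENDPOINTS.items()
    )


def evaluate(attempts: Iterable[Attempt]) -> Dict[str, str]:
    """Map 'host:port' -> 'allow' | 'deny' for a batch of attempts."""
    return {
        f"{a.host}:{a.port}": ("allow" if is_allowed(a) else "deny")
        for a in attempts
    }


# Constructed sample attempts; the workspace id below is a placeholder.
SAMPLE_ATTEMPTS = [
    Attempt("00000000-0000-0000-0000-000000000000.ods.opinsights.azure.com", 443),
    Attempt("00000000-0000-0000-0000-000000000000.ods.opinsights.azure.com", 80),
    Attempt("ods.opinsights.azure.com", 443),
    Attempt("x.ods.opinsights.azure.com.attacker.example", 443),
    Attempt("203.0.113.10", 443),  # constructed IP literal (TEST-NET-3)
    Attempt("example.blob.core.windows.net", 443),
]

if __name__ == "__main__":
    for key, verdict in evaluate(SAMPLE_ATTEMPTS).items():
        print(f"{verdict:5} {key}")
```

The two checks worth carrying into a real proxy ACL are the dot-anchored suffix match (a bare `endswith` or substring rule lets a lookalike subdomain under an attacker-controlled zone through) and the port restriction: only 443 is needed, so a plaintext 80 attempt to an otherwise-valid host is still denied.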