I have setup AMA agents with DCR , we are receiving logs . For windows through AMA receiving through "Windows Security Events via AMA" connector and it is showing DCR's created. My question is , why is it sending linux logs through Syslog connector. Its not sending over 514 right , its all through API and through 443 I believe . Why is Syslog connector showing as receiving logs when all through AMA and which is not on 514 ofcourse . Not sure what am I missing out on here.

Hi @Soumya Banerjee , Welcome to Microsoft Q&A! Thanks for posting the question. Based on my understanding, you are seeing connection to port 514 (which is used for forwarding syslog to syslog server) from your Linux VM running in Azure/ Arc enabled VM. I did a test by installing "Azure Monitor Agent (AzureMonitorLinuxAgent extension) on an Azure VM through DCR and collected a network trace using tcpdump on this machine. I did not see any communication for port 514 on my machine and confirm that the syslog messages are getting collected in LogAnalytics Workspace. It looks like syslog forwarding is enabled on you machine through some other mechanism because of which you are seeing connection on port 514. Can you please check and confirm that? Also, in case the suggestion above does not help, can you please share details on - how are you seeing connection on port 514? Please check the IP as well and see if it belongs to any centralized Log/Event Message collector (or syslog server). For your reference, this link contains the IP used by Azure Monitor. Please let me know if you have any questions. --- Please 'Accept as answer' and ‘Upvote’ if it helped so that it can help others in the community looking for help on similar topics.

Logs through AMA agents - Microsoft Q&A

Accepted answer

AnuragSingh-MSFT 21,246 Reputation points

2022-03-24T06:49:12.547+00:00

Hi @Soumya Banerjee ,

Welcome to Microsoft Q&A! Thanks for posting the question.

Based on my understanding, you are seeing connection to port 514 (which is used for forwarding syslog to syslog server) from your Linux VM running in Azure/Arc enabled VM. I did a test by installing "Azure Monitor Agent (AzureMonitorLinuxAgent extension) on an Azure VM through DCR and collected a network trace using tcpdump on this machine. I did not see any communication for port 514 on my machine and confirm that the syslog messages are getting collected in LogAnalytics Workspace.

It looks like syslog forwarding is enabled on you machine through some other mechanism because of which you are seeing connection on port 514. Can you please check and confirm that?

Also, in case the suggestion above does not help, can you please share details on - how are you seeing connection on port 514? Please check the IP as well and see if it belongs to any centralized Log/Event Message collector (or syslog server). For your reference, this link contains the IP used by Azure Monitor.

Please let me know if you have any questions.

---
Please 'Accept as answer' and ‘Upvote’ if it helped so that it can help others in the community looking for help on similar topics.
Please sign in to rate this answer.
Soumya Banerjee 126 Reputation points

2022-03-24T07:52:10.253+00:00

Hi @AnuragSingh-MSFT ,

You mentioned the logs are reaching into the log analytics workspace in the created test instance.

For your test instance, Are the logs reaching through the connector "Syslog" in sentinel ? when you click open the syslog connector does it show data in graph?

If not then how the logs are reaching to LAW, can you describe a bit.

In my case since its showing a data graph when you view the "Syslog" connector, so I thought its coming through 514 .

Note: I have not done a n/w trace to confirm if its coming through 514. But I thought , if its coming through the Syslog connector then maybe using 514.

AnuragSingh-MSFT 21,246 Reputation points

2022-03-25T02:10:48.007+00:00

@Soumya Banerjee , thank you for the clarification. I used the AMA agent deployed using Data Collection Rule to collect Syslog to Log Analytics Workspace. This method installs AMA locally on the machine and forwards the syslog messages (if configured through DCR) to LA API over 443.

In your scenario with Azure Sentinel's Syslog connector, the Log Analytics agent (formerly known as OMS agent) installed on the machine is used to collect syslog messages. Here also, a similar method is used i.e., the messages are ingested in LA workspace using LA APIs over 443. The only difference is that you have an option to configure log forwarder which connects to LA workspace. Please refer to the Collect data from Linux-based sources using Syslog - Azure Sentinel, especially the architecture section of this doc.

Please let me know if you have any questions.

---
Please 'Accept as answer' and ‘Upvote’ if it helped so that it can help others in the community looking for help on similar topics.

Soumya Banerjee 126 Reputation points

2022-03-25T04:32:18.623+00:00

@AnuragSingh-MSFT , thanks much for the answer.

So, does data still show up in syslog connector in sentinel , when only using AMA with DCR ?
As, that's my initial question , because we are using AMA with DCR .
Hence we were expecting no data to show up in syslog connector inside sentinel after using AMA.
Thats why I asked how does it show in your test environment? Does it pick up syslog connector or sending to LA directly without any use of syslog connector ? As for windows there is a separate connector through AMA but nothing for linux ones.

Or does it mean that we have not configured AMA properly and hence still data being sent through OMS and hence showing through syslog connector

AnuragSingh-MSFT 21,246 Reputation points

2022-03-25T06:49:17.687+00:00

@Soumya Banerjee , thank you for the reply. Yes, data still show up in syslog connector in sentinel, when only using AMA with DCR - if you have enabled Azure Sentinel for the same Log Analytics Workspace which is also the Destination for Syslog DCR for this Linux machine.

Please note that there are mainly two agents which can send data from Linux machine to Log Analytics Workspace - Log Analytics Agent (also called OMS agent) and the newer Azure Monitor Agent. Ref: Azure Monitor Linux Agent.

When you enable the Sentinel (which uses LA Workspace as the backend), the data for syslog connector is pulled from Workspace and displayed in Sentinel Dashboard/workbook. If the Linux machine does not have AMA installed using DCR, you may also use Log Analytics agent for the same purpose. The end goal is that data is ingested in LA Workspace and used by Sentinel for analytics and intelligence.

In my scenario as well, I have installed AMA using DCR on Linux VM and Sentinel is enabled for the same Workspace to which AMA is sending data. I can see the analysis in Sentinel using this configuration. This is all through LA API over 443, unless log forwarder is enabled as mentioned above.

I hope this clarifies your doubt.

--
Please 'Accept as answer' and ‘Upvote’ if it helped so that it can help others in the community looking for help on similar topics.
Sign in to comment

Share via

Logs through AMA agents

0 additional answers