How can I connect GNS3 network to Microsoft Sentinel?

Question

How can I connect GNS3 network to Microsoft Sentinel?

Miloslav Šťastný 21

Hello,
I am trying to use a GNS3 network as input data to Microsoft Sentinel. My GNS3 server with GNS3 network is running on a virtual Linux machine, so I can monitor it with Syslog connector successfully. However I am unable to detect anything from the GNS3 network. Any idead how to solve this? I would be grategul for any answer.

Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator

2022-05-17T02:52:40.613+00:00

Hello @Miloslav Šťastný , can you provide more detail about your GNS3 env and Sentinel/connector setup?
Miloslav Šťastný 21 Reputation points

2022-05-26T11:52:50.767+00:00

Hello, I solved it. Anyway, I have a virtual Linux machine running in Azure and there´s a GNS3 network on the machine.
config:

/etc/rsyslog.conf Configuration file for rsyslog.

For more information see

/usr/share/doc/rsyslog-doc/html/rsyslog_conf.html

Default logging rules can be found in /etc/rsyslog.d/50-default.conf

MODULES

module(load="imuxsock") # provides support for local system logging
input(type="imuxsock" Socket="/var/run/rsyslog/dev/log" CreatePath="on")
module(load="immark") # provides --MARK-- message capability

provides UDP syslog reception

module(load="imudp")
input(type="imudp" port="514")

provides TCP syslog reception

module(load="imtcp")
input(type="imtcp" port="514")

provides kernel logging support and enable non-kernel klog messages

module(load="imklog" permitnonkernelfacility="on")

GLOBAL DIRECTIVES

Use traditional timestamp format.

To enable high precision timestamps, comment out the following line.

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

Filter duplicated messages

$RepeatedMsgReduction on

Set the default permissions for all log files.

$FileOwner syslog
$FileGroup adm

Answer accepted by question author

1 additional answer

Your answer

Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator

2022-05-17T02:52:40.613+00:00

Hello @Miloslav Šťastný , can you provide more detail about your GNS3 env and Sentinel/connector setup?
Miloslav Šťastný 21 Reputation points

2022-05-26T11:52:50.767+00:00

Hello, I solved it. Anyway, I have a virtual Linux machine running in Azure and there´s a GNS3 network on the machine.
config:

/etc/rsyslog.conf Configuration file for rsyslog.

For more information see

/usr/share/doc/rsyslog-doc/html/rsyslog_conf.html

Default logging rules can be found in /etc/rsyslog.d/50-default.conf

MODULES

module(load="imuxsock") # provides support for local system logging
input(type="imuxsock" Socket="/var/run/rsyslog/dev/log" CreatePath="on")
module(load="immark") # provides --MARK-- message capability

provides UDP syslog reception

module(load="imudp")
input(type="imudp" port="514")

provides TCP syslog reception

module(load="imtcp")
input(type="imtcp" port="514")

provides kernel logging support and enable non-kernel klog messages

module(load="imklog" permitnonkernelfacility="on")

GLOBAL DIRECTIVES

Use traditional timestamp format.

To enable high precision timestamps, comment out the following line.

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

Filter duplicated messages

$RepeatedMsgReduction on

Set the default permissions for all log files.

$FileOwner syslog
$FileGroup adm

Answer 1

David Broggy 6,616 MVP Volunteer Moderator

Hi @Miloslav Šťastný
Microsoft Sentinel expects that any servers you want to monitor are running their monitoring agent.
In the Azure portal, type ‘log analytics workspace’ in the top search box.
Open the Log Analytics Workspace that is associated with your Sentinel configuration.
Select the ‘Agents’ section and go to the Linux tab.
You will see a curl command you can use to download and install the Azure Monitor (OMS) agent.
Once this agent is installed you should have logs showing up in Sentinel as described in the Windows Security Events connector configuration (in the Sentinel > Connectors UI)

Miloslav Šťastný 21 Reputation points

2022-05-26T11:57:00.02+00:00

Thank you, I had done it before I asked my question. I had to set logging on each device in the GNS3 network, so the logs were sent to agent.

Answer 2

Miloslav Šťastný 21

Thank you for your help, I have eventually solved it.

Share via

How can I connect GNS3 network to Microsoft Sentinel?

/etc/rsyslog.conf Configuration file for rsyslog.

For more information see

/usr/share/doc/rsyslog-doc/html/rsyslog_conf.html

Default logging rules can be found in /etc/rsyslog.d/50-default.conf

MODULES

provides UDP syslog reception

provides TCP syslog reception

provides kernel logging support and enable non-kernel klog messages

GLOBAL DIRECTIVES

Use traditional timestamp format.

To enable high precision timestamps, comment out the following line.

Filter duplicated messages

Set the default permissions for all log files.

1 additional answer

Your answer