Miloslavastn-0626 asked Miloslavastn-0626 answered

How can I connect GNS3 network to Microsoft Sentinel?

Hello,
I am trying to use a GNS3 network as input data to Microsoft Sentinel. My GNS3 server with the GNS3 network is running on a virtual Linux machine, so I can monitor it with the Syslog connector successfully. However, I am unable to detect anything from the GNS3 network. Any ideas how to solve this? I would be grateful for any answer.

Tags: microsoft-sentinel, azure-virtual-machines-monitoring

Hello @miloslavastn-0626, can you provide more detail about your GNS3 env and Sentinel/connector setup?


Hello, I solved it. Anyway, I have a virtual Linux machine running in Azure and there's a GNS3 network on the machine.
config:

# /etc/rsyslog.conf Configuration file for rsyslog.
#
# For more information see
# /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
#
# Default logging rules can be found in /etc/rsyslog.d/50-default.conf

#################
#### MODULES ####
#################

module(load="imuxsock") # provides support for local system logging
input(type="imuxsock" Socket="/var/run/rsyslog/dev/log" CreatePath="on")
module(load="immark")   # provides --MARK-- message capability

# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")

# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")

# provides kernel logging support and enable non-kernel klog messages
module(load="imklog" permitnonkernelfacility="on")

###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Filter duplicated messages
$RepeatedMsgReduction on

#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
DavidBroggy-5270 answered Miloslavastn-0626 commented

Hi @Miloslavastn-0626
Microsoft Sentinel expects that any servers you want to monitor are running their monitoring agent.
In the Azure portal, type ‘log analytics workspace’ in the top search box.
Open the Log Analytics Workspace that is associated with your Sentinel configuration.
Select the ‘Agents’ section and go to the Linux tab.
You will see a curl command you can use to download and install the Azure Monitor (OMS) agent.
Once this agent is installed you should have logs showing up in Sentinel as described in the Windows Security Events connector configuration (in the Sentinel > Connectors UI).


Thank you, I had done it before I asked my question. I had to set logging on each device in the GNS3 network, so the logs were sent to the agent.

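The fix in this thread is on the device side (each GNS3 device must be told to send syslog to the collector) while the rsyslog.conf above only opens the UDP/TCP listeners on port 514. A quick way to confirm that every lab device is actually reaching the collector, before looking in Sentinel, is to parse the file rsyslog writes and list the hostnames that never logged anything. The script below is an added example, not code from this thread or from Microsoft; it understands the RSYSLOG_TraditionalFileFormat lines the posted config produces, plus the optional `<PRI>` prefix seen on the wire, and the sample lines and the hostnames R1, R2 and SW1 are constructed assumptions.

```python
"""Report which expected lab devices have not reached the rsyslog collector.

Added example (not from the thread). Parses syslog lines in the
RSYSLOG_TraditionalFileFormat shape that the posted rsyslog.conf writes
("Mon dd hh:mm:ss host tag: message") and, for raw wire captures, the
RFC 3164 "<PRI>" prefix in front of the timestamp.
"""
import re
from collections import Counter

# Optional <PRI> (present on the wire, dropped by the traditional file
# template), BSD timestamp, hostname, tag with optional [pid], message.
SYSLOG_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)

# RFC 3164 facility codes; PRI = facility * 8 + severity.
FACILITY_NAMES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
}
FACILITY_NAMES.update({16 + i: f"local{i}" for i in range(8)})
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_line(line):
    """Return a dict of syslog fields, or None if the line is not syslog."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    if rec["pri"] is not None:
        pri = int(rec["pri"])
        rec["facility"] = FACILITY_NAMES.get(pri // 8, str(pri // 8))
        rec["severity"] = SEVERITY_NAMES[pri % 8]
    else:
        rec["facility"] = rec["severity"] = None  # file lines carry no PRI
    return rec


def device_report(lines, expected_hosts):
    """Count lines per sending host and name the expected hosts never seen."""
    counts = Counter()
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        counts[rec["host"]] += 1
    missing = sorted(h for h in expected_hosts if counts[h] == 0)
    return {"counts": dict(counts), "missing": missing, "unparsed": unparsed}


# Constructed sample of what /var/log/syslog might contain on the collector:
# two routers (R1, SW1) that were configured to log remotely, the collector's
# own rsyslogd start line, and one junk line. R2 is expected but silent.
SAMPLE_LOG = """\
Mar  3 10:15:01 R1 12: %SYS-5-CONFIG_I: Configured from console by admin on vty0
Mar  3 10:15:07 R1 13: %LINEPROTO-5-UPDOWN: Line protocol on Interface Gi0/1, changed state to up
Mar  3 10:15:09 SW1 5: %LINK-3-UPDOWN: Interface Fa0/1, changed state to down
Mar  3 10:15:20 gns3host rsyslogd: [origin software="rsyslogd"] start
this line is not syslog at all
"""

if __name__ == "__main__":
    report = device_report(SAMPLE_LOG.splitlines(), ["R1", "R2", "SW1"])
    for host, n in sorted(report["counts"].items()):
        print(f"{host:10s} {n} line(s)")
    print("silent devices:", report["missing"] or "none")
    print("unparsed lines:", report["unparsed"])
```

Run it against the real file with `device_report(open("/var/log/syslog"), [...])` and the list of hostnames configured in the lab; a device in `missing` has not been configured to log to the collector (or its traffic is not reaching port 514), which is exactly the situation the original poster hit. Severity and facility are only decoded when the `<PRI>` is present, i.e. on wire captures, because the traditional file template strips it.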
Miloslavastn-0626 answered

Thank you for your help, I have eventually solved it.
