Forwarding SYSLOG through a OMS Data Gateway

Question

I have an ARM IOT device that has about 64Gb of storage and can't support a OMS agent. I have setup a OMS Data Gateway on windows 10 and pointed the SYSLOG to the windows box. Confirmed its sending SYSLOG but OMSDG isn't picking it up and forwarding it to Sentinel. The OMS Gateway looks pretty simple and I have confirmed that the IOT device is sending SYSLOG. I am getting heartbeats from the OMS agent on windows. Where am I screwing up?

Answer 1

Hi @Leif Davisson ,

If I understood correctly your scenario, there are few things to clarify here:

The Log Analytics (OMS) Gateway is intended to act as a proxy when you want to connect Log Analytics Agents running on VMs without internet access to a Log Analytics Workspace (it cannot be used as a Syslog Forwarder):

Now, you have a Syslog source where you cannot install the Log Analytics (or Azure Monitor) Agent.
For you to be able to get that Syslog data in Sentinel, you need to use what is called a Syslog Forwarder.

The process is the following:

1. Install a Linux Log Analytics Agent on a Linux VM and ensure is connected to the Sentinel Workspace (directly or through a Log Analytics Gateway if the VM is not having internet access)
2. Configure the Syslog Collection from the Log Analytics Workspace (from Legacy Agents Management --> Syslog)
   
3. Configure your Syslog Source (your ARM IOT device) to forward the Syslog data to the Linux Forwarder you configured at step 1 on the facility you configured to be collected at step 2

These instructions are also presented here.

I hope that this is the info you're looking for.

BR,
George

Answer 2

Everything looks right I am just not see anything in Sentinel that tells me its ingesting logs. @George Moise

Answer 3

Are you sure that's supported on windows?
When it comes to syslog I always use rsyslog with linux, along with the agent of course.

Answer 4

Probably not. I spun up a Linux VM and installed OMS Agent.

This is really confusing, there is a windows data gateway, windows agent, linux agent but not a gateway( but it intakes syslog ), a docker instance but only for cloud app defender.

CHECKING INSTALLATION...
Checking if running a supported OS version...
ERROR(S) FOUND.

================================================================================

================================================================================

ALL ERRORS/WARNINGS ENCOUNTERED:
ERROR FOUND: This version of Ubuntu (22.04) is not supported. Please download 14.04, 16.04, 18.04 or 20.04. To see all supported Operating Systems, please go to:

https://learn.microsoft.com/en-us/azure/azure-monitor/platform/log-analytics-agent#supported-linux-operating-systems

Answer 5

I want to thank you guys for your patience while I learn this product. Seems like there are a lot of exception and multiple ways of achieving the same goal and some transitions to new product lines. @George Moise @David Broggy

I rebuilt the linux box with 20.04 ubuntu and OMS connected right away. I think I got confused at that the OMS Agent has to be a SYSLOG Server to collect logs from the endpoint for some reason I though that OMS would make those changes for me. Confirmed OMS agent Syslog ingesting and ARM IOT device Ingesting into Log Analytics Workspace.

BTW Sentinel caught me download a Ubuntu ISO over Torrent. HEHE.