Forwarding SYSLOG through a OMS Data Gateway

LeifDavisson
2022-08-18T03:38:54.927+00:00

I have an ARM IoT device that has about 64 GB of storage and can't support an OMS agent. I have set up an OMS Data Gateway on Windows 10 and pointed the SYSLOG to the Windows box. Confirmed it's sending SYSLOG, but OMSDG isn't picking it up and forwarding it to Sentinel. The OMS Gateway looks pretty simple and I have confirmed that the IoT device is sending SYSLOG. I am getting heartbeats from the OMS agent on Windows. Where am I screwing up?


Accepted answer
  1. George Moise (Microsoft Employee)
    2022-08-18T08:27:10.69+00:00

    Hi @LeifDavisson ,

    If I understood your scenario correctly, there are a few things to clarify here:

    The Log Analytics (OMS) Gateway is intended to act as a proxy when you want to connect Log Analytics Agents running on VMs without internet access to a Log Analytics Workspace (it cannot be used as a Syslog Forwarder).

    Now, you have a Syslog source where you cannot install the Log Analytics (or Azure Monitor) Agent.
    For you to be able to get that Syslog data in Sentinel, you need to use what is called a Syslog Forwarder.

    The process is the following:

    1. Install a Linux Log Analytics Agent on a Linux VM and ensure it is connected to the Sentinel Workspace (directly or through a Log Analytics Gateway if the VM does not have internet access)
    2. Configure the Syslog Collection from the Log Analytics Workspace (from Legacy Agents Management --> Syslog)
    3. Configure your Syslog Source (your ARM IoT device) to forward the Syslog data to the Linux Forwarder you configured at step 1 on the facility you configured to be collected at step 2

    These instructions are also presented here.

    I hope that this is the info you're looking for.

    BR,
    George

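Step 3 above only works if the device emits on a facility selected at step 2. As an added example that is not part of this answer or of any Microsoft documentation, the following Python decodes the `<PRI>` header of RFC 3164 syslog lines and shows which constructed sample messages a forwarder collecting a given set of facilities would keep, a quick way to explain "nothing shows up in Sentinel".

```python
# Added example, not from the thread: decode the <PRI> header of RFC 3164
# syslog lines and check them against a forwarder's collected facilities.
import re

# RFC 3164 facility and severity code tables (list index = numeric code).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(line):
    """Return (facility, severity) names from a syslog line's <PRI> header."""
    match = PRI_RE.match(line)
    if not match:
        raise ValueError("no <PRI> header: %r" % line[:40])
    pri = int(match.group(1))
    if pri > 191:  # 23 * 8 + 7 is the highest legal PRI value
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def would_be_collected(line, facilities, min_severity="debug"):
    """True if a config collecting these facilities at min_severity keeps the line."""
    facility, severity = decode_pri(line)
    # Lower index means more severe; keep anything at least as severe as min_severity.
    return (facility in facilities
            and SEVERITIES.index(severity) <= SEVERITIES.index(min_severity))


def triage(lines, facilities, min_severity="debug"):
    """Split lines into (kept, dropped) according to the collection config."""
    kept, dropped = [], []
    for line in lines:
        bucket = kept if would_be_collected(line, facilities, min_severity) else dropped
        bucket.append(line)
    return kept, dropped


# Constructed sample messages, as an IoT device might emit them.
SAMPLE_LINES = [
    "<134>Aug 19 00:55:27 iot-device app: sensor reading ok",        # local0.info
    "<38>Aug 19 00:55:30 iot-device sshd[512]: Accepted publickey",  # auth.info
    "<15>Aug 19 00:55:31 iot-device app: verbose trace",             # user.debug
]
```

Run `triage(SAMPLE_LINES, {"auth", "local0"}, "info")` to see the `user.debug` line dropped while the other two are kept.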

5 additional answers

  1. LeifDavisson
    2022-08-19T00:55:27.657+00:00

    Everything looks right; I am just not seeing anything in Sentinel that tells me it's ingesting logs. @George Moise


  2. David Broggy (MVP)
    2022-08-19T02:03:55.593+00:00

    Are you sure that's supported on Windows?
    When it comes to syslog I always use rsyslog with Linux, along with the agent of course.


  3. LeifDavisson
    2022-08-19T04:33:40.56+00:00

    Probably not. I spun up a Linux VM and installed OMS Agent.

    This is really confusing: there is a Windows data gateway, a Windows agent, and a Linux agent but no gateway (although it intakes syslog), and a Docker instance but only for Cloud App Defender.

    CHECKING INSTALLATION...
    Checking if running a supported OS version...
    ERROR(S) FOUND.

    ================================================================================

    ================================================================================

    ALL ERRORS/WARNINGS ENCOUNTERED:
    ERROR FOUND: This version of Ubuntu (22.04) is not supported. Please download 14.04, 16.04, 18.04 or 20.04. To see all supported Operating Systems, please go to:

    https://learn.microsoft.com/en-us/azure/azure-monitor/platform/log-analytics-agent#supported-linux-operating-systems


  4. LeifDavisson
    2022-08-20T04:51:20.567+00:00

    I want to thank you guys for your patience while I learn this product. It seems like there are a lot of exceptions and multiple ways of achieving the same goal, and some transitions to new product lines. @George Moise @David Broggy

    I rebuilt the Linux box with Ubuntu 20.04 and OMS connected right away. I think I got confused in that the OMS Agent has to be a SYSLOG server to collect logs from the endpoint; for some reason I thought that OMS would make those changes for me. Confirmed the OMS agent is ingesting Syslog and the ARM IoT device is ingesting into the Log Analytics Workspace.

    BTW, Sentinel caught me downloading an Ubuntu ISO over Torrent. HEHE.
