Alsid Syslog/Sentinel proxy
This template deploys an Alsid Syslog/Sentinel proxy. The solution consists of a publicly addressable Ubuntu virtual machine running a Syslog server and the Microsoft Azure Sentinel agent, ready to receive logs from Alsid for AD and forward them to your Sentinel workspace.
Usage instructions
Connect to the server
You can connect to the server through SSH on port 22. Because the virtual machine has a public IP address, restrict inbound access to port 22 (for example with a network security group rule limited to your management addresses) rather than leaving it reachable from the whole Internet.
Configure Alsid Syslog alerting
On your Alsid for AD portal, go to System, Configuration and then Syslog. From there you can create a new Syslog alert that targets this Syslog server.
The server is configured by default to listen on port 514 for UDP and 1514 for TCP (without TLS). Both transports are unencrypted, so alert data crosses the network in cleartext; restrict which source addresses can reach these ports, and keep in mind that UDP delivery is best effort (messages can be lost silently), whereas TCP at least detects a broken connection.
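To check that the listener actually receives what Alsid will send, the following added example (not part of this template or of Alsid's own tooling) builds an RFC 5424 syslog record, sends it over UDP and over newline-framed plain TCP, and includes a loopback self-test that runs offline. The hostname, app-name and message text are constructed sample values; the proxy address and the default ports 514/1514 are only referenced in the trailing comment.

```python
"""Smoke-test a syslog listener such as the Alsid/Sentinel proxy.

Added example, not code from the Azure template. It builds an RFC 5424
syslog record, sends it over UDP (proxy default: port 514) and over TCP
with LF framing and no TLS (proxy default: port 1514), and ships with a
loopback check that runs offline. Hostname, app-name and message text
below are constructed sample data.
"""
import socket
import threading
from datetime import datetime, timezone

# Syslog facility/severity numbers (RFC 5424 section 6.2.1)
FACILITY_LOCAL0 = 16
SEVERITY_NOTICE = 5


def build_syslog_message(msg, facility=FACILITY_LOCAL0, severity=SEVERITY_NOTICE,
                         hostname="alsid-proxy-test", app_name="AlsidForAD",
                         timestamp=None):
    """Return an RFC 5424 syslog record as bytes (no trailing newline)."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0-23 and severity 0-7")
    pri = facility * 8 + severity  # PRI = facility * 8 + severity
    ts = (timestamp or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    # <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
    header = f"<{pri}>1 {ts} {hostname} {app_name} - - -"
    return f"{header} {msg}".encode("utf-8")


def send_udp(host, port, record):
    """Send one datagram: no framing, no delivery guarantee, no encryption."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(record, (host, port))


def send_tcp(host, port, record):
    """Send one record over plain TCP using LF framing (cleartext, no TLS)."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(record + b"\n")


def loopback_check(record):
    """Start throwaway UDP and TCP listeners on 127.0.0.1, send the record to
    each, and return (udp_received, tcp_received) as bytes."""
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(("127.0.0.1", 0))
    udp.settimeout(5)
    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp.bind(("127.0.0.1", 0))
    tcp.listen(1)
    tcp.settimeout(5)
    results = {}

    def tcp_server():
        conn, _ = tcp.accept()
        with conn:
            buf = b""
            while not buf.endswith(b"\n"):  # read until the LF frame delimiter
                chunk = conn.recv(4096)
                if not chunk:
                    break
                buf += chunk
            results["tcp"] = buf.rstrip(b"\n")

    t = threading.Thread(target=tcp_server)
    t.start()
    send_udp("127.0.0.1", udp.getsockname()[1], record)
    results["udp"], _ = udp.recvfrom(65535)
    send_tcp("127.0.0.1", tcp.getsockname()[1], record)
    t.join(5)
    udp.close()
    tcp.close()
    return results["udp"], results.get("tcp")


if __name__ == "__main__":
    rec = build_syslog_message("test alert from the proxy smoke test")
    u, t = loopback_check(rec)
    print("UDP ok" if u == rec else "UDP mismatch")
    print("TCP ok" if t == rec else "TCP mismatch")
    # Against the real proxy, replace 127.0.0.1 with the VM's address:
    # send_udp("<proxy-ip>", 514, rec); send_tcp("<proxy-ip>", 1514, rec)
```

After sending to the real proxy, confirm the record appears in /var/log/AlsidForAD.log on the VM; if the UDP copy is missing but the TCP copy arrived, suspect a firewall or network security group rule that only allows one of the two ports.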
Configure Sentinel log collection
The server gathers the logs, but you still need to configure log collection for your workspace in the Azure portal, because the Azure CLI does not support custom log collection yet. To do this:
Configure the agent to collect the logs.
Under workspace advanced settings Configuration, select Data and then Custom Logs
Select Apply below configuration to my machines and click Add.
Upload a sample Alsid for AD (AFAD) Syslog file taken from the virtual machine running the Syslog server and click Next. Such a file can be found here
Set the record delimiter to New Line if it is not already, and click Next.
Select Linux and enter the path to the Syslog file (by default /var/log/AlsidForAD.log), click + and then Next.
Set the Name so that the resulting custom log is AlsidForADLog_CL, then click Done. Azure automatically appends _CL to the name you type, so there must be exactly one _CL suffix; make sure the name does not end up as AlsidForADLog_CL_CL.
All of these steps are showcased here as an example
Tags: alsid, syslog, sentinel, proxy, Microsoft.Compute/virtualMachines, extensions, CustomScript, Microsoft.Network/publicIPAddresses, Microsoft.Network/virtualNetworks, Microsoft.Network/networkInterfaces