Syslog with Azure Sentinel
The theory
What is syslog
Simply put, Syslog is a message logging standard that allows a wide variety of applications and devices to send data about status, events, diagnostics, and more.
Syslog messages have a built-in severity level, rating any event from 0 (Emergency) up to 7 (Debugging), so setting up proper rules for logging is necessary to keep the logs clear.
Downloading and setting up Syslog on Virtual Machine (Linux)
Most of the setup is already prepared after installing Syslog. The main thing to check is that the port is set to either 514 or 601 in the /etc/rsyslog.conf file. You can also set some rules by uncommenting specific lines in /etc/rsyslog.d/50-default.conf to store the last 24 hours of logs locally (just in case the connection with Azure Sentinel is lost). After all of this you should run the command `sudo systemctl start rsyslog` to start Syslog.
Setting up Syslog on Azure Sentinel
There is a ready-made integration of Azure Sentinel with Syslog. After installing this integration on our server, it creates an extra file (95-omsagent.conf) that stores all the rules you set up in the Sentinel configuration workbook.
Example of configuration workbook:
Example of 95-omsagent.conf (with previous workbook configuration):
If any problem occurs in this step, there is a lot of documentation created by Microsoft itself (Microsoft Sentinel Documentation).
Azure Sentinel Logs
After all the previous steps, it’s time to check whether Sentinel actually works with our Syslog. Running the command `logger “…”` locally should leave some kind of trace (in /var/log/syslog and, after a couple of seconds, in Sentinel).
If the trace is left only locally, make sure that 95-omsagent.conf is set up properly.
The Practice
First, you should install Syslog (sometimes it’s already on the system by default):
sudo apt install rsyslog
rsyslog is already the newest version (8.2001.0-1ubuntu1.3)
rsyslog set to manually installed.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Now you have to enable the listening ports to make Syslog work properly. Use the command:
sudo nano /etc/rsyslog.conf
You should uncomment these lines:
module(load="imudp")
input(type="imudp" port="514")
and
module(load="imtcp")
input(type="imtcp" port="514")
After that, it's time to set up local logging. You can choose which logs will be stored locally in which files (/var/log/syslog is the default file and collects all of the logs that go to these files).
cd /etc/rsyslog.d
sudo nano 50-default.conf
Now run the command to start Syslog:
sudo systemctl start rsyslog
It is good practice to check that the service started properly by using the command:
sudo systemctl status rsyslog
If syslog is working properly, go to Azure Sentinel and create a resource. Select "Data connectors" in the "Configuration" category. Then type Syslog in the search bar and select the option that appears. Go to "Open connector page" and at the bottom of the page select "Install agent on Azure Linux Virtual Machine".
After your machine is connected, go to /etc/rsyslog.d and use the command:
ls -la
and look for the file 95-omsagent.conf.
If it exists, the connection was set up properly; otherwise wait a couple of minutes, and if the problem persists, look at the Microsoft Sentinel Documentation.
Then, on the Syslog connector page, select the option at the bottom of the page “Open your workspace agents configuration”.
There you can select which logs are going to be sent to Sentinel. Just for the test you can set options like this:
Then click the “Apply” button and wait a few minutes to let Sentinel update the 95-omsagent.conf file. You can check whether it’s already updated by typing:
cat 95-omsagent.conf
and getting a response which looks like this:
Now it’s time to check that everything is logging properly. Type this command on your server:
logger "Hello Sentinel"
Then you should go to /var/log and type:
cat user.log (if you enabled this option in 50-default.conf)
or
tail -5 syslog
If the message appears, go to the Sentinel main page, select the “Logs” option from the “General” category and run this basic query:
If you can see the message in Sentinel, then it’s time to have fun logging and analyzing your data. Enjoy!
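The selector rules in 50-default.conf (and in the generated 95-omsagent.conf) decide which file or destination a message reaches, based on the facility and severity encoded in its PRI field. The following added example, which is not part of the original post and not Microsoft's or rsyslog's code, decodes the PRI of a constructed `logger "Hello Sentinel"` message and evaluates sysklogd/rsyslog-style selectors against it, showing why that message lands in both /var/log/user.log and /var/log/syslog but not in auth.log. The sample message and the facility names for codes 12-15 are assumptions.

```python
import re

# Names in numeric order (RFC 5424 section 6.2.1); codes 12-15 differ between implementations.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}  # accepted in selectors
PRI_RE = re.compile(r"^<(\d{1,3})>")

def decode_pri(message):
    """Return (facility, severity) from the leading <PRI> field; PRI = facility*8 + severity."""
    m = PRI_RE.match(message)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or out-of-range PRI field")
    pri = int(m.group(1))
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]

def parse_selector(selector):
    """Turn a selector like '*.*;auth,authpriv.none' into {facility: set(severities)}.
    Sub-selectors apply left to right to a per-facility mask (sysklogd/rsyslog rules):
    'prio' adds prio and everything more severe, '=prio' adds exactly prio, a leading
    '!' clears instead of adding, 'none' clears the facility and '*' adds all."""
    mask = {fac: set() for fac in FACILITIES}
    for part in selector.split(";"):
        facs, prio = part.strip().rsplit(".", 1)
        for fac in (FACILITIES if facs == "*" else facs.split(",")):
            if prio == "none":
                mask[fac].clear()
            elif prio == "*":
                mask[fac].update(SEVERITIES)
            else:
                clear, level = prio.startswith("!"), prio.lstrip("!")
                exact, level = level.startswith("="), level.lstrip("=")
                level = ALIASES.get(level, level)
                chosen = {level} if exact else set(SEVERITIES[:SEVERITIES.index(level) + 1])
                (mask[fac].difference_update if clear else mask[fac].update)(chosen)
    return mask

def selector_matches(selector, message):
    """True if a rule with this selector would act on the raw syslog message."""
    facility, severity = decode_pri(message)
    return severity in parse_selector(selector)[facility]

# Constructed sample of what `logger "Hello Sentinel"` emits: user.notice, PRI = 1*8+5 = 13.
SAMPLE = "<13>Mar  1 12:00:00 vm01 user: Hello Sentinel"

if __name__ == "__main__":
    print(selector_matches("user.*", SAMPLE))           # True  -> /var/log/user.log
    print(selector_matches("auth,authpriv.*", SAMPLE))  # False -> not in auth.log
```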