Built-in connectors enable connection to the broader security ecosystem for non-Microsoft products. For example, use Syslog, Common Event Format (CEF), or REST APIs to connect your data sources with Microsoft Sentinel.
Microsoft Sentinel solutions provide packaged security content, including data connectors, workbooks, analytics rules, playbooks, and more. When you deploy a solution with a data connector, you get the data connector together with related content in the same deployment.
Azure Arc - Add On-Prem Machine
Download or Copy / Paste the code into Linux or Windows machine to run.
It will download the installation package, then install the downloaded hybrid agent, eventually run the connect command to connect to ARC portal.
try {
$env:SUBSCRIPTION_ID = "d9fzzzz-zzz-zz-zzzz-zzzzzb9";
$env:RESOURCE_GROUP = "RG-SERVERS";
$env:TENANT_ID = "adfd-dfdfd-dfdfd-dfdfd-dfdfdf";
$env:LOCATION = "eastus";
$env:AUTH_TYPE = "token";
$env:CORRELATION_ID = "yyy980-dfd-ad--fdsafd-fd-fdf-dfdfd";
$env:CLOUD = "AzureCloud";
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor 3072;
# Download the installation package
Invoke-WebRequest -UseBasicParsing -Uri "https://aka.ms/azcmagent-windows" -TimeoutSec 30 -OutFile "$env:TEMP\install_windows_azcmagent.ps1";
# Install the hybrid agent
& "$env:TEMP\install_windows_azcmagent.ps1";
if ($LASTEXITCODE -ne 0) { exit 1; }
# Run connect command
& "$env:ProgramW6432\AzureConnectedMachineAgent\azcmagent.exe" connect --resource-group "$env:RESOURCE_GROUP" --tenant-id "$env:TENANT_ID" --location "$env:LOCATION" --subscription-id "$env:SUBSCRIPTION_ID" --cloud "$env:CLOUD" --correlation-id "$env:CORRELATION_ID";
}
catch {
$logBody = @{subscriptionId="$env:SUBSCRIPTION_ID";resourceGroup="$env:RESOURCE_GROUP";tenantId="$env:TENANT_ID";location="$env:LOCATION";correlationId="$env:CORRELATION_ID";authType="$env:AUTH_TYPE";operation="onboarding";messageType=$_.FullyQualifiedErrorId;message="$_";};
Invoke-WebRequest -UseBasicParsing -Uri "https://gbl.his.arc.azure.com/log" -Method "PUT" -Body ($logBody | ConvertTo-Json) | out-null;
Write-Host -ForegroundColor red $_.Exception;
}
Install Extenstion (AMA)
Edit Windows Security Events via AMA connector, add Data Collection Rule for your resources:
Linux Syslog
Configure / Deploy Linux Syslog Forwarder
To ingest Syslog and CEF logs into Microsoft Sentinel, particularly from devices and appliances onto which you can't install the Log Analytics agent directly, you'll need to designate and configure a Linux machine that will collect the logs from your devices and forward them to your Microsoft Sentinel workspace. This machine can be a physical or virtual machine in your on-premises environment, an Azure VM, or a VM in another cloud.
This machine has two components that take part in this process:
- A syslog daemon, either rsyslog or syslog-ng, that collects the logs.
- The Log Analytics Agent (also known as the OMS Agent), that forwards the logs to Microsoft Sentinel.
Using the link provided below, you will run a script on the designated machine that performs the following tasks:
Installs the Log Analytics agent for Linux (also known as the OMS agent) and configures it for the following purposes:
- listening for CEF messages from the built-in Linux Syslog daemon on TCP port 25226
- sending the messages securely over TLS to your Microsoft Sentinel workspace, where they are parsed and enriched
Configures the built-in Linux Syslog daemon (rsyslog.d/syslog-ng) for the following purposes:
- listening for Syslog messages from your security solutions on TCP port 514
- forwarding only the messages it identifies as CEF to the Log Analytics agent on localhost using TCP port 25226
Pre-requisites
Each data connector has its own set of prerequisites. Prerequisites might include that you must have specific permissions on your Azure workspace, subscription, or policy. Or, you must meet other requirements for the partner data source you're connecting to.
Prerequisites for each data connector are listed on the relevant data connector page in Microsoft Sentinel.
Install the product solution from the Content Hub in Microsoft Sentinel. If the product isn't listed, install the solution for Common Event Format.
Note
- A single log forwarder machine with the above hardware configuration and using the rsyslog daemon has a supported capacity of up to 8500 events per second (EPS) collected.
- Open Log Analytics Workspace.
- Select the workspace you've just connected to Microsoft Sentinel.
- Select Settings - Agents
Change Ubuntu Ip from DHCP to Static
nmcli conn modify "System eth0" ipv4.ignore-auto-dns yes nmcli conn modify "System eth0" ipv4.dns "192.168.24.7 8.8.8.8" systemctl restart NetworkManager |
Add a super user in:
Meraki and Citrix vCenter
root@NSTEST-syslog:~# wget https://raw.githubusercontent.com/Microsoft/OMS-Agent-for-Linux/master/installer/scripts/onboard_agent.sh && sh onboard_agent.sh -w fe23134c-431b-4d69-8b3e-138943bb757f -s l6Ls25g1rIskJXIeTyoMi2LfMhlm3BeoSUljmHzb86QbrBOCBYfVwEysnccbDORA0Nq3eKXEK5fLgeqQ5EVaKg== -d opinsights.azure.com
--2024-03-25 15:30:17-- https://raw.githubusercontent.com/Microsoft/OMS-Agent-for-Linux/master/installer/scripts/onboard_agent.sh
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.111.133, 185.199.108.133, 185.199.109.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.111.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3848 (3.8K) [text/plain]
Saving to: ‘onboard_agent.sh’
onboard_agent.sh 100%[===================>] 3.76K --.-KB/s in 0s
2024-03-25 15:30:17 (95.9 MB/s) - ‘onboard_agent.sh’ saved [3848/3848]
--2024-03-25 15:30:17-- https://github.com/microsoft/OMS-Agent-for-Linux/releases/download/OMSAgent_v1.19.0-0/omsagent-1.19.0-0.universal.x64.sh
Resolving github.com (github.com)... 140.82.114.3
Connecting to github.com (github.com)|140.82.114.3|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/43709699/86dbf012-12fc-49da-b79e-3301ce03d004?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240325%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240325T153018Z&X-Amz-Expires=300&X-Amz-Signature=2a97a2aa8938b47de1e179bd20a74fe323ff6183397ca581374aa863182ebfcf&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=43709699&response-content-disposition=attachment%3B%20filename%3Domsagent-1.19.0-0.universal.x64.sh&response-content-type=application%2Foctet-stream [following]
--2024-03-25 15:30:18-- https://objects.githubusercontent.com/github-production-release-asset-2e65be/43709699/86dbf012-12fc-49da-b79e-3301ce03d004?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240325%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240325T153018Z&X-Amz-Expires=300&X-Amz-Signature=2a97a2aa8938b47de1e179bd20a74fe323ff6183397ca581374aa863182ebfcf&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=43709699&response-content-disposition=attachment%3B%20filename%3Domsagent-1.19.0-0.universal.x64.sh&response-content-type=application%2Foctet-stream
Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.110.133, 185.199.111.133, 185.199.108.133, ...
Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.110.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 250004251 (238M) [application/octet-stream]
Saving to: ‘omsagent-1.19.0-0.universal.x64.sh’
omsagent-1.19.0-0.u 100%[===================>] 238.42M 104MB/s in 2.3s
2024-03-25 15:30:20 (104 MB/s) - ‘omsagent-1.19.0-0.universal.x64.sh’ saved [250004251/250004251]
Extracting OMS agent install bundle...
----- Upgrading package omi to version (omi-1.8.1-0.ulinux.s.x64) -----
Detected OpenSSL version 3.0.2 set as system default.
Install/Upgrade will use package(s) from OMS bundle installer's 300 openssl directtory.
Selecting previously unselected package omi.
(Reading database ... 74617 files and directories currently installed.)
Preparing to unpack .../omi-1.8.1-0.ulinux.s.x64.deb ...
Creating omiusers group ...
Creating omi group ...
Creating omi service account ...
Unpacking omi (1.8.1.0) ...
Setting up omi (1.8.1.0) ...
.......+.....+...+.+...+......+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...+..+...+.........+...+.+...........+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.........+....+......+...+..+......+.......+........+.......+..+.........+............+.........+.........+....+...+...............+...+..............+......+....+...+..+......+.+...............+........+.+......+...+..+......+....+...+..+......+..........+.....+.......+...............+.....+.+.....+.+.....+...................+.....+......+.............+...+...+............+..+...+.......+..+...+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
..+..+.............+.....+...+.+..................+......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..+...+.....+......................+..+.+.........+.....+...+...+.+...+..+....+............+...+..+....+...+..+...+...+...+.+......+..+.+.........+..+....+............+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-----
2024-03-25 15:30:22 : Crontab not configured to update omi keytab automatically. Skip unconfigure
ktutil not found
Checking if cron is installed...
Checking if cron/crond service is started...
Set up a cron job to OMI logrotate every 15 minutes
Configuring OMI service ...
Created symlink /etc/systemd/system/multi-user.target.wants/omid.service → /lib/systemd/system/omid.service.
Trying to start omi with systemctl
omi is started.
Trying to stop omi with systemctl
omi is stopped.
Trying to start omi with systemctl
omi is started.
----- Upgrading package scx to version (scx-1.8.1-0.universal.s.x64) -----
Detected OpenSSL version 3.0.2 set as system default.
Install/Upgrade will use package(s) from OMS bundle installer's 300 openssl directtory.
Selecting previously unselected package scx.
(Reading database ... 74680 files and directories currently installed.)
Preparing to unpack .../scx-1.8.1-0.universal.s.x64.deb ...
Unpacking scx (1.8.1.0) ...
Setting up scx (1.8.1.0) ...
Generating certificate with hostname="NSTEST-syslog"
Trying to stop omi with systemctl
omi is stopped.
Trying to start omi with systemctl
omi is started.
----- Upgrading package omsagent to version (omsagent-1.19.0-0.universal.x64) -----
Detected OpenSSL version 3.0.2 set as system default.
Install/Upgrade will use package(s) from OMS bundle installer's 300 openssl directtory.
Selecting previously unselected package omsagent.
(Reading database ... 74725 files and directories currently installed.)
Preparing to unpack .../omsagent-1.19.0-0.universal.x64.deb ...
Creating omsagent group ...
Creating omsagent service account ...
Creating nxautomation group ...
Creating nxautomation service account ...
Unpacking omsagent (1.19.0.0) ...
Setting up omsagent (1.19.0.0) ...
-e info Reading onboarding params from: /etc/omsagent-onboard.conf
Workspace 000000-1111-222222222-3333333333 already onboarded and agent is running.
Symbolic links have not been created; re-onboarding to create them
info Generating certificate ...
-e info Agent GUID is 8a69e647-7047-434f-b3ad-79707c5945c4
-e info Onboarding success
Configure syslog...
Configuring rsyslog for OMS logging
Restarting service: rsyslog
Configure heartbeat monitoring agent...
Configure log rotate for workspace 000000-1111-222222222-3333333333...
INFO: Configuring OMS agent service 000000-1111-222222222-3333333333 ...
-e error MetaConfig generation script not available at /opt/microsoft/omsconfig/Scripts/python3/OMS_MetaConfigHelper.py. For more details check logs in /var/opt/microsoft/omsconfig/omsconfig.log
Trying to stop omi with systemctl
omi is stopped.
Trying to start omi with systemctl
omi is started.
Configure log rotate for workspace 000000-1111-222222222-3333333333...
Applying Syslog conf hotfix...
Removing omsconfig package as part of upgrade
----- Removing package: omsconfig -----
dpkg: warning: ignoring request to remove omsconfig which isn't installed
----- Upgrading package omsconfig to version (omsconfig-1.3.0-0.x64) -----
Detected OpenSSL version 3.0.2 set as system default.
Install/Upgrade will use package(s) from OMS bundle installer's 300 openssl directtory.
Selecting previously unselected package omsconfig.
(Reading database ... 84211 files and directories currently installed.)
Preparing to unpack 300/omsconfig-1.3.0-0.x64.deb ...
Using python3
Cleanning up existing dsc_hosts...
chmod: cannot access '/opt/dsc': No such file or directory
Deployment operation type : install
Cleanning directory /opt/dsc...
Cleaned up existing dsc_hosts...
Unpacking omsconfig (1.3.0.0) ...
Setting up omsconfig (1.3.0.0) ...
Using python3
Running python3, python version is , python3
VERBOSE from InstallModule.py: Extracting module zip file from /opt/microsoft/omsconfig/module_packages/nx_1.5.zip to /opt/microsoft/omsconfig/modules
VERBOSE from InstallModule.py: Installing resource MSFT_nxGroupResource
VERBOSE from InstallModule.py: Updated permissions of file: /opt/omi/lib/libMSFT_nxGroupResource_root-oms.so to 0o644
VERBOSE from InstallModule.py: Updated permissions of file: /opt/dsc/lib/MSFT_nxGroupResource/libMSFT_nxGroupResource.so to 0o644
VERBOSE from InstallModule.py: Updated permissions of file: /etc/opt/omi/conf/omiregister/root-oms/MSFT_nxGroupResource.reg to 0o644
VERBOSE from InstallModule.py: Installing resource MSFT_nxAvailableUpdatesResource
VERBOSE from InstallModule.py: Updated permissions of file: /opt/omi/lib/libMSFT_nxAvailableUpdatesResource_root-oms.so to 0o644
VERBOSE from InstallModule.py: Updated permissions of file: /opt/dsc/lib/MSFT_nxAvailableUpdatesResource/libMSFT_nxAvailableUpdatesResource.so to 0o644
VERBOSE from InstallModule.py: Updated permissions of file: /etc/opt/omi/conf/omiregister/root-oms/MSFT_nxAvailableUpdatesResource.reg to 0o644
VERBOSE from InstallModule.py: Installing resource MSFT_nxPackageResource
VERBOSE from InstallModule.py: Updated permissions of file: /opt/omi/lib/libMSFT_nxPackageResource_root-oms.so to 0o644
VERBOSE from InstallModule.py: Updated permissions of file: /opt/dsc/lib/MSFT_nxPackageResource/libMSFT_nxPackageResource.so to 0o644
VERBOSE from InstallModule.py: Updated permissions of file: /etc/opt/omi/conf/omiregister/root-oms/MSFT_nxPackageResource.reg to 0o644
VERBOSE from InstallModule.py: Installing resource MSFT_nxUserResource
VERBOSE from InstallModule.py: Updated permissions of file: /opt/omi/lib/libMSFT_nxUserResource_root-oms.so to 0o644
VERBOSE from InstallModule.py: Updated permissions of file: /opt/dsc/lib/MSFT_nxUserResource/libMSFT_nxUserResource.so to 0o644
VERBOSE from InstallModule.py: Updated permissions of file: /etc/opt/omi/conf/omiregister/root-oms/MSFT_nxUserResource.reg to 0o644
VERBOSE from InstallModule.py: Installing resource MSFT_nxServiceResource
VERBOSE from InstallModule.py: Updated permissions of file: /opt/omi/lib/libMSFT_nxServiceResource_root-oms.so to 0o644
VERBOSE from InstallModule.py: Updated permissions of file: /opt/dsc/lib/MSFT_nxServiceResource/libMSFT_nxServiceResource.so to 0o644
VERBOSE from InstallModule.py: Updated permissions of file: /etc/opt/omi/conf/omiregister/root-oms/MSFT_nxServiceResource.reg to 0o644
The result code is 0
VERBOSE from InstallModule.py: Extracting module zip file from /opt/microsoft/omsconfig/module_packages/nxOMSPerfCounter_2.3.zip to /opt/microsoft/omsconfig/modules
VERBOSE from InstallModule.py: Installing resource MSFT_nxOMSPerfCounterResource
VERBOSE from InstallModule.py: Updated permissions of file: /opt/omi/lib/libMSFT_nxOMSPerfCounterResource_root-oms.so to 0o644
VERBOSE from InstallModule.py: Updated permissions of file: /opt/dsc/lib/MSFT_nxOMSPerfCounterResource/libMSFT_nxOMSPerfCounterResource.so to 0o644
VERBOSE from InstallModule.py: Updated permissions of file: /etc/opt/omi/conf/omiregister/root-oms/MSFT_nxOMSPerfCounterResource.reg to 0o644
The result code is 0
VERBOSE from InstallModule.py: Extracting module zip file from /opt/microsoft/omsconfig/module_packages/nxOMSSyslog_2.5.zip to /opt/microsoft/omsconfig/modules
VERBOSE from InstallModule.py: Installing resource MSFT_nxOMSSyslogResource
VERBOSE from InstallModule.py: Updated permissions of file: /opt/omi/lib/libMSFT_nxOMSSyslogResource_root-oms.so to 0o644
VERBOSE from InstallModule.py: Updated permissions of file: /opt/dsc/lib/MSFT_nxOMSSyslogResource/libMSFT_nxOMSSyslogResource.so to 0o644
VERBOSE from InstallModule.py: Updated permissions of file: /etc/opt/omi/conf/omiregister/root-oms/MSFT_nxOMSSyslogResource.reg to 0o644
The result code is 0
VERBOSE from InstallModule.py: Extracting module zip file from /opt/microsoft/omsconfig/module_packages/nxOMSSudoCustomLog_2.8.zip to /opt/microsoft/omsconfig/modules
VERBOSE from InstallModule.py: Installing resource MSFT_nxOMSSudoCustomLogResource
VERBOSE from InstallModule.py: Updated permissions of file: /opt/omi/lib/libMSFT_nxOMSSudoCustomLogResource_root-oms.so to 0o644
VERBOSE from InstallModule.py: Updated permissions of file: /opt/dsc/lib/MSFT_nxOMSSudoCustomLogResource/libMSFT_nxOMSSudoCustomLogResource.so to 0o644
VERBOSE from InstallModule.py: Updated permissions of file: /etc/opt/omi/conf/omiregister/root-oms/MSFT_nxOMSSudoCustomLogResource.reg to 0o644
The result code is 0
VERBOSE from InstallModule.py: Extracting module zip file from /opt/microsoft/omsconfig/module_packages/nxOMSKeyMgmt_1.0.zip to /opt/microsoft/omsconfig/modules
VERBOSE from InstallModule.py: Installing resource MSFT_nxOMSKeyMgmtResource
VERBOSE from InstallModule.py: Updated permissions of file: /opt/omi/lib/libMSFT_nxOMSKeyMgmtResource_root-oms.so to 0o644
VERBOSE from InstallModule.py: Updated permissions of file: /opt/dsc/lib/MSFT_nxOMSKeyMgmtResource/libMSFT_nxOMSKeyMgmtResource.so to 0o644
VERBOSE from InstallModule.py: Updated permissions of file: /etc/opt/omi/conf/omiregister/root-oms/MSFT_nxOMSKeyMgmtResource.reg to 0o644
The result code is 0
VERBOSE from InstallModule.py: Extracting module zip file from /opt/microsoft/omsconfig/module_packages/nxFileInventory_1.4.zip to /opt/microsoft/omsconfig/modules
VERBOSE from InstallModule.py: Installing resource MSFT_nxFileInventoryResource
VERBOSE from InstallModule.py: Updated permissions of file: /opt/omi/lib/libMSFT_nxFileInventoryResource_root-oms.so to 0o644
VERBOSE from InstallModule.py: Updated permissions of file: /opt/dsc/lib/MSFT_nxFileInventoryResource/libMSFT_nxFileInventoryResource.so to 0o644
VERBOSE from InstallModule.py: Updated permissions of file: /etc/opt/omi/conf/omiregister/root-oms/MSFT_nxFileInventoryResource.reg to 0o644
The result code is 0
VERBOSE from InstallModule.py: Extracting module zip file from /opt/microsoft/omsconfig/module_packages/nxOMSGenerateInventoryMof_1.5.zip to /opt/microsoft/omsconfig/modules
VERBOSE from InstallModule.py: Installing resource MSFT_nxOMSGenerateInventoryMofResource
VERBOSE from InstallModule.py: Updated permissions of file: /opt/omi/lib/libMSFT_nxOMSGenerateInventoryMofResource_root-oms.so to 0o644
VERBOSE from InstallModule.py: Updated permissions of file: /opt/dsc/lib/MSFT_nxOMSGenerateInventoryMofResource/libMSFT_nxOMSGenerateInventoryMofResource.so to 0o644
VERBOSE from InstallModule.py: Updated permissions of file: /etc/opt/omi/conf/omiregister/root-oms/MSFT_nxOMSGenerateInventoryMofResource.reg to 0o644
The result code is 0
gpg: keybox '/etc/opt/omi/conf/omsconfig/keymgmtring.gpg' created
gpg: directory '/etc/opt/omi/conf/omsconfig/.gnupg' created
gpg: /etc/opt/omi/conf/omsconfig/.gnupg/trustdb.gpg: trustdb created
gpg: key C4EC49E544BC4178: public key "Microsoft (Release Signing) <[email protected]>" imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: keybox '/etc/opt/omi/conf/omsconfig/keyring.gpg' created
gpg: key 20541A3DDE321294: public key "Microsoft (Release Signing) <[email protected]>" imported
gpg: Total number processed: 1
gpg: imported: 1
Reset ownership of files defined in /etc/sudoers.d/omsagent
Trying to stop omi with systemctl
omi is stopped.
Trying to start omi with systemctl
omi is started.
Using python3
Running python3
VERBOSE from OMS_MetaConfigHelper.py: OMS config path being read: /etc/opt/microsoft/omsagent/000000-1111-222222222-3333333333/conf/omsadmin.conf
VERBOSE from OMS_MetaConfigHelper.py: Output from3: /opt/microsoft/omsconfig/Scripts/python3/SetDscLocalConfigurationManager.py -configurationmof /etc/opt/omi/conf/omsconfig/generated_meta_config.mof: Opened the dsc host lock file at the path '/opt/dsc/dsc_host_lock'
[2024/03/25 15:30:28] [11122] [INFO] [0] [/opt/microsoft/omsconfig/Scripts/python3/SetDscLocalConfigurationManager.py:0] dsc_host lock file is acquired by : SendMetaConfigurationApply
Operation SendMetaConfigurationApply completed successfully.
Operation was successful.
Operation SendMetaConfigurationApply completed successfully.
Operation was successful.
VERBOSE from OMS_MetaConfigHelper.py: Successfully configured omsconfig.
Applying DSC nxOMSSyslog hotfix...
Trying to stop omi with systemctl
omi is stopped.
Trying to start omi with systemctl
omi is started.
----- Updating bundled provider packages -----
Checking if Apache is installed ...
Apache not found, will not install
Checking if Docker is installed...
Docker not found. Docker agent will not be installed.
Checking if MySQL is installed ...
MySQL not found, will not install
Extracting...
Updating auoms ...
----- Updating package: auoms (auoms-2.5.2-52.universal.x64) -----
Selecting previously unselected package auoms.
(Reading database ... 84316 files and directories currently installed.)
Preparing to unpack auoms-2.5.2-52.universal.x64.deb ...
Unpacking auoms (2.5.2.52) ...
Setting up auoms (2.5.2.52) ...
OMS Troubleshooter is installed.
You can run the Troubleshooter with the following command:
$ sudo /opt/microsoft/omsagent/bin/troubleshooter
OMS agent shell bundle exiting with status code 0
-e The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. If you use the Log Analytics agent to ingest data to Azure Monitor, make sure to migrate to the new Azure Monitor agent (https://docs.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-migration) prior to that date.
Other commands:
- apt install python2
- sudo su omsagent -c 'python2 /opt/microsoft/omsconfig/Scripts/OMS_MetaConfigHelper.py --disable'
root@NSTEST-syslog:~# cat /etc/rsyslog.d/95-omsagent.conf
# OMS Syslog collection for workspace 000000-1111-222222222-3333333333
root@NSTEST-syslog:~# netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 240 NSTEST-syslog.communit:ssh ECOR-ITLT-17.comm:64202 ESTABLISHED
tcp 0 0 NSTEST-syslog.commun:56794 40.71.12.254:https TIME_WAIT
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ] DGRAM 646443 /run/user/1000/systemd/notify
unix 3 [ ] DGRAM CONNECTED 19355 /run/systemd/notify
root@NSTEST-syslog:~# sudo netstat -tulnp | grep ruby
udp 0 0 127.0.0.1:25224 0.0.0.0:* 10643/ruby
root@NSTEST-syslog:~# wget -v https://aka.ms/sentinel-ciscomerakioms-conf -O meraki.conf
--2024-03-25 15:35:24-- https://aka.ms/sentinel-ciscomerakioms-conf
Resolving aka.ms (aka.ms)... 23.46.202.180
Connecting to aka.ms (aka.ms)|23.46.202.180|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/CiscoMeraki/Data%20Connectors/la_agent_configs/meraki.conf [following]
--2024-03-25 15:35:25-- https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/CiscoMeraki/Data%20Connectors/la_agent_configs/meraki.conf
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.108.133, 185.199.111.133, 185.199.109.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 688 [text/plain]
Saving to: ‘meraki.conf’
meraki.conf 100%[========================================================================================================================================>] 688 --.-KB/s in 0s
2024-03-25 15:35:25 (93.0 MB/s) - ‘meraki.conf’ saved [688/688]
root@NSTEST-syslog:~# ls
meraki.conf omsagent-1.19.0-0.universal.x64.sh onboard_agent.sh snap
root@NSTEST-syslog:~# vi meraki.conf
root@NSTEST-syslog:~# cat meraki.conf
<source>
type tcp
format none
port 22033
bind 0.0.0.0
delimiter "\n"
tag oms.api.meraki
</source>
<match oms.api.meraki>
type out_oms_api
log_level info
num_threads 5
omsadmin_conf_path /etc/opt/microsoft/omsagent/000000-1111-222222222-3333333333/conf/omsadmin.conf
cert_path /etc/opt/microsoft/omsagent/000000-1111-222222222-3333333333/certs/oms.crt
key_path /etc/opt/microsoft/omsagent/000000-1111-222222222-3333333333/certs/oms.key
buffer_chunk_limit 10m
buffer_type file
buffer_path /var/opt/microsoft/omsagent/000000-1111-222222222-3333333333/state/out_oms_api_meraki*.buffer
buffer_queue_limit 10
buffer_queue_full_action drop_oldest_chunk
flush_interval 30s
retry_limit 10
retry_wait 30s
max_retry_wait 9m
</match>
root@NSTEST-syslog:~# sudo wget -v https://aka.ms/sentinel-vcenteroms-conf -O vcenter.conf
--2024-03-25 15:37:29-- https://aka.ms/sentinel-vcenteroms-conf
Resolving aka.ms (aka.ms)... 23.197.182.37
Connecting to aka.ms (aka.ms)|23.197.182.37|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/VMware%20vCenter/Data%20Connectors/la_agent_configs/vcenter.conf [following]
--2024-03-25 15:37:29-- https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/VMware%20vCenter/Data%20Connectors/la_agent_configs/vcenter.conf
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.108.133, 185.199.110.133, 185.199.111.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 690 [text/plain]
Saving to: ‘vcenter.conf’
vcenter.conf 100%[========================================================================================================================================>] 690 --.-KB/s in 0s
2024-03-25 15:37:30 (82.8 MB/s) - ‘vcenter.conf’ saved [690/690]
root@NSTEST-syslog:~# ls
meraki.conf omsagent-1.19.0-0.universal.x64.sh onboard_agent.sh snap vcenter.conf
root@NSTEST-syslog:~# vi vcenter.conf
root@NSTEST-syslog:~# cat vcenter.conf
<source>
type tcp
format none
port 23033
bind 0.0.0.0
delimiter "\n"
tag oms.api.vcenter
</source>
<match oms.api.vcenter>
type out_oms_api
log_level info
num_threads 5
omsadmin_conf_path /etc/opt/microsoft/omsagent/000000-1111-222222222-3333333333/conf/omsadmin.conf
cert_path /etc/opt/microsoft/omsagent/000000-1111-222222222-3333333333/certs/oms.crt
key_path /etc/opt/microsoft/omsagent/000000-1111-222222222-3333333333/certs/oms.key
buffer_chunk_limit 10m
buffer_type file
buffer_path /var/opt/microsoft/omsagent/000000-1111-222222222-3333333333/state/out_oms_api_vcenter*.buffer
buffer_queue_limit 10
buffer_queue_full_action drop_oldest_chunk
flush_interval 30s
retry_limit 10
retry_wait 30s
max_retry_wait 9m
</match>
root@NSTEST-syslog:~# sudo cp *.conf /etc/opt/microsoft/omsagent/000000-1111-222222222-3333333333/conf/omsagent.d/
root@NSTEST-syslog:~# sudo /opt/microsoft/omsagent/bin/service_control restart
3 Change rsyslog conf file
root@NSTEST-syslog:~# sudo netstat -tulnp | grep ruby
tcp 0 0 0.0.0.0:22033 0.0.0.0:* LISTEN 12080/ruby
tcp 0 0 0.0.0.0:23033 0.0.0.0:* LISTEN 12080/ruby
udp 0 0 127.0.0.1:25224 0.0.0.0:* 12080/ruby
root@NSTEST-syslog:~# vi /etc/rsyslog.conf
root@NSTEST-syslog:~# vi /etc/rsyslog.conf
root@NSTEST-syslog:~# cat /etc/rsyslog.conf
# /etc/rsyslog.conf configuration file for rsyslog
#
# For more information install rsyslog-doc and see
# /usr/share/doc/rsyslog-doc/html/configuration/index.html
#
# Default logging rules can be found in /etc/rsyslog.d/50-default.conf
#################
#### MODULES ####
#################
module(load="imuxsock") # provides support for local system logging
#module(load="immark") # provides --MARK-- message capability
# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")
# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")
input(type="imudp" port="1514" name="udp_meraki")
input(type="imudp" port="2514" name="udp_vcenter")
input(type="imtcp" port="1514" name="tcp_meraki")
input(type="imtcp" port="2514" name="tcp_vcenter")
$template meraki,"%timestamp% %hostname% %msg%"
$template vcenter,"%timestamp% %hostname% %msg%"
# provides kernel logging support and enable non-kernel klog messages
module(load="imklog" permitnonkernelfacility="on")
###########################
#### GLOBAL DIRECTIVES ####
###########################
#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# Filter duplicated messages
$RepeatedMsgReduction on
#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog
#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog
#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf
root@NSTEST-syslog:~# cd /etc/rsyslog.d/
root@NSTEST-syslog:/etc/rsyslog.d# ls
20-ufw.conf 21-cloudinit.conf 50-default.conf 95-omsagent.conf
root@NSTEST-syslog:/etc/rsyslog.d# vi 10-vcenter.conf
root@NSTEST-syslog:/etc/rsyslog.d# cat 10-vcenter.conf
#vCenter Logs
if ($inputname == 'udp_vcenter' or $inputname == 'tcp_vcenter') then @@127.0.0.1:23033;vcenter
4 Restart services and verify ports
root@NSTEST-syslog:/etc/rsyslog.d# systemctl restart rsyslog
root@NSTEST-syslog:/etc/rsyslog.d# systemctl status resyslog
Unit resyslog.service could not be found.
root@NSTEST-syslog:/etc/rsyslog.d# systemctl status rsyslog
● rsyslog.service - System Logging Service
Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2024-03-25 15:50:40 UTC; 12s ago
TriggeredBy: ● syslog.socket
Docs: man:rsyslogd(8)
man:rsyslog.conf(5)
https://www.rsyslog.com/doc/
Main PID: 12586 (rsyslogd)
Tasks: 12 (limit: 9388)
Memory: 1.8M
CPU: 4ms
CGroup: /system.slice/rsyslog.service
└─12586 /usr/sbin/rsyslogd -n -iNONE
Mar 25 15:50:40 NSTEST-syslog systemd[1]: Starting System Logging Service...
Mar 25 15:50:40 NSTEST-syslog rsyslogd[12586]: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd. [v8.2112.0]
Mar 25 15:50:40 NSTEST-syslog systemd[1]: Started System Logging Service.
Mar 25 15:50:40 NSTEST-syslog rsyslogd[12586]: rsyslogd's groupid changed to 113
Mar 25 15:50:40 NSTEST-syslog rsyslogd[12586]: rsyslogd's userid changed to 107
Mar 25 15:50:40 NSTEST-syslog rsyslogd[12586]: [origin software="rsyslogd" swVersion="8.2112.0" x-pid="12586" x-info="https://www.rsyslog.com"] start
root@NSTEST-syslog:/etc/rsyslog.d#
root@NSTEST-syslog:/etc/rsyslog.d#
root@NSTEST-syslog:/etc/rsyslog.d# netstat -tulnp | grep 514
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN 12586/rsyslogd
tcp 0 0 0.0.0.0:1514 0.0.0.0:* LISTEN 12586/rsyslogd
tcp 0 0 0.0.0.0:2514 0.0.0.0:* LISTEN 12586/rsyslogd
tcp6 0 0 :::514 :::* LISTEN 12586/rsyslogd
tcp6 0 0 :::1514 :::* LISTEN 12586/rsyslogd
tcp6 0 0 :::2514 :::* LISTEN 12586/rsyslogd
udp 0 0 0.0.0.0:1514 0.0.0.0:* 12586/rsyslogd
udp 0 0 0.0.0.0:2514 0.0.0.0:* 12586/rsyslogd
udp 0 0 0.0.0.0:514 0.0.0.0:* 12586/rsyslogd
udp6 0 0 :::1514 :::* 12586/rsyslogd
udp6 0 0 :::2514 :::* 12586/rsyslogd
udp6 0 0 :::514 :::* 12586/rsyslogd
root@NSTEST-syslog:/etc/rsyslog.d#
root@NSTEST-syslog:~#
On Meraki:
For meraki device, you also can collect Wireless AP events as well. Current screenshot only shows Switch event log.
Install SOC Handbook Solution
Fortinet Devices (FortiGate)
Log Filtering on Syslog Forwarder Server:
# Azure Monitor Agent configuration: forward logs to azuremonitoragent
# Filter Fortinet logs
:msg, contains, "traffic:forward accept" ~
:msg, contains, "traffic:local accept" ~
:msg, contains, "traffic:forward start" ~
:msg, contains, "traffic:forward close" ~
:msg, contains, "traffic:forward server-rst" ~
:msg, contains, "traffic:forward timeout" ~
:msg, contains, "traffic:forward client-rst" ~
:msg, contains, "traffic:local close" stop
:msg, contains, "traffic:forward ip-conn" stop
:msg, contains, "traffic:local server-rst" stop
:msg, contains, "traffic:local client-rst" stop
:msg, contains, "utm:ssl ssl-anomaly" stop
:msg, contains, "traffic:local timeout" stop
:msg, contains, "event:switch-controller" stop
:msg, contains, "event:connector" stop
:msg, contains, "event:ha" stop
:msg, contains, "event:security-rating" stop
:msg, contains, "event:vpn failure" stop
:msg, contains, "event:vpn success" stop
:msg, contains, "event:system clash" stop
:msg, contains, "event:vpn negotiate_error" stop
:msg, contains, "event:vpn esp_error" stop
:msg, contains, "event:system update" stop
:msg, contains, "event:switch-controller none" stop
:msg, contains, "event:user logout" stop
:msg, contains, "utm:anomaly anomaly" stop
:msg, contains, "event:switch-controller None" stop
:msg, contains, "event:switch-controller down" stop
:msg, contains, "event:switch-controller up" stop
:msg, contains, "event:system success" stop
:msg, contains, "event:system failed" stop
:msg, contains, "event:vpn dpd_failure" stop
template(name="AMA_RSYSLOG_TraditionalForwardFormat" type="string" string="<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg%")
# queue.workerThreads sets the maximum worker threads, it will scale back to 0 if there is no activity
# Forwarding all events through TCP port
*.* action(type="omfwd"
template="AMA_RSYSLOG_TraditionalForwardFormat"
queue.type="LinkedList"
queue.filename="omfwd-azuremonitoragent"
queue.maxFileSize="32m"
action.resumeRetryCount="-1"
action.resumeInterval="5"
action.reportSuspension="on"
action.reportSuspensionContinuation="on"
queue.size="25000"
queue.workerThreads="100"
queue.dequeueBatchSize="2048"
queue.saveonshutdown="on"
target="127.0.0.1" Port="28330" Protocol="tcp")
Replace /etc/rsyslog.d/10-azuremonitoragent-omfwd.conf file with above content. Do not forgot to restart rsyslog service:
- systemctl start rsyslog
- systemctl status rsyslog
let Watchlist = datatable(Priority:string, Activity:string) [
'1','event:system',
'1','event:user',
'1','event:user logon',
'1','event:vpn',
'1','utm:anomaly',
'1','utm:dlp',
'1','utm:dlp dlp-docsource',
'1','utm:dns',
'1','utm:dns dns-query',
'1','utm:dns dns-response',
'1','utm:emailfilter',
'1','utm:emailfilter bannedword',
'1','utm:emailfilter spam',
'1','utm:emailfilter webmail',
'1','utm:ips',
'1','utm:ips botnet',
'1','utm:ips malicious-url',
'1','utm:ips signature',
'1','utm:ssh ssh-channel',
'1','utm:ssh ssh-command',
'1','utm:ssh ssh-hostkey',
'1','utm:waf',
'1','utm:waf waf-address-list',
'1','utm:waf waf-custom-signature',
'1','utm:waf waf-http-constraint',
'1','utm:waf waf-http-method',
'1','utm:waf waf-signature',
'1','utm:waf waf-url-access',
'2','event:cifs-auth-fail',
'2','event:endpoint',
'2','event:rest-api',
'2','event:router',
'2','event:sdwan',
'2','event:sdwan down',
'2','event:sdwan up',
'2','event:webproxy',
'2','event:wireless',
'2','traffic:forward deny',
'2','traffic:ztna',
'2','utm:app-ctrl' ,
'2','utm:app-ctrl port-violation',
'2','utm:app-ctrl protocol-violation',
'2','utm:app-ctrl signature',
'2','utm:file-filter',
'2','utm:virus',
'2','utm:virus analytics',
'2','utm:virus command-blocked',
'2','utm:virus content-disarm',
'2','utm:virus ems-threat-feed',
'2','utm:virus exempt-hash',
'2','utm:virus infected',
'2','utm:virus inline-block',
'2','utm:virus malware-list',
'2','utm:virus outbreak-prevention',
'2','utm:virus oversize',
'2','utm:voip',
'2','utm:webfilter',
'2','utm:webfilter ftgd_blk',
'2','utm:webfilter ftgd_err',
'2','utm:webfilter urlfilter',
'2','utm:webfilter webfilter_command_block',
'3','event:connector',
'3','event:fortiextender',
'3','event:ha',
'3','event:switch-controller',
'3','event:wanopt',
'3','traffic:forward',
'3','traffic:forward accept',
'3','traffic:forward client-rst',
'3','traffic:forward close',
'3','traffic:forward dns',
'3','traffic:forward ip-conn',
'3','traffic:forward server-rst',
'3','traffic:forward timeout',
'3','traffic:local',
'3','traffic:local accept',
'3','traffic:local client-rst',
'3','traffic:local close',
'3','traffic:local deny',
'3','traffic:local server-rst',
'3','traffic:local timeout',
'3','traffic:multicast',
'3','traffic:sniffer',
'3','utm:casb',
'3','utm:emailfilter email',
'3','utm:emailfilter ftgd_err',
'3','utm:forti-switch',
'3','utm:forti-switch fsw-flow',
'3','utm:gtp',
'3','utm:gtp gtp-all',
'3','utm:gtp pfcp-all',
'3','utm:icap',
'3','utm:ssl ssl-anomaly',
'3','utm:ssl ssl-exempt',
'3','utm:ssl ssl-handshake',
'3','utm:ssl ssl-negotiation',
'3','utm:ssl ssl-server-cert-info',
'3','utm:virtual-patch',
'3','utm:virus filename',
'3','utm:virus filetype-executable',
'3','utm:virus mimefragmented',
'3','utm:virus scanerror',
'3','utm:virus switchproto',
'3','utm:webfilter activexfilter',
'3','utm:webfilter antiphishing',
'3','utm:webfilter appletfilter',
'3','utm:webfilter content',
'3','utm:webfilter cookiefilter',
'3','utm:webfilter ftgd_allow',
'3','utm:webfilter ftgd_quota',
'3','utm:webfilter ftgd_quota_counting',
'3','utm:webfilter ftgd_quota_expired',
'3','utm:webfilter http_header_change',
'3','utm:webfilter scriptfilter',
'3','utm:webfilter ssl-exempt',
'3','utm:webfilter unknown-ce',
'3','utm:webfilter urlmonitor',
'3','utm:webfilter videofilter-category',
'3','utm:webfilter videofilter-channel',
'3','event:security-rating'
];
CommonSecurityLog
| where DeviceVendor contains "Forti"
| summarize TotalActivity = count() by Activity
| lookup Watchlist on Activity
- sudo tcpdump -i any dst port 28330 -Ann | grep "traffic:forward accept"
SonicWall
Log Filtering on Syslog Forwarder Server:
No comments:
Post a Comment