topic Log/syslog forwarding to Microsoft Azure/Sentinel in General Topics https://live.paloaltonetworks.com/t5/general-topics/log-syslog-forwarding-to-microsoft-azure-sentinel/m-p/485524#M104534 <P>Entire company uses log analytics and Sentinel for logging.&nbsp;</P><P>&nbsp;</P><P>Found this excellent article&nbsp; below on how to accomplish this task.</P><P><A title="Azure Sentinel: Log Forwarder Configuration" href="https://davicruz.com/en-US/azure-sentinel/2021/03/rsyslog-sentinel-log-forwarder" target="_self">https://davicruz.com/en-US/azure-sentinel/2021/03/rsyslog-sentinel-log-forwarder</A>&nbsp;</P><P>&nbsp;</P><P>Has anyone done this before?</P><P>&nbsp;</P><P>I have stand-alone PA's that are now dumping sylog to Splunk.</P><P>Splunk is being replaced with log analytics.</P><P>&nbsp;</P><P>Thanks&nbsp;</P><P>&nbsp;</P> Fri, 06 May 2022 22:08:54 GMT dmoore-acc360 2022-05-06T22:08:54Z Log/syslog forwarding to Microsoft Azure/Sentinel https://live.paloaltonetworks.com/t5/general-topics/log-syslog-forwarding-to-microsoft-azure-sentinel/m-p/485524#M104534 <P>Entire company uses log analytics and Sentinel for logging.&nbsp;</P><P>&nbsp;</P><P>Found this excellent article&nbsp; below on how to accomplish this task.</P><P><A title="Azure Sentinel: Log Forwarder Configuration" href="https://davicruz.com/en-US/azure-sentinel/2021/03/rsyslog-sentinel-log-forwarder" target="_self">https://davicruz.com/en-US/azure-sentinel/2021/03/rsyslog-sentinel-log-forwarder</A>&nbsp;</P><P>&nbsp;</P><P>Has anyone done this before?</P><P>&nbsp;</P><P>I have stand-alone PA's that are now dumping sylog to Splunk.</P><P>Splunk is being replaced with log analytics.</P><P>&nbsp;</P><P>Thanks&nbsp;</P><P>&nbsp;</P> Fri, 06 May 2022 22:08:54 GMT https://live.paloaltonetworks.com/t5/general-topics/log-syslog-forwarding-to-microsoft-azure-sentinel/m-p/485524#M104534 dmoore-acc360 2022-05-06T22:08:54Z Re: Log/syslog forwarding to Microsoft Azure/Sentinel https://live.paloaltonetworks.com/t5/general-topics/log-syslog-forwarding-to-microsoft-azure-sentinel/m-p/485946#M104561 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/218383">@dmoore-acc360</a> ,</P> <P>I would assume that you have figured out how to setup the collector - Enabling the connector in AZ Sentinel should give you all the steps of installing and preparing the syslog listener.</P> <P>&nbsp;</P> <P>From firewall prespective you need first to create Syslog profile with customized formatting. Because Sentinel expect CEF, you need to tell the firewall to use CEF for each log type (that you want to forward to Sentinel).</P> <P>&nbsp;</P> <P>On the following link you will find documentation how to define CEF format for each log type based on PanOS version. - <A href="https://docs.paloaltonetworks.com/resources/cef" target="_blank">https://docs.paloaltonetworks.com/resources/cef</A></P> <P>I have notice some issues with 9.1, which I have described here - <A href="https://live.paloaltonetworks.com/t5/globalprotect-discussions/pan-os-9-1-globalprotect-cef-format/m-p/475444#M2620" target="_blank">https://live.paloaltonetworks.com/t5/globalprotect-discussions/pan-os-9-1-globalprotect-cef-format/m-p/475444#M2620</A></P> Mon, 09 May 2022 21:43:30 GMT https://live.paloaltonetworks.com/t5/general-topics/log-syslog-forwarding-to-microsoft-azure-sentinel/m-p/485946#M104561 aleksandar.astardzhiev 2022-05-09T21:43:30Z