VM series log not detected in Azure Sentinel

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

VM series log not detected in Azure Sentinel

L0 Member

Here’s the problem statement:

 

1] If Syslog UDP 514 is configured in PAN FW on-prem and vm-series, There were missing logs in AZ Sentinel, Incomplete logs is experienced and there were packets fragmentation.

2] MS Sentinel support recommended to changed syslog transport UDP to TCP 514.

3] If Syslog TCP 514 is configured in PAN FW, On-prem able to send syslog in Azure Sentinel and confirmed from Azure sentinel Azure side.

     However all VM-series logs were not detected in Azure Sentinel, although FW is sending syslog traffic.

1 REPLY 1

Cyber Elite
Cyber Elite

Hi @nurulams0 ,

From my knowledge you cannot ship syslogs directly to Azure Sentinel (LogAnalytics), you need to have "Microsoft Monitoring Agent" running on a Linux server. What this agent is actually doing is

- it running syslog server that will receive logs from Palo FWs

- it will do some parsing and ship the logs over HTTPS to Azure LogAnalytics Workspace

It is importent to note that Azure requires logs to use CEF format in order to properly parse the logs. By default PAN FWs are not using CEF, but allows you to define custom format, so you need to manually define formatting for each log type - https://docs.paloaltonetworks.com/resources/cef.html

 

- Are you using same server running MS Monitoring Agent (OMS) for both on-prem and VM firewalls?

- Have you made any changes to OMS agent syslog settings to listend on different port and protocols?

- Are you able to confirm that logs are received by the server running OMS agent? I usually prefer to run tcpdump so I can see with my own eys that packets from firewall are indeed ariving.

- If they are not ariving to the syslog server, have you checked if there is no firewall in the path? Note that Palo Alto App-ID for syslog is defining different default port for syslog over TCP, so if traffic is passing over PAN FW, which is allowing syslog app on default port it is probably blocking it

Astardzhiev_0-1644998648260.png

 

 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!