Azure / Azure-Sentinel

Cloud-native SIEM for intelligent security analytics for your entire enterprise.
https://azure.microsoft.com/en-us/services/azure-sentinel/
MIT License

Cisco ASA/FTD via AMA doesn't forward FTD logs via eNcore eStreamer #10938

Open cyberpope opened 1 month ago

cyberpope commented 1 month ago

Describe the bug: A syslog forwarder is configured to receive syslog messages from multiple devices and forward them to Sentinel via AMA using syslog-ng. The DCR is configured for the Cisco ASA/FTD via AMA connector to parse all messages from the local2 facility. FTD logs are parsed by eNcore eStreamer and forwarded to the syslog server. The logs are forwarded on the correct facility via an eNcore eStreamer adapter configuration change. However, when parsed via the Syslog connector, the logs are available in the Syslog table, hence the issue has to be the ASA/FTD via AMA connector.

To Reproduce: Configure eNcore eStreamer to forward logs on the local2 facility. Configure the DCR to accept ASA/FTD CEF logs from the syslog server on the local2 facility.

Expected behavior: FTD logs parsed and available in the CommonSecurityLog table.

Screenshots: TCP dump (screenshot). Syslog table with FTD message when parsed via the Syslog connector (screenshot).

Desktop (please complete the following information):

Smartphone (please complete the following information): N/A

Additional context: Logs are parsed and land in the right table if forwarded via eNcore eStreamer via the legacy MMA.

v-sudkharat commented 1 month ago

Hi @cyberpope, Thanks for flagging this issue, we will investigate this issue and get back to you with some updates. Thanks!

cyberpope commented 3 weeks ago

Hi @v-sudkharat, we have confirmed the configuration for syslog data sent directly from FMC and it behaves the same as when forwarded via eNcore eStreamer.

v-rusraut commented 1 week ago

Hi @cyberpope, Could you please help us with the details of the DCR that you're using for this, thanks!

cyberpope commented 1 week ago

Hello @v-rusraut,

It's a simple DCR created via Sentinel's Data Connectors page. AMA DCR for ASA/FTD (screenshot).

All the data goes via syslog forwarder and it's collected from it.

v-rusraut commented 1 week ago

Hi @cyberpope, Please check what the value of the stream is in the data collection rule. Please refer to the steps below.

(screenshot)

cyberpope commented 1 week ago

@v-rusraut Ah, my apologies. The data stream is Microsoft-CiscoAsa (screenshot).

v-rusraut commented 1 week ago

Hi @cyberpope, Please provide a few sample logs to the email ID below; we will try to reproduce this issue. Email ID: v-rusraut@microsoft.com

Thanks

v-rusraut commented 5 days ago

Hi @cyberpope, Gentle Reminder: We are waiting for your response on this issue. If you still need to keep this issue active, please respond to it in the next 2 days. If we don't receive a response by 11-09-2024, we will be closing this issue. Thanks!

cyberpope commented 3 days ago

Hello @v-rusraut sorry I was on annual leave, I'll provide you with the logs today.

cyberpope commented 3 days ago

Hello @v-rusraut, Apologies, I won't be able to submit the data today as there is a priority matter in my workplace to take care of. Please give me a couple more days to work on it.

Oraclese-cyber commented 13 hours ago

I'm having similar issues.

@cyberpope - It appears you are trying to bring in CEF-formatted eStreamer logs. I believe the Cisco ASA/FTD via AMA data connector is used to bring in syslog messages from these devices (logs starting with "%ASA-" or "%FTD-") and format them for ingestion into the CommonSecurityLog table. This is similar to how ingestion worked with the legacy agent, except ASA/FTD was handled with a string eval in a configuration file for the OMS agent.

https://learn.microsoft.com/en-us/azure/sentinel/unified-connector-cef-device

The above link identifies that Firepower (FTD) devices should be configured using the CEF via AMA data connector. This has the following data stream defined:

"streams": [ "Microsoft-CommonSecurityLog" ],

Now, obviously your DCR (or another generic Syslog DCR?) is still picking up these Firepower eStreamer logs. This is the issue I'm having: I'm getting these Firepower eStreamer logs in both my Syslog and CommonSecurityLog tables. This is due to me having 2 DCRs applied to the eNcore server, one for Syslog via AMA to capture the actual system logs from the eNcore server, and one for the CEF via AMA data connector to get the eStreamer logs. The issue is that I need the "user" facility logs from the syslog messages (primarily for tracking user-caused system changes), but the Firepower eStreamer logs also come in with the "user" facility. I can't just drop the facility from my Syslog via AMA DCR, so I get logs in both tables.

I'd also like to change the facility of the logs coming from eStreamer/eNcore (preferably to local7). Can you explain how you were able to do that on eNcore? Did you simply modify the estreamer.conf (and if so, how), or was it configured elsewhere?

We are going to be putting in a support ticket with Cisco for this as well, but thought I would share my experience. If I make any progress, I'll try to come back here to share.
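The two problems discussed in this thread (a message routed by content to the wrong stream, and two facility-keyed DCRs both picking up the same "user" facility) come down to two independent properties of each syslog line: the facility encoded in its PRI header and the shape of its body. The following Python model, added here as an illustration and not code from the issue participants or from the Azure-Sentinel project, parses the RFC 3164 PRI (facility * 8 + severity), classifies each message by body into the stream it is shaped for (%ASA-/%FTD- syslog, CEF, or plain syslog), shows that a facility-only selector cannot separate the CEF lines from genuine user-facility lines, and rewrites the PRI to move the CEF lines onto a dedicated facility, which is what a forwarder-side facility rewrite would do before any DCR sees the message. The four sample log lines and the facility table are constructed for the example; the AMA stream names are the ones quoted in the thread.

```python
"""Model of syslog facility vs. message shape for AMA stream routing (added example)."""
import re

# Subset of RFC 3164 facility codes used by this example.
FACILITY = {"kern": 0, "user": 1, "local2": 18, "local7": 23}

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
ASA_FTD_RE = re.compile(r"%(?:ASA|FTD)-\d-\d+:")   # native ASA/FTD syslog message IDs

# Constructed sample lines (not taken from the issue). PRI = facility * 8 + severity.
SAMPLES = [
    # ASA native syslog on local2 (PRI 150 = 18*8 + 6): shape the ASA/FTD via AMA connector expects
    "<150>Oct 10 12:00:00 asa01 %ASA-6-302013: Built inbound TCP connection 12345 "
    "for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.0.0.8/51234 (10.0.0.8/51234)",
    # FTD native syslog on local2 (PRI 150)
    "<150>Oct 10 12:00:01 ftd01 %FTD-6-430003: EventPriority: Low, DeviceUUID: 1a2b3c4d, "
    "InstanceID: 1, FirstPacketSecond: 2024-10-10T12:00:01Z, ConnectionID: 7",
    # eStreamer-style CEF on the user facility (PRI 14 = 1*8 + 6): shape the CEF via AMA connector expects
    "<14>Oct 10 12:00:02 encore01 CEF:0|Cisco|Firepower|6.0|430003|CONNECTION|5|"
    "rt=1696939202000 src=10.0.0.8 dst=203.0.113.5 dpt=443 act=Allow",
    # genuine user-facility message from the forwarder host itself (PRI 13 = 1*8 + 5)
    "<13>Oct 10 12:00:03 encore01 sudo: admin : TTY=pts/0 ; PWD=/opt/encore ; "
    "COMMAND=/bin/systemctl restart encore",
]


def parse_pri(line):
    """Split an RFC 3164 line into (facility, severity, remainder)."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> header")
    pri = int(m.group(1))
    if pri > 191:                      # 23 facilities * 8 severities - 1
        raise ValueError("PRI out of range")
    return pri // 8, pri % 8, m.group(2)


def classify(line):
    """Name the AMA stream a message is shaped for, judged by body content, not by facility."""
    _, _, body = parse_pri(line)
    if ASA_FTD_RE.search(body):
        return "Microsoft-CiscoAsa"            # native %ASA-/%FTD- syslog
    if "CEF:0|" in body:
        return "Microsoft-CommonSecurityLog"   # CEF-formatted message
    return "Microsoft-Syslog"                  # anything else


def select_by_facility(lines, facilities):
    """What a DCR keyed only on facility names would collect."""
    wanted = {FACILITY[name] for name in facilities}
    return [line for line in lines if parse_pri(line)[0] in wanted]


def rewrite_facility(line, facility):
    """Re-emit a line on another facility, keeping its severity (a forwarder-side PRI rewrite)."""
    _, severity, body = parse_pri(line)
    return f"<{FACILITY[facility] * 8 + severity}>{body}"


def route_cef_to(lines, facility):
    """Forwarder rule: move CEF-shaped messages to a dedicated facility, leave the rest untouched."""
    return [
        rewrite_facility(line, facility) if classify(line) == "Microsoft-CommonSecurityLog" else line
        for line in lines
    ]


if __name__ == "__main__":
    for line in SAMPLES:
        fac, sev, _ = parse_pri(line)
        print(f"facility={fac:2d} severity={sev} stream={classify(line)}")
    # A "user"-facility DCR sees both the CEF line and the sudo line ...
    print("user facility before rewrite:", len(select_by_facility(SAMPLES, ["user"])))
    # ... but after rewriting CEF onto local7 the two are separable by facility alone.
    rerouted = route_cef_to(SAMPLES, "local7")
    print("user facility after rewrite: ", len(select_by_facility(rerouted, ["user"])))
    print("local7 after rewrite:        ", len(select_by_facility(rerouted, ["local7"])))
```

The model only decides where a message belongs; the actual rewrite has to happen on the forwarder (for example a syslog-ng rewrite rule on the path that carries the eStreamer output), so that each DCR is handed messages whose facility already matches their shape.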