MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Cisco ASA cannot be configured to send Syslog messages over TCP 514 #49792

Closed mbell85 closed 3 years ago

mbell85 commented 4 years ago

I have been attempting to get this working for HOURS! The confusing thing about it is that this article says the Syslog daemon on my Linux machine needs to be configured to listen for messages on TCP port 514, but syslog messages cannot be sent by a Cisco ASA over 514/tcp. It must be a port greater than 1025! The default for Cisco ASA is to send syslog messages to Port 514/udp. Very confused.



mbell85 commented 4 years ago

Should note I can see the mock data in the Azure portal when I run it, but the CEF collector isn't getting any of the syslog messages sent from my ASA over 514/udp...

MarileeTurscak-MSFT commented 4 years ago

@mbell85 Thanks for your feedback! We will investigate and update as appropriate.

SaurabhSharma-MSFT commented 4 years ago

@mbell85 Please check this documentation, which is specific to connecting Cisco ASA to Sentinel and which says that you need to "Set port to 514 or the port you set in the agent." Please let me know if you still face any issues.

mbell85 commented 4 years ago

Not sure how to set the port in the OMS agent. There is no documentation.


SaurabhSharma-MSFT commented 4 years ago

@yelevin Can you please help..

mbell85 commented 4 years ago

Hey guys,

I had a call with Roger Fleming from Microsoft and we got it working!

Thanks!


SaurabhSharma-MSFT commented 4 years ago

@mbell85 Great to hear that you are unblocked. I would appreciate it if you could provide the solution details so that I can take them up with the documentation author to get that information added to the documentation.

SaurabhSharma-MSFT commented 4 years ago

@mbell85 Can you please help by providing your solution?

mbell85 commented 4 years ago

In my case, it turned out not to be the ASA that was the problem, but the VM where the OMS Agent was installed. The OMS Agent could post mock messages to Sentinel, but syslog test messages never made it through. We ended up scrapping the VM and spinning up a brand new one (Ubuntu Server 18.04).

As for getting the ASA to send syslogs directly to the VM agent, it didn't work directly using the local IP because my ASA is also serving as our gateway for the Azure site-to-site VPN. What I ended up doing was setting up a free syslog server on a Windows 10 machine in my on-prem subnet and forwarding the messages on to the OMS Agent installed on the Linux VM in Azure.

Now all is working great!


mbell85 commented 4 years ago

The messages getting sent to the machine are indeed being sent over UDP 514. Thought I should add that.


mbell85 commented 4 years ago

We also made sure to turn off auto provisioning in Azure, as it was initially tying the machine to my default workspace instead of the sentinel workspace.


mbell85 commented 4 years ago

*auto provisioning in Azure Security Center. Just to be clear.


SaurabhSharma-MSFT commented 4 years ago

@mbell85 Thank you for providing the details.
@yelevin Can you please take a look to see if you can add any information to the documentation.

fbinotto commented 4 years ago

We are having the same issue. ASA traffic is sent to Syslog collector on port 514 UDP but traffic never gets to Sentinel through the CEF connector.

The CEF connector shows as connected and we can see the MOCK entries in the CommonSecurityLog table in Log Analytics but no real traffic.

We have the following in the config file:

```
:rawmsg, regex, "CEF"|"ASA" . @@127.0.0.1:25226
```

Any suggestions?

mjunaid-fe commented 4 years ago

@fbinotto is there any update on this, I am having the same issue.

mbell85 commented 4 years ago

Just FYI. The way I eventually got around this problem was to configure the ASA to send the messages to a Syslog server capable of forwarding the messages on to the machine running the CEF collector. Have been using it this way since back in March and works great.

mjunaid-fe commented 4 years ago

@mbell85 thanks for the prompt response. Actually got it working by sending UDP logs from Cisco to the Syslog Collector and forwarding those logs to the agent's port (localhost:25226). Logs are now showing up in Sentinel, but it is still sad that the CEF collector does not work directly.
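The relay that mbell85 and mjunaid-fe describe (ASA sends to UDP 514 on a syslog host, which forwards to the agent's TCP port 25226), together with the message filter behind fbinotto's rsyslog line, as an added Python example. It is not code from the thread, from rsyslog or from Microsoft's agent. It assumes the collector accepts newline-terminated syslog lines over TCP (rsyslog's default TCP framing) and that the filter's intent is "raw message contains CEF or ASA"; the three sample messages are constructed, with 203.0.113.0/24 and 198.51.100.0/24 documentation addresses.

```python
"""UDP 514 -> TCP 25226 syslog relay with the CEF/ASA filter from the thread.

Added example, not the thread's, rsyslog's or Microsoft's code. Assumptions:
the collector accepts newline-terminated lines over TCP, and the rsyslog filter
means "raw message contains CEF or ASA". Sample messages are constructed.
"""
import re
import socket
import socketserver
import threading
import time

# Constructed samples: an ASA connection-built event (PRI 166 = facility local4/20,
# severity 6), a CEF line, and an unrelated sshd line that the filter should drop.
SAMPLE_ASA = ("<166>Mar 13 2020 19:11:32 asa-fw : %ASA-6-302013: Built outbound TCP "
              "connection 12345 for outside:203.0.113.7/443 (203.0.113.7/443) "
              "to inside:10.0.0.5/51234 (198.51.100.2/51234)")
SAMPLE_CEF = ("<134>Mar 13 2020 19:11:33 host CEF:0|Vendor|Product|1.0|100|Test event|5|"
              "src=10.0.0.5 dst=203.0.113.7")
SAMPLE_OTHER = "<13>Mar 13 2020 19:11:34 host sshd[123]: Accepted publickey for user from 10.0.0.9 port 50000"

PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_pri(line):
    """Return (facility, severity) from the leading <PRI>, or None if absent or out of range."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 24 facilities * 8 severities - 1
        return None
    return pri // 8, pri % 8


def wanted(line):
    """The thread's rsyslog filter restated: forward only messages mentioning CEF or ASA."""
    return "CEF" in line or "ASA" in line


def frame_for_collector(datagram):
    """Decode one UDP datagram; return the newline-framed TCP payload, or None to drop it."""
    line = datagram.decode("utf-8", errors="replace").rstrip("\r\n")
    if not wanted(line):
        return None
    return (line + "\n").encode("utf-8")


class RelayHandler(socketserver.BaseRequestHandler):
    """One datagram in, one framed line out (a connection per datagram, for clarity only)."""
    def handle(self):
        data, _ = self.request
        frame = frame_for_collector(data)
        if frame is None:
            return
        with socket.create_connection(self.server.collector, timeout=2) as tcp:
            tcp.sendall(frame)


class UDPRelay(socketserver.UDPServer):
    def __init__(self, listen, collector):
        super().__init__(listen, RelayHandler)
        self.collector = collector  # (host, port) of the agent's TCP listener, e.g. 127.0.0.1:25226


def run_loopback_demo(datagrams):
    """Start a stub collector and the relay on ephemeral loopback ports; return what the stub got."""
    received = []

    class Collector(socketserver.StreamRequestHandler):
        def handle(self):
            for raw in self.rfile:
                received.append(raw.decode("utf-8").rstrip("\n"))

    collector = socketserver.TCPServer(("127.0.0.1", 0), Collector)
    relay = UDPRelay(("127.0.0.1", 0), collector.server_address)
    for srv in (collector, relay):
        threading.Thread(target=srv.serve_forever, daemon=True).start()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        for d in datagrams:
            udp.sendto(d, relay.server_address)
    expected = sum(1 for d in datagrams if frame_for_collector(d) is not None)
    deadline = time.time() + 3
    while len(received) < expected and time.time() < deadline:
        time.sleep(0.05)
    for srv in (collector, relay):
        srv.shutdown()
        srv.server_close()
    return received


if __name__ == "__main__":
    got = run_loopback_demo([s.encode() for s in (SAMPLE_ASA, SAMPLE_CEF, SAMPLE_OTHER)])
    print(len(got), "lines reached the stub collector; sshd line dropped:", SAMPLE_OTHER not in got)
```

Pointing a real ASA at this relay means binding UDP 514, which needs root or CAP_NET_BIND_SERVICE; the `__main__` block instead runs the loopback demonstration with a stub collector so the path can be checked without an ASA. rsyslog's own forwarder keeps one TCP session open rather than connecting per message, and `parse_pri` is there so a forwarder can also verify that what arrives carries the ASA's expected facility (local4) before trusting it.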

mbell85 commented 4 years ago

Glad to help! It's a minor annoyance, but at the same time I kind of like having a local Syslog server running so I can glance at it throughout the day, and then using the CEF collector to import to Azure Sentinel for the analytics to run through it. It's been very helpful for identifying connection attempts from suspect IPs and blocking them at the ASA.


appelboom commented 3 years ago

Had this issue on RHEL 8.3_64 using rsyslog8. Can confirm it was just a config issue on the agent server.

To listen on both TCP and UDP, add the below to rsyslogd.conf:

```
$ModLoad imtcp
$ModLoad imudp
```

Make sure these firewall rules are in place:

```
sudo firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 0 -p tcp --dport 25226 -j ACCEPT
sudo firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 0 -p tcp --dport 514 -j ACCEPT
sudo firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 0 -p udp --dport 514 -j ACCEPT
```

Relax SELinux in /etc/selinux/config, as it will break OMSAgent. Make sure the OMS agent has egress via your proxy: /etc/opt/microsoft/omsagent/proxy.conf
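A preflight check for the collector host that turns appelboom's checklist into something you can run before blaming the ASA, as an added Python example that is not from the thread or from Microsoft. It parses the output of `ss -lntup` and `firewall-cmd --direct --get-all-rules` and the contents of /etc/selinux/config; the required port/protocol pairs and the SELinux file path come from the thread, and the sample outputs embedded below are constructed.

```python
"""Preflight check for the Linux CEF collector host, following the thread's checklist.

Added example, not the thread's or Microsoft's code. It reads `ss -lntup`,
`firewall-cmd --direct --get-all-rules` and /etc/selinux/config; the sample
outputs below are constructed so the functions can be exercised offline.
"""
import re
import subprocess

# What the thread's rsyslog and firewall setup should leave listening and open.
REQUIRED = {("udp", 514), ("tcp", 514), ("tcp", 25226)}

SAMPLE_SS = """Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:514        0.0.0.0:*     users:(("rsyslogd",pid=1234,fd=5))
tcp   LISTEN 0      25           0.0.0.0:514        0.0.0.0:*     users:(("rsyslogd",pid=1234,fd=6))
tcp   LISTEN 0      128        127.0.0.1:25226      0.0.0.0:*     users:(("ruby",pid=2345,fd=9))
"""
SAMPLE_RULES = """ipv4 filter INPUT 0 -p tcp --dport 25226 -j ACCEPT
ipv4 filter INPUT 0 -p tcp --dport 514 -j ACCEPT
ipv4 filter INPUT 0 -p udp --dport 514 -j ACCEPT
"""
SAMPLE_SELINUX = """# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted
"""

RULE_RE = re.compile(r"-p\s+(tcp|udp)\s+--dport\s+(\d+)\s+-j\s+ACCEPT")


def parse_listeners(ss_output):
    """(proto, port) pairs that are bound, taken from `ss -lntup` output."""
    found = set()
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] not in ("tcp", "udp"):
            continue
        port = parts[4].rsplit(":", 1)[-1]  # handles 0.0.0.0:514 and [::]:514 alike
        if port.isdigit():
            found.add((parts[0], int(port)))
    return found


def parse_firewall_rules(rules_output):
    """(proto, port) pairs accepted by firewalld direct rules of the form used in the thread."""
    return {(m.group(1), int(m.group(2))) for m in RULE_RE.finditer(rules_output)}


def selinux_mode(config_text):
    """Value of SELINUX= in /etc/selinux/config (comment lines ignored), or None."""
    for line in config_text.splitlines():
        line = line.strip()
        if line.startswith("SELINUX="):
            return line.split("=", 1)[1].strip().lower()
    return None


def preflight(ss_output, rules_output, selinux_config):
    """Report what is missing relative to the working setup described in the thread."""
    return {
        "missing_listeners": sorted(REQUIRED - parse_listeners(ss_output)),
        "missing_firewall_rules": sorted(REQUIRED - parse_firewall_rules(rules_output)),
        "selinux_mode": selinux_mode(selinux_config),
    }


def _run(cmd):
    """Run a command and return its stdout, or an empty string if the tool is not installed."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return ""


if __name__ == "__main__":
    try:
        with open("/etc/selinux/config") as fh:
            selinux_cfg = fh.read()
    except OSError:
        selinux_cfg = ""
    report = preflight(_run(["ss", "-lntup"]),
                       _run(["firewall-cmd", "--direct", "--get-all-rules"]),
                       selinux_cfg)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Two points the check surfaces that the comment above leaves implicit: loading `imudp`/`imtcp` only makes the modules available, and rsyslog still needs an input statement such as `input(type="imudp" port="514")` before port 514 shows up in `ss`; and the script reports the SELinux mode rather than changing it, so the narrower option of a policy that permits the agent's ports can be chosen over setting the whole system to permissive.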

batamig commented 3 years ago

Hi - @mbell85, thank you for addressing your original question to Microsoft docs! This has turned out to be a valuable thread.

We're taking all this feedback back to the team to validate before we update the docs as needed in a coming release. I'm going to close this issue for now, but feel free to continue commenting here as needed if anyone has more input.

Thank you all for your contributions to docs!

please-close