Closed mikeelliottuk closed 3 years ago
@mikeelliottuk Thanks for your feedback! We will investigate and update as appropriate.
Hi,
I'd like to build on this a little or ask for help.
I'm trying to send CEF and ASA messages to the CommonSecurityEvent and syslog messages to the Syslog table. I created the below rule based on the information provided but I'm still having trouble.
# TCP (@@) to the omsagent CEF listener on 25226, UDP (@) to the plain syslog listener on 25224
if ($rawmsg contains "CEF:" or $rawmsg contains "ASA-") then { @@127.0.0.1:25226 } else { @127.0.0.1:25224 }
Currently the syslog messages make it into the table but the CEF ones do not.
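A small Python router, added here as an illustration (it is not from any comment in this thread nor part of omsagent), that applies the same two tests as the rsyslog rule above but forwards CEF/ASA events over TCP to 127.0.0.1:25226 and everything else over UDP to 127.0.0.1:25224. The regexes are deliberately tighter than the rule's plain substring match, and the sample lines are constructed.

```python
"""Route incoming syslog lines to the two omsagent loopback listeners discussed in
this thread: CEF/ASA events to TCP 25226, everything else to UDP 25224."""
import re
import socket
from typing import Callable, Iterable, List, Optional, Tuple

OMS_HOST = "127.0.0.1"                     # omsagent listens on loopback only
CEF_PROTO, CEF_PORT = "tcp", 25226         # CEF listener (CommonSecurityLog table)
SYSLOG_PROTO, SYSLOG_PORT = "udp", 25224   # plain syslog listener (Syslog table)

# Same two tests as the rsyslog rule in the thread, but anchored so that a
# message that merely mentions "CEF:" in free text is not misrouted:
#   CEF header:  CEF:<version>|Vendor|Product|...
#   Cisco ASA:   %ASA-<severity>-<six-digit message id>:
CEF_RE = re.compile(r"\bCEF:\d+\|")
ASA_RE = re.compile(r"%ASA-\d-\d{6}:")

Sender = Callable[[str, int, bytes], None]


def classify(raw: str) -> str:
    """'cef' when the line carries a CEF header or an ASA message id, else 'syslog'."""
    return "cef" if CEF_RE.search(raw) or ASA_RE.search(raw) else "syslog"


def target(raw: str) -> Tuple[str, int]:
    """(protocol, port) the line must be forwarded to."""
    return (CEF_PROTO, CEF_PORT) if classify(raw) == "cef" else (SYSLOG_PROTO, SYSLOG_PORT)


def loopback_sender() -> Sender:
    """Real sender: one UDP socket plus a lazily opened TCP connection."""
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tcp: Optional[socket.socket] = None

    def send(proto: str, port: int, payload: bytes) -> None:
        nonlocal tcp
        if proto == "udp":
            udp.sendto(payload, (OMS_HOST, port))
            return
        if tcp is None:
            tcp = socket.create_connection((OMS_HOST, port), timeout=5)
        tcp.sendall(payload)  # newline-framed, as the rsyslog @@ forwarder sends

    return send


def route(lines: Iterable[str], sender: Sender) -> List[Tuple[str, int, str]]:
    """Forward every non-empty line; return (proto, port, line) for auditing."""
    routed: List[Tuple[str, int, str]] = []
    for line in lines:
        line = line.rstrip("\r\n")
        if not line:
            continue
        proto, port = target(line)
        sender(proto, port, (line + "\n").encode("utf-8", "replace"))
        routed.append((proto, port, line))
    return routed


# Constructed sample input; not captured from any real device.
SAMPLE_LINES = [
    "<134>Jan 10 12:00:01 fw01 CEF:0|Palo Alto Networks|PAN-OS|9.1|end|TRAFFIC|1|src=10.0.0.5 dst=10.0.0.9",
    "<166>Jan 10 12:00:02 asa01 %ASA-6-302013: Built outbound TCP connection 1 for outside:10.0.0.9/443",
    "<86>Jan 10 12:00:03 web01 sshd[2201]: Accepted publickey for deploy from 10.0.0.7 port 50112 ssh2",
    "<13>Jan 10 12:00:04 app01 helpdesk[77]: ticket note: customer asked about CEF: export format",
    "",
]


def dry_run(lines: Iterable[str] = SAMPLE_LINES) -> List[Tuple[str, int, str]]:
    """Classify the lines without touching the network."""
    return route(lines, sender=lambda proto, port, payload: None)


if __name__ == "__main__":
    # On a host running omsagent, swap dry_run() for route(SAMPLE_LINES, loopback_sender()).
    for proto, port, line in dry_run():
        print(f"{proto}/{port}  {line[:72]}")
```

Before pointing the real sender at the agent, confirm with `ss -lntup` that omsagent is actually bound to 25226/tcp and 25224/udp; a UDP datagram to a TCP-only listener is silently dropped, which looks exactly like "syslog arrives, CEF does not".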
Hi there. Might be better to post this question on the Technet Forum here https://techcommunity.microsoft.com/t5/azure-sentinel/bd-p/AzureSentinel
I too am having this challenge. I can onboard to the LAW with the OMSagent on the Linux syslog-ng forwarder and after basic configuration I am able to get syslog data to ingest into the Syslog connector in Azure Sentinel. Once I install the CEF part of the solution I lose connectivity to Syslog and CEF starts working. I have been trying for days to get both to work on the same box but I am unable to make it send both CEF on TCP and Syslog on UDP and have it make it to Sentinel. I can tail the omsagent.log and see traffic for CEF or Syslog depending on which step in the install process I am on. The docs all state the fact that Syslog and CEF are possible but I am not getting it to work. Please update the documentation to deep dive into getting both running on the same box.
Hi all - thank you for sending your feedback on this article!
We're currently taking a fresh look at our connector docs, and we're going to check back with the team about all your comments. We'll update or clarify the docs as needed in a coming release.
I'm going to close this issue for now, but feel free to add more comments if you have additional input. We value your contributions to Microsoft docs!
Actually got this working with Splunk and Syslog/CEF going to dual locations from the same Syslog-NG server. The key is to let the OMS agent take over the Syslog-NG.Conf file and adjust your Splunk to work with what changes the OMS agent wants.
@version:3.5
@include "/etc/syslog-ng/conf.d/*.conf"
####################################################
####################################################
options { use_dns(yes); use_fqdn(yes); dns_cache(yes); keep_hostname(yes); chain_hostnames(off); log_fifo_size(100000); flush_lines (100); stats_freq (1000); keep_timestamp(no); };
####################################################
####################################################
source s_sys { system(); internal(); };
source s_src { udp( port(514)); tcp( port(514));};
source s_remote_logs_networking { udp(port(1514) so_rcvbuf(67108864) log_fetch_limit(50)); };
source s_remote_logs_security { udp(port(2514) so_rcvbuf(67108864) log_fetch_limit(50)); };
source s_remote_logs_windows { udp(port(3514) so_rcvbuf(67108864) log_fetch_limit(50) flags(no-multi-line)); };
source s_remote_logs_sso { udp(port(4514) so_rcvbuf(67108864) log_fetch_limit(50)); };
source s_remote_logs_ois { udp(port(5514) so_rcvbuf(67108864) log_fetch_limit(50)); };
source s_remote_logs_proxy { tcp(port(6514) so_rcvbuf(67108864) log_fetch_limit(50)); };
source s_remote_logs_cloud { udp(port(7514) so_rcvbuf(67108864) log_fetch_limit(50)); };
source s_remote_logs_app { udp(port(8514) so_rcvbuf(67108864) log_fetch_limit(50) flags(no-multi-line)); };
source s_remote_logs_sso_app { udp(port(9514) so_rcvbuf(67108864) log_fetch_limit(50)); };
####################################################
####################################################
destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog" flush_lines(10)); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_kern { file("/var/log/kern"); };
destination d_mlal { usertty("*"); };
destination d_5e5246d7-26c2-427b-b9da-677621396295_oms { udp("127.0.0.1" port(25224)); };
destination d_hosts_unix { file("/logs/unix/$YEAR-$MONTH-$DAY-sys01.log" dir_owner(root) dir_group(root) dir_perm(0777) owner(root) group(root) perm(0664) create_dirs(yes)); };
destination d_hosts_networking { file("/logs/networking/$(lowercase $HOST)/$YEAR-$MONTH-$DAY-sys01.log" dir_owner(root) dir_group(root) dir_perm(0777) owner(root) group(root) perm(0664) create_dirs(yes)); };
destination d_hosts_cisco_firewall { file("/logs/networking/cisco/firewalls/$(lowercase $HOST)/$YEAR-$MONTH-$DAY-sys01.log" dir_owner(root) dir_group(root) dir_perm(0777) owner(root) group(root) perm(0664) create_dirs(yes)); };
destination d_hosts_cisco_router { file("/logs/networking/cisco/routers/$(lowercase $HOST)/$YEAR-$MONTH-$DAY-sys01.log" dir_owner(root) dir_group(root) dir_perm(0777) owner(root) group(root) perm(0664) create_dirs(yes)); };
destination d_hosts_cisco_switch { file("/logs/networking/cisco/switches/$(lowercase $HOST)/$YEAR-$MONTH-$DAY-sys01.log" dir_owner(root) dir_group(root) dir_perm(0777) owner(root) group(root) perm(0664) create_dirs(yes)); };
destination d_hosts_cisco_wireless { file("/logs/networking/cisco/wireless/$(lowercase $HOST)/$YEAR-$MONTH-$DAY-sys01.log" dir_owner(root) dir_group(root) dir_perm(0777) owner(root) group(root) perm(0664) create_dirs(yes)); };
destination d_hosts_juniper_wbi { file("/logs/networking/juniper/wbi/$(lowercase $HOST)/$YEAR-$MONTH-$DAY-sys01.log" dir_owner(root) dir_group(root) dir_perm(0777) owner(root) group(root) perm(0664) create_dirs(yes)); };
destination d_hosts_f5 { file("/logs/networking/f5/$(lowercase $HOST)/$YEAR-$MONTH-$DAY-sys01.log" dir_owner(root) dir_group(root) dir_perm(0777) owner(root) group(root) perm(0664) create_dirs(yes)); };
destination d_hosts_palo { file("/logs/networking/palo/$(lowercase $HOST)/$YEAR-$MONTH-$DAY-sys01.log" dir_owner(root) dir_group(root) dir_perm(0777) owner(root) group(root) perm(0664) create_dirs(yes)); };
destination d_hosts_dhcp { file("/logs/networking/dhcp/$(lowercase $HOST)/$YEAR-$MONTH-$DAY-sys01.log" dir_owner(root) dir_group(root) dir_perm(0777) owner(root) group(root) perm(0664) create_dirs(yes)); };
destination d_hosts_nat { file("/logs/networking/nat/$(lowercase $HOST)/$YEAR-$MONTH-$DAY-sys01.log" dir_owner(root) dir_group(root) dir_perm(0777) owner(root) group(root) perm(0664) create_dirs(yes)); };
destination d_hosts_networking_misc { file("/logs/networking/misc/$(lowercase $HOST)/$YEAR-$MONTH-$DAY-sys01.log" dir_owner(root) dir_group(root) dir_perm(0777) owner(root) group(root) perm(0664) create_dirs(yes)); };
destination d_hosts_dns { file("/logs/networking/dns/$(lowercase $HOST)/$YEAR-$MONTH-$DAY-sys01.log" dir_owner(root) dir_group(root) dir_perm(0777) owner(root) group(root) perm(0664) create_dirs(yes)); };
destination d_hosts_proxy { file("/logs/networking/proxy/$(lowercase $HOST)/$YEAR-$MONTH-$DAY-sys01.log" dir_owner(root) dir_group(root) dir_perm(0777) owner(root) group(root) perm(0664) create_dirs(yes)); };
destination d_hosts_security { file("/logs/security/$(lowercase $HOST)/$YEAR-$MONTH-$DAY-sys01.log" dir_owner(root) dir_group(root) dir_perm(0777) owner(root) group(root) perm(0664) create_dirs(yes)); };
destination d_hosts_security_misc { file("/logs/security/misc/$(lowercase $HOST)/$YEAR-$MONTH-$DAY-sys01.log" dir_owner(root) dir_group(root) dir_perm(0777) owner(root) group(root) perm(0664) create_dirs(yes)); };
destination d_hosts_cisco_ips_alerts { file("/logs/security/cisco/ips/alerts/$(lowercase $HOST)/$YEAR-$MONTH-$DAY-sys01.log" dir_owner(root) dir_group(root) dir_perm(0777) owner(root) group(root) perm(0664) create_dirs(yes)); };
destination d_hosts_cisco_ips_os { file("/logs/security/cisco/ips/os/$(lowercase $HOST)/$YEAR-$MONTH-$DAY-sys01.log" dir_owner(root) dir_group(root) dir_perm(0777) owner(root) group(root) perm(0664) create_dirs(yes)); };
destination d_hosts_cisco_amp { file("/logs/security/cisco/amp/$(lowercase $HOST)/$YEAR-$MONTH-$DAY-sys01.log" dir_owner(root) dir_group(root) dir_perm(0777) owner(root) group(root) perm(0664) create_dirs(yes)); };
destination d_hosts_cisco_acs { file("/logs/security/cisco/acs/$(lowercase $HOST)/$YEAR-$MONTH-$DAY-sys01.log" dir_owner(root) dir_group(root) dir_perm(0777) owner(root) group(root) perm(0664) create_dirs(yes)); };
destination d_hosts_cisco_ise { file("/logs/security/cisco/ise/$(lowercase $HOST)/$YEAR-$MONTH-$DAY-sys01.log" dir_owner(root) dir_group(root) dir_perm(0777) owner(root) group(root) perm(0664) create_dirs(yes)); };
destination d_hosts_symantec_dlp { file("/logs/security/symantec/dlp/$(lowercase $HOST)/$YEAR-$MONTH-$DAY-sys01.log" dir_owner(root) dir_group(root) dir_perm(0777) owner(root) group(root) perm(0664) create_dirs(yes)); };
destination d_hosts_thycotic { file("/logs/security/thycotic/$(lowercase $HOST)/$YEAR-$MONTH-$DAY-sys01.log" dir_owner(root) dir_group(root) dir_perm(0777) owner(root) group(root) perm(0664) create_dirs(yes)); };
destination d_hosts_windows { file("/logs/windows/$YEAR-$MONTH-$DAY-sys01.log" dir_owner(root) dir_group(root) dir_perm(0777) owner(root) group(root) perm(0664) create_dirs(yes)); };
destination d_hosts_windows_splunk { file("/logs/windows/splunk/$YEAR-$MONTH-$DAY-sys01.log" dir_owner(root) dir_group(root) dir_perm(0777) owner(root) group(root) perm(0664) create_dirs(yes)); };
destination d_hosts_sso { file("/logs/sso/$(lowercase $HOST)/$YEAR-$MONTH-$DAY-sys01.log" dir_owner(root) dir_group(root) dir_perm(0777) owner(root) group(root) perm(0664) create_dirs(yes)); };
destination d_hosts_ois { file("/logs/ois/$YEAR-$MONTH-$DAY-sys01.log" dir_owner(root) dir_group(root) dir_perm(0777) owner(root) group(root) perm(0664) create_dirs(yes)); };
destination d_hosts_cloud { file("/logs/cloud/$YEAR-$MONTH-$DAY-sys01.log" dir_owner(root) dir_group(root) dir_perm(0777) owner(root) group(root) perm(0664) create_dirs(yes)); };
destination d_junk { file("/logs/junk/$YEAR-$MONTH-$DAY-sys01.log" dir_owner(root) dir_group(root) dir_perm(0777) owner(root) group(root) perm(0664) create_dirs(yes)); };
destination d_hosts_app { file("/logs/app/$YEAR-$MONTH-$DAY-sys01.log" dir_owner(root) dir_group(root) dir_perm(0777) owner(root) group(root) perm(0664) create_dirs(yes)); };
destination d_ldap_lookup { program("/logs/bin/ldap_lookup.py" flush_lines(1) ); };
destination d_palo_float { udp("10.13.3.48" port(514) spoof_source(no) ); };
destination d_palo_float2 { udp("10.13.3.48" port(514) spoof_source(yes) ); };
destination d_palo_ssh_vip { udp("10.13.3.61" port(514) spoof_source(no) ); };
destination d_palo_lab_float { udp("10.18.0.18" port(514) spoof_source(no) ); };
destination d_palo_lab_float2 { udp("10.18.0.18" port(514) spoof_source(yes) ); };
destination d_mom { udp("10.19.149.54" port(514) spoof_source(yes) ); };
destination d_networking_akips { udp("10.124.44.4" port(514) spoof_source(yes) ); };
destination d_zuniga { udp("eecsyslog.demo.contso.com" port(514) spoof_source(yes) ); };
destination d_ise_wan { udp("10.120.53.32" port(40514) spoof_source(yes) template("<$PRI>${ISODATE} syslog02.unx.contso.com ${MESSAGE}\n") ); };
destination d_zsyslog { udp("149.173.75.20" port(10514) ); };
####################################################
####################################################
filter f_cisco_firewall { (host("^[Ff][0-9][0-9]") and match("\%ASA-") ); };
filter f_networking_nat { (match("\%ASA-4-30501[1-2]") or match("\%ASA-6-30501[1-2]") or match("\%ASA-6-30202[0-1]") or match("\%ASA-6-30201[3-6]") ); };
filter f_windows_not_splunk { ( not host("^gisforwarder.*") ); };
filter f_windows_splunk_palo { ( host("^gisforwarder.*") and match("EventCode=4624") or match("EventCode=4768") and not match("Keywords=Audit Failure") ); };
filter f_cisco_router { (host("^[Rr][0-9][0-9][a-z]") or host("^[Vv][0-9][0-9][a-z]") ); };
filter f_cisco_switch { (host("^[Bb][0-9][0-9][a-z]") or host("^[Dd][0-9][0-9][a-z]") or host("^[Hh][0-9][0-9][a-z]")); };
filter f_cisco_wireless { (host("^[Ww][Ll][0-9][a-z]") or host("^[Ww][Cc][0-9][a-z]")); };
filter f_palo { (host("^[Ff]15xx") or host("f03xxxxrdm36nc0" flags(ignore-case)) or host("f03xxxxdfi56nc0" flags(ignore-case)) or host("^[Pp]anorama") or host("^[Ll]aborama") or host("^[Ff][0-9][0-9]") or host(".*-contso-networking-fw-vm[1-9]") and not match("\%ASA-") ); };
filter f_juniper_wbi { (match("PulseSecure:") ); };
filter f_f5 { (host("^[Ll][0-9][0-9][a-x]") or host("^l072146")); };
filter f_waf_out { not host("^l072146rvirnc0"); };
filter f_dhcp { (host("^dns[1-9].*") and message("DHCPREQUEST") or message("BOOTREQUEST") ); };
filter f_dns_query { (match("named") and match("query:") or host("^dns") and match("named") ); };
filter f_dns_dhcp_os { (host("^dns[1-9]") and facility(auth, authpriv) and not message("_pam_init_handlers: no default") ); };
filter f_dns_dhcp_trash { (host("^dns[1-9]") ); };
filter f_cisco_ips_alerts { (match("SFIMS:") or match("sourcefire:") ); };
filter f_cisco_ips_os { (match("\[ips_os\]") or match("\[sourcefire\]") ); };
# named to match the filter(f_cisco_acs) / filter(f_cisco_ise) references in the log statements below
filter f_cisco_acs { (program("CSCOacs") ); };
filter f_cisco_ise { (program("CISE") ); };
filter f_symantec_dlp { (host("gisdlpenforcement") ); };
filter f_thycotic { (host("thycoticp0[1-9]") ); };
filter f_email { host("mercmbx") or host("merccas"); };
filter f_networking_names { (host(".*.net.contso.com") or host("^[Ff][0-9][0-9]") or host("^[Bb][0-9][0-9]") or host("^[Hh][0-9][0-9]") or host("^[Rr][0-9][0-9]") or host("^[Vv][0-9][0-9]") or host("wbi.contso.com") ); };
filter f_networking_akips { (not host("^[Ff][0-9][0-9]") and host("^[Bb][0-9][0-9]") or host("^[Hh][0-9][0-9]") or host("^[Rr][0-9][0-9]") or host("^[Vv][0-9][0-9]") ); };
filter f_palo_auth { (match("EventID:4624") or match("EventID:4768") and not match ("Keyword:0x6") ); };
filter f_ldap_lookup { (match("RADIUS Accounting start") and match("@contso.com" flags(ignore-case)) or match("@jmp.com" flags(ignore-case)) and not match ("NetworkDeviceName=wbi.contso.com") ); };
filter f_palo_unix { (host("lnx..unx.contso.com") or host("rh6lgn.") or host("dcfwlgn.*") and match("Accepted") and not match("for root|nagios|dfxrnd") ); };
filter f_netseg { (match("ACS,") ); };
filter f_zuniga { (host("vep.contso.com") ); };
filter f_trash { (match("Deprecated pam_stack module") or match("password changed in future") or match("exphostd") or host("mom.unx.contso.com") and match("xxx") or host(".esx[0-9][0-9].") and match("Vpxa:|Hostd:") ); };
filter f_opendns_trash { (match("query:") and match(".opendns.com") ); };
filter f_syslconn { match("Syslog connection" value("MESSAGE")); };
filter f_amp { match("Fireamp:"); };
filter f_zeus_amp { (match("Fireamp:") and match ("zsp.\contso.com") ); };
filter f_kernel { facility(kern); };
filter f_default { level(info..emerg) and not (facility(mail) or facility(authpriv) or facility(cron) or filter(f_amp) or filter(f_syslconn)); };
filter f_auth { facility(authpriv); };
filter f_mail { facility(mail); };
filter f_emergency { level(emerg); };
filter f_news { facility(uucp) or (facility(news) and level(crit..emerg)); };
filter f_boot { facility(local7); };
filter f_cron { facility(cron); };
####################################################
####################################################
log { source(s_sys); filter(f_amp); destination(d_hosts_cisco_amp); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); };
log { source(s_sys); filter(f_zeus_amp); destination(d_zsyslog); };
log { source(s_sys); filter(f_netseg); destination(d_palo_float); destination(d_palo_lab_float); destination(d_junk); };
log { source(s_sys); filter(f_kernel); destination(d_kern); };
log { source(s_sys); filter(f_default); destination(d_mesg); };
log { source(s_sys); filter(f_auth); destination(d_auth); };
log { source(s_sys); filter(f_mail); destination(d_mail); };
log { source(s_sys); filter(f_emergency); destination(d_mlal); };
log { source(s_sys); filter(f_news); destination(d_spol); };
log { source(s_sys); filter(f_boot); destination(d_boot); };
log { source(s_sys); filter(f_cron); destination(d_cron); };
log { source(s_remote_logs_networking); filter(f_opendns_trash); flags(final); };
log { source(s_src); filter(f_dns_query); destination(d_hosts_dns); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); flags(final); };
log { source(s_remote_logs_networking); filter(f_dns_query); destination(d_hosts_dns); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); flags(final); };
log { source(s_src); filter(f_dhcp); destination(d_hosts_dhcp); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); flags(final); };
log { source(s_remote_logs_networking); filter(f_dhcp); destination(d_hosts_dhcp); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); flags(final); };
log { source(s_src); filter(f_dns_dhcp_os); destination(d_hosts_unix); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); flags(final); };
log { source(s_remote_logs_networking); filter(f_dns_dhcp_os); destination(d_hosts_unix); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); flags(final); };
log { source(s_src); filter(f_dns_dhcp_trash); destination(d_junk); flags(final); };
log { source(s_src); filter(f_trash); destination(d_junk); flags(final); };
log { source(s_remote_logs_networking); filter(f_trash); destination(d_junk); flags(final); };
log { source(s_remote_logs_security); filter(f_trash); destination(d_junk); flags(final); };
log { source(s_remote_logs_windows); filter(f_trash); destination(d_junk); flags(final); };
log { source(s_remote_logs_sso); filter(f_trash); destination(d_junk); flags(final); };
log { source(s_remote_logs_networking); filter(f_networking_akips); destination(d_networking_akips); };
log { source(s_src); filter(f_networking_akips); destination(d_networking_akips); };
log { source(s_remote_logs_windows); filter(f_windows_splunk_palo); destination(d_palo_float); };
log { source(s_remote_logs_security); filter(f_palo_auth); destination(d_palo_float); };
log { source(s_src); filter(f_palo_unix); destination(d_palo_ssh_vip); };
log { source(s_remote_logs_windows); filter(f_windows_splunk_palo); destination(d_palo_lab_float); };
log { source(s_remote_logs_security); filter(f_palo_auth); destination(d_palo_lab_float); };
log { source(s_remote_logs_windows); filter(f_windows_splunk_palo); destination(d_palo_float2); };
log { source(s_remote_logs_windows); filter(f_windows_splunk_palo); destination(d_palo_lab_float2); };
log { source(s_remote_logs_security); filter(f_ldap_lookup); destination(d_ldap_lookup); };
log { source(s_remote_logs_networking); filter(f_zuniga); destination(d_zuniga); };
log { source(s_src); filter(f_zuniga); destination(d_zuniga); };
log { source(s_remote_logs_windows); destination(d_ise_wan); };
log { source(s_remote_logs_networking); filter(f_networking_nat); destination(d_hosts_nat); flags(final); };
# oms_destination is not defined in this file; it is expected to come from the omsagent CEF config in conf.d, pulled in by the @include at the top
log { source(s_remote_logs_networking); filter(f_cisco_firewall); destination(d_hosts_cisco_firewall); destination(oms_destination); flags(final); };
log { source(s_src); filter(f_cisco_firewall); destination(d_hosts_cisco_firewall); destination(oms_destination); flags(final); };
log { source(s_remote_logs_networking); filter(f_cisco_router); destination(d_hosts_cisco_router); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); flags(final); };
log { source(s_src); filter(f_cisco_router); destination(d_hosts_cisco_router); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); flags(final); };
log { source(s_remote_logs_networking); filter(f_cisco_switch); destination(d_hosts_cisco_switch); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); flags(final); };
log { source(s_src); filter(f_cisco_switch); destination(d_hosts_cisco_switch); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); flags(final); };
log { source(s_remote_logs_networking); filter(f_cisco_wireless); destination(d_hosts_cisco_wireless); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); flags(final); };
log { source(s_src); filter(f_cisco_wireless); destination(d_hosts_cisco_wireless); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); flags(final); };
log { source(s_remote_logs_networking); filter(f_juniper_wbi); destination(d_hosts_juniper_wbi); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); flags(final); };
log { source(s_src); filter(f_juniper_wbi); destination(d_hosts_juniper_wbi); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); flags(final); };
log { source(s_remote_logs_networking); filter(f_f5); destination(d_hosts_f5); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); flags(final); };
log { source(s_src); filter(f_f5); destination(d_hosts_f5); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); flags(final); };
log { source(s_remote_logs_networking); filter(f_palo); destination(d_hosts_palo); flags(final); };
log { source(s_src); filter(f_palo); destination(d_hosts_palo); flags(final); };
log { source(s_remote_logs_networking); destination(d_hosts_networking_misc); flags(final); };
log { source(s_src); filter(f_networking_names); destination(d_hosts_networking_misc); flags(final); };
log { source(s_remote_logs_sso); destination(d_hosts_sso); flags(final); };
log { source(s_remote_logs_sso_app); destination(d_hosts_sso); flags(final); };
log { source(s_remote_logs_security); filter(f_cisco_ips_alerts); destination(d_hosts_cisco_ips_alerts); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); flags(final); };
log { source(s_src); filter(f_cisco_ips_alerts); destination(d_hosts_cisco_ips_alerts); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); flags(final); };
log { source(s_remote_logs_security); filter(f_cisco_ips_os); destination(d_hosts_cisco_ips_os); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); flags(final); };
log { source(s_src); filter(f_cisco_ips_os); destination(d_hosts_cisco_ips_os); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); flags(final); };
log { source(s_remote_logs_security); filter(f_cisco_acs); destination(d_hosts_cisco_acs); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); flags(final); };
log { source(s_remote_logs_security); filter(f_cisco_ise); destination(d_hosts_cisco_ise); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); flags(final); };
log { source(s_remote_logs_security); filter(f_symantec_dlp); destination(d_hosts_symantec_dlp); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); flags(final); };
log { source(s_remote_logs_security); filter(f_thycotic); destination(d_hosts_thycotic); destination(oms_destination); flags(final); };
log { source(s_remote_logs_security); destination(d_hosts_security_misc); flags(final); };
log { source(s_remote_logs_proxy); destination(d_hosts_proxy); flags(final); };
log { source(s_src); destination(d_hosts_unix); flags(final); };
log { source(s_remote_logs_windows); filter(f_windows_not_splunk); destination(d_hosts_windows); flags(final); };
log { source(s_remote_logs_windows); destination(d_hosts_windows_splunk); flags(final); };
log { source(s_remote_logs_cloud); destination(d_hosts_cloud); flags(final); };
log { source(s_remote_logs_ois); destination(d_hosts_ois); flags(final); };
log { source(s_remote_logs_app); destination(d_hosts_app); flags(final); };
filter f_auth_5e5246d7-26c2-427b-b9da-677621396295_oms { level(alert,crit,debug,emerg,err,info,notice,warning) and facility(auth); };
log { source(s_sys); filter(f_auth_5e5246d7-26c2-427b-b9da-677621396295_oms); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); };
filter f_authpriv_5e5246d7-26c2-427b-b9da-677621396295_oms { level(alert,crit,debug,emerg,err,info,notice,warning) and facility(authpriv); };
log { source(s_sys); filter(f_authpriv_5e5246d7-26c2-427b-b9da-677621396295_oms); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); };
filter f_cron_5e5246d7-26c2-427b-b9da-677621396295_oms { level(alert,crit,emerg,err,warning) and facility(cron); };
log { source(s_sys); filter(f_cron_5e5246d7-26c2-427b-b9da-677621396295_oms); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); };
filter f_daemon_5e5246d7-26c2-427b-b9da-677621396295_oms { level(alert,crit,emerg,err,warning) and facility(daemon); };
log { source(s_sys); filter(f_daemon_5e5246d7-26c2-427b-b9da-677621396295_oms); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); };
filter f_kern_5e5246d7-26c2-427b-b9da-677621396295_oms { level(alert,crit,emerg,err,warning) and facility(kern); };
log { source(s_sys); filter(f_kern_5e5246d7-26c2-427b-b9da-677621396295_oms); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); };
filter f_local0_5e5246d7-26c2-427b-b9da-677621396295_oms { level(alert,crit,emerg,err,warning) and facility(local0); };
log { source(s_sys); filter(f_local0_5e5246d7-26c2-427b-b9da-677621396295_oms); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); };
filter f_local2_5e5246d7-26c2-427b-b9da-677621396295_oms { level(alert,crit,emerg,err,warning) and facility(local2); };
log { source(s_sys); filter(f_local2_5e5246d7-26c2-427b-b9da-677621396295_oms); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); };
filter f_local3_5e5246d7-26c2-427b-b9da-677621396295_oms { level(alert,crit,emerg,err,warning) and facility(local3); };
log { source(s_sys); filter(f_local3_5e5246d7-26c2-427b-b9da-677621396295_oms); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); };
filter f_local4_5e5246d7-26c2-427b-b9da-677621396295_oms { level(alert,crit,emerg,err,warning) and facility(local4); };
log { source(s_sys); filter(f_local4_5e5246d7-26c2-427b-b9da-677621396295_oms); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); };
filter f_local5_5e5246d7-26c2-427b-b9da-677621396295_oms { level(alert,crit,emerg,err,warning) and facility(local5); };
log { source(s_sys); filter(f_local5_5e5246d7-26c2-427b-b9da-677621396295_oms); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); };
filter f_local6_5e5246d7-26c2-427b-b9da-677621396295_oms { level(alert,crit,emerg,err,warning) and facility(local6); };
log { source(s_sys); filter(f_local6_5e5246d7-26c2-427b-b9da-677621396295_oms); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); };
filter f_local7_5e5246d7-26c2-427b-b9da-677621396295_oms { level(alert,crit,emerg,err,warning) and facility(local7); };
log { source(s_sys); filter(f_local7_5e5246d7-26c2-427b-b9da-677621396295_oms); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); };
filter f_syslog_5e5246d7-26c2-427b-b9da-677621396295_oms { level(alert,crit,emerg,err,warning) and facility(syslog); };
log { source(s_sys); filter(f_syslog_5e5246d7-26c2-427b-b9da-677621396295_oms); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); };
filter f_user_5e5246d7-26c2-427b-b9da-677621396295_oms { level(alert,crit,emerg,err,warning) and facility(user); };
log { source(s_sys); filter(f_user_5e5246d7-26c2-427b-b9da-677621396295_oms); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); };
Hi, could this documentation please be enhanced to describe how to configure the server to forward both syslog and CEF messages?
Many thanks.
Mike