SC-200: Collect logs from a non-Azure Linux VM host into Microsoft Sentinel using Azure Arc and Syslog via AMA

Step 1 – Install and configure Rsyslog

To install rsyslog on Ubuntu, run the following from a terminal window:

sudo apt-get update

sudo apt-get install rsyslog

Check that rsyslog is running:

systemctl status rsyslog

Once installed, we need to open port 514 in the rsyslog config file:

sudo nano /etc/rsyslog.conf

Uncomment the lines for UDP and TCP port binding, then save the file.

Restart rsyslog:

sudo systemctl restart rsyslog

Verify that TCP port 514 is open:

netstat -ano | grep 514
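As an added example (not part of the original post), the following POSIX shell script checks the outcome of Step 1: that the UDP and TCP 514 listeners in /etc/rsyslog.conf are really uncommented and that rsyslog has bound port 514 for both protocols. It assumes the stock Ubuntu rsyslog.conf layout, where the listeners are the `module(load="imudp")` / `input(type="imudp" port="514")` pair and the same pair for imtcp; the `RSYSLOG_CHECK_LIVE` variable and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks for Step 1.
# Assumes the stock Ubuntu /etc/rsyslog.conf layout with these listener lines:
#   module(load="imudp")  input(type="imudp" port="514")
#   module(load="imtcp")  input(type="imtcp" port="514")

# Read rsyslog.conf text on stdin; succeed only if both the UDP and the TCP
# 514 listener (module + input line) are uncommented. A leading '#' breaks
# the anchored pattern, so a still-commented line counts as disabled.
rsyslog_listeners_enabled() {
  conf=$(cat)
  for mod in imudp imtcp; do
    printf '%s\n' "$conf" | grep -q "^[[:space:]]*module(load=\"$mod\")" || return 1
    printf '%s\n' "$conf" | grep -q "^[[:space:]]*input(type=\"$mod\" *port=\"514\")" || return 1
  done
  return 0
}

# Read `ss -tulnp` or `netstat -tulnp` output on stdin; succeed only if a udp
# and a tcp socket bound to port 514 are both present (udp/udp6, tcp/tcp6).
# The trailing whitespace requirement keeps ":5140" from matching.
port514_listening() {
  out=$(cat)
  for proto in udp tcp; do
    printf '%s\n' "$out" | grep -q "^${proto}6\{0,1\}[[:space:]].*:514[[:space:]]" || return 1
  done
  return 0
}

# Set RSYSLOG_CHECK_LIVE=1 (hypothetical switch) to run the checks against
# this host instead of constructed input; run as root so the -p column and
# the config file are readable.
if [ "${RSYSLOG_CHECK_LIVE:-0}" = 1 ]; then
  systemctl is-active --quiet rsyslog \
    && echo "rsyslog service: active" || echo "rsyslog service: NOT active"
  rsyslog_listeners_enabled < /etc/rsyslog.conf \
    && echo "rsyslog.conf: 514 listeners enabled" || echo "rsyslog.conf: listeners still commented out"
  ss -tulnp | port514_listening \
    && echo "sockets: udp+tcp 514 bound" || echo "sockets: port 514 NOT bound for both protocols"
fi
```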

Step 2 – Install Azure Arc

In the Azure portal, go to Azure Arc > Add resources > Machines > Add a machine.

Choose Add a single server, then click Generate script.

Enter the appropriate configuration for your deployment.

Click Copy or Download to get the generated script (in my example I will copy it).

Paste and run it in a terminal on the VM you would like to onboard.

You will be prompted to enter a code to authenticate.

Then you will be prompted to log in; after a successful login you should see this message:

As shown below, we can now go to Azure Arc and verify that our VM shows up with a status of Connected.

Step 3 – Install the Syslog data connector in Sentinel and deploy the Syslog AMA agent to the on-site VM

Go to Sentinel > Data Connectors > Content Hub.

Search for syslog and change the Provider filter from “All” to “Microsoft”.

Select Syslog, then click Actions > Install/Reinstall.

Once installed, select Syslog again and click Manage.

Select Syslog via AMA and click Open connector page.

Click Create data collection rule.

Select your resources (the VMs you want to collect syslog logs from).

Click Review + create; once validation passes, go ahead and create the rule.

You may have to wait a couple of minutes and refresh the page a couple of times until the connector shows as Connected.

We can also verify that we are receiving logs by querying the Syslog table in Sentinel.

Author: user
