Collecting CEF logs using the Azure Monitor Agent (AMA): unable to install the CEF collector on RHEL 8.

We were configuring the "Common Event Format (CEF) via AMA" data connector in Microsoft Sentinel.

While running the CEF installer on a RHEL 8 server:

sudo wget -O python

we got the following error:

Could not detect any running Syslog daemon on the machine. The supported Syslog daemons are Rsyslog and Syslog-ng. Please install one of them and run this script again.

rsyslog or syslog-ng are not running on the server. Aborting the installation.

We then checked the status of the rsyslog service, which also reported an error. As a next step we tried to start the rsyslog service with:

sudo service rsyslog start

However, it failed with the following error:

Redirecting to /bin/systemctl start rsyslog.service

Job for rsyslog.service failed because the control process exited with error code.

See "systemctl status rsyslog.service" and "journalctl -xe" for details.

For further details we ran journalctl -xe, which showed:

SELinux is preventing /usr/sbin/rsyslogd from read access on the file /etc/rsysl>

SELinux is preventing /usr/sbin/rsyslogd from read access on the file /etc/rsysl>

To resolve this, we first put SELinux into permissive mode by executing the command:

sudo setenforce 0

and then ran the following to restore the SELinux file contexts under /etc:

restorecon -Rv /etc

Reference –

Finally, the commands below ran successfully and we were able to install the CEF collector on RHEL:

service rsyslog restart

sudo wget -O python
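As an added example (not part of the original post), the following POSIX shell script checks whether /etc/rsyslog.conf actually carries the SELinux type the policy expects before relabeling, so the fix described above can be confirmed and SELinux returned to enforcing mode rather than left permissive. It assumes a RHEL 8 host with rsyslog and the policycoreutils tools (matchpathcon, restorecon, getenforce, setenforce) installed; the sample labels used in the comments are constructed.

```shell
#!/bin/sh
# Added example, not the post's own commands: detect a mislabelled rsyslog
# config, relabel only when needed, and restore enforcing mode afterwards.
# Assumes RHEL 8 with rsyslog and policycoreutils (matchpathcon, restorecon).

# Extract the SELinux type (third colon-separated field) from a label such as
# system_u:object_r:syslog_conf_t:s0 -> syslog_conf_t. Pure string handling.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Compare the type a file currently has with the type the policy expects.
# Returns 0 when they match, 1 when a relabel is needed.
label_matches() {
    [ "$(selinux_type "$1")" = "$(selinux_type "$2")" ]
}

# Decide from the two labels whether to relabel; prints "ok" or "relabel".
# Constructed example of the failure in the post: an actual label of
# system_u:object_r:unlabeled_t:s0 against an expected
# system_u:object_r:syslog_conf_t:s0 yields "relabel".
relabel_decision() {
    if label_matches "$1" "$2"; then echo ok; else echo relabel; fi
}

# Live check on a real host; path defaults to /etc/rsyslog.conf.
check_rsyslog_config() {
    path=${1:-/etc/rsyslog.conf}
    command -v matchpathcon >/dev/null 2>&1 || { echo "matchpathcon missing"; return 2; }
    actual=$(ls -Z "$path" | awk '{print $1}')   # current label
    expected=$(matchpathcon -n "$path")           # label the policy expects
    case "$(relabel_decision "$actual" "$expected")" in
        relabel)
            echo "$path is $actual, policy expects $expected; relabeling"
            restorecon -Rv /etc/rsyslog.conf /etc/rsyslog.d
            systemctl restart rsyslog
            ;;
        ok)
            echo "$path already carries $actual"
            ;;
    esac
    # With the labels correct, rsyslogd no longer needs permissive mode.
    [ "$(getenforce)" = Enforcing ] || setenforce 1
}
```

Run check_rsyslog_config as root after the relabel to confirm the context is right and enforcing mode is back on; the rsyslog AVC denials from journalctl -xe should not reappear.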

P.S. This blog covers this specific scenario and is not a generic solution for every CEF installation issue. Please execute the above commands very carefully. We don't take any responsibility in case of any failure on the server. Views are my own and don't represent my employer.
