Updated: Jun 14
Microsoft Sentinel's Common Event Format (CEF) via AMA connector collects CEF-formatted logs from on-premises appliances over Syslog, with the Azure Monitor Agent on a Linux forwarder filtering the events before they are uploaded to the workspace. Setting this up takes a few steps, and even when they are all done CEF logs sometimes fail to arrive in the workspace and the connector's validation script reports an error. This post walks through configuring CEF log collection in Microsoft Sentinel and fixing the firewall problem that most often causes that failure.
Step 1: Preparing the Linux machine: Before setting up CEF log collection, make sure Python 2.7 or 3 is installed on the Linux forwarder. The installation and validation scripts used in the later steps depend on it.
Step 2: Configuring the connector in the Microsoft Sentinel portal: In the Microsoft Sentinel portal, open the connector built for CEF log collection. This connector uses the Azure Monitor Agent (AMA), which takes its configuration from Data Collection Rules (DCRs).
Step 3: Deploying the AMA extension and creating the DCR: Deploy the AMA extension on the forwarder and associate the machine with the DCR created for CEF collection. The agent then receives the appliances' syslog traffic and transmits it to the workspace.
Step 4: Configuring the DCR: On the connector page, create the DCR and set the minimum log level for each syslog facility you want to collect. Selecting a level makes Sentinel collect that level and every more severe one (more severe levels carry lower numeric syslog values). For example, selecting LOG_ERR collects LOG_ERR, LOG_CRIT, LOG_ALERT and LOG_EMERG, and drops LOG_WARNING and below.
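The steps above are what the connector page does for you. As an added example (not code from the original post or from Microsoft), the script below builds the syslog data source of a CEF-via-AMA DCR from a chosen minimum level, so that "Error" expands to Error, Critical, Alert and Emergency as described, and then creates and associates the rule with az. The DCR JSON shape (stream name "Microsoft-CommonSecurityLog", facilityNames, logLevels), the az command options and every resource name are assumptions, not values from the post.

```shell
#!/bin/sh
# Added example, not from the original post or from Microsoft: build a
# CEF-via-AMA DCR whose logLevels list a minimum level plus everything more
# severe. DCR JSON shape, az options and resource names are assumptions.

# Placeholders for the target workspace and forwarder VM.
LOCATION="westeurope"
RESOURCE_GROUP="rg-sentinel"
WORKSPACE_ID="/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sentinel/providers/Microsoft.OperationalInsights/workspaces/law-sentinel"
FORWARDER_VM_ID="/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sentinel/providers/Microsoft.Compute/virtualMachines/cef-forwarder"

# Syslog severities from least to most severe, in the spelling the DCR uses.
LEVELS_ASC="Debug Info Notice Warning Error Critical Alert Emergency"

# Print the minimum level and every level more severe than it
# (Error -> "Error Critical Alert Emergency"); fail on an unknown level.
levels_at_or_above() {
    min="$1"; out=""; hit=0
    for lvl in $LEVELS_ASC; do
        if [ "$lvl" = "$min" ]; then hit=1; fi
        if [ "$hit" -eq 1 ]; then out="$out $lvl"; fi
    done
    if [ "$hit" -ne 1 ]; then echo "unknown log level: $min" >&2; return 1; fi
    echo "${out# }"
}

# Turn a space-separated list into the contents of a JSON array.
json_list() {
    first=1
    for item in $1; do
        if [ "$first" -eq 1 ]; then printf '"%s"' "$item"; first=0
        else printf ',"%s"' "$item"; fi
    done
}

# Write a DCR body to $1 that collects facility $2 at level $3 and above.
write_cef_dcr() {
    file="$1"; facility="$2"; min_level="$3"
    levels=$(levels_at_or_above "$min_level") || return 1
    cat > "$file" <<EOF
{
  "location": "$LOCATION",
  "kind": "Linux",
  "properties": {
    "dataSources": {
      "syslog": [{
        "name": "cefSyslogSource",
        "streams": ["Microsoft-CommonSecurityLog"],
        "facilityNames": [$(json_list "$facility")],
        "logLevels": [$(json_list "$levels")]
      }]
    },
    "destinations": {
      "logAnalytics": [{
        "name": "sentinelWorkspace",
        "workspaceResourceId": "$WORKSPACE_ID"
      }]
    },
    "dataFlows": [{
      "streams": ["Microsoft-CommonSecurityLog"],
      "destinations": ["sentinelWorkspace"]
    }]
  }
}
EOF
}

# Create the DCR and attach it to the forwarder (assumed az syntax; needs the
# az monitor-control-service extension). Collect local4 at Error and above.
deploy_cef_dcr() {
    write_cef_dcr /tmp/cef-dcr.json local4 Error
    az monitor data-collection rule create --name dcr-cef \
        --resource-group "$RESOURCE_GROUP" --location "$LOCATION" \
        --rule-file /tmp/cef-dcr.json
    rule_id=$(az monitor data-collection rule show --name dcr-cef \
        --resource-group "$RESOURCE_GROUP" --query id -o tsv)
    az monitor data-collection rule association create --name dcra-cef \
        --resource "$FORWARDER_VM_ID" --rule-id "$rule_id"
}

# Only talk to Azure when explicitly asked: sh cef_dcr.sh --deploy
if [ "${1:-}" = "--deploy" ]; then deploy_cef_dcr; fi
```

Run it with --deploy after logging in with az; without the flag it only defines the functions, so you can source it and call write_cef_dcr to inspect the JSON before creating anything.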
Step 5: Addressing firewall configuration issues: Even with the steps above completed, CEF logs sometimes fail to arrive in the workspace and the connector's validation script reports an error. One common cause is the host firewall on the forwarder blocking the syslog traffic, which the validation script reports as:
Could not locate "CEF" message in tcpdump. Please verify CEF events can be sent to the machine and there is not firewall blocking incoming traffic
The fix is to allow the required connections through firewalld on the forwarder. The first rule accepts local (loopback) connections on TCP port 25226:
sudo firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 0 -p tcp --dport 25226 -j ACCEPT
Port 25226 is the localhost port the legacy Log Analytics (OMS) agent used for the rsyslog hand-off; the rsyslog drop-in that the AMA installs under /etc/rsyslog.d/ shows the local port or socket your agent version actually uses, so check it rather than assume 25226, and note that firewalld's default rules already accept loopback traffic.
The second set of rules accepts syslog from the appliances on port 514, TCP and UDP:
sudo firewall-cmd --permanent --add-port=514/tcp
sudo firewall-cmd --permanent --add-port=514/udp
These open 514 to every source in the default zone. If the appliances sit in a known subnet, a rich rule scoped to that source address is the tighter choice.
Reload firewalld to activate the permanent rules:
sudo firewall-cmd --reload
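To check the fix end to end rather than just adding rules, the script below (an added example, not the post's or Microsoft's code) compares firewalld's open ports against what the forwarder needs, optionally restricts 514 to the appliance subnet with rich rules, confirms something is listening on 514, and sends a constructed CEF event as a raw RFC 3164 UDP frame while tcpdump watches for it, which is the same "CEF" in tcpdump check the validation script performs. The appliance subnet, forwarder address and the sample event contents are made up for the example; nc, ss, tcpdump and timeout are assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the original post or from Microsoft. Functions at
# the top are pure and can be tested offline; run_live_checks needs root on the
# forwarder. Subnet, addresses and the sample event are constructed.

REQUIRED_PORTS="514/tcp 514/udp"

# Given the output of `firewall-cmd --list-ports`, print the required ports
# that are not open (empty output means all are present).
missing_ports() {
    open="$1"; missing=""
    for p in $REQUIRED_PORTS; do
        case " $open " in
            *" $p "*) ;;
            *) missing="$missing $p" ;;
        esac
    done
    echo "${missing# }"
}

# Build a CEF event. Header: CEF:0|Vendor|Product|Version|EventClassID|Name|Severity|Extension
make_cef_event() {
    printf 'CEF:0|%s|%s|%s|%s|%s|%s|%s' "$1" "$2" "$3" "$4" "$5" "$6" "$7"
}

# True when a line starts with CEF:0 and carries all seven header fields.
cef_header_ok() {
    printf '%s' "$1" | awk -F'|' '{ ok = ($1 == "CEF:0" && NF >= 8) } END { exit !ok }'
}

# RFC 3164 PRI = facility*8 + severity (local4.warning -> 20*8+4 = 164).
syslog_pri() {
    case "$1" in
        kern) f=0 ;; user) f=1 ;; daemon) f=3 ;; auth) f=4 ;; syslog) f=5 ;;
        local[0-7]) f=$((16 + ${1#local})) ;;
        *) echo "unknown facility: $1" >&2; return 1 ;;
    esac
    case "$2" in
        emerg) s=0 ;; alert) s=1 ;; crit) s=2 ;; err) s=3 ;;
        warning) s=4 ;; notice) s=5 ;; info) s=6 ;; debug) s=7 ;;
        *) echo "unknown severity: $2" >&2; return 1 ;;
    esac
    echo $((f * 8 + s))
}

# Tighter alternative to --add-port=514/tcp and 514/udp: accept 514 only from
# the appliance subnet, so the forwarder is not an open syslog sink.
open_514_from_subnet() {
    for proto in tcp udp; do
        firewall-cmd --permanent --add-rich-rule="rule family=\"ipv4\" source address=\"$1\" port port=\"514\" protocol=\"$proto\" accept"
    done
    firewall-cmd --reload
}

# Send one constructed CEF event to the forwarder as a raw syslog UDP frame
# (nc from netcat or nmap-ncat; -w1 bounds the wait).
send_test_event() {
    pri=$(syslog_pri local4 warning)
    cef=$(make_cef_event Example Firewall 1.0 100 'CEF test event' 5 "rt=$(date +%s)000 src=10.0.0.5 dst=10.0.0.1")
    printf '<%s>%s %s %s\n' "$pri" "$(date '+%b %e %H:%M:%S')" "$(hostname)" "$cef" | nc -u -w1 "$1" 514
}

# Live checks, run as root: sh cef_fw_check.sh --live 10.0.0.0/24 127.0.0.1
run_live_checks() {
    src="$1"; fwd="${2:-127.0.0.1}"
    miss=$(missing_ports "$(firewall-cmd --list-ports)")
    if [ -n "$miss" ]; then
        echo "not opened with --add-port: $miss (rich rules are listed by --list-rich-rules); adding rich rules for $src"
        open_514_from_subnet "$src"
    fi
    # rsyslog, as configured by the AMA CEF installer, must be listening on 514.
    ss -lntu | awk '$5 ~ /:514$/' | grep -q . || { echo "nothing listening on 514" >&2; return 1; }
    timeout 5 tcpdump -A -ni any udp port 514 > /tmp/cef_capture.txt 2>/dev/null &
    cap=$!
    sleep 1
    send_test_event "$fwd"
    wait "$cap" || true
    if grep -q 'CEF:0|' /tmp/cef_capture.txt; then
        echo "CEF test event captured on port 514"
    else
        echo "no CEF event captured: check the firewall rules and the listener" >&2
        return 1
    fi
}

if [ "${1:-}" = "--live" ]; then run_live_checks "$2" "$3"; fi
```

If the capture shows the event but nothing reaches the workspace, the firewall is not the problem and the next places to look are the rsyslog forwarding configuration and the DCR association on the forwarder.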
Configuring CEF log collection in Microsoft Sentinel gives you visibility into the appliances that make up much of your environment's security perimeter, but the configuration only pays off when the logs actually arrive. A host firewall on the forwarder is a common reason they do not. Allowing the local hand-off connection and the appliances' syslog traffic on port 514 through firewalld, ideally restricted to the appliance sources, lets the logs flow without weakening the host. Disabling the firewall is not recommended, as it compromises the security of the forwarder.
Please note that the steps and commands provided in this blog are specific to troubleshooting firewall issues in the context of CEF log collection. Exercise caution when executing these commands and ensure they are applicable to your specific environment. The views expressed in this blog are solely those of the author and do not represent the views of the employer.
By following the steps outlined in this blog, you can overcome firewall obstacles and successfully configure CEF log collection in Microsoft Sentinel, enabling enhanced security monitoring.