Microsoft Sentinel - Collecting Common Event Format (CEF) via AMA Data connector.
Updated: Mar 22
Microsoft Sentinel provides Common Event Format (CEF) via AMA connector to quickly filter and upload logs in the Common Event Format (CEF) from multiple on-premises appliances over Syslog. The connector uses the Azure Monitor Agent (AMA), which uses Data Collection Rules (DCRs).
Following steps need to be performed to configure the CEF log collection.
The Linux machine must have Python 2.7 or 3 installed on the Linux machine.
Set up the connector in the Microsoft Sentinel portal.
Deploy the AMA extension on the machine by associating them with the DCR.
Open the connector page and create the DCR.
Configure the minimum log level for each facility. When we select a log level, Sentinel collects telemetry for the selected level and other levels with higher severity. For example, if we select LOG_ERR, Sentinel collects logs for the LOG_ERR, LOG_CRIT, LOG_ALERT, and LOG_EMERG levels.
In some cases, CEF logs might not arrive in the workspace and we might get errors while running troubleshooting script -
Could not locate "CEF" message in tcpdump. Please verify CEF events can be sent to the machine and there is not firewall blocking incoming traffic
Basically, we need to allow the Firewall configuration. Firewall requires rule to accept internal connections on port 25226:
sudo firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 0 -p tcp --dport 25226 -j ACCEPT
The firewall requires rule to accept connections from sources on port 514:
sudo firewall-cmd --permanent --add-port=514/tcp
sudo firewall-cmd --permanent --add-port=514/udp
Restart the firewall to activate the new rules: sudo firewall-cmd --reload
Some articles talk about disabling the firewall. However, it’s not a good practice to stop\disable the firewall. Rather than disabling the firewall above rules can be created for allowing the communication over the ports 514.
P.S. This blog covers the specific scenario and its not a generic solution for every CEF installation issue. Please execute the above commands very carefully. We don't own any responsibility incase of any failure to the server. Views are my own and don’t represent my employer views.