NXLog LinuxAudit connector for Microsoft Sentinel

The NXLog LinuxAudit data connector supports custom audit rules and collects logs without auditd or any other user-space software. IP addresses and group/user IDs are resolved to their respective names making Linux audit logs more intelligible to security analysts. This REST API connector can efficiently export Linux security events to Microsoft Sentinel in real-time.

This is autogenerated content. For changes, contact the solution provider.

Connector attributes

Connector attribute Description
Log Analytics table(s) LinuxAudit_CL
Data collection rules support Not currently supported
Supported by NXLog

Query samples

Most frequent type

LinuxAudit_CL

| summarize EventCount = count() by type_s 

| where strlen(type_s) > 1 

| render barchart

Most frequent comm

LinuxAudit_CL

| summarize EventCount = count() by comm_s

| where strlen(comm_s) > 1

| render barchart

Most frequent name

LinuxAudit_CL

| summarize EventCount = count() by name_s

| where strlen(name_s) > 1

| render barchart

Vendor installation instructions

Follow the step-by-step instructions in the NXLog User Guide Integration Topic Microsoft Sentinel to configure this connector.

Next steps

For more information, go to the related solution.