Problems with data collectors and syslog

Mock - 0 Reputation points
2024-05-13T13:22:19.72+00:00

So, I have a task to integrate security logs that are being sent via the syslog protocol, formatted as CEF.

https://learn.microsoft.com/en-us/azure/sentinel/connect-cef-syslog-ama?tabs=syslog%2Cportal

I do have a Linux VM.

It does have the Python version.

I did install the AMA through the command line.

When I generate an event, I get this message in the logs:

2024-05-13 16:20:10 +0300 [error]: "<6>2024-05-13T10:20:10-03:00 testing_logs testing_logs_are_nicer[3107160]: CEF:0|testing|bot-mitigation|1.0|proxied-origin|bot mitigation classified request (proxied-origin) |2|Action=block Client=144.22.210.139 GeoIP2DataCityName=S\xC3\xA3o Paulo GeoIP2DataContinentCode=SA GeoIP2DataCountryCode=BR GeoIP2DataCountryName=Brazil GeoIP2DataStateName=SP GeoIP2Org=AS31898 ORACLE-BMC-31898 Host=dogurai.com Method=GET Milliseconds=1715606409.643 Protocol= QueryString= RealHost=dogurai.com RequestID=1f3f17ca724883aaaf345648e06c5b60 Rules={bot mitigation classified request (proxied-origin) } Scheme=http Timestamp=1715606409 URI=/a\\=a UserAgent=raparigueira" error="invalid time format: value = 2024-05-13T10:20:10-03:00 testing_logs testing_logs_are_nicer[3107160]:, error_class = ArgumentError, error = invalid date or strptime format - `2024-05-13T10:20:10-03:00 testing_logs testing_logs_are_nicer[3107160]:' `%b %d %H:%M:%S'"
  2024-05-13 16:20:10 +0300 [error]: suppressed same stacktrace
2024-05-13 16:20:12 +0300 [info]: Sending OMS Heartbeat succeeded at 2024-05-13T13:20:12.526Z

Is it because it's expecting rsyslog instead of syslog format? What's the format supposed to be? How do I change it?


1 answer

  1. Shweta Mathur 28,106 Reputation points Microsoft Employee
    2024-05-16T11:21:08.9366667+00:00

    Hi @Mock,

    Thanks for reaching out.

    Based on the error message you provided, it seems that the issue is related to the timestamp format in the log message. The error message indicates that the timestamp format is invalid.

    Regarding the format of the logs, the Common Event Format (CEF) is a standard format for security-related logs.

    To resolve the issue, you can try changing the timestamp format in the log message to match the expected format. You can also check the configuration of the syslog daemon to ensure that it is configured to use the correct format. The syslog daemon should be configured to use the RFC 3164 format, which is the default format for syslog messages.

    If you are using syslog-ng, you can check the configuration file /etc/syslog-ng/syslog-ng.conf and update the format.

    After making any changes to the configuration files, you will need to restart the syslog daemon for the changes to take effect.

    Hope this will help.

    Thanks,

    Shweta

    Please remember to "Accept Answer" if answer helped you.
