AndrewCraig-4065 asked

Windows VM Server as Log Analytics Gateway to Azure Sentinel

We are planning an Azure Sentinel deployment and want all of our data sources to first log to an on-prem gateway server, and then send off to Sentinel. Microsoft documentation keeps mentioning a Linux server to be used for this log forwarder but can a Windows server be used instead?

Would this just require a Windows server with the Log Analytics agent (Microsoft Monitoring Agent) installed to collect the logs? I see system requirements for the Linux forwarder, but what are the requirements for Windows?

Thank you,
Andrew

azure-sentinel

@AndrewCraig-4065
Thank you for your post and I apologize for the late response!

Would you be able to share the documentation that you're referencing so I can gain a better understanding of your issue?

0 Votes 0 ·

Hi James,

I am referencing the following documents:

https://docs.microsoft.com/en-us/azure/sentinel/connect-cef-agent?tabs=rsyslog

https://docs.microsoft.com/en-us/azure/sentinel/connect-data-sources

There are various other mentions of log-forwarding throughout this guide, but it always seems to indicate a Linux VM should be used.

Thanks,
Andrew

0 Votes 0 ·

1 Answer

1 Vote
CyrilAzoulay answered

If I'm not mistaken:
- Log Analytics Gateway is really not much more than a simplified HTTP proxy, for environments where the Log Analytics agents don't have direct access to the internet.
- Syslog messages can only be forwarded through a Linux Log Analytics agent (which in turn may need to connect through a Log Analytics Gateway to reach Azure). The Windows agent can't act as a syslog receiver.

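The answer above says that syslog-format sources have to land on a Linux agent before anything reaches Sentinel. What follows is an added example, not code from this thread and not part of Microsoft's agent: a small parser for a CEF-over-syslog line of the kind such a forwarder receives from a firewall. The sample line is constructed (ExampleVendor, ExampleFW, 10.0.0.5 and 203.0.113.7 are made-up values), and the field names follow the CEF header order. It shows the seven pipe-delimited header fields, the escaping rules for `|`, `=` and `\`, and how the syslog `<PRI>` decodes to facility and severity, which is what you end up checking when a device's events arrive truncated or with empty fields in the workspace.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample: what a firewall might send to the Linux forwarder over syslog.
# <134> is the syslog PRI (facility local0 = 16, severity informational = 6).
SAMPLE_LINE = (
    "<134>Jun 12 10:15:32 fw01 CEF:0|ExampleVendor|ExampleFW|1.0|100|Traffic denied|5|"
    "src=10.0.0.5 dst=203.0.113.7 spt=51515 dpt=443 proto=TCP act=deny msg=Policy rule 12 matched"
)

# The seven CEF header fields, in wire order. The eighth segment is the extension.
HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")


@dataclass
class CefEvent:
    syslog_pri: Optional[int]
    syslog_facility: Optional[int]
    syslog_severity: Optional[int]
    header: Dict[str, str]
    extensions: Dict[str, str]


def _split_header(s: str):
    """Split the seven header fields on unescaped '|' and return (fields, extension).

    In the header, '\\|' is a literal pipe and '\\\\' a literal backslash.
    """
    parts, cur, i = [], [], 0
    while i < len(s) and len(parts) < 7:
        c = s[i]
        if c == "\\" and i + 1 < len(s):      # escaped character: take the next char literally
            cur.append(s[i + 1])
            i += 2
            continue
        if c == "|":                            # unescaped delimiter closes a field
            parts.append("".join(cur))
            cur = []
            i += 1
            continue
        cur.append(c)
        i += 1
    if len(parts) < 7:
        raise ValueError("truncated CEF header: expected 7 pipe-delimited fields")
    return parts, s[i:]


# A key is a run of word-ish characters followed by '=', at the start or after whitespace.
# Values may contain spaces, so keys are located first and values are the text between them.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.\-]+)=")


def _unescape(value: str) -> str:
    """Undo CEF extension escaping: '\\=' -> '=', '\\\\' -> '\\', '\\n'/'\\r' -> newline/CR."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _parse_extensions(ext: str) -> Dict[str, str]:
    out: Dict[str, str] = {}
    matches = list(_KEY_RE.finditer(ext))
    for idx, m in enumerate(matches):
        start = m.end()
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        out[m.group(1)] = _unescape(ext[start:end].strip())
    return out


# Optional '<PRI>', an optional syslog header up to the last space before 'CEF:', then the payload.
_SYSLOG_RE = re.compile(r"^(?:<(\d{1,3})>)?(?:.*?\s)??(CEF:.*)$", re.DOTALL)


def parse_cef(line: str) -> CefEvent:
    """Parse one syslog line carrying a CEF payload into a CefEvent."""
    m = _SYSLOG_RE.match(line)
    if not m:
        raise ValueError("no CEF payload found in line")
    pri = int(m.group(1)) if m.group(1) else None
    facility = pri >> 3 if pri is not None else None    # PRI = facility * 8 + severity
    severity = pri & 7 if pri is not None else None
    fields, ext = _split_header(m.group(2)[len("CEF:"):])
    header = dict(zip(HEADER_FIELDS, fields))
    return CefEvent(pri, facility, severity, header, _parse_extensions(ext))


if __name__ == "__main__":
    ev = parse_cef(SAMPLE_LINE)
    print(ev.header["device_vendor"], ev.header["name"], ev.extensions["dst"])
```

The header splitter refuses anything with fewer than seven fields rather than guessing, so a device that emits a non-conforming prefix shows up as a parse error at the forwarder instead of as silently shifted columns once the events are in the workspace.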

@AndrewCraig-4065
I just wanted to check in and see if you had a chance to review CyrilAzoulay's post, or if you have any other questions?

Thank you for your time and patience throughout this issue.

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

0 Votes 0 ·

Thanks @CyrilAzoulay. @JamesTran-MSFT - If I'm understanding correctly, the agents can be installed directly onto a log source for forwarding to Sentinel. But for network or firewall devices for example, we probably wouldn't be installing the agent on those devices, right? We would need to first forward those to a central/proxy server and as @CyrilAzoulay pointed out, any source using syslog format can only be processed with a Linux agent. I understand it varies, but what is the most common configuration you see with Sentinel? Are customers generally logging to a gateway/log forwarding VM first and then off to Azure?

Thanks,
Andrew

0 Votes 0 ·

@AndrewCraig-4065
Thank you for the quick response! I've reached out to our Azure Security Center team to see if they can provide any additional comments on this issue and will update as soon as possible.

Thank you for your time and patience throughout this issue.

1 Vote 1 ·