Windows VM Server as Log Analytics Gateway to Azure Sentinel

Andrew Craig 21

We are planning an Azure Sentinel deployment and want all of our data sources to first log to an on-prem gateway server, and then send off to Sentinel. Microsoft documentation keeps mentioning a Linux server to be used for this log forwarder but can a Windows server be used instead?

Would this just require a Windows server with the Log Analytics agent (Microsoft Monitoring Agent) installed to collect the logs? I see system requirements for the Linux forwarder, but what are the requirements for Windows?

Thank you,
Andrew

JamesTran-MSFT 36,461 Reputation points Microsoft Employee

2021-02-22T22:35:15.787+00:00

@Andrew Craig
Thank you for your post and I apologize for the late response!

Would you be able to share the documentation that you're referencing so I can gain a better understanding of your issue?
Andrew Craig 21 Reputation points

2021-02-23T14:21:07.633+00:00

Hi James,

I am referencing the following documents:

https://learn.microsoft.com/en-us/azure/sentinel/connect-cef-agent?tabs=rsyslog

https://learn.microsoft.com/en-us/azure/sentinel/connect-data-sources

There are various other mentions of log-forwarding throughout this guide, but it always seems to indicate a Linux VM should be used.

Thanks,
Andrew

Accepted answer

CyrAz 5,181 Reputation points

2021-02-23T14:41:34.35+00:00
If I'm not mistaken :

Log Analytics Gateway is really not much more than a simplified HTTP proxy, for environments where the Log Analytics agents don't have direct access to the internet.

Syslog messages can only be forwarded through a linux log analytics agent (which in turn may need to connect through a log analytics gateway to reach Azure). The windows agent can't act as a syslog receiver.
Please sign in to rate this answer.

1 person found this answer helpful.
JamesTran-MSFT 36,461 Reputation points Microsoft Employee

2021-02-24T17:25:25.843+00:00

@Andrew Craig
I just wanted to check in and see if you had a chance to review CyrilAzoulay's post, or if you have any other questions?

Thank you for your time and patience throughout this issue.

----------

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

Andrew Craig 21 Reputation points

2021-02-25T16:34:20.667+00:00

Thanks @CyrilAzoulay. @JamesTran-MSFT - If I'm understanding correctly, the agents can be installed directly onto a log source for forwarding to Sentinel. But for network or firewall devices for example, we probably wouldn't be installing the agent on those devices, right? We would need to first forward those to a central/proxy server and as @CyrilAzoulay pointed out, any source using syslog format can only be processed with a Linux agent. I understand it varies, but what is the most common configuration you see with Sentinel? Are customers generally logging to a gateway/log forwarding VM first and then off to Azure?

Thanks,
Andrew

JamesTran-MSFT 36,461 Reputation points Microsoft Employee

2021-02-25T18:56:53.023+00:00

@Andrew Craig
Thank you for the quick response! I've reached out to our Azure Security Center team to see if they can provide any additional comments on this issue and will update as soon as possible.

Thank you for your time and patience throughout this issue.

Andrew Craig 21 Reputation points

2021-03-02T18:50:19.207+00:00

@JamesTran-MSFT - we are working with a managed partner who has helped us determine we will use an on-prem Linux VM for log-forwarding. So we are good to go on this question.
Sign in to comment

1 additional answer

JamesTran-MSFT 36,461 Reputation points Microsoft Employee

2021-03-02T19:04:07.773+00:00

@Andrew Craig
Thank you for the quick follow up on this and I'm glad that you'll be working with a partner to help you resolve this issue! I was also able to get a response from our support team this morning and will post their update below.

Update:
This has to be a Linux box. Windows servers are not able to send Syslog/CEF data.

Thank you again for your time and patience throughout this issue.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment