Connect your external solution using Common Event Format

Note

For information about feature availability in US Government clouds, see the Azure Sentinel tables in Cloud feature availability for US Government customers.

When you connect an external solution that sends CEF messages, there are three steps to connecting with Azure Sentinel:

  • STEP 1: Connect CEF by deploying a Syslog/CEF forwarder
  • STEP 2: Perform solution-specific steps
  • STEP 3: Verify connectivity

This article describes how the connection works, lists prerequisites, and shows the steps for deploying a mechanism for security solutions to send Common Event Format (CEF) messages on top of Syslog.

Note

Data is stored in the geographic location of the workspace on which you are running Azure Sentinel.

To make this connection, you need to deploy a Syslog Forwarder server that relays messages between the appliance and Azure Sentinel. The server is a dedicated Linux machine (a VM or an on-premises host) with the Log Analytics agent for Linux installed.

The following diagram describes the setup in the case of a Linux VM in Azure:

[Diagram: CEF in Azure]

Alternatively, this setup will exist if you use a VM in another cloud, or an on-premises machine:

[Diagram: CEF on premises]

Security considerations

Make sure to configure the machine's security according to your organization's security policy. For example, you can configure your network to align with your corporate network security policy, and you can change the ports and protocols used by the Syslog daemon to match your requirements. The following instructions help you harden the machine's configuration: Secure VM in Azure and Best practices for Network security.

To use TLS between the Syslog source and the Syslog Forwarder, configure the Syslog daemon (rsyslog or syslog-ng) to communicate over TLS: Encrypting Syslog Traffic with TLS (rsyslog), Encrypting log messages with TLS (syslog-ng).

Prerequisites

Make sure the Linux machine you use as a log forwarder is running one of the following operating systems:

  • 64-bit

    • CentOS 7 and 8, including minor versions (not 6)
    • Amazon Linux 2017.09
    • Oracle Linux 7
    • Red Hat Enterprise Linux (RHEL) Server 7 and 8, including minor versions (not 6)
    • Debian GNU/Linux 8 and 9
    • Ubuntu Linux 14.04 LTS, 16.04 LTS, and 18.04 LTS
    • SUSE Linux Enterprise Server 12, 15
  • 32-bit

    • CentOS 7 and 8, including minor versions (not 6)
    • Oracle Linux 7
    • Red Hat Enterprise Linux (RHEL) Server 7 and 8, including minor versions (not 6)
    • Debian GNU/Linux 8 and 9
    • Ubuntu Linux 14.04 LTS and 16.04 LTS
  • Daemon versions

    • Syslog-ng: 2.1 - 3.22.1
    • Rsyslog: v8
  • Syslog RFCs supported

    • Syslog RFC 3164
    • Syslog RFC 5424
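The forwarder receives CEF payloads wrapped in a syslog envelope in either of these RFC formats. The following Python parser is an added example, not code from this article or from the Log Analytics agent: it splits the CEF header on unescaped '|', decodes the escaped extension values, and reads the RFC 3164 or RFC 5424 PRI header, running on the Python 3 the forwarder already requires. The two sample messages, the vendor and product names, and the field values are constructed for the example.

```python
import re

# Constructed sample messages (not from the page): an RFC 3164 header and an
# RFC 5424 header, each carrying a CEF payload with escaped characters.
SAMPLE_RFC3164 = ("<134>Mar  5 10:15:42 fw01 CEF:0|Acme|Firewall|1.2|100|Blocked connection|5|"
                  "src=10.1.1.5 dst=10.2.2.9 spt=51234 dpt=443 msg=Policy deny\\=default act=block")
SAMPLE_RFC5424 = ("<134>1 2021-03-05T10:15:42Z fw01 acmefw - - - CEF:0|Acme|Pipe\\|Vendor|1.2|200|"
                  "Login|3|suser=alice msg=path C:\\\\temp")
HEADER_FIELDS = ["version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity"]
_FIELD = re.compile(r"((?:\\.|[^|\\])*)\|")  # one header field: escaped chars or non-'|' chars, then '|'
# An extension key starts the string or follows whitespace, so an escaped '\=' inside a value never matches.
_KEY = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.\-]+)=")

def _unescape(value):
    # CEF escapes: '\|' -> '|', '\=' -> '=', '\\' -> '\', plus the '\n' and '\r' newline forms.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def _split_header(payload):
    parts, pos = [], 0
    for _ in range(7):  # exactly seven '|'-terminated header fields precede the extension
        m = _FIELD.match(payload, pos)
        if not m:
            raise ValueError("CEF header needs 7 '|'-separated fields before the extension")
        parts.append(_unescape(m.group(1)))
        pos = m.end()
    return parts, payload[pos:]  # remainder is the still-escaped extension

def _parse_extension(ext):
    # Values may contain spaces, so each value runs up to the next unescaped key.
    keys, fields = list(_KEY.finditer(ext)), {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        fields[m.group(1)] = _unescape(ext[m.end():end].strip())
    return fields

def parse_cef_syslog(line):
    """Parse one syslog line (RFC 3164 or RFC 5424 header) that carries a CEF message."""
    pri = re.match(r"<(\d{1,3})>(1 )?", line)  # RFC 5424 puts the version '1' right after <PRI>
    start = line.find("CEF:")
    if not pri or start < 0:
        raise ValueError("line lacks a syslog <PRI> header or a CEF: payload")
    header, ext = _split_header(line[start + 4:])
    record = dict(zip(HEADER_FIELDS, header))
    record["extension"] = _parse_extension(ext)
    record["syslog_format"] = "rfc5424" if pri.group(2) else "rfc3164"
    record["syslog_facility"], record["syslog_severity"] = int(pri.group(1)) >> 3, int(pri.group(1)) & 7
    return record
```

Running the parser over a sample of what the forwarder receives is a quick way to confirm, during the verification step, that a source emits well-formed CEF rather than plain syslog text.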

Make sure your machine also meets the following requirements:

  • Capacity

    • Your machine must have a minimum of 4 CPU cores and 8 GB RAM.

      Note

      • A single log forwarder machine using the rsyslog daemon has a supported capacity of up to 8500 events per second (EPS) collected.
  • Permissions

    • You must have elevated permissions (sudo) on your machine.
  • Software requirements

    • Make sure Python 2.7 or 3 is installed on your machine.

Next steps

In this document, you learned how Azure Sentinel collects CEF logs from security solutions and appliances. To learn how to connect your solution to Azure Sentinel, see the following articles:

To learn more about what to do with the data you've collected in Azure Sentinel, see the following articles: