Microsoft Sentinel enables security teams to collect, detect, investigate, and respond to security threats across hybrid and multi-cloud environments.
A crucial part of this capability is log collection β especially from Linux systems and network/security appliances that generate Syslog and CEF (Common Event Format) messages.
With the Azure Monitor Agent (AMA) and Data Collection Rules (DCR), Microsoft now provides a unified, modern way to onboard Syslog and CEF data into Sentinel β replacing the older Log Analytics (OMS) agent.
π What Are Syslog and CEF?
| Log Type | Description | Example Source | Default Sentinel Table |
|---|---|---|---|
| Syslog | Standard logging protocol on Linux/UNIX systems. Used for OS, authentication, and service logs. | RHEL, Ubuntu, CentOS servers | Syslog |
| CEF (Common Event Format) | Structured format for security logs with key-value pairs. | Firewalls, IDS/IPS, proxies, antivirus | CommonSecurityLog |
𧩠Why Use AMA and DCR?
The Azure Monitor Agent (AMA) is the new unified agent for all Azure monitoring needs β performance, metrics, and logs.
Itβs more efficient and flexible than the legacy agent and supports fine-grained control through Data Collection Rules (DCRs).
Benefits of AMA + DCR:
- β Unified collection for Syslog, CEF, and performance metrics.
- β Modern, scalable data pipeline managed through Azure Policy or Portal.
- β Granular filtering: choose which facilities and severities to collect.
- β Full support for Azure Arcβenabled servers (hybrid and on-prem).
- β Automatic agent deployment and updates.
ποΈ Architecture Overview
Linux Servers / Security Devices
β (Syslog / CEF over TCP/UDP)
Azure Monitor Agent (AMA)
β
Data Collection Rule (DCR)
β
Log Analytics Workspace
β
Microsoft Sentinel
- AMA β collects and forwards logs securely to Azure.
- DCR β defines what data to collect and where to send it.
- Workspace β stores logs for analytics and queries.
- Sentinel β correlates and visualizes data for detection and response.
βοΈ Prerequisites
Before configuring the connector:
- π§ Log Analytics Workspace β Connected to your Sentinel instance.
- π§° Azure Monitor Agent (AMA) β Automatically installed via DCR or manually.
- π Outbound Internet Access β Port 443 to Azure Monitor endpoints.
- βοΈ Azure Arc β Required if collecting from non-Azure Linux servers (e.g., RHEL).
- π©βπ» Permissions β Owner, Contributor, or Security Admin on target machines.
π Step-by-Step Setup (Portal Method)
Step 1 β Enable the Syslog/CEF Connector
- Go to Microsoft Sentinel β Data connectors.
- Search for βSyslog/CEF via AMAβ.
- Click Open connector page β Create data collection rule (DCR).
Step 2 β Configure the Data Collection Rule (DCR)
In the DCR wizard:
- Choose your subscription, resource group, and region.
- Select the machines to collect from (Arc-enabled or Azure VMs).
- Define Syslog facilities (e.g.,
auth,authpriv,daemon,syslog,kern). - Select severities (e.g.,
Error,Critical,Alert,Warning,Info). - Set destination as your Log Analytics workspace.
π‘ Tip: DCRs support multiple data types (Syslog, CEF, performance). You can reuse the same rule across servers.
Step 3 β Configure Syslog or CEF Forwarding on Linux
For RHEL or Ubuntu servers:
sudo vi /etc/rsyslog.d/60-sentinel.conf
Add the following lines:
# Listen for incoming CEF logs
module(load="imtcp")
input(type="imtcp" port="514")
# Optional: forward local logs to Sentinel
*.* @@127.0.0.1:514
Restart rsyslog:
sudo systemctl restart rsyslog
If using syslog-ng, configure a similar input block:
source s_net { tcp(port(514)); };
log { source(s_net); destination(d_logs); };
Step 4 β Send CEF Logs from Security Devices
For firewalls, IDS/IPS, or proxies:
- Configure the device to send CEF messages via Syslog (TCP 514) to the Linux forwarder VM.
- The forwarder then sends data to Sentinel via the Azure Monitor Agent.
Example:
Device β CEF message β rsyslog β AMA β Log Analytics β Sentinel
β Data arrives in the CommonSecurityLog table.
Step 5 β Verify Log Ingestion
Open the Sentinel workspace β Logs, and run:
Syslog check
Syslog
| take 10
CEF check
CommonSecurityLog
| take 10
If data appears, collection is successful π
π§ Troubleshooting Tips
| Issue | Cause | Fix |
|---|---|---|
| No data in Sentinel | DCR not associated or incorrect facilities | Recheck DCR association |
| Connection timeout | Port 514 or 443 blocked | Open outbound network ports |
| Duplicate logs | Device and server both forwarding | Keep only one source per log type |
| Wrong timestamps | Timezone mismatch | Sync server time (NTP) |
π§Ύ Example Data Collection Rule (JSON)
Hereβs a sample DCR that collects Syslog and CEF from RHEL:
{
"location": "westeurope",
"kind": "Linux",
"properties": {
"dataSources": {
"syslog": [
{
"name": "syslog-source",
"facilityNames": ["auth", "authpriv", "daemon", "syslog"],
"logLevels": ["Error", "Critical", "Alert", "Emergency", "Warning"]
}
]
},
"destinations": {
"logAnalytics": [
{
"name": "la-destination",
"workspaceResourceId": "/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<workspace>"
}
]
},
"dataFlows": [
{
"streams": ["Microsoft-Syslog"],
"destinations": ["la-destination"]
}
]
}
}
π Where Logs Appear in Sentinel
| Log Type | Table Name | Use Case |
|---|---|---|
| Syslog | Syslog | Linux OS, authentication, kernel logs |
| CEF | CommonSecurityLog | Security device alerts and events |
π References
- Connect Syslog and CEF to Sentinel using AMA
- Syslog and CEF via AMA Overview
- Data Collection Rules (DCR)
- Azure Monitor Agent
𧩠Summary
β
Use AMA + DCR for both Syslog and CEF ingestion
β
Configure rsyslog/syslog-ng on your RHEL or collector VM
β
Associate DCRs with Arc or Azure machines
β
Validate in Syslog or CommonSecurityLog tables
β
Retire the old Log Analytics (OMS) agent
Abou Conde's Blog 