Facing issue with CEF collector via AMA


I have an Oracle Linux 7.9 VM. I have onboarded this VM using Azure Arc and created a DCR rule to install the AMA agent. I'm facing an issue with the CEF connector via the AMA agent: the logs are not coming into the CommonSecurityLog table.
When I run the troubleshoot command on the device I get the following errors.

1. Verify Syslog daemon forwarding configuration --> Failure
rsyslog configuration was found invalid in this file /etc/rsyslog.d/10-azuremonitoragent-omfwd.conf.
The forwarding of the syslog daemon to the agent might not work. Please install the agent in order
to get the updated Syslog daemon forwarding configuration file, and try again.

2. Could not locate CEF message in tcpdump. Please verify CEF events can be sent to the machine and there is no firewall blocking incoming traffic.

3. Listen to the incoming events failure.

HELP OUT TO RESOLVE THIS ISSUE.

7 Replies
Hi there, a couple of things to check first: the logs you're trying to get to Sentinel, do they reach the collector? You can check by doing a tcpdump, most likely on port 514 unless you're using another port. If you don't receive any logs over TCP then it's most likely not the Sentinel conf that is the problem but whatever you're sending to the collector. You can also check that the Sentinel conf is working by using the logger command here: logger --server $COLLECTORIP --port 514 --tcp "CEF:0|DeviceVendorName-Test2|DeviceProduct-Test|common=event-format-test|end|TRAFFIC|1|rt=$common=event-formatted-receive_timetest" Wait about 10/15 min, then query the CEF table in Sentinel and you should see your test log :)
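Added example (not posted by anyone in this thread and not part of Microsoft's troubleshooter): two offline checks that mirror the failing steps above. The first reads the listener ports out of an rsyslog config so you can confirm the data source is sending to a port rsyslog actually listens on (the port mismatch that resolved this thread); the second validates that a line is well-formed CEF, which is what the tcpdump step is looking for. The rsyslog syntaxes, file content and all sample values are assumptions; check them against your own /etc/rsyslog.d.

```python
import re

# Both rsyslog listener syntaxes (assumed here; verify against your own config):
#   input(type="imtcp" port="514")      RainerScript
#   $InputTCPServerRun 514              legacy
LISTENER_RE = re.compile(r'input\(\s*type="(imtcp|imudp)"[^)]*?port="(\d+)"')
LEGACY_RE = re.compile(r'^\$(InputTCPServerRun|UDPServerRun)\s+(\d+)', re.M)
CEF_FIELDS = ["version", "vendor", "product", "dev_version", "sig_id", "name", "severity"]


def rsyslog_listener_ports(conf_text):
    """Return {'tcp': {...}, 'udp': {...}} declared in an rsyslog config."""
    ports = {"tcp": set(), "udp": set()}
    for mod, port in LISTENER_RE.findall(conf_text) + LEGACY_RE.findall(conf_text):
        ports["tcp" if mod in ("imtcp", "InputTCPServerRun") else "udp"].add(int(port))
    return ports


def sender_port_ok(conf_text, proto, port):
    """True when the data source's destination port is one rsyslog listens on."""
    return port in rsyslog_listener_ports(conf_text)[proto]


def parse_cef(line):
    """Split a CEF line into its 7 header fields plus extension key/values.

    Honours '\\|' escapes in the header and keeps '=' inside extension values
    (the logger test line in this thread has one: rt=$common=...).
    """
    start = line.find("CEF:")
    if start < 0:  # the same prefix the tcpdump-based troubleshooter step greps for
        raise ValueError("no 'CEF:' prefix in line")
    parts = re.split(r'(?<!\\)\|', line[start + 4:], maxsplit=len(CEF_FIELDS))
    if len(parts) != len(CEF_FIELDS) + 1:
        raise ValueError(f"expected {len(CEF_FIELDS)} header pipes, got {len(parts) - 1}")
    rec = {k: v.replace("\\|", "|") for k, v in zip(CEF_FIELDS, parts)}
    ext = {}
    # A new key begins only after whitespace, so '=' inside a value stays put.
    for token in re.split(r'\s+(?=[A-Za-z][\w.]*=)', parts[-1].strip()):
        if token:
            key, _, value = token.partition("=")
            ext[key] = value.replace("\\=", "=")
    rec["extensions"] = ext
    return rec
```

Feed it the output of `tcpdump -A` on the collector, or the contents of your rsyslog.d files, to see whether the real vendor traffic and the mock logger test actually agree on port and format.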
Guys, I'm just asking to resolve this error; the mock test results are reflected in Sentinel but the real logs are not coming.
1. Verify Syslog daemon forwarding configuration --> Failure
rsyslog configuration was found invalid in this file /etc/rsyslog.d/10-azuremonitoragent-omfwd.conf.
The forwarding of the syslog daemon to the agent might not work. Please install the agent in order
to get the updated Syslog daemon forwarding configuration file, and try again.

2. Could not locate CEF message in tcpdump. Please verify CEF events can be sent to the machine and there is no firewall blocking incoming traffic.

3. Listen to the incoming events failure.

HELP OUT TO RESOLVE THIS ISSUE.
I'm kind of in the same boat with CEF logging to a Sentinel workspace. Did you resolve this?

@logger2115 Same here, did you already resolve this issue, friend?

@walfindobayusetya Yes, the data source config file needed syntax to use the same port as the AMA listener. This resolved the issue. The data source is another cloud security toolset.

I know this error comes from here: "/etc/rsyslog.d/10-azuremonitoragent-omfwd.conf". Could you please help me to get the same port between the AMA listener and the data source?
I had to update the vendor config to reflect the same port as the AMA conf. Then all events were observed. Also, make sure firewall rules allow both TCP/UDP.