Hello,
I have successfully set up syslog-ng on an Azure Ubuntu server. It is receiving logs successfully from my Meraki MX. I have also connected the Ubuntu VM to my workspace / Sentinel, or rather I have installed the agent. With that said, I now have no idea how to get the logs sent to Sentinel. I am trying to follow "Connect Syslog data to Microsoft Sentinel | Microsoft Learn", but I suck with Linux and I have no idea what the facilities are in syslog-ng, and their documentation shows it using rsyslog. I could probably set up rsyslog, but I was having issues and found syslog-ng easier to set up. So, what are the facilities, and what is the format I use in Azure Sentinel to connect them?
Thank you!
fids74gf:
I saw this before, but this confuses me:
"The configuration file for syslog-ng is located at /etc/syslog-ng/syslog-ng.conf. Its default contents are shown below. This collects syslog messages sent from the local agent for all facilities and all severities."
Then the configuration file is supposedly supposed to show all the facilities, like "#OMS_facility = auth". I do not see anything like this in my config file whatsoever. Am I supposed to simply copy and paste all those facilities under the config file's filters section?
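For both posts above (the question about what a facility filter looks like, and the question about the missing "#OMS_facility = ..." blocks), here is an added illustration of the shape such a syslog-ng configuration takes. It is an editor's example, not part of the original thread, not the poster's config and not Microsoft's documentation verbatim. It assumes: the Meraki MX sends to UDP/514 and tags its messages with facility local7 (an assumption; confirm the facility from the PRI value of a captured message), and the Log Analytics agent on the VM listens on 127.0.0.1:25224, which is what the cited Microsoft Learn page describes. Facility and severity names are the standard syslog ones: kern, user, mail, daemon, auth, syslog, lpr, news, uucp, cron, authpriv, ftp and local0 through local7 for facilities; emerg, alert, crit, err, warning, notice, info and debug for severities.

```conf
# Added example, not the original poster's file. Match the version line to
# the installed syslog-ng (run: syslog-ng --version).
@version: 3.25
@include "scl.conf"

# Local messages from the VM itself (what the stock config already collects).
source s_src {
    system();
    internal();
};

# Network listener for the Meraki MX.
# ASSUMPTION: the MX is configured to send to this host on UDP/514.
source s_meraki {
    network(ip("0.0.0.0") port(514) transport("udp"));
};

# The Log Analytics agent's own syslog listener, per the Microsoft Learn page.
destination d_oms {
    udp("127.0.0.1" port(25224));
};

# One filter per facility, with every severity listed explicitly.
# ASSUMPTION: the MX tags its messages with facility local7; verify this
# from the PRI field of a captured message before relying on it.
filter f_local7_oms { level(alert,crit,debug,emerg,err,info,notice,warning) and facility(local7); };
filter f_auth_oms   { level(alert,crit,debug,emerg,err,info,notice,warning) and facility(auth); };

# Log paths: MX traffic to the agent, plus the VM's own auth messages.
log { source(s_meraki); filter(f_local7_oms); destination(d_oms); };
log { source(s_src);    filter(f_auth_oms);   destination(d_oms); };
```

Before restarting the daemon, check the syntax with `syslog-ng -s -f /etc/syslog-ng/syslog-ng.conf` (the -s flag parses the file without starting the service). The facility you filter on must match what the MX actually sends, and a message that arrives with a facility no log path forwards is silently dropped, so a capture such as `sudo tcpdump -nn -i any udp port 514 -A` is the quickest way to confirm the facility before adjusting the filter.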