Advertisement
Ok so, this might be a long one.<\/p>\n
We have Trend Micro WFBSS that we recently enabled the API for log forwarding, downloaded the script and set it up “correctly” for log collection and storage.<\/p>\n
This script is to collect logs from our subscription and save it to /var/log/trendmicro. Then in which case a Microsoft Sentinel Syslog collector retrieves it for analysis. Now, what I would guess is that Sentinel syslog data connector uses rsyslog in Red Hat (our central logging server) to retrieve those logs.<\/p>\n
My question is, how would I configure /etc/rsyslog.conf in order to: retrieve trend micro logs from our subscription, save them in /var/log/trendmicro and then have rsyslog send it to Microsoft Sentinel?<\/p>","upvoteCount":6,"answerCount":3,"datePublished":"2022-08-18T12:05:33.000Z","author":{"@type":"Person","name":"lsuperstarl","url":"https://community.spiceworks.com/u/lsuperstarl"},"suggestedAnswer":[{"@type":"Answer","text":"
Ok so, this might be a long one.<\/p>\n
We have Trend Micro WFBSS that we recently enabled the API for log forwarding, downloaded the script and set it up “correctly” for log collection and storage.<\/p>\n
This script is to collect logs from our subscription and save it to /var/log/trendmicro. Then in which case a Microsoft Sentinel Syslog collector retrieves it for analysis. Now, what I would guess is that Sentinel syslog data connector uses rsyslog in Red Hat (our central logging server) to retrieve those logs.<\/p>\n
My question is, how would I configure /etc/rsyslog.conf in order to: retrieve trend micro logs from our subscription, save them in /var/log/trendmicro and then have rsyslog send it to Microsoft Sentinel?<\/p>","upvoteCount":6,"datePublished":"2022-08-18T12:05:33.000Z","url":"https://community.spiceworks.com/t/configure-rsyslog-for-log-forwardng/933907/1","author":{"@type":"Person","name":"lsuperstarl","url":"https://community.spiceworks.com/u/lsuperstarl"}},{"@type":"Answer","text":"
I am not certain but I would think you could create a custom drop in config in the path of /etc/rsyslog.d/ so it is separate from the main config because if you set the target in there, it will forward all logs. So the drop in will only target trend micro logs with the rule defined<\/p>\n
trend.* /var/log/trendmicro<\/p>\n
And add
\nTarget=\" Microsoft Sentinel \" Port=“XXX” Protocol=“tcp”) for forwarding<\/p>\n
action(type=“omfwd”<\/p>\n
#queue<\/span>.filename=“fwdRule1” # unique name prefix for spool files Target=“remote_host” Port=“XXX” Protocol=“tcp”)<\/p>","upvoteCount":1,"datePublished":"2022-08-18T12:38:32.000Z","url":"https://community.spiceworks.com/t/configure-rsyslog-for-log-forwardng/933907/2","author":{"@type":"Person","name":"vitob","url":"https://community.spiceworks.com/u/vitob"}},{"@type":"Answer","text":" Welcome to Spiceworks and its community, a community of IT professionals for IT professionals with a focus on SME. And please don’t forget to read the recommendations of our field guides, especially those on getting started<\/a> and on pos(t)ing good questions, including the helpful references<\/a> found on the bottom of its web page.<\/p>\n
\n#queue<\/span>.maxdiskspace=“1g” # 1gb space limit (use as much as possible)
\n#queue<\/span>.saveonshutdown=“on” # save messages to disk on shutdown
\n#queue<\/span>.type=“LinkedList” # run asynchronously
\n#action<\/span>.resumeRetryCount=“-1” # infinite retries if host is down<\/p>\n<\/a>Remote Logging (we use TCP for reliable delivery)<\/h1>\n
<\/a>remote_host is: name/ip, e.g. 192.168.0.1, port optional e.g. 10514<\/h1>\n