Creating and onboarding a Syslog Forwarder into Sentinel (Azure VM) (Easy)

Introduction

The reason I decided to put this post up is simply because I've just lost the past 4 hours of my life to trying to forward syslog from an Azure VM into Microsoft Sentinel.

From what I've seen there's at least 4 different Microsoft documented ways of doing this, and the only one which seemed to work reliably is the one below.

Setting up the VM

I'll not be going into huge detail here.. But the steps are:

1. In Azure, create a new VM in the same region as the Log Analytics workspace (Ubuntu 22.04)
2. Ensure rsyslog is installed on the VM: sudo apt install rsyslog
3. sudo nano /etc/rsyslog.conf & uncomment each of the port 514 options
4. Restart rsyslog - sudo service rsyslog restart
5. At this stage we can point all the syslog hosts to the VM

Install Azure Monitor Agent on VM

As we're on Azure this is insanely easy. Head over to the Log Analytics Workspace sections and select the Sentinel Workspace.

1. Head Over to the "Agents Section" and select the Linux Servers Tab. Click on Data Collection Rules
2. Create a new data collection rule with the following settings

3. On the resources Tab click add resources and add the VM

4. Add a new data collection rule and for the Data Source select Linux Syslog

5. Set the destination as follows. Account or Namespace has to be the Sentinel workspace.

6. We can now go back to our Virtual Machine and check out the extensions section and Azure Monitor Agent will be installing for us. This will also do all the Rsyslog setup required to forward Syslog.

7. Give it 5-10 mins and head back to Log Analytics and query for Syslog and things should be visibile, I did notice here that it pulled in the local system logs quite quickly but the device I was forwarding from took about 30-40 mins to start working correctly.

8. After the 30-40 mins.. which can often become and hour or more you'll start seeing the other device Syslog traffic appearing in Log Analytics.