
Attempting to forward generic CEF logs to Azure Sentinel


I'm forwarding generic CEF logs to Azure Sentinel and I'm running into a similar issue as noted here:

https://github.com/MicrosoftDocs/azure-docs/issues/28909

I believe I have rsyslog configured correctly: when I'm listening on port 514 I see CEF logs; however, the Azure agent does not see anything hitting its listening port. When I restart rsyslog I do see the local syslog traffic on the Azure agent.

I followed the following article:

https://learn.microsoft.com/en-us/azure/sentinel/connect-common-event-format

With rsyslog forwarding configuration as follows:

local4.debug @127.0.0.1:25226

Presuming it's the facility level; however, I'm unable to change that on the syslog client. I've added several additional facilities such as syslog and user, but to no avail.

Anyone aware of workarounds?


Solution

  • In /etc/rsyslog.d/security-config-omsagent.conf add the following:

    *.* @127.0.0.1:25226

    :rawmsg, regex, "CEF\|ASA" ~

    There was also a script from Azure for testing both the rsyslog/syslog-ng and the oms agent:

    wget https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py && sudo python cef_troubleshoot.py <workspace_id>
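To see why the question's `local4.debug` selector misses the CEF events while the answer's `*.*` line plus the rawmsg discard rule handles them, here is an added Python emulation of both rsyslog rule sets run over constructed sample messages. This is not code from the original post or from Microsoft's tooling; the PRI values, hostnames and CEF fields are made up, and rsyslog's legacy `~` action is modelled as "discard and stop processing".

```python
import re
# Syslog facility codes and severity levels (RFC 5424 section 6.2.1).
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def parse_pri(raw):
    """Return (facility, severity) names from the <PRI> header of a raw syslog line."""
    m = re.match(r"^<(\d{1,3})>", raw)
    if not m:
        return None, None
    fac, sev = divmod(int(m.group(1)), 8)
    return FACILITY_NAMES.get(fac, "unknown"), SEVERITIES[sev]

def matches_selector(raw, selector):
    """Emulate a classic 'facility.priority' selector such as local4.debug or *.*:
    '*' matches any facility; a priority matches that level and everything more severe."""
    fac_sel, sev_sel = selector.split(".")
    fac, sev = parse_pri(raw)
    if fac is None or (fac_sel != "*" and fac != fac_sel):
        return False
    return sev_sel == "*" or SEVERITIES.index(sev) <= SEVERITIES.index(sev_sel)

def evaluate_rules(raw, rules):
    """Walk rules in file order. ('selector', sel, target) forwards on a match;
    ('discard_regex', pattern) is the legacy '~' action: drop and stop processing."""
    actions = []
    for rule in rules:
        if rule[0] == "selector" and matches_selector(raw, rule[1]):
            actions.append("forward " + rule[2])
        elif rule[0] == "discard_regex" and re.search(rule[1], raw):
            actions.append("discard")
            break
    return actions

# The question's config and the answer's config as rule lists. rsyslog uses POSIX
# regex, where alternation is written "CEF\|ASA"; in Python the same pattern is "CEF|ASA".
QUESTION_RULES = [("selector", "local4.debug", "127.0.0.1:25226")]
ANSWER_RULES = [("selector", "*.*", "127.0.0.1:25226"), ("discard_regex", r"CEF|ASA")]

# Constructed samples: a CEF event sent as local0.info (PRI 134), the same event as
# local4.info (PRI 166), and an ordinary cron.notice line (PRI 77).
CEF_LOCAL0 = "<134>Jan 1 12:00:00 fw1 CEF:0|Vendor|Product|1.0|100|Test event|5|src=10.0.0.1"
CEF_LOCAL4 = "<166>Jan 1 12:00:00 fw1 CEF:0|Vendor|Product|1.0|100|Test event|5|src=10.0.0.1"
CRON_LINE = "<77>Jan 1 12:00:00 host1 CRON[123]: (root) CMD (run-parts /etc/cron.hourly)"
```

Under `QUESTION_RULES` the local0 CEF event is never forwarded, which is the symptom described in the question; under `ANSWER_RULES` every message reaches the agent port and the CEF/ASA lines are then dropped before any later rule (such as the default `/var/log/syslog` rule) can log them a second time.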