Tags: azure, azure-sentinel, azure-monitor

Has anyone implemented auxiliary log deployment in Sentinel?

I have tried implementing Auxiliary logs, but I am unable to ingest logs into the auxiliary table. How does it work? I have tried log ingestion via a text file and a JSON file but am unable to receive the logs in the Log Analytics workspace. I followed these blogs:

1. Using a text file: https://learn.microsoft.com/en-us/azure/azure-monitor/agents/data-collection-log-text?tabs=portal
2. Using JSON: https://learn.microsoft.com/en-us/azure/azure-monitor/agents/data-collection-log-json

Following https://learn.microsoft.com/en-us/azure/azure-monitor/logs/create-custom-table-auxiliary, I created a custom auxiliary table and set up the DCE and DCR, but I am still unable to ingest logs into the auxiliary table.


Solution

  • Usually, retrieving logs from workspace tables or any custom tables can take up to 10 to 20 minutes to load, after which the data is shown in the log query.

    I have also tried through the Portal and the logs are not properly visible as expected. Then I used a PowerShell & bash commands workaround as clearly explained in this blog.

    Firstly, I created a new data collection rule by calling the PowerShell command Invoke-AzRestMethod as shown in the above blog.

    After that, to ingest the logs into the table, I used the bash commands below, obtaining the access token for ingestion first.

    curl -X POST -H "Content-Type: application/x-www-form-urlencoded" \
      -d "grant_type=client_credentials&client_id=$clientid&client_secret=$clientsecret&scope=https://monitor.azure.com/.default" \
      "https://login.microsoftonline.com/$tenantid/oauth2/v2.0/token"
    

    Once the token has been retrieved and saved in a variable, I passed a JSON payload to the custom data collection rule endpoint URL as shown below. Refer to the blog for more detailed information.

    # TimeGenerated must be an ISO 8601 timestamp; the values below are placeholders.
    payload='[
      {
        "TimeGenerated": "xxx",
        "Message": "xxxx",
        "Info": "xxx"
      }
    ]'
    # Note the $payload expansion: -d "payload" would send the literal word "payload".
    curl -vvvv -H "Authorization: Bearer $token" -H "Content-Type: application/json" --request POST -d "$payload" $uri

    By performing all the above operations, you will be able to view the log information without any failure.
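The same token-then-ingest exchange as an added Python example (not code from the answer or from Microsoft): it builds the client-credentials request and the Logs Ingestion API call for the DCR stream, stamps each record with a UTC ISO 8601 TimeGenerated, and rejects bodies over the 1 MB per-call limit. The environment variable names, the DCR immutable ID and the stream name Custom-MyAuxTable_CL are placeholders, not values from the post.

```python
"""Logs Ingestion API client for an Azure Monitor custom (auxiliary) table.

Assumed placeholders (not from the original post): env vars AZ_TENANT_ID,
AZ_CLIENT_ID, AZ_CLIENT_SECRET, DCE_ENDPOINT, DCR_IMMUTABLE_ID and the
stream name Custom-MyAuxTable_CL.
"""
import json
import os
import urllib.parse
import urllib.request
from datetime import datetime, timezone

API_VERSION = "2023-01-01"
MAX_BODY_BYTES = 1_000_000  # Logs Ingestion API limit: 1 MB of JSON per call


def build_token_request(tenant_id, client_id, client_secret):
    """Client-credentials request; the scope is monitor.azure.com, not Log Analytics."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials", "client_id": client_id,
        "client_secret": client_secret, "scope": "https://monitor.azure.com/.default",
    }).encode()
    return url, form


def build_ingest_request(dce_endpoint, dcr_immutable_id, stream_name, records):
    """Return (url, body) for POST {DCE}/dataCollectionRules/{id}/streams/{stream}."""
    now = datetime.now(timezone.utc).isoformat(timespec="milliseconds").replace("+00:00", "Z")
    rows = [dict(r) if "TimeGenerated" in r else {"TimeGenerated": now, **r} for r in records]
    body = json.dumps(rows).encode()  # the API expects a JSON array, not a single object
    if len(body) > MAX_BODY_BYTES:
        raise ValueError(f"payload is {len(body)} bytes; split the batch under {MAX_BODY_BYTES}")
    url = (f"{dce_endpoint.rstrip('/')}/dataCollectionRules/{dcr_immutable_id}"
           f"/streams/{stream_name}?api-version={API_VERSION}")
    return url, body


def post(url, body, headers):
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read().decode()


if __name__ == "__main__":
    env = os.environ
    tok_url, form = build_token_request(env["AZ_TENANT_ID"], env["AZ_CLIENT_ID"], env["AZ_CLIENT_SECRET"])
    token = json.loads(post(tok_url, form, {"Content-Type": "application/x-www-form-urlencoded"})[1])["access_token"]
    url, body = build_ingest_request(env["DCE_ENDPOINT"], env["DCR_IMMUTABLE_ID"], "Custom-MyAuxTable_CL",
                                     [{"Message": "test event", "Info": "sample script"}])
    status, text = post(url, body, {"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    print(status, text or "accepted")  # 204 No Content means accepted; any other status carries an error body
```

A 204 only means the call was accepted; as the answer notes, the rows can take several minutes to show up in the table query.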