立即与支持人员聊天
与支持团队交流

syslog-ng Store Box 6.9.0 - Administration Guide

Preface Introduction The concepts of SSB The Welcome Wizard and the first login Basic settings User management and access control Managing SSB Configuring message sources Storing messages on SSB Forwarding messages from SSB Log paths: routing and processing messages Configuring syslog-ng options Searching log messages Searching the internal messages of SSB Classifying messages with pattern databases The SSB RPC API Monitoring SSB Troubleshooting SSB Security checklist for configuring SSB Glossary

Limitations

This section describes the limitations for forwarding messages from syslog-ng Store Box (SSB) to the Microsoft Azure Sentinel cloud (Azure Sentinel).

  • Messages with HTTP 400 response code will be dropped

    If the message sent to Azure Sentinel is invalid, the Azure Sentinel messaging service will reply with an HTTP 400 response code.

    The message can be invalid for either of these reasons:

    • A required argument is missing from the message.

    • The message size exceeds limits.

    • The message itself has an invalid format.

    In these cases, SSB cannot successfully send the messages to Azure Sentinel. These messages would prevent SSB from sending further messages to the messaging service, therefore SSB must drop them.

  • Proxy limitations

    If you use a proxy, consider that only HTTP proxies are supported.

Configuring the Azure Sentinel destination: adding a new Azure Sentinel destination

This section describes the first steps of configuring the Azure Sentinel destination of syslog-ng Store Box (SSB), that is, adding the new Azure Sentinel destination on the SSB web interface.

For information about configuring the authentication and workspace settings of your Azure Sentinel destination, see Configuring the Azure Sentinel destination: Authentication and workspace settings.

For information about configuring the advanced message parameters of your Azure Sentinel destination, see Configuring the Azure Sentinel destination: Advanced message parameters.

For information about configuring the performance-related settings of your Azure Sentinel destination, see Configuring the Azure Sentinel destination: Performance-related settings.

NOTE: This section and the other Azure Sentinel-related sections in this documentation are based on Azure Sentinel messaging service concepts and terminology. If you do not use the Azure Sentinel messaging service on a regular basis, One Identity recommends that you read the Azure Sentinel quick-start documentation to familiarize yourself with the messaging service's concepts and terminology before you continue reading these sections.

To create your custom Azure Sentinel destination on the SSB web interface

  1. Navigate to Log > Destinations, and select to create a new destination.

    Figure 155: Log > Destinations > <your-sentinel-destination> — Adding a new Sentinel destination

  2. Under Destination type, select Sentinel destination.

  3. After creating your Azure Sentinel destination, continue customizing it by configuring the following:

Configuring the Azure Sentinel destination: Authentication and workspace settings

This section describes configuring the authentication and workspace settings after Configuring the Azure Sentinel destination: adding a new Azure Sentinel destination.

For information about configuring the advanced message parameters of your Azure Sentinel destination, see Configuring the Azure Sentinel destination: Advanced message parameters.

For information about configuring the performance-related settings of your Azure Sentinel destination, see Configuring the Azure Sentinel destination: Performance-related settings.

NOTE: This section and the other Azure Sentinel-related sections in this documentation are based on Azure Sentinel messaging service concepts and terminology. If you do not use the Azure Sentinel messaging service on a regular basis, One Identity recommends that you read the Azure Sentinel quick-start documentation to familiarize yourself with the messaging service's concepts and terminology before you continue reading these sections.

To configure the authentication and workspace settings of your Azure Sentinel destination

  1. Navigate to Log > Destination > <your-sentinel-destination> > Authentication and workspace settings.

    Figure 156: Log > Destinations > <your-sentinel-destination> — Configuring the authentication and workspace settings

  2. In the Workspace id field, copy the WORKSPACE ID from your Azure Sentinel side.

    NOTE: The workspace ID is a unique hexadecimal number provided by Microsoft, with the purpose of identifying your Sentinel instance.

  3. In the Auth secret field, copy the PRIMARY KEY from your Azure Sentinel side.

    NOTE: The primary key is a Base64-encoded secret provided by Microsoft, with the purpose of identifying your application.

  4. (Optional) Enable Use proxy, and in the Proxy field, enter the HTTP proxy address that you want to use.

    NOTE: If you have to use a proxy, consider that only HTTP proxies are supported.

Configuring the Azure Sentinel destination: Advanced message parameters

This section describes configuring the advanced message parameters of the Azure Sentinel destination after configuring the authentication and workspace settings.

For information about adding a new Azure Sentinel destination, see Configuring the Azure Sentinel destination: adding a new Azure Sentinel destination.

For information about configuring the performance-related settings of your Azure Sentinel destination, see Configuring the Azure Sentinel destination: Performance-related settings.

NOTE: This section and the other Azure Sentinel-related sections in this documentation are based on Azure Sentinel messaging service concepts and terminology. If you do not use the Azure Sentinel messaging service on a regular basis, One Identity recommends that you read the Azure Sentinel quick-start documentation to familiarize yourself with the messaging service's concepts and terminology before you continue reading these sections.

To configure the advanced message parameters of your Azure Sentinel destination

  1. Navigate to Log > Destination > <your-sentinel-destination> > Advanced message parameters.

    Figure 157: Log > Destinations > <your-sentinel-destination> — Configuring the advanced message parameters

  2. To customize the message format sent to Azure Sentinel, specify the name-value pairs of the outgoing message in JSON format in the Body field.

    CAUTION: Hazard of data loss!

    Make sure that the customized message format is accepted by Azure Sentinel. For invalid messages, SSB will receive an HTTP 400 response code and messages with such a response code will be dropped.

    For more information on dropping messages with HTTP 400 response code, see Limitations.

    For more information on the $(format-json) template function, see Manipulating messages > Customizing message format using macros and templates > Template functions of syslog-ng PE in the syslog-ng PE Administration Guide.

  3. In the Log type field, enter Syslog_CL.

    NOTE: For more information about log types on the Azure Sentinel side, and how they connect to the functionalities of the syslog-ng Premium Edition (syslog-ng PE) application (and, as a result, to SSB), see Log types in the syslog-ng PE Administration Guide.

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级