Chat now with support
Chat with Support

syslog-ng Store Box 7.2.0 - Administration Guide

Preface Introduction The concepts of SSB The Welcome Wizard and the first login Basic settings User management and access control Managing SSB Configuring message sources Storing messages on SSB Forwarding messages from SSB Log paths: routing and processing messages Configuring syslog-ng options Searching log messages Searching the internal messages of SSB Classifying messages with pattern databases The SSB RPC API Monitoring SSB Troubleshooting SSB Security checklist for configuring SSB Glossary

Prerequisites

This section describes the prerequisites for forwarding messages from syslog-ng Store Box (SSB) to the Microsoft Azure Sentinel cloud (Azure Sentinel).

NOTE: This section and the other Azure Sentinel-related sections in this documentation are based on Azure Sentinel messaging service concepts and terminology. If you do not use the Azure Sentinel messaging service on a regular basis, One Identity recommends that you read the Azure Sentinel quick-start documentation to familiarize yourself with the messaging service's concepts and terminology before you continue reading these sections.

Prerequisites to using the Azure Sentinel destination
  • WORKSPACE ID (which will function as the Workspace id on the SSB web interface)

  • PRIMARY KEY (which will function as the Auth secret on the SSB web interface)

NOTE: For more information about the WORKSPACE ID and the PRIMARY KEY on the Azure Sentinel side, see Getting the required credentials to configure syslog-ng PE as a Data Connector for Microsoft Azure Sentinel in the syslog-ng Premium Edition Administration Guide.

Limitations

This section describes the limitations for forwarding messages from syslog-ng Store Box (SSB) to the Microsoft Azure Sentinel cloud (Azure Sentinel).

  • Messages with HTTP 400 response code will be dropped

    If the message sent to Azure Sentinel is invalid, the Azure Sentinel messaging service will reply with an HTTP 400 response code.

    The message can be invalid for either of these reasons:

    • A required argument is missing from the message.

    • The message size exceeds limits.

    • The message itself has an invalid format.

    In these cases, SSB cannot successfully send the messages to Azure Sentinel. These messages would prevent SSB from sending further messages to the messaging service, therefore SSB must drop them.

  • Proxy limitations

    If you use a proxy, consider that only HTTP proxies are supported.

Configuring the Azure Sentinel destination: adding a new Azure Sentinel destination

This section describes the first steps of configuring the Azure Sentinel destination of syslog-ng Store Box (SSB), that is, adding the new Azure Sentinel destination on the SSB web interface.

For information about configuring the authentication and workspace settings of your Azure Sentinel destination, see Configuring the Azure Sentinel destination: Authentication and workspace settings.

For information about configuring the advanced message parameters of your Azure Sentinel destination, see Configuring the Azure Sentinel destination: Advanced message parameters.

For information about configuring the performance-related settings of your Azure Sentinel destination, see Configuring the Azure Sentinel destination: Performance-related settings.

NOTE: This section and the other Azure Sentinel-related sections in this documentation are based on Azure Sentinel messaging service concepts and terminology. If you do not use the Azure Sentinel messaging service on a regular basis, One Identity recommends that you read the Azure Sentinel quick-start documentation to familiarize yourself with the messaging service's concepts and terminology before you continue reading these sections.

To create your custom Azure Sentinel destination on the SSB web interface

  1. Navigate to Log > Destinations, and select to create a new destination.

    Figure 175: Log > Destinations > <your-sentinel-destination> — Adding a new Sentinel destination

  2. Under Destination type, select Sentinel destination.

  3. After creating your Azure Sentinel destination, continue customizing it by configuring the following:

Configuring the Azure Sentinel destination: Authentication and workspace settings

This section describes configuring the authentication and workspace settings after Configuring the Azure Sentinel destination: adding a new Azure Sentinel destination.

For information about configuring the advanced message parameters of your Azure Sentinel destination, see Configuring the Azure Sentinel destination: Advanced message parameters.

For information about configuring the performance-related settings of your Azure Sentinel destination, see Configuring the Azure Sentinel destination: Performance-related settings.

NOTE: This section and the other Azure Sentinel-related sections in this documentation are based on Azure Sentinel messaging service concepts and terminology. If you do not use the Azure Sentinel messaging service on a regular basis, One Identity recommends that you read the Azure Sentinel quick-start documentation to familiarize yourself with the messaging service's concepts and terminology before you continue reading these sections.

To configure the authentication and workspace settings of your Azure Sentinel destination

  1. Navigate to Log > Destination > <your-sentinel-destination> > Authentication and workspace settings.

    Figure 176: Log > Destinations > <your-sentinel-destination> — Configuring the authentication and workspace settings

  2. In the Workspace id field, copy the WORKSPACE ID from your Azure Sentinel side.

    NOTE: The workspace ID is a unique hexadecimal number provided by Microsoft, with the purpose of identifying your Sentinel instance.

  3. In the Auth secret field, copy the PRIMARY KEY from your Azure Sentinel side.

    NOTE: The primary key is a Base64-encoded secret provided by Microsoft, with the purpose of identifying your application.

  4. In the Domain field, set the Azure domain of the workspace. For example: ods.opinsights.azure.com for Azure Public, or ods.opinsights.azure.us for Azure Government. For more information, see the related Microsoft documentation.

  5. (Optional) Enable Use proxy, and in the Proxy field, enter the HTTP proxy address that you want to use.

    NOTE: If you have to use a proxy, consider that only HTTP proxies are supported.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating