CEF via AMA data connector - Configure specific appliance or device for Microsoft Sentinel data ingestion

The Common Event Format (CEF) via AMA data connector in Microsoft Sentinel supports log collection from many security appliances and devices. This article lists provider-supplied configuration instructions for specific security appliances and devices that use this data connector. If your appliance or device isn't listed, or you need updates or more information, contact the provider.

To ingest data into your Log Analytics workspace for Microsoft Sentinel, complete the steps in Ingest syslog and CEF messages to Microsoft Sentinel with the Azure Monitor Agent. Those steps include installing the Common Event Format (CEF) via AMA data connector in Microsoft Sentinel and setting up a Linux log forwarder (the "proxy machine" or "syslog agent" referred to in the device sections below) that listens on port 514. After the connector is installed, use the instructions appropriate to your device, shown later in this article, to complete the setup.

For more information about the related Microsoft Sentinel solution for each of these appliances or devices, review the solution from the Content hub in Microsoft Sentinel.
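Before pointing a production appliance at the forwarder, it helps to know what a well-formed CEF-over-syslog line looks like and to check that the forwarder accepts one. The following Python script is an added example, not code from the Microsoft Sentinel documentation or from any of the vendors below. It builds a CEF:0 line with correct escaping (pipe and backslash in header fields, equals and backslash in extension values), wraps it in the BSD syslog framing that the PaloAlto-PAN-OS section requires using the local4 facility that the F5 section mentions, parses it back to confirm the escaping survives, and can push a test frame to the forwarder over TCP 514. FORWARDER_HOST, the host name fw01 and the sample event contents are constructed placeholders, not real device output.

```python
"""Build, parse and (optionally) send a CEF-over-syslog test message.

Added example, not part of the Microsoft Sentinel documentation or any vendor's
integration. Assumes a Linux log forwarder already running the Azure Monitor
Agent and listening on TCP 514; FORWARDER_HOST is a placeholder to replace.
"""
import re
import socket
from datetime import datetime

FORWARDER_HOST = "192.0.2.10"  # placeholder: IP address of your AMA log forwarder
FORWARDER_PORT = 514           # TCP port the CEF via AMA connector listens on
LOCAL4 = 20                    # syslog facility number for local4


def _esc_header(value) -> str:
    """CEF header fields escape backslash and the pipe delimiter."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(value) -> str:
    """CEF extension values escape backslash and the equals sign."""
    return str(value).replace("\\", "\\\\").replace("=", "\\=")


def build_cef(vendor, product, version, sig_id, name, severity, ext: dict) -> str:
    """Assemble a CEF:0 line from the six header fields and an extension dictionary."""
    header = "|".join(_esc_header(v) for v in (vendor, product, version, sig_id, name, severity))
    extension = " ".join(f"{k}={_esc_ext(v)}" for k, v in ext.items())
    return f"CEF:0|{header}|{extension}"


def wrap_bsd_syslog(cef: str, hostname: str, facility: int = LOCAL4, severity: int = 6, when=None) -> str:
    """Frame a CEF line as an RFC 3164 (BSD) syslog message: <PRI>Mmm dd hh:mm:ss host CEF:..."""
    when = when or datetime.now()
    pri = facility * 8 + severity
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"  # BSD timestamps space-pad the day
    return f"<{pri}>{stamp} {hostname} {cef}"


def is_cef(line: str) -> bool:
    return re.search(r"CEF:\d+\|", line) is not None


def parse_cef(line: str) -> dict:
    """Parse a CEF line (with or without a syslog prefix), honouring backslash escapes.

    Returns the header fields plus an 'extensions' dict; raises ValueError on malformed input.
    """
    m = re.search(r"(?:^<(\d{1,3})>)?.*?CEF:(\d+)\|", line)
    if not m:
        raise ValueError("not a CEF message")
    result = {"syslog_pri": int(m.group(1)) if m.group(1) else None, "cef_version": int(m.group(2))}
    body = line[m.end():]
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < 6:   # six header fields precede the extension
        c = body[i]
        if c == "\\" and i + 1 < len(body):    # escaped character: keep it literally
            cur.append(body[i + 1]); i += 2
        elif c == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(c); i += 1
    if len(fields) < 6:
        raise ValueError("truncated CEF header")
    for key, value in zip(("vendor", "product", "device_version", "signature_id", "name", "severity"), fields):
        result[key] = value
    sev = result["severity"]
    if not ((sev.isdigit() and 0 <= int(sev) <= 10) or sev in ("Low", "Medium", "High", "Very-High")):
        raise ValueError(f"invalid CEF severity {sev!r}")
    # Extension: key=value pairs. A key is an identifier followed by '=' at the start or after
    # whitespace, so an escaped '\=' inside a value can never be mistaken for a new key.
    ext_raw = body[i:]
    keys = list(re.finditer(r"(?:^|\s)([A-Za-z0-9_]+)=", ext_raw))
    unescape = lambda mm: {"n": "\n", "r": "\r"}.get(mm.group(1), mm.group(1))
    result["extensions"] = {}
    for j, km in enumerate(keys):
        end = keys[j + 1].start() if j + 1 < len(keys) else len(ext_raw)
        result["extensions"][km.group(1)] = re.sub(r"\\(.)", unescape, ext_raw[km.end():end])
    return result


def send_to_forwarder(frame: str, host: str = FORWARDER_HOST, port: int = FORWARDER_PORT) -> None:
    """Push one newline-terminated frame over TCP 514 to the AMA listener (needs network access)."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall((frame + "\n").encode("utf-8"))


def round_trip_example() -> dict:
    """Constructed sample event (not real device output) that exercises every escape rule."""
    cef = build_cef("Palo Alto Networks", "PAN-OS", "10.2", "THREAT", "Blocked | suspicious URL", 7, {
        "src": "10.1.2.3",
        "dst": "203.0.113.5",
        "request": "http://example.invalid/a=b",  # '=' must be escaped inside a value
        "msg": "path C:\\temp",                    # so must a backslash
    })
    frame = wrap_bsd_syslog(cef, "fw01", when=datetime(2024, 5, 1, 12, 0, 0))
    return parse_cef(frame)


if __name__ == "__main__":
    print(round_trip_example())
    # Connectivity check against the real forwarder; fails unless FORWARDER_HOST is reachable.
    test = build_cef("Test", "Sender", "1.0", "100", "connectivity check", 3, {"msg": "hello"})
    send_to_forwarder(wrap_bsd_syslog(test, "fw01"))
```

After sending the connectivity check, query the CommonSecurityLog table in the workspace for DeviceVendor == "Test"; if nothing arrives within a few minutes, check that the forwarder's firewall allows inbound TCP 514 and that the agent's syslog listener is running before troubleshooting the appliance itself.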

Citrix Web App Firewall

Configure Citrix WAF to send syslog messages in CEF format to the log forwarder (proxy) machine.

  • Find guides to configure WAF and CEF logs from Citrix Support.

  • Follow this guide to forward the logs to the proxy. Make sure to send the logs to port 514 TCP on the Linux machine's IP address.

ExtraHop Reveal(x)

Set your security solution to send syslog messages in CEF format to the proxy machine. Make sure to send the logs to port 514 TCP on the machine's IP address.

  1. Follow the directions to install the ExtraHop Detection SIEM Connector bundle on your Reveal(x) system. The SIEM Connector is required for this integration.
  2. Enable the trigger for ExtraHop Detection SIEM Connector - CEF.
  3. Update the trigger with the open data stream (ODS) syslog targets you created.

The Reveal(x) system formats syslog messages in Common Event Format (CEF) and then sends data to Microsoft Sentinel.

F5 Networks

Configure F5 to forward syslog messages in CEF format to your Microsoft Sentinel workspace via the syslog agent.

Go to F5 Configuring Application Security Event Logging and follow the instructions to set up remote logging, using the following guidelines:

  1. Set the Remote storage type to CEF.
  2. Set the Protocol setting to UDP.
  3. Set the IP address to the syslog server IP address.
  4. Set the port number to 514, or the port your agent uses.
  5. Set the facility to the one that you configured in the syslog agent. By default, the agent sets this value to local4.
  6. Optionally, set the Maximum Query String Size to the same value you configured on your agent.

PaloAlto-PAN-OS

Configure Palo Alto Networks to forward syslog messages in CEF format to your Microsoft Sentinel workspace via the syslog agent.

  1. Follow the Palo Alto Networks guidance on configuring the NGFW for sending CEF events.

  2. Go to the Palo Alto CEF Configuration guide and steps 2 and 3 of Palo Alto Configure Syslog Monitoring, choose your version, and follow the instructions using the following guidelines:

    1. Set the Syslog server format to BSD.
    2. Copy the text to an editor and remove any characters that might break the log format before pasting it into the device configuration. Copying from the PDF might alter the text and insert stray characters.

PaloAltoCDL

Follow the instructions to configure log forwarding from Cortex Data Lake to a syslog server.

Trend Micro Deep Security

Set your security solution to send syslog messages in CEF format to the proxy machine. Make sure to send the logs to port 514 TCP on the machine's IP address.

  1. Forward Trend Micro Deep Security events to the syslog agent.
  2. Define a new syslog configuration that uses the CEF format; see this knowledge article for additional information.
  3. Configure the Deep Security Manager to use this new configuration to forward events to the syslog agent using these instructions.
  4. Make sure to save the TrendMicroDeepSecurity function so that your queries against the Trend Micro Deep Security data work properly.

Zscaler

Configure your Zscaler product to send syslog messages in CEF format to your syslog agent. Make sure to send the logs to port 514 TCP.

For more information, see the Zscaler Microsoft Sentinel integration guide.