Onboarding Non-Azure Machines to Microsoft Sentinel

Forward Syslog and Microsoft security event data from a non-Azure VM to the Log Analytics workspace used by Microsoft Sentinel, using the Azure Monitor Agent (AMA).

STEP-1

  1. Open the Azure portal and search for Azure Arc.
  2. From Infrastructure, select Machines > Add/create.
  • Add a machine.
  • Add a single server > Generate script.
  • Complete the fields to connect on-premises servers. Choose the connectivity method: Public endpoint.
  • Click Next. To manage your resources and create custom views of them, assign tags.
  • Click Next.
  • Download and run the script on the server you are onboarding to Azure Arc. The script can also onboard multiple servers; note that those servers will all be assigned to the same subscription, resource group, and Azure region. You need to run the script as the local administrator on the server.

This script does the following:

  1. Download the agent from the Microsoft Download Center.
  2. Install the agent on the server.
  3. Create the Azure Arc-enabled server resource and associate it with the agent.

STEP-2

  1. Go to the Azure portal and search for Microsoft Sentinel.
  2. Select your workspace.
  3. Under the Content management blade, choose Content hub.
  4. Search for Syslog and install it.
  • After installing, go to Data connectors under the Configuration blade.
  • Choose Syslog via AMA and open the connector page.
  • Under the Configuration section, click Create data collection rule.
  • Select the subscription that will hold the deployed resources and their costs, and a resource group. Resource groups work like folders for organizing and managing all of your resources.
  • Choose the set of machines to collect data from. This selection replaces any previous one, so re-select any machines you want to keep. The Azure Monitor Agent is installed on them automatically.

Select which data source type and the data to collect for your resource(s).

  • Run the following command to install and apply the Syslog collector.
  • To collect logs generated on a different machine, run this script on the machine where the agent is installed.
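The data collection rule the portal creates in this step is an ordinary Azure Monitor DCR resource, so it helps to see what one looks like and what can go wrong in it. The following is an added example, not code from this guide or from Microsoft: it builds the DCR body for the Syslog via AMA connector (the Microsoft-Syslog stream, a list of facilities and severities, and a Log Analytics destination) and checks it for the mistakes that silently leave Sentinel without data, such as a data flow pointing at a destination name that does not exist, an unknown facility or level name, or a rule that never collects the auth/authpriv facilities. The workspace resource id, rule name, destination name and region are placeholders you replace with your own values.

```python
"""Build and sanity-check a Syslog-via-AMA data collection rule (DCR).

Added example for the "create data collection rule" step; not code from the
page. WORKSPACE_ID, the location and the destination name are placeholders.
"""
import json

# Facility and severity names accepted by the Microsoft-Syslog stream
# ("*" means all). Anything else is rejected when the rule is deployed.
VALID_FACILITIES = {
    "auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail", "mark",
    "news", "syslog", "user", "uucp", "*",
} | {f"local{i}" for i in range(8)}
VALID_LOG_LEVELS = {
    "Debug", "Info", "Notice", "Warning", "Error", "Critical",
    "Alert", "Emergency", "*",
}

# Constructed placeholder; replace with your workspace's resource id.
WORKSPACE_ID = (
    "/subscriptions/00000000-0000-0000-0000-000000000000"
    "/resourceGroups/rg-sentinel/providers/Microsoft.OperationalInsights"
    "/workspaces/law-sentinel"
)


def build_syslog_dcr(workspace_resource_id, facilities, log_levels, location="eastus"):
    """Return the DCR body (a dict) that sends the chosen facilities at the chosen
    severities to the workspace. The Azure Monitor Agent on every machine
    associated with the rule reads it and configures the local syslog daemon."""
    return {
        "location": location,
        "kind": "Linux",
        "properties": {
            "dataSources": {
                "syslog": [{
                    "name": "sysLogsDataSource",
                    "streams": ["Microsoft-Syslog"],
                    "facilityNames": sorted(facilities),
                    "logLevels": sorted(log_levels),
                }]
            },
            "destinations": {
                "logAnalytics": [{
                    "name": "sentinelWorkspace",  # referenced by dataFlows below
                    "workspaceResourceId": workspace_resource_id,
                }]
            },
            "dataFlows": [{
                "streams": ["Microsoft-Syslog"],
                "destinations": ["sentinelWorkspace"],
            }],
        },
    }


def check_dcr(dcr):
    """Return a list of problems; an empty list means the rule looks sane.
    Checks that every facility and level is a known value, that a Log Analytics
    destination exists and every data flow points at one, and that the
    authentication facilities (auth/authpriv) are actually collected."""
    problems = []
    props = dcr["properties"]
    dest_names = {d["name"] for d in props["destinations"].get("logAnalytics", [])}
    if not dest_names:
        problems.append("no Log Analytics destination configured")
    for src in props["dataSources"].get("syslog", []):
        facs, levels = set(src["facilityNames"]), set(src["logLevels"])
        unknown_f = facs - VALID_FACILITIES
        unknown_l = levels - VALID_LOG_LEVELS
        if unknown_f:
            problems.append(f"{src['name']}: unknown facility names {sorted(unknown_f)}")
        if unknown_l:
            problems.append(f"{src['name']}: unknown log levels {sorted(unknown_l)}")
        if not facs & {"auth", "authpriv", "*"}:
            problems.append(f"{src['name']}: auth/authpriv not collected; "
                            "logon events will not reach Sentinel")
        if "Microsoft-Syslog" not in src["streams"]:
            problems.append(f"{src['name']}: stream must be Microsoft-Syslog")
    for flow in props["dataFlows"]:
        missing = set(flow["destinations"]) - dest_names
        if missing:
            problems.append(f"data flow references unknown destinations {sorted(missing)}")
    return problems


def to_json(dcr):
    """Serialize the rule for `az monitor data-collection rule create --rule-file`."""
    return json.dumps(dcr, indent=2)


if __name__ == "__main__":
    rule = build_syslog_dcr(WORKSPACE_ID, {"auth", "authpriv", "daemon", "kern"},
                            {"Warning", "Error", "Critical", "Alert", "Emergency"})
    print(to_json(rule))
    print("problems:", check_dcr(rule))
```

Run the script to print the rule body and its check results; the JSON can then be supplied to `az monitor data-collection rule create --rule-file`, after which the rule still has to be associated with each Arc-enabled machine (the portal does that association for the machines you selected in the step above). Keeping the facility list to what you need (auth, authpriv, daemon, kern rather than `*` at `Debug`) keeps workspace ingestion cost predictable without losing the logon events Sentinel's analytics rely on.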
