This article has not been completed yet. However, it may already contain helpful Information and therefore it has been published at this  stage.

First, the onprem machine needs to be onboarded in Azure Arc.

You can read more about this in one of my earlier blog posts (see link).

Next, a data collection rule needs to be created.

At this stage, we only want messages from the user facility. So we set all other facilities to "none" and "LOG_User" to "LOG_INFO".

Now you can choose the right logging destination. I assume that there is already a Log Analytic Workspace available.

Creating a Data Collection Rule triggers the installation of the AMA Agent via the ARC Agent (Azure Connected Machine Agent).

As a result you will find a new heartbeat table in your Log Log Analytic Workspace.

Consequently, there is a connection between the new delivered agent and Azure.

But how do we get syslog info now?

Again, I already created a blogpost where I discuss how to set up an rsyslog server (see link). So I won't go into more detail here.

In a nutshell, I just set up an rsyslogserver that listens via port udp/tcp 514 and only allows connections from (localhost), in other words, from itself.

Nun habe ich dann einfach eine Testnachricht versendet indem ich folgenden Befehl verwendet habe.

echo "<14>Test UDP syslog message" >> /dev/udp/

Lastly, I tried to query the syslog table, which should now be present.

Expected Result:


Using the Azure Monitor Agent to Send systemd Journal Logs through Syslog
I recently talked about sending systemd journal logs to Azure Monitor, and that blog post focused on using the OMS agent to collect logs from a systemd unit and send them to Azure Monitor through syslog.

Generating test syslog messages from the command line on an RSA Security Analytics Linux appliance
Article Number 000031260 Applies To RSA Product Set: Security Analytics RSA Product/Service Type: Security Analytics Server, Decoder, Log Decoder, Concentrator, Broker, Event Stream Analysis (ESA), Archiver, Malware Analysis RSA Version/Condition: 10.3.x, 10.4.x, 10.5.x Platform: CentOS O/S Version:…