
Exam SC-200 topic 3 question 36 discussion

Actual exam question from Microsoft's SC-200
Question #: 36
Topic #: 3

DRAG DROP -
You have the resources shown in the following table.

You need to prevent duplicate events from occurring in SW1.
What should you use for each action? To answer, drag the appropriate resources to the correct actions. Each resource may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:

Suggested Answer:

Comments

Metasploit
Highly Voted 2 years, 9 months ago
Server 1 and Server 1. "Using the same machine to forward both plain Syslog and CEF messages":
1) Server 1: change to stop the plain Syslog from also sending CEF logs to the forwarder.
2) Server 1: change to disable the Log Analytics agent from syncing with Microsoft Sentinel's Syslog configuration, so that changes made in step 1 do not get overwritten.
SW1 receives the data only from CEF1; CEF1 needs to send data collected in CEF messages from Server1 and plain Syslog from Server2. Seeing that Server 2 is configured to send plain Syslog to CEF1, there is no Log Analytics agent on this server to duplicate data. Everything is happening on Server1. Big purple note box, Ctrl+F, search for "duplication of events". https://learn.microsoft.com/en-us/azure/sentinel/connect-log-forwarder?tabs=rsyslog
upvoted 26 times
AMZ
2 years, 9 months ago
Looking at the documentation I agree.
upvoted 6 times
CarisB
Highly Voted 3 years ago
Server 1 & Server 1. From the note at https://docs.microsoft.com/en-us/azure/sentinel/connect-log-forwarder?tabs=rsyslog#run-the-deployment-script :
"Using the same machine to forward both plain Syslog and CEF messages. If you plan to use this log forwarder machine to forward Syslog messages as well as CEF, then in order to avoid the duplication of events to the Syslog and CommonSecurityLog tables: **On each source machine that sends logs to the forwarder in CEF format**, you must edit the Syslog configuration file to remove the facilities that are being used to send CEF messages. This way, the facilities that are sent in CEF won't also be sent in Syslog. See Configure Syslog on Linux agent for detailed instructions on how to do this. You must run the following command **on those machines** to disable the synchronization of the agent with the Syslog configuration in Microsoft Sentinel. This ensures that the configuration change you made in the previous step does not get overwritten."
upvoted 10 times
Chase77
Most Recent 8 months, 3 weeks ago
Question is now deprecated. Ignore question - Nov 2024: https://learn.microsoft.com/en-us/previous-versions/azure/sentinel/connect-log-forwarder?tabs=rsyslog#run-the-deployment-script
upvoted 4 times
DChilds
1 year, 3 months ago
I am confused by this question and the Microsoft docs aren't helping either. If you remove facilities to send CEF messages from Server1 and only send Syslog logs then how does CEF1 forward logs to SW1 as it is configured to only forward CEF format? Shouldn't the option be "From the Syslog configuration, remove facilities to send Syslog messages" or something like that?
upvoted 2 times
chepeerick
1 year, 9 months ago
Correct option.
upvoted 1 times
donathon
1 year, 11 months ago
Both Server1. "Using the same machine to forward both plain Syslog and CEF messages. If you plan to use this log forwarder machine to forward Syslog messages as well as CEF, then in order to avoid the duplication of events to the Syslog and CommonSecurityLog tables: On each source machine that sends logs to the forwarder in CEF format, you must edit the Syslog configuration file to remove the facilities that are being used to send CEF messages. This way, the facilities that are sent in CEF won't also be sent in Syslog. See Configure Syslog on Linux agent for detailed instructions on how to do this. You must run the following command on those machines to disable the synchronization of the agent with the Syslog configuration in Microsoft Sentinel. This ensures that the configuration change you made in the previous step does not get overwritten."
sudo su omsagent -c 'python /opt/microsoft/omsconfig/Scripts/OMS_MetaConfigHelper.py --disable'
upvoted 2 times
7c0a
2 years, 1 month ago
Both are CEF1. What is the main goal? Forward CEF, not the Syslog, to the Log Analytics workspace. This means both changes must be done on a log forwarder: CEF1. Why would you need to forward Syslog to a log forwarder if you have a Log Analytics agent installed? Check out the command in the documentation:
sudo su omsagent -c 'python /opt/microsoft/omsconfig/Scripts/OMS_MetaConfigHelper.py --disable'
Be careful: in the documentation the source machine is the LOG FORWARDER (there might be many), because one forwarder can handle up to 5000 EPS, or you have a segregated environment, multiple datacenters, etc. https://learn.microsoft.com/en-us/azure/sentinel/connect-log-forwarder?tabs=rsyslog
But in real life you would want to have a log forwarder for CEF and Syslog; just create appropriate expression-based rsyslog filtering rules and place them in the correct order.
upvoted 1 times
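As an added illustration (not code from the page, the exam, or Microsoft's documentation) of the duplication the quoted documentation note describes, and of the facility-based routing that 7c0a's remark about rsyslog filtering rules refers to, the following Python model plays the role of a forwarder: CEF messages always go to the CommonSecurityLog path, and every facility listed in the plain-Syslog configuration goes to the Syslog path. With the default "all facilities" configuration, a CEF-carrying facility lands in both tables; removing the CEF facilities from the plain-Syslog configuration, as the note instructs, removes the duplicates. The sample messages, the facility table, and the use of local4 (facility 20) as the CEF facility are constructed assumptions for the example.

```python
"""Model of event duplication on a Sentinel log forwarder that collects
both plain Syslog and CEF from the same source facilities.
Constructed example; not the page's, the exam's, or Microsoft's code."""
import re
from collections import Counter

# RFC 3164 PRI header: <facility * 8 + severity>
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

# Subset of syslog facility numbers (assumption: local4 carries CEF).
FACILITIES = {0: "kern", 1: "user", 3: "daemon", 4: "auth", 16: "local0", 20: "local4"}

# Constructed sample lines as they would arrive on the forwarder (not real device output).
SAMPLE_LINES = [
    "<165>CEF:0|ExampleVendor|ExampleFW|1.0|100|Connection blocked|5|src=10.0.0.5 dst=10.0.0.9",
    "<165>CEF:0|ExampleVendor|ExampleFW|1.0|101|Connection allowed|3|src=10.0.0.6 dst=10.0.0.9",
    "<30>sshd[1234]: Accepted publickey for alice from 10.0.0.7 port 51000 ssh2",
    "<38>sudo: alice : TTY=pts/0 ; COMMAND=/bin/ls",
]

# Default plain-Syslog configuration: the agent collects every facility, including local4.
DEFAULT_FACILITIES = set(FACILITIES)


def parse(line):
    """Split a syslog line into facility, severity and message body."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing PRI header: %r" % line)
    pri = int(m.group(1))
    return {"facility": pri // 8, "severity": pri % 8, "msg": m.group(2)}


def is_cef(msg):
    """A CEF payload starts with the 'CEF:' version prefix."""
    return msg.startswith("CEF:")


def route(lines, plain_syslog_facilities):
    """Return {table: [messages]} as the forwarder would deliver them.

    CEF messages are always sent to the CommonSecurityLog path; any message
    whose facility is in the plain-Syslog configuration is also sent to the
    Syslog path. A facility that carries CEF and is still in the plain-Syslog
    configuration therefore lands in both tables."""
    tables = {"CommonSecurityLog": [], "Syslog": []}
    for line in lines:
        ev = parse(line)
        if is_cef(ev["msg"]):
            tables["CommonSecurityLog"].append(ev["msg"])
        if ev["facility"] in plain_syslog_facilities:
            tables["Syslog"].append(ev["msg"])
    return tables


def duplicates(tables):
    """Messages that were delivered to more than one table."""
    seen = Counter()
    for msgs in tables.values():
        seen.update(set(msgs))
    return sorted(m for m, n in seen.items() if n > 1)


def cef_facilities(lines):
    """Facilities on which CEF messages arrive."""
    return {parse(l)["facility"] for l in lines if is_cef(parse(l)["msg"])}


def fixed_facilities(lines):
    """The documented fix: drop the CEF facilities from the plain-Syslog configuration."""
    return DEFAULT_FACILITIES - cef_facilities(lines)


if __name__ == "__main__":
    before = route(SAMPLE_LINES, DEFAULT_FACILITIES)
    after = route(SAMPLE_LINES, fixed_facilities(SAMPLE_LINES))
    print("CEF facilities:", sorted(FACILITIES[f] for f in cef_facilities(SAMPLE_LINES)))
    print("duplicates with default config:", len(duplicates(before)))
    print("duplicates after removing CEF facilities:", len(duplicates(after)))
```

Run as a script it reports two duplicated events under the default configuration and none once local4 is removed from the plain-Syslog facility list, which is the effect the documentation's second step (disabling configuration sync) is there to preserve.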
sukhdeep
2 years, 6 months ago
Server1 and CEF1 is the right answer.
upvoted 3 times
Atun23
2 years, 9 months ago
This should be Server 1 and 2? I think I don't understand the real meaning. "Using the same machine to forward both plain Syslog and CEF messages. If you plan to use this log forwarder machine to forward Syslog messages as well as CEF, then in order to avoid the duplication of events to the Syslog and CommonSecurityLog tables:
a. On each source machine that sends logs to the forwarder in CEF format, you must edit the Syslog configuration file to remove the facilities that are being used to send CEF messages. This way, the facilities that are sent in CEF won't also be sent in Syslog. See Configure Syslog on Linux agent for detailed instructions on how to do this.
b. You must run the following command on those machines to disable the synchronization of the agent with the Syslog configuration in Microsoft Sentinel. This ensures that the configuration change you made in the previous step does not get overwritten."
sudo su omsagent -c 'python /opt/microsoft/omsconfig/Scripts/OMS_MetaConfigHelper.py --disable'
https://docs.microsoft.com/en-us/azure/sentinel/connect-log-forwarder?tabs=rsyslog
upvoted 1 times
amsioso
2 years, 10 months ago
Correct: Server1, CEF1.
upvoted 2 times
hanyahmed
2 years, 11 months ago
Correct answer is Server1 and CEF1.
For Server1: "If you plan to use this log forwarder machine to forward Syslog messages as CEF, then to avoid the duplication of events to the Syslog and CommonSecurityLog tables: On each source machine that sends logs to the forwarder in CEF format, you must edit the Syslog configuration file to remove the facilities used to send CEF messages."
For CEF1: "Install the Log Analytics agent for Linux (also known as the OMS agent) and configure it for the following purposes: • Listening for CEF messages from the built-in Linux Syslog daemon on TCP port 25226. Configure the built-in Linux Syslog daemon for the following purposes: • Listening for Syslog messages from your security solutions on TCP port 514. • Forwarding only the messages it identifies as CEF to the Log Analytics agent on localhost using TCP port 25226."
From <https://docs.microsoft.com/en-us/learn/modules/connect-common-event-format-logs-to-azure-sentinel/3-connect-your-external-solution-use-common-event-format-connector>
upvoted 2 times
prjreddit
3 years ago
- Server1 change: "On each source machine that sends logs to the forwarder in CEF format" (SERVER1), "you must edit the Syslog configuration file to remove the facilities that are being used to send CEF messages. This way, the facilities that are sent in CEF won't also be sent in Syslog."
- Server1 change: "You must run the following command on those machines" (the ones you ran it on previously, i.e. SERVER1) "to disable the synchronization of the agent with the Syslog configuration in Microsoft Sentinel. This ensures that the configuration change you made in the previous step does not get overwritten."
https://docs.microsoft.com/en-us/azure/sentinel/connect-log-forwarder?tabs=rsyslog#run-the-deployment-script
upvoted 4 times
Nickname01
2 years, 9 months ago
After reading the note on https://learn.microsoft.com/en-us/azure/sentinel/connect-log-forwarder?tabs=rsyslog#run-the-deployment-script I think you are correct: Server 1 and Server 1.
upvoted 2 times
youl_cla
3 years, 1 month ago
Server 2 & Server 2, cf. the purple note in the documentation provided: https://docs.microsoft.com/en-us/azure/sentinel/connect-log-forwarder?tabs=rsyslog
upvoted 2 times
ariania
3 years ago
No, the purple note states you should disable the source that sends CEF, so Server1 and then SW1.
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other