Solution:
Enable Azure Log Analytics Workspace
Activate Azure Sentinel
Create Virtual Machine (CentOS) and Install Log Forwarder (Rsyslog)
Configure Logging from Palo Alto Networks Device (On-premise) to Send CEF Logs to Rsyslog
Install Advanced Management Agent (AMA)
Monitor Logs
Required Resources:
1. Azure Free Account ($200 Credit)
2. Palo Alto Firewall
----------------------------------------------------------------
DEPLOYMENT STEPS
00:00 - 01:19 - Intro
01:20 - 04:30 - Enable Azure Log Analytics Workspace
04:31 - 06:53 - Activate Azure Sentinel, Map with our Log Analytics Workspace
06:54 - 14:20 - Create Virtual Machine (CentOS) and Install Log Forwarder (Rsyslog)
14:20 - 16:42 - Configure Azure NSG, Set up and Test Connectivity (Ports 22, 514, 5114, ICMP, etc.)
16:43 - 31:30 - Installing Rsyslog and Tuning Rsyslog
31:31 - 34:30 - Configure Logging from Palo Alto Networks On-Prem to Send CEF Logs to Rsyslog
34:31 - 38:14 - Monitor Log and Set up SELinux, Restart Service
38:15 - 38:26 - Verify Palo Alto Service Route
38:27 - 39:07 - Monitor Log Again, Verify Log Info
39:08 - 44:05 - Install CEF and Palo Alto Connector from Azure Content Hub and Create DCR
44:06 - 45:33 - Install Advanced Management Agent (AMA) on Rsyslog
45:34 - 49:26 - Verify Sentinel Connector Status and Query CEF Logs Retrieved from Palo Alto
----------------------------------------------------------------
Command List
Step 1: Check if Rsyslog is Already Installed
rpm -q rsyslog
yum list installed | grep rsyslog
Step 2: Update Your Package List
This is good practice before installing any new software.
sudo yum update
Step 3: Install Rsyslog
If Rsyslog is not already installed, you can install it using yum.
sudo yum install rsyslog
Step 4: Start the Rsyslog Service
Once the installation is complete, you'll want to start the Rsyslog service.
sudo systemctl start rsyslog
Step 5: Enable Rsyslog at Boot
If you want Rsyslog to start whenever your system boots, enable it as follows:
sudo systemctl enable rsyslog
Step 6: Verify the Service Status
To ensure that Rsyslog is running without any issues, you can check its status.
sudo systemctl status rsyslog
Step 7: Configure Rsyslog (Optional)
The main configuration file for Rsyslog is located at /etc/rsyslog.conf. You can edit this file to customize Rsyslog's behavior. To receive the firewall's CEF logs, uncomment (or add) the UDP and TCP listeners on port 514:
# Provides UDP syslog reception
# for parameters see www.rsyslog.com/doc/imudp.html
module(load="imudp") # needs to be done just once
input(type="imudp" port="514")
# Provides TCP syslog reception
# for parameters see www.rsyslog.com/doc/imtcp.html
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")
sudo vi /etc/rsyslog.conf
In vi, press i to insert text; press Esc, then :wq to save and exit, :q! to exit without saving, or :q to exit when nothing has changed.
Make your changes, then save and exit the text editor.
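An added example of the tuning step, not the video's own configuration: this rsyslog RainerScript fragment binds both port 514 listeners to a dedicated ruleset, keeps a local copy of the firewall traffic for troubleshooting, and forwards only lines that contain "CEF:" to the AMA's local listener. The drop-in file path (/etc/rsyslog.d/20-cef.conf), the local log path, and the agent's listener address and port (127.0.0.1, TCP 28330, taken from Microsoft's Sentinel CEF-via-AMA documentation) are assumptions, not values from this video.

```conf
# Added example, not the video's config. Assumed path: /etc/rsyslog.d/20-cef.conf
# Listen on UDP and TCP 514 (matching the NSG and firewalld rules) and hand every
# received message to the "cef" ruleset instead of the default one.
module(load="imudp")
input(type="imudp" port="514" ruleset="cef")
module(load="imtcp")
input(type="imtcp" port="514" ruleset="cef")

ruleset(name="cef") {
    # Keep a local copy so you can tail it while testing (assumed path).
    action(type="omfile" file="/var/log/cef.log")
    # Only CEF-formatted lines go on to the agent; the localhost port is the
    # AMA listener assumed from Microsoft's documentation.
    if ($rawmsg contains "CEF:") then {
        action(type="omfwd" target="127.0.0.1" port="28330" protocol="tcp")
    }
}
```

A module can be loaded only once and a port bound only once, so if the listeners are already enabled in /etc/rsyslog.conf, remove them there or drop the module()/input() lines from this file. The Sentinel connector's DCR setup usually writes its own forwarding rule under /etc/rsyslog.d, so check that directory before adding a second forwarder. Validate the syntax with sudo rsyslogd -N1 before restarting the service.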
Step 8: Restart the Rsyslog Service
Whenever you make changes to the Rsyslog configuration, you'll need to restart the service.
sudo systemctl restart rsyslog
Step 9: Test the Configuration (Optional)
You can test whether Rsyslog is properly configured by generating a log message.
logger "This is a test log message"
Then, you can check the logs to see if your message appears:
sudo tail -f /var/log/messages
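Once firewall messages show up in /var/log/messages, the next question is whether they are well-formed CEF, because the Sentinel connector parses the CEF header and extension strictly. The following POSIX shell functions are an added example, not part of the video's command list: they split the CEF header (honouring pipes escaped as \|), check that the mandatory seven header fields are present, and pull a named key out of the extension even when its value contains spaces. Both sample lines are constructed for this example; the vendor, product, version and field values are illustrative, not real firewall output.

```shell
# Added example, not from the video. Source this file on the forwarder and run a
# line captured from /var/log/messages through the functions below.

# Constructed samples (not real logs): syslog PRI/timestamp/host prefix, then CEF.
SAMPLE_CEF='<14>Jan 10 12:00:00 pa-fw-01 CEF:0|Palo Alto Networks|PAN-OS|10.2.0|TRAFFIC|end|3|rt=Jan 10 2024 12:00:00 src=10.0.0.5 dst=10.0.0.9 spt=51512 dpt=443 act=allow'
# A pipe inside a header field must be escaped as \| so it is not read as a delimiter.
SAMPLE_ESCAPED='<14>Jan 10 12:00:00 pa-fw-01 CEF:0|Palo Alto Networks|PAN-OS|10.2.0|THREAT|Rule \| allow|5|src=10.0.0.5 act=deny'

# Strip the syslog prefix so the line starts at "CEF:", and swap escaped pipes
# for a placeholder byte so awk can safely split on "|".
_cef_normalize() {
    printf '%s\n' "$1" | awk '{ sub(/^.*CEF:/, "CEF:"); gsub(/\\[|]/, "\001"); print }'
}

# cef_header_field LINE N: print CEF header field N (0-based):
# 0=Version 1=Device Vendor 2=Device Product 3=Device Version
# 4=Signature ID 5=Name 6=Severity. Escaped pipes are restored.
cef_header_field() {
    _cef_normalize "$1" | awk -F'[|]' -v n="$2" '{
        v = $(n + 1)
        if (n == 0) sub(/^CEF:/, "", v)
        gsub("\001", "|", v)
        print v
    }'
}

# cef_is_valid LINE: return 0 when the line carries a CEF:0 header with all seven
# header fields followed by the extension delimiter (the extension may be empty).
cef_is_valid() {
    _cef_normalize "$1" | awk -F'[|]' '
        $1 == "CEF:0" && NF >= 8 { ok = 1 }
        END { exit(ok ? 0 : 1) }'
}

# cef_extension LINE KEY: print the value of KEY from the extension part.
# Values may contain spaces (e.g. rt=Jan 10 2024 12:00:00), so a value runs
# until the next " key=" token or the end of the line. Prints nothing if absent.
cef_extension() {
    _cef_normalize "$1" | awk -F'[|]' -v key="$2" '{
        # The extension is everything after the seventh pipe; pipes there are data.
        ext = $8
        for (i = 9; i <= NF; i++) ext = ext "|" $i
        gsub("\001", "|", ext)
        s = " " ext
        pos = index(s, " " key "=")
        if (pos == 0) exit
        rest = substr(s, pos + length(key) + 2)
        if (match(rest, / [A-Za-z0-9_.-]+=/)) rest = substr(rest, 1, RSTART - 1)
        print rest
    }'
}

# Usage on the forwarder, e.g. with the last CEF line rsyslog wrote:
#   line=$(grep 'CEF:' /var/log/messages | tail -n 1)
#   cef_is_valid "$line" && cef_header_field "$line" 1 && cef_extension "$line" src
```

A line that fails cef_is_valid (for example one with an unescaped pipe in the rule name, which shifts every later header field) will also be parsed wrongly by the connector, so fix the sender's log format before looking at the data collection rule.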
Useful commands for troubleshooting the Rsyslog server:
Open Port 514 for TCP and UDP
sudo systemctl start firewalld
sudo systemctl enable firewalld
sudo systemctl status firewalld
sudo firewall-cmd --add-port=514/tcp --permanent
sudo firewall-cmd --add-port=514/udp --permanent
sudo firewall-cmd --reload
sudo firewall-cmd --list-all
Install NTP (on CentOS 8 and later the ntp package is no longer shipped; chrony is installed by default instead)
sudo yum install ntp
sudo systemctl enable ntpd
sudo systemctl start ntpd
Configure Date and Time to the Bangkok Time Zone
timedatectl list-timezones | grep -i bangkok
sudo timedatectl set-timezone Asia/Bangkok
timedatectl status
sudo timedatectl set-ntp true
Check whether Port 514 is listening (netstat comes from the net-tools package, so install it first)
sudo dnf install net-tools
netstat -an | grep 514
Check network status
ip -s route
ip route show table local
ip link show
ip addr show …
----------------------------------------------------------------
13 Jul 2024