
Step-by-Step Activate Azure Analytics Workspace & Azure Sentinel & Ingest Palo Alto CEF Logs 

TechDevSec
3.3K views

Solution:
Enable Azure Log Analytics Workspace
Activate Azure Sentinel
Create Virtual Machine (CentOS) and Install Log Forwarder (Rsyslog)
Configure Logging from Palo Alto Networks Device (On-premise) to Send CEF Logs to Rsyslog
Install Advanced Management Agent (AMA)
Monitor Logs
Required Resources:
1. Azure Free Account ($200 Credit)
2. Palo Alto Firewall
----------------------------------------------------------------
DEPLOYMENT STEPS
00:00 - 01:19 - Intro
01:20 - 04:30 - Enable Azure Log Analytics Workspace
04:31 - 06:53 - Activate Azure Sentinel and Map It to Our Log Analytics Workspace
06:54 - 14:20 - Create Virtual Machine (CentOS) and Install Log Forwarder (Rsyslog)
14:20 - 16:42 - Configure Azure NSG, Set Up and Test Connectivity (Ports 22, 514, 5114, ICMP, etc.)
16:43 - 31:30 - Install and Tune Rsyslog
31:31 - 34:30 - Configure Logging from Palo Alto Networks On-Prem to Send CEF Logs to Rsyslog
34:31 - 38:14 - Monitor Logs, Set Up SELinux, Restart Service
38:15 - 38:26 - Verify Palo Alto Service Route
38:27 - 39:07 - Monitor Logs Again, Verify Log Info
39:08 - 44:05 - Install the CEF and Palo Alto Connectors from the Azure Content Hub and Create a DCR
44:06 - 45:33 - Install Advanced Management Agent (AMA) on the Rsyslog Server
45:34 - 49:26 - Verify Sentinel Connector Status and Query CEF Logs Retrieved from Palo Alto
----------------------------------------------------------------
Command List
Step 1: Check if Rsyslog is Already Installed
rpm -q rsyslog
yum list installed | grep rsyslog
Step 2: Update Your Package List
This is good practice before installing any new software.
sudo yum update
Step 3: Install Rsyslog
If Rsyslog is not already installed, you can install it using yum.
sudo yum install rsyslog
Step 4: Start the Rsyslog Service
Once the installation is complete, you'll want to start the Rsyslog service.
sudo systemctl start rsyslog
Step 5: Enable Rsyslog at Boot
If you want Rsyslog to start whenever your system boots, enable it as follows:
sudo systemctl enable rsyslog
Step 6: Verify the Service Status
To ensure that Rsyslog is running without any issues, you can check its status.
sudo systemctl status rsyslog
Step 7: Configure Rsyslog (Optional)
To receive CEF messages from the Palo Alto firewall, enable the UDP and TCP listeners on port 514 in /etc/rsyslog.conf (uncomment the lines if they are already present):
# Provides UDP syslog reception
# for parameters see www.rsyslog.com/doc/imudp.html
module(load="imudp") # needs to be done just once
input(type="imudp" port="514")
# Provides TCP syslog reception
# for parameters see www.rsyslog.com/doc/imtcp.html
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")
The main configuration file for Rsyslog is located at /etc/rsyslog.conf. You can edit this file to customize Rsyslog's behavior.
In vi, press i to enter insert mode; to exit, press ESC and then :wq (save and quit), :q! (quit without saving) or :q (quit when nothing has changed).
sudo vi /etc/rsyslog.conf
Make your changes, then save and exit the text editor.
Step 8: Restart the Rsyslog Service
Whenever you make changes to the Rsyslog configuration, you'll need to restart the service.
sudo systemctl restart rsyslog
Step 9: Test the Configuration (Optional)
You can test whether Rsyslog is properly configured by generating a log message.
logger "This is a test log message"
Then, you can check the logs to see if your message appears:
sudo tail -f /var/log/messages
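Once the firewall starts sending, the tail above shows raw lines, but it does not tell you whether what arrived is well-formed CEF that the CEF connector will parse (seven pipe-separated header fields, then key=value extensions). The script below is an added example, not code from the video, rsyslog or Microsoft: it defines small sh/awk helpers (cef_is_valid, cef_header, cef_ext, rsyslog_listener_ok are all names invented here) that check a line's CEF structure, pull out the vendor, event name, severity and extension values, and confirm that the active rsyslog config has a listener on port 514. The SAMPLE line is constructed for the demo in the shape of a PAN-OS TRAFFIC event and is not a real log; the file checks at the end only run when /etc/rsyslog.conf and /var/log/messages exist on the forwarder.

```shell
#!/bin/sh
# Added example (not from the video, rsyslog or Microsoft): sanity checks for the
# CEF lines rsyslog writes to /var/log/messages, so "the firewall is not sending"
# can be told apart from "the line is not valid CEF" before looking at AMA/Sentinel.
# Needs only POSIX sh, awk and grep. SAMPLE is constructed for this demo.

SAMPLE='Jul 13 10:15:01 pan-fw CEF:0|Palo Alto Networks|PAN-OS|10.1.0|end|TRAFFIC|1|rt=Jul 13 2024 10:15:00 src=10.0.0.5 dst=203.0.113.7 dpt=443 act=allow'

# cef_is_valid LINE: exit 0 when LINE carries "CEF:0|" and all seven header fields
# (Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|extension),
# i.e. at least 7 pipes. The syslog prefix rsyslog prepends contains no pipes.
cef_is_valid() {
  printf '%s\n' "$1" | awk -F'|' '
    index($0, "CEF:0|") == 0 { exit 1 }
    NF < 8                   { exit 1 }
    { exit 0 }'
}

# cef_header LINE N: print header field N
# (0=Version 1=Vendor 2=Product 3=DeviceVersion 4=SignatureID 5=Name 6=Severity).
cef_header() {
  printf '%s\n' "$1" | awk -F'|' -v n="$2" '{ sub(/^.*CEF:/, "", $1); print $(n + 1) }'
}

# cef_ext LINE KEY: print the value of extension key KEY (src, dst, rt, act, ...).
# Values may contain spaces (rt=Jul 13 2024 ...), so the value runs until the next
# " key=" token rather than the next space. Prints nothing when KEY is absent.
cef_ext() {
  printf '%s\n' "$1" | awk -F'|' -v k="$2" '{
    ext = ""
    for (i = 8; i <= NF; i++) ext = ext (i > 8 ? "|" : "") $i   # rejoin pipes inside the extension
    if (match(" " ext, " " k "=")) {
      rest = substr(" " ext, RSTART + RLENGTH)
      if (match(rest, / [A-Za-z0-9_]+=/)) rest = substr(rest, 1, RSTART - 1)
      print rest
    }
  }'
}

# rsyslog_listener_ok < CONFIG: exit 0 when the config has an active (not commented
# out) imudp or imtcp input on port 514, the port opened in firewalld and the NSG.
rsyslog_listener_ok() {
  grep -Eq '^[[:space:]]*input\(type="im(udp|tcp)"[[:space:]]+port="514"\)'
}

# Demo on the constructed sample line.
if cef_is_valid "$SAMPLE"; then
  echo "valid CEF: vendor=$(cef_header "$SAMPLE" 1) name=$(cef_header "$SAMPLE" 5)" \
       "severity=$(cef_header "$SAMPLE" 6) src=$(cef_ext "$SAMPLE" src) act=$(cef_ext "$SAMPLE" act)"
fi

# On the forwarder: confirm the live config listens on 514 and inspect the newest CEF line.
if [ -r /etc/rsyslog.conf ]; then
  if cat /etc/rsyslog.conf /etc/rsyslog.d/*.conf 2>/dev/null | rsyslog_listener_ok; then
    echo "rsyslog: port 514 listener enabled"
  else
    echo "rsyslog: no active port 514 listener found"
  fi
fi
if [ -r /var/log/messages ]; then
  last=$(grep 'CEF:0|' /var/log/messages | tail -n 1)
  if [ -n "$last" ] && cef_is_valid "$last"; then
    echo "newest CEF line from $(cef_header "$last" 1): $(cef_header "$last" 5) severity=$(cef_header "$last" 6)"
  else
    echo "no valid CEF line in /var/log/messages yet"
  fi
fi
```

Run it on the rsyslog VM after the firewall has been pointed at it; if the listener check passes but no valid CEF line appears, the problem is upstream of rsyslog (firewall log forwarding profile, service route, NSG or firewalld), not in the AMA data collection rule.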
Useful commands for troubleshooting the Rsyslog server:
Open Port 514 for TCP and UDP
sudo systemctl start firewalld
sudo systemctl enable firewalld
sudo systemctl status firewalld
sudo firewall-cmd --add-port=514/tcp --permanent
sudo firewall-cmd --add-port=514/udp --permanent
sudo firewall-cmd --reload
sudo firewall-cmd --list-all
Install NTP
sudo yum install ntp
sudo systemctl enable ntpd
sudo systemctl start ntpd
Configure Date and Time for the Bangkok Time Zone
timedatectl list-timezones | grep -i bangkok
sudo timedatectl set-timezone Asia/Bangkok
timedatectl status
sudo timedatectl set-ntp true
Check Whether Port 514 Is Listening (netstat is provided by the net-tools package)
sudo dnf install net-tools
netstat -an | grep 514
Check Network Status
ip -s route
ip route show table local
ip link show
ip addr show …
learn.microsoft.com/en-us/azu...
learn.microsoft.com/en-us/azu...
learn.microsoft.com/en-us/azu...
----------------------------------------------------------------

Published: 13 Jul 2024

Comments: 13
@TheNetworkViking (9 months ago)
Your content is really very helpful. I really appreciate you sharing it with all of us. 🙌🙌🙌🙌
@TechDevSec (9 months ago)
Thanks so much for your comment; it means a lot.
@imwhtim (7 months ago)
Brother, request you to make more such videos on Microsoft Sentinel; there are rare videos on Sentinel that carry in-depth information. Please, brother, request to create more. This is the bestest best video on Sentinel so far I have seen. Your work is awesome, also the way you explained. Point to point.
@TechDevSec (6 months ago)
Thank you for your kind words. Creating a deep-dive video is time-consuming, and I strive to make them more efficient and user-friendly. I'll publish more content on Sentinel as soon as I can, my friend.
@imwhtim (6 months ago)
@TechDevSec this will be a great help for the society. Trust me, brother, even paid courses don't have this content.
@amanjha2289 (4 months ago)
Boss, we need more videos like this.
@wearewhoweare6602 (8 months ago)
Great vid, Boss... Kindly do more Sentinel vids for the community. Please, Boss, we the English-speaking community are requesting this 😢😢😢😢😢😢
@RaviAmardeepKucheria (6 months ago)
Great video. In addition, could you share how we can rotate logs using the logrotate service on the CEF server for /var/log/messages? Also, is the TimeGenerated value for PA logs equal to the ReceiptTime value? If not, is there a workaround for this issue?
@arvindthakur8987 (7 months ago)
Please publish more content on Sentinel, ninja-training kind of content.
@TechDevSec (6 months ago)
Will do!
@wearewhoweare6602 (8 months ago)
However, you did not drop all the commands and links you mentioned in the video.
@TechDevSec (8 months ago)
Thank you for your comment. I've posted a command list and a Microsoft link in the video's description. Creating technical videos is time-consuming, and I aim to make them more efficient and user-friendly. I will be publishing more content on Sentinel soon.
@wearewhoweare6602 (8 months ago)
@TechDevSec Thank you very much, Boss man...