Plan and Configure Syslog and CEF Event Collections
Why It Is Important
Syslog and Common Event Format (CEF) collections are fundamental to security operations because they enable centralized logging from diverse sources including Linux servers, network devices, firewalls, and security appliances. For a Security Operations Analyst, understanding these collection methods is critical for achieving comprehensive visibility across the enterprise environment. Many legacy systems and network infrastructure components only support Syslog or CEF, making these protocols essential for complete security monitoring coverage in Microsoft Sentinel.
What It Is
Syslog is the standard protocol for sending log messages across IP networks. RFC 5424 defines the current message format, though many devices still emit the older BSD-style format described in RFC 3164. It traditionally uses UDP port 514; plain TCP (RFC 6587) and TLS-secured transport (RFC 5425, TCP port 6514) are also supported.
CEF (Common Event Format) is a log format originally defined by ArcSight that structures a security event as a fixed, pipe-delimited header (CEF version, device vendor, product, device version, event class ID, name, severity) followed by key=value extension fields. CEF messages are carried as the payload of ordinary Syslog messages, which is what makes them easy to normalize and query.
In Microsoft Sentinel, these logs are collected using:
- Azure Monitor Agent (AMA) with Data Collection Rules (DCRs), the current approach
- Log Analytics agent (legacy, replaced by AMA)
- A dedicated Linux log forwarder running one of those agents, for network devices and appliances that cannot host an agent themselves
How It Works
Architecture Overview:
1. Source devices send Syslog or CEF messages to a log forwarder over UDP or TCP 514 (or TLS on TCP 6514)
2. The forwarder's syslog daemon (rsyslog or syslog-ng) receives them and hands them to the Azure Monitor Agent or Log Analytics agent running on the same host
3. Data Collection Rules define which facilities and severity levels to collect
4. Logs are ingested into the Syslog or CommonSecurityLog table in Log Analytics
Key Configuration Steps:
- Deploy a Linux-based log forwarder VM in Azure or on-premises
- Install the Azure Monitor Agent on the forwarder
- Create Data Collection Rules specifying Syslog facilities (auth, authpriv, cron, daemon, etc.) and minimum log levels
- Configure source devices to forward logs to the collector's IP address and listening port, and make sure the forwarder's host firewall and network security group admit that traffic
- Verify ingestion: CEF logs appear in the CommonSecurityLog table, standard Syslog in the Syslog table
Syslog Facilities and Severities:
- Facilities (codes 0-23): kern (0), user (1), mail (2), daemon (3), auth (4), syslog (5), lpr (6), news (7), uucp (8), cron (9), authpriv (10), ftp (11), local0-local7 (16-23)
- Severities (codes 0-7, lower is more severe): Emergency (0), Alert (1), Critical (2), Error (3), Warning (4), Notice (5), Informational (6), Debug (7)
- The PRI value in angle brackets at the start of each message is facility * 8 + severity, so a DCR's facility and minimum-level filter is a check on those two numbers
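The pipeline above, from PRI decoding through the facility and minimum-level check a DCR applies to the split between the CommonSecurityLog and Syslog tables, as an added Python example. This is not code from the original page, from Microsoft, or from the rsyslog/AMA tooling; it models the routing decision rather than the agent itself. The DCR rule tables, the sample messages, the vendor name and the `vendorRuleId` extension key are constructed for the example, and only a subset of the CommonSecurityLog column mappings (src, dst, spt, dpt, act, msg, suser, duser) is shown.

```python
"""Added example: models the forwarder-to-table routing the text describes.
Not code from the original page, Microsoft, or the rsyslog/AMA tooling.
Sample messages and DCR rule tables below are constructed for the example."""
import re

# RFC 5424 facility codes 0-23 (names for 12-15 follow the RFC's table).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"
              ] + [f"local{i}" for i in range(8)]
# RFC 5424 severity codes 0-7; a LOWER code means MORE severe.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# CEF extension keys with dedicated CommonSecurityLog columns (subset only).
CEF_COLUMNS = {"src": "SourceIP", "dst": "DestinationIP", "spt": "SourcePort",
               "dpt": "DestinationPort", "act": "DeviceAction", "msg": "Message",
               "suser": "SourceUserName", "duser": "DestinationUserName"}
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

def encode_pri(facility, severity):
    # PRI = facility * 8 + severity, e.g. local4.info -> 20 * 8 + 6 = 166
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)

def parse_pri(line):
    """Return (facility, severity, remainder) for a '<PRI>...' syslog line."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> header")
    fac, sev = divmod(int(m.group(1)), 8)
    if fac >= len(FACILITIES):
        raise ValueError(f"invalid PRI {m.group(1)}")
    return FACILITIES[fac], SEVERITIES[sev], m.group(2)

def passes_dcr(facility, severity, rule):
    """rule maps facility -> minimum log level, as a Sentinel DCR does.
    A minimum of 'warning' admits warning, err, crit, alert and emerg."""
    min_level = rule.get(facility)
    return (min_level is not None
            and SEVERITIES.index(severity) <= SEVERITIES.index(min_level))

def split_cef_header(text):
    # Seven pipe-delimited header fields; backslash escapes '|' and '\'.
    fields, cur, i = [], [], 0
    while i < len(text) and len(fields) < 7:
        c = text[i]
        if c == "\\" and i + 1 < len(text):
            cur.append(text[i + 1]); i += 2; continue
        if c == "|":
            fields.append("".join(cur)); cur = []; i += 1; continue
        cur.append(c); i += 1
    if len(fields) < 7:
        raise ValueError("truncated CEF header")
    return fields, text[i:]            # remainder is the extension block

def parse_cef_extension(ext):
    # key=value pairs; values may contain spaces, so split only at a space
    # that is followed by 'key='. Unescape \= \\ \n \r inside values.
    out = {}
    for token in re.split(r" (?=[\w.]+=)", ext.strip()):
        if "=" in token:
            k, v = token.split("=", 1)
            out[k] = re.sub(r"\\([=\\nr])",
                            lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), v)
    return out

def route(line, cef_rule, syslog_rule):
    """Return (table, row) or None when no DCR admits the message."""
    facility, severity, rest = parse_pri(line)
    cef_at = rest.find("CEF:")
    if cef_at == -1:                   # plain syslog -> Syslog table
        if not passes_dcr(facility, severity, syslog_rule):
            return None
        return "Syslog", {"Facility": facility, "SeverityLevel": severity,
                          "SyslogMessage": rest.strip()}
    if not passes_dcr(facility, severity, cef_rule):
        return None
    header, ext = split_cef_header(rest[cef_at + len("CEF:"):])
    row = {"DeviceVendor": header[1], "DeviceProduct": header[2], "DeviceVersion": header[3],
           "DeviceEventClassID": header[4], "Activity": header[5], "LogSeverity": header[6]}
    for k, v in parse_cef_extension(ext).items():
        if k in CEF_COLUMNS:
            row[CEF_COLUMNS[k]] = v
        else:                          # unmapped keys land in AdditionalExtensions
            row.setdefault("AdditionalExtensions", {})[k] = v
    return "CommonSecurityLog", row

# Constructed DCRs: the firewall emits CEF on local4; hosts send auth/cron syslog.
CEF_DCR = {"local4": "info"}
SYSLOG_DCR = {"auth": "info", "authpriv": "info", "cron": "warning"}

# Constructed samples (hypothetical vendor; 'vendorRuleId' is an invented key).
SAMPLES = [
    "<166>Jan 12 10:01:22 fw01 CEF:0|Vendor\\|Inc|NGFW|7.1|100|Blocked outbound|5|"
    "src=10.0.0.5 dst=203.0.113.7 spt=51234 dpt=445 act=deny vendorRuleId=42 "
    "msg=Policy rule\\=deny_smb",                                     # local4.info
    "<86>Jan 12 10:01:23 host1 sshd[2211]: Failed password for invalid user admin "
    "from 198.51.100.9 port 4022 ssh2",                               # authpriv.info
    "<78>Jan 12 10:01:24 host1 CRON[300]: (root) CMD (run-parts /etc/cron.hourly)",  # cron.info
]

def demo():
    return [route(s, CEF_DCR, SYSLOG_DCR) for s in SAMPLES]

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Running `demo()` routes the firewall message to CommonSecurityLog (with the escaped `\|` and `\=` restored), the sshd message to Syslog, and drops the cron.info line because the cron minimum is warning. One caveat the model does not reproduce: it returns after the first matching stream, but if the same facility is listed in both a CEF DCR and a Syslog DCR the real agent ingests the message into both tables, so keep the facility sets of the two DCRs disjoint.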
Exam Tips: Answering Questions on Plan and Configure Syslog and CEF Event Collections
Key Concepts to Remember:
1. Table Destinations: CEF logs go to CommonSecurityLog table; standard Syslog goes to Syslog table. This distinction appears frequently in exam questions.
2. Agent Selection: Azure Monitor Agent with DCRs is the current recommended approach. Log Analytics Agent is legacy but may still appear in scenarios.
3. Port Numbers: Default Syslog uses UDP 514 (plain TCP 514 is also common). Syslog over TLS uses TCP 6514.
4. Forwarder Requirements: When devices cannot run agents themselves, a dedicated Linux forwarder is required. Know that this forwarder needs the agent installed.
5. Data Collection Rules: DCRs control which facilities are collected and the minimum severity level for each. The minimum level admits that level and everything more severe: a minimum of Warning collects Warning, Error, Critical, Alert and Emergency, but not Notice, Informational or Debug.
6. CEF Format: Questions may test understanding that CEF is a structured format transported via Syslog, not a separate protocol.
Common Question Patterns:
- Scenario questions asking which table to query for firewall CEF logs (Answer: CommonSecurityLog)
- Questions about minimum infrastructure needed to collect from network appliances (Answer: Linux forwarder with agent)
- Configuration questions about filtering log severity levels in DCRs
- Troubleshooting scenarios where logs are not appearing in the expected table
Watch Out For:
- Questions that mix up Syslog and CEF table destinations
- Scenarios where the answer requires understanding that some devices need a forwarder rather than a local agent
- Questions testing knowledge of which agent type to use for new deployments versus legacy environments