Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

New connector template for SyslogAma

This commit is contained in:
haim-na 2024-01-04 13:49:27 +02:00 коммит произвёл GitHub
Родитель d264cdabc2
Коммит 02278d9a19
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
1 изменённых файлов: 107 добавлений и 0 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

107
Solutions/Syslog/Data Connectors/template_SyslogAma.json Normal file
Просмотреть файл

@ -0,0 +1,107 @@
{
"id": "SyslogAma",
"title": "Syslog via AMA (Preview)",
"publisher": "Microsoft",
"descriptionMarkdown": "Syslog is an event logging protocol that is common to Linux. Applications will send messages that may be stored on the local machine or delivered to a Syslog collector. When the Agent for Linux is installed, it configures the local Syslog daemon to forward messages to the agent. The agent then sends the message to the workspace.\n\n[Learn more >](https://aka.ms/sysLogInfo)",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "Syslog",
"baseQuery": "Syslog"
}
],
"sampleQueries": [
{
"description": "Last 1000 generated events",
"query": "Syslog\n | top 1000 by TimeGenerated"
},
{
"description": "All events by facility except for cron",
"query": "Syslog\n | summarize count() by Facility | where Facility != \"cron\""
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"Syslog | extend TimeGenerated = ingestion_time() \n | where TimeGenerated > ago(7d) \n | summarize by _ResourceId, bin(TimeGenerated, 1m) \n | join kind=inner (Heartbeat \n | where TimeGenerated > ago(7d) \n | where Category == \"Azure Monitor Agent\" \n | summarize by _ResourceId, bin(TimeGenerated, 1m)) on _ResourceId, TimeGenerated \n | summarize LastLogReceived = max(TimeGenerated) \n | project IsConnected = LastLogReceived > ago(7d) "
]
}
],
"dataTypes": [
{
"name": "Syslog",
"lastDataReceivedQuery": "Syslog\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"availability": {
"status": 2,
"isPreview": true,
"featureFlag": {
"feature": "SyslogAma",
"featureStates": {
"Dogfood": "PrivatePreview",
"MPAC": "PrivatePreview",
"Prod": "PrivatePreview"
}
}
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces/datasources",
"permissionsDisplayText": "read and write permissions.",
"providerDisplayName": "Workspace data sources",
"scope": "Workspace",
"requiredPermissions": {
"read": true,
"write": true
}
}
],
"customs": [
{
"description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
}
]
},
"instructionSteps": [
{
"title": "Enable data collection rule",
"description": "You can collect Syslog events from your local machine by installing the agent on it. You can also collect Syslog generated on a different source by running the installation script below on the local machine, where the agent is installed.\n\n> Syslog logs are collected only from **Linux** agents.",
"instructions": [
{
"type": "SysLogAma"
}
]
},
{
"instructions": [
{
"parameters": {
"linkType": "OpenCreateDataCollectionRule",
"dataCollectionRuleType": 6
},
"type": "InstallAgent"
}
]
},
{
"title": "Run the following command to install and apply the Syslog collector:",
"description": "> To collect logs generated on a different machine run this script on the machine where the agent is installed.",
"instructions": [
{
"parameters": {
"fillWith": [
"WorkspaceId",
"PrimaryKey"
],
"label": "",
"value": "sudo wget -O Forwarder_AMA_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Forwarder_AMA_installer.py&&sudo python Forwarder_AMA_installer.py"
},
"type": "CopyableLabel"
}
]
}
]
}