Step-by-Step Activate Azure Analytics Workspace & Azure Sentinel & Ingest Palo Alto CEF Logs

Published on Sep 05, 2025 This response is partially generated with the help of AI. It may contain inaccuracies.

Introduction

This tutorial provides a step-by-step guide on activating Azure Analytics Workspace, setting up Azure Sentinel, and ingesting Palo Alto CEF logs. By following these instructions, you will create a virtual machine, configure logging, and ensure effective log management with Azure Sentinel.

Step 1: Enable Azure Log Analytics Workspace

  1. Sign in to your Azure portal.
  2. Navigate to "Create a resource."
  3. Search for "Log Analytics Workspace" and select it.
  4. Click on "Create" and fill in the required fields:
    • Subscription
    • Resource Group
    • Workspace Name
    • Region
  5. Click "Review + create" and then "Create" to finalize.

Step 2: Activate Azure Sentinel

  1. After creating the workspace, go to the Azure portal and search for "Azure Sentinel."
  2. Click on "Add" and select the Log Analytics Workspace you just created.
  3. Enable Azure Sentinel by clicking on "Add Azure Sentinel."

Step 3: Create a Virtual Machine (CentOS)

  1. In the Azure portal, navigate to "Create a resource" and select "Virtual Machine."
  2. Choose CentOS as the OS and configure your instance:
    • Size
    • Region
    • Authentication method (SSH key recommended)
  3. Click "Review + create" and then "Create" to deploy the VM.

Step 4: Install Rsyslog

  1. SSH into your CentOS VM.
  2. Check if Rsyslog is already installed:
    rpm -q rsyslog
    yum list installed | grep rsyslog
    
  3. If it is not installed, bring the installed packages up to date first (yum update refreshes the repository metadata and applies pending updates):
    sudo yum update
    
  4. Install Rsyslog:
    sudo yum install rsyslog
    
  5. Start the Rsyslog service:
    sudo systemctl start rsyslog
    
  6. Enable Rsyslog to start on boot:
    sudo systemctl enable rsyslog
    
  7. Verify the Rsyslog service status:
    sudo systemctl status rsyslog
    

Step 5: Configure Rsyslog

  1. Open the Rsyslog configuration file:
    sudo vi /etc/rsyslog.conf
    
  2. Add the following lines for UDP and TCP syslog reception:
    module(load="imudp")
    input(type="imudp" port="514")
    module(load="imtcp")
    input(type="imtcp" port="514")
    
  3. Save and exit the editor.
  4. Restart the Rsyslog service to apply changes:
    sudo systemctl restart rsyslog
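
As an added example (not from the original post), a small shell helper that writes the Step 5 listener lines into a drop-in under /etc/rsyslog.d instead of editing /etc/rsyslog.conf by hand, counts the resulting input() lines, and asks rsyslogd to validate the configuration before the restart. The paths, the function names and the check_conf helper are this example's own choices; it assumes rsyslog 8's RainerScript syntax, which is what the lines above use, and a CentOS layout where /etc/rsyslog.conf includes /etc/rsyslog.d/*.conf.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): manage the UDP/TCP syslog
# listener config from Step 5 as a drop-in file and check it before restarting.
# Assumes rsyslog 8 (RainerScript syntax) on CentOS.
set -eu

# write_listener_conf PATH [PORT]
# Writes the listener lines to PATH. A drop-in under /etc/rsyslog.d keeps
# /etc/rsyslog.conf untouched, so the change is easy to review and revert.
write_listener_conf() {
  conf="$1"
  port="${2:-514}"
  cat > "$conf" <<EOF
# Syslog reception for Palo Alto CEF (generated by write_listener_conf)
module(load="imudp")
input(type="imudp" port="$port")
module(load="imtcp")
input(type="imtcp" port="$port")
EOF
}

# count_listeners PATH PORT
# Prints how many input() lines in PATH bind PORT; expect 2 (one UDP, one TCP).
count_listeners() {
  conf="$1"
  port="$2"
  grep -cE "^input\(type=\"im(udp|tcp)\" port=\"$port\"\)" "$conf" || true
}

# check_conf
# Asks rsyslogd to parse the full configuration (-N1 = validate only), which
# on CentOS includes the drop-ins. Returns 0 when accepted, 1 when rejected,
# 2 when rsyslogd is not installed on this host.
check_conf() {
  command -v rsyslogd >/dev/null 2>&1 || return 2
  rsyslogd -N1 >/dev/null 2>&1
}

# Usage on the VM (root needed for /etc/rsyslog.d):
#   write_listener_conf /etc/rsyslog.d/10-cef-listener.conf 514
#   check_conf && systemctl restart rsyslog

# Stand-alone demo: render to a temporary file and report what was written.
demo="$(mktemp)"
write_listener_conf "$demo" 514
printf 'input() lines bound to port 514 in %s: %s\n' "$demo" "$(count_listeners "$demo" 514)"
rm -f "$demo"
```

Running check_conf before the restart matters because rsyslogd will happily start with a broken drop-in and simply not listen, which looks exactly like a firewall problem from the Palo Alto side.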
    

Step 6: Configure Azure NSG

  1. Go to your Azure portal and navigate to your VM’s Networking settings.
  2. Add inbound security rules to allow traffic on the following ports:
    • Port 22 (SSH)
    • Port 514 (syslog)
    • Port 5114 (for other log sources)
    • ICMP (for ping testing)

Step 7: Configure Palo Alto Networks Device

  1. Access your Palo Alto device.
  2. Configure it to send CEF logs to the Rsyslog server.
    • Set the syslog server IP to your VM’s public IP.
    • Use the appropriate port (default is 514).
  3. Save the configuration on the Palo Alto device.

Step 8: Monitor Logs

  1. Check the logs to ensure that CEF messages are being received:
    sudo tail -f /var/log/messages
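
As an added example (not from the original post), a few shell functions that check whether the lines scrolling past in tail -f are actually well-formed CEF (the header is CEF:0 followed by six pipe-separated fields and then the extension) and pull out header fields and extension keys such as the source and destination addresses. The sample log lines are constructed in the Palo Alto CEF layout and are not real device output; the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): sanity-check CEF lines received
# by rsyslog before trusting the AMA/Sentinel pipeline with them.
set -eu

# is_cef LINE
# Returns 0 when LINE carries a CEF header with version 0 and all six header
# fields (Vendor|Product|Version|SignatureID|Name|Severity) followed by the
# pipe that starts the extension, 1 otherwise.
is_cef() {
  printf '%s\n' "$1" | grep -qE 'CEF:0(\|[^|]*){6}\|'
}

# cef_field LINE N
# Prints header field N of a CEF line (1=Vendor, 2=Product, 3=Version,
# 4=SignatureID, 5=Name, 6=Severity).
cef_field() {
  printf '%s\n' "$1" | sed 's/.*CEF:0|//' | cut -d'|' -f"$2"
}

# cef_ext LINE KEY
# Prints the value of extension KEY (src, dst, act, ...) up to the next space;
# prints nothing when the key is absent.
cef_ext() {
  printf '%s\n' "$1" | grep -oE "(^| )$2=[^ ]*" | sed -n "1s/^ \{0,1\}$2=//p" || true
}

# count_cef_lines FILE
# Prints "<well-formed> <malformed>" counts for the lines in FILE.
count_cef_lines() {
  ok=0
  bad=0
  while IFS= read -r line; do
    if is_cef "$line"; then ok=$((ok + 1)); else bad=$((bad + 1)); fi
  done < "$1"
  printf '%s %s\n' "$ok" "$bad"
}

# Constructed sample in the shape of the tail -f output above (not real logs):
# two good CEF lines, one non-CEF line, one truncated CEF header.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Sep  5 10:00:00 fw01 CEF:0|Palo Alto Networks|PAN-OS|10.1.0|end|TRAFFIC|1|rt=Sep 05 2025 10:00:00 GMT src=10.0.0.5 dst=203.0.113.9 spt=51234 dpt=443 proto=tcp act=allow
Sep  5 10:00:01 fw01 CEF:0|Palo Alto Networks|PAN-OS|10.1.0|vulnerability|THREAT|5|rt=Sep 05 2025 10:00:01 GMT src=198.51.100.7 dst=10.0.0.12 dpt=22 act=deny
Sep  5 10:00:02 fw01 Something that is not CEF at all
Sep  5 10:00:03 fw01 CEF:0|Palo Alto Networks|PAN-OS|10.1.0|end
EOF

# Stand-alone demo: summarise the sample, then show one parsed line.
printf 'well-formed/malformed CEF lines: %s\n' "$(count_cef_lines "$SAMPLE_LOG")"
first="$(sed -n 1p "$SAMPLE_LOG")"
printf 'vendor=%s name=%s src=%s dst=%s action=%s\n' \
  "$(cef_field "$first" 1)" "$(cef_field "$first" 5)" \
  "$(cef_ext "$first" src)" "$(cef_ext "$first" dst)" "$(cef_ext "$first" act)"
```

On the VM the same functions can be pointed at /var/log/messages (count_cef_lines /var/log/messages); a non-zero malformed count usually means the device is sending a different log format than expected or messages are being truncated in transit, which is worth finding here rather than as empty fields in Sentinel.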
    

Step 9: Install Advanced Management Agent (AMA)

  1. Follow the instructions from the Azure documentation to download and install the Advanced Management Agent on your Rsyslog server.
  2. Ensure it is configured to collect logs from the Rsyslog service.

Step 10: Verify Sentinel Connector Status

  1. In the Azure portal, navigate to Azure Sentinel.
  2. Go to "Data connectors" and check the status of the CEF logs connection.
  3. Run queries to ensure that logs from the Palo Alto device are being ingested properly.

Conclusion

You have successfully activated Azure Analytics Workspace, set up Azure Sentinel, and configured your Palo Alto device to send CEF logs to Rsyslog. For further monitoring and management, consider setting alerts in Azure Sentinel and regularly reviewing your log configurations. This setup enhances your security posture by providing comprehensive log analysis capabilities.