How-To Install and Setup: Azure Arc, (AMA) Azure Monitor Agent and (DCR) Data Collection Rules for sending Linux Syslog to Sentinel for Threat Hunting and Security Monitoring with AuditD

Truvis Thornton
5 min read · May 4, 2024


With the retirement of the legacy Log Analytics agent, this article goes over the new way to send Linux logs into Sentinel using Azure Arc and a DCR. This gives additional flexibility and control over our endpoints and over which logs we send to Sentinel.

VM Setup

Machine Prep

The first part is to prep our VM for Azure Arc.

The first thing is to download and install the needed tools, as these are not generally found in the distro repos. You can change the URL to fit your distro and select the latest version to install.

wget https://packages.microsoft.com/debian/11/prod/pool/main/a/azcmagent/

Once we download it, we can install it.

dpkg -i azcmagent_1.40.02664.1492_amd64.deb

You can always test that it works by running azcmagent.

Future prep: we will need Python, so map it now to avoid a "python not found" error later, or choose either Python 3 or 2.7 manually when we install the AMA forwarder.

AuditD Install and Setup

First, let's install AuditD. This varies by OS, and the machine must not be running a virtualized kernel, as we need to hook into the kernel to log syscalls.

We can use "apt-get install auditd" on our Debian machine.

The file we will want to edit is /etc/audit/audit.rules in this case (this will vary based on OS).

Reminder: AuditD logs EVERYTHING. We will go over how to properly tune and use AuditD in other videos and articles, but for now let's log everything.

We can add the following to the file and restart auditd with "systemctl restart auditd":

-a exit,always -F arch=b64 -S all
-a exit,always -F arch=b32 -S all

If this is too noisy, consider the following:

-a exit,always -F arch=b64 -S execve
-a exit,always -F arch=b32 -S all

The second rule logs every syscall for 32-bit executables, which you shouldn't be seeing anymore and are probably an exploit or something weird.

The first rule only logs commands being executed (execve) for 64-bit executables, which is much more manageable.

If you would like to deploy managed rule sets for production environments, search GitHub for projects like https://github.com/Neo23x0/auditd.

Finally, we need to send AuditD logs to Syslog for collection.

Add the following to /etc/rsyslog.d/11-auditd.conf and restart rsyslog:

$ModLoad imfile
$InputFileName /var/log/audit/audit.log
$InputFileTag tag_audit_log:
$InputFileStateFile audit_log
$InputFileSeverity info
$InputFileFacility local6
$InputRunFileMonitor
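Before pointing the DCR at these logs it is worth confirming what rsyslog actually emits for the imfile input above: every record should carry PRI 182 (local6 is facility 22, info is severity 6, and PRI = facility * 8 + severity), the tag tag_audit_log:, and an audit.log record as its message. The script below is an added example, not code from the article, and it runs offline over constructed sample lines. It parses each forwarded line, decodes the audit record (including the hex-encoded proctitle field that auditd produces when a value contains spaces, so "/usr/bin/ls -la" shows up as 2F75...), and flags audit records that arrived with a facility or severity other than local6.info, which a DCR filtering on local6 would silently drop. The syscall=59 SYSCALL record is what the execve rule above produces on x86_64. Host names, PIDs and timestamps in the samples are made up.

```python
"""Offline check of the audit.log -> rsyslog imfile -> syslog pipeline
(facility local6, severity info, tag "tag_audit_log:") over constructed
sample lines. Added example; not the article's own code."""
import re
from datetime import datetime, timezone

# RFC 3164 facility and severity codes. PRI = facility * 8 + severity.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
              "local0": 16, "local1": 17, "local2": 18, "local3": 19,
              "local4": 20, "local5": 21, "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}

# What the article's 11-auditd.conf stamps on every forwarded record.
EXPECTED_FACILITY, EXPECTED_SEVERITY, EXPECTED_TAG = "local6", "info", "tag_audit_log:"

SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) "
                       r"(?P<host>\S+) (?P<tag>\S+) (?P<msg>.*)$")
AUDIT_HEAD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<epoch>\d+\.\d+):"
                           r"(?P<serial>\d+)\): ?(?P<body>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
UPPER_HEX_RE = re.compile(r"^[0-9A-F]{2,}$")
# Fields auditd hex-encodes when the value holds spaces, quotes or control bytes.
HEX_ENCODABLE = {"proctitle", "comm", "exe", "cwd", "name", "key", "cmd"}


def expected_pri(facility, severity):
    """PRI value that rsyslog writes as <PRI> for the given names."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(pri):
    """Map a numeric PRI back to (facility, severity) names."""
    fac = {v: k for k, v in FACILITIES.items()}.get(pri // 8, "unknown")
    sev = {v: k for k, v in SEVERITIES.items()}[pri % 8]
    return fac, sev


def decode_audit_value(key, raw):
    """Unquote a plain value, or hex-decode an encoded one (NUL separates argv)."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if key in HEX_ENCODABLE and UPPER_HEX_RE.match(raw) and len(raw) % 2 == 0:
        return bytes.fromhex(raw).replace(b"\x00", b" ").decode("utf-8", "replace")
    return raw


def parse_audit_record(msg):
    """Split an audit.log record into its header and decoded key=value fields."""
    head = AUDIT_HEAD_RE.match(msg)
    if not head:
        raise ValueError("not an audit record: " + msg[:60])
    when = datetime.fromtimestamp(float(head.group("epoch")), tz=timezone.utc)
    fields = {k: decode_audit_value(k, v) for k, v in KV_RE.findall(head.group("body"))}
    return {"type": head.group("type"), "serial": int(head.group("serial")),
            "event_time": when.strftime("%Y-%m-%dT%H:%M:%SZ"), "fields": fields}


def parse_forwarded_line(line):
    """Parse one RFC 3164 line as rsyslog emits it for the imfile input."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog line: " + line[:60])
    facility, severity = decode_pri(int(m.group("pri")))
    return {"facility": facility, "severity": severity, "host": m.group("host"),
            "tag": m.group("tag"), "msg": m.group("msg")}


def check_pipeline(lines):
    """Sort lines into audit records with the expected PRI/tag, audit records a
    local6 DCR would miss (or that do not parse), and unrelated syslog."""
    report = {"ok": [], "misconfigured": [], "other": []}
    for line in lines:
        syslog = parse_forwarded_line(line)
        if syslog["tag"] != EXPECTED_TAG:
            report["other"].append(syslog)
            continue
        try:
            record = parse_audit_record(syslog["msg"])
        except ValueError as exc:
            report["misconfigured"].append({**syslog, "reason": str(exc)})
            continue
        if (syslog["facility"], syslog["severity"]) != (EXPECTED_FACILITY, EXPECTED_SEVERITY):
            reason = "got %s.%s, expected %s.%s" % (syslog["facility"], syslog["severity"],
                                                   EXPECTED_FACILITY, EXPECTED_SEVERITY)
            report["misconfigured"].append({**syslog, "reason": reason})
            continue
        report["ok"].append({**syslog, **record})
    return report


# Constructed sample lines (not captured from a real host). PRI 182 = local6.info,
# PRI 190 = local7.info (a mis-set $InputFileFacility), PRI 38 = auth.info from sshd.
SAMPLE_LINES = [
    '<182>May  4 12:00:01 arc-host tag_audit_log: type=SYSCALL msg=audit(1714824001.123:4567): '
    'arch=c000003e syscall=59 success=yes exit=0 a0=55d1c3e2f4a0 a1=55d1c3e2f520 a2=55d1c3e2f6c0 '
    'a3=8 items=2 ppid=1201 pid=1337 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 '
    'comm="ls" exe="/usr/bin/ls" key=(null)',
    '<182>May  4 12:00:01 arc-host tag_audit_log: type=PROCTITLE msg=audit(1714824001.123:4567): '
    'proctitle=2F7573722F62696E2F6C73002D6C61',
    '<190>May  4 12:00:03 arc-host tag_audit_log: type=SYSCALL msg=audit(1714824003.500:4570): '
    'arch=c000003e syscall=59 success=yes exit=0 pid=1340 auid=1000 comm="id" exe="/usr/bin/id" key=(null)',
    '<38>May  4 12:00:02 arc-host sshd[900]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2',
]

if __name__ == "__main__":
    result = check_pipeline(SAMPLE_LINES)
    for bucket, entries in result.items():
        print(bucket, len(entries))
        for entry in entries:
            print("  ", entry.get("reason") or entry.get("fields") or entry["msg"][:50])
```

To use it against a real host, capture a few lines from the forwarder side (for example with tcpdump or a test rsyslog omfile action) and feed them in place of SAMPLE_LINES; anything that lands in "misconfigured" will not match a DCR that only selects LOG_LOCAL6 at LOG_INFO.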

Azure Arc Setup

Next, navigate to Azure Arc in the Azure portal and add a resource.

Go to Add machine:

Choose Generate script:

Configure your location variables.

It will give you a script. Copy this script to a file named arc.sh.

Add "#!/bin/sh" to the top of the script, then chmod u+x arc.sh and run ./arc.sh.

This will then install the Arc Service. When it runs, it will ask you to open a URL. Open that URL, enter the code, sign in, and accept. The script will then finish installing.

You should now see your machine listed under Azure Arc.

You can install the following extensions. SSH is nice as it allows you to access SSH from within Azure, and the other will allow us to send logs into Sentinel.

Sentinel Setup

Navigate to your Sentinel instance, and then go to the AMA Data Connector for Syslog.

Next, let's create a Data Collection Rule.

Let's fill out the information.

Let's select our Azure Arc Linux machines.

Because this is a threat hunting and detection machine, we want to log everything and anything so we have all the visibility we need to build detections. We can always fine-tune our logging locally once we narrow in on what we need for production.

Keep clicking Next until you create the DCR.

Next, let's go back to the connector and download and install the AMA forwarder:

Now go to Sentinel and check for logs.

In a future article we will talk about tuning down and filtering what we don't want or need, along with a crash course in rsyslog/syslog mechanics.

We will talk about building a parser for these incoming logs next.

☕ Like what you read? Did it help you?

Send some coffee and love https://buymeacoffee.com/truvis :)
Your support helps pay for licenses, research & development, and other costs that allow me to bring you new guides and content!

❗If you are new to my content, be sure to follow/connect with me on all my other socials for new ideas and solutions to complicated real world problems and jump start your career! New content drops daily/weekly along with tips and tricks :)

👉 W: https://truv.is
👉 T: https://twitter.com/thattechkitten
👉 Y: https://www.youtube.com/@TRUValueInformationSecurity
👉 G: https://github.com/truvis
👉 L: https://www.linkedin.com/in/truvisthornton
👉 M: https://medium.com/@truvis.thornton


🛡Cyber Defense Architect 🕵🏼‍♂️Threat Hunter/Researcher 👨🏻‍🔬Detection Engineer 👨🏻‍💻SIEM/SOAR/SOC 💡Follow for new ideas and solutions