Verifying the AMA Connector

Verifying the AMA Connector confirms that logs from the Secret Server are received by the log forwarder and arrive in Microsoft Sentinel. The process has two parts: running the installation script, then testing the connector end to end.

To run the installation script:

  1. On the Connector page, locate the section Run the following command to install and apply the CEF collector, and select the Copy icon to copy the command line displayed there.

  2. Log in to the log forwarder machine on which you just installed the AMA connector.

  3. Paste the command that you copied in step 1 and run it to launch the installation script.

The script configures the rsyslog or syslog-ng daemon to use the required protocol and restarts it. It also opens port 514 to receive incoming messages over both UDP and TCP. Plain syslog on port 514 is unauthenticated, so restrict that port on the host firewall to the Secret Server's address rather than leaving it reachable from the whole network.

Testing the Connector

  1. In a terminal on the log forwarder, run the following command: netstat -lnptv
    This command validates that the syslog daemon is running and that the AMA is listening. You should see the rsyslog or syslog-ng daemon listening on port 514. Note that -t restricts the output to TCP sockets; to confirm the UDP listener as well, add -u (netstat -lnptuv) or use ss -lnptu.

  2. Run the command tcpdump -i any port 514 -A -vv & in the background to capture messages sent from a logger or a connected device. The -A option prints the packet payload, so you can read the syslog message text in the capture.

  3. After you complete the validation, stop the tcpdump: type fg and then press Ctrl+C.

  4. Next, verify that the Secret Server log is displayed in Microsoft Sentinel. In Microsoft Sentinel, open the Connector page.

  5. Select Go to Log Analytics.

    By default, the Logs page will be displayed.

  6. Enter the following query:
    Syslog
    | where TimeGenerated > ago(1h)

The Secret Server log will be displayed. If the connector was installed in CEF mode, events parsed as CEF are written to the CommonSecurityLog table rather than to Syslog; run the same time filter against that table if nothing appears. Ingestion can lag by several minutes, so widen the time window before concluding that events are missing.
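The local checks in steps 1 to 3 (listener present, test message on the wire) can be scripted so they give a pass/fail answer instead of output to eyeball. The following is an added example, not code from the original page or from the Sentinel or Delinea documentation: it parses netstat-style output to confirm that port 514 is bound for both TCP and UDP, builds a CEF test message carrying a unique marker, can send it to the forwarder with the util-linux logger utility, and checks a tcpdump -A capture for the marker. The vendor, product and signature fields in the CEF header, the sample netstat listing and the sample capture are constructed placeholders, not Secret Server's real values.

```shell
#!/bin/sh
# Added example: scripted version of the local connector checks (netstat, test
# event, tcpdump). Not part of the original page or of the Sentinel/Delinea docs.
# Assumptions: the forwarder listens on 514/tcp and 514/udp, the listing is in
# netstat format, and util-linux logger is available for send_test_event.
# All sample data below is constructed.

PORT=514

# check_listeners LISTING
# LISTING is the text printed by "netstat -lnptuv" (or equivalent). Returns 0 when
# a socket bound to $PORT is present for both tcp and udp; otherwise prints what is
# missing and returns 1. Local Address is the 4th column for tcp and udp lines alike.
check_listeners() {
    listing="$1"
    missing=""
    for proto in tcp udp; do
        if ! printf '%s\n' "$listing" \
             | grep -E "^${proto}6?[[:space:]]" \
             | awk '{ print $4 }' \
             | grep -qE "[:.]${PORT}\$"; then
            missing="$missing $proto"
        fi
    done
    if [ -n "$missing" ]; then
        echo "no listener on port $PORT for:$missing" >&2
        return 1
    fi
    return 0
}

# cef_test_event MARKER
# Prints one CEF:0 message carrying MARKER in the msg extension. Vendor, product,
# version and signature ID are placeholders, not Secret Server's real values.
cef_test_event() {
    printf 'CEF:0|ExampleVendor|ExampleProduct|1.0|100|Connector verification|1|msg=%s' "$1"
}

# send_test_event HOST tcp|udp MARKER
# Sends the test event to the forwarder with util-linux logger (-T = TCP, -d = UDP).
# Needs network access to HOST, so the sample run below only shows the call commented.
send_test_event() {
    host="$1"; proto="$2"; marker="$3"
    if [ "$proto" = udp ]; then flag=-d; else flag=-T; fi
    cef_test_event "$marker" | logger -n "$host" -P "$PORT" "$flag" -t CEF
}

# capture_has_marker CAPTURE MARKER
# CAPTURE is text from "tcpdump -i any port 514 -A". Returns 0 if MARKER appears,
# i.e. the test event actually reached the forwarder's port.
capture_has_marker() {
    printf '%s\n' "$1" | grep -qF -- "$2"
}

# Constructed sample data, shaped like the output of a healthy forwarder.
SAMPLE_LISTING='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      1201/rsyslogd
udp        0      0 0.0.0.0:514             0.0.0.0:*                           1201/rsyslogd'

MARKER="sentinel-verify-$(date +%s)"
SAMPLE_CAPTURE="13:05:01.123456 IP 10.0.0.5.40012 > 10.0.0.9.514: Flags [P.], length 96
E..CEF:0|ExampleVendor|ExampleProduct|1.0|100|Connector verification|1|msg=$MARKER"

# On a real forwarder: run "netstat -lnptuv" into check_listeners, start tcpdump,
# then send_test_event 10.0.0.9 tcp "$MARKER" from the Secret Server side and
# feed the capture to capture_has_marker.
if check_listeners "$SAMPLE_LISTING"; then
    echo "listeners OK on port $PORT (tcp and udp)"
fi
if capture_has_marker "$SAMPLE_CAPTURE" "$MARKER"; then
    echo "test event seen on the wire: $MARKER"
fi
```

The marker makes the event easy to find both in the tcpdump capture and later in the Log Analytics query, which separates "the forwarder never received it" from "it was received but never reached Sentinel".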

To verify that the connector is installed correctly, run the troubleshooting script with the following command: sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py && sudo python Sentinel_AMA_troubleshoot.py --cef
This downloads the script from the Azure-Sentinel GitHub repository and runs it as root, so review the downloaded file before executing it. On distributions where the python command is not available, run it with python3 instead.