Verifying the AMA Connector

The AMA Connector verification confirms that logs from the Secret Server are collected and forwarded to Azure. The process has two parts: running the installation script, then testing the connector.

To run the installation script:

  1. On the Connector page, copy the command line displayed under the Run the following command to install and apply the Syslog collector section, and select the Copy icon to copy the code.

  2. Log in to the log forwarder machine where you just installed the AMA connector.

  3. Paste the code that you copied in the first step in order to launch the installation script.

The script configures the rsyslog or syslog-ng daemon to use the required protocol and restarts it. The script also opens port 514 to listen to incoming messages in both UDP and TCP protocols.

To test a Connector:

  1. In a terminal on the log forwarder, run the following command: netstat -lnptv
    This command validates that the syslog daemon is running on the UDP port and that the AMA is listening. You should see the rsyslog or syslog-ng daemon listening on port 514.

  2. Run the command tcpdump -i any port 514 -A -vv & in the background to capture messages sent from a logger or a connected device.

  3. After you complete the validation, stop tcpdump: type fg and then press Ctrl+C.

  4. Next, verify that the Syslog from the Secret Server is displayed in Azure Sentinel. In Microsoft Sentinel, open the Connector page.

  5. Select Go to Log Analytics.

    By default, the Logs page will be displayed.

  6. Enter the following query:
    Syslog
    | where TimeGenerated > ago(1h)

The syslog events from Secret Server are displayed.
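The listener check in steps 1 and 2 above can be scripted so that the same test runs the same way on every forwarder. The following script is an added example and is not part of the Secret Server or Microsoft Sentinel documentation. It parses netstat output for port 514 listeners (against constructed sample output when run offline, or against the forwarder's real netstat with --live) and, as an assumption, uses util-linux logger to send a test event that tcpdump can then be seen to capture. Note that netstat's -t option restricts output to TCP sockets; the sample output below is constructed as if -u were also given, so that the UDP listener appears.

```shell
#!/bin/sh
# Added example (not from the Secret Server/Sentinel docs): verify that the
# syslog daemon on an AMA log forwarder listens on port 514 for TCP and UDP.

# Constructed sample of netstat output from a healthy forwarder (both listeners).
SAMPLE_OK='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      1234/rsyslogd
tcp        0      0 127.0.0.1:28330         0.0.0.0:*               LISTEN      2345/mdsd
udp        0      0 0.0.0.0:514             0.0.0.0:*                           1234/rsyslogd'

# Constructed sample where the daemon was restarted without the UDP input enabled.
SAMPLE_NO_UDP='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      1234/rsyslogd'

# port514_listener PROTO OUTPUT
# Exit 0 and print the owning process when OUTPUT contains a port 514 socket
# whose protocol column starts with PROTO (tcp matches tcp and tcp6).
port514_listener() {
  proto="$1"
  output="$2"
  printf '%s\n' "$output" | awk -v proto="$proto" '
    index($1, proto) == 1 && $4 ~ /:514$/ {
      found = 1
      print proto " port 514 owned by " $NF
    }
    END { exit found ? 0 : 1 }'
}

# verify_listeners OUTPUT
# Exit 0 only when both the TCP and the UDP listener on port 514 are present;
# report each missing one on stderr with the usual things to check.
verify_listeners() {
  output="$1"
  status=0
  for proto in tcp udp; do
    if ! port514_listener "$proto" "$output"; then
      echo "no $proto listener on port 514: check the daemon restart and the firewall rule" >&2
      status=1
    fi
  done
  return $status
}

# Live check on the forwarder itself. -u is added so UDP sockets are listed;
# -p needs root to show the program name. (Assumed flags of net-tools netstat.)
verify_live() {
  verify_listeners "$(netstat -lnptuv 2>/dev/null)"
}

# send_test_event PROTO
# Send one constructed syslog message to the local listener so that the
# tcpdump capture from the docs has something to show. Assumes util-linux
# logger: -n server, -P port, -d for UDP, -T for TCP.
send_test_event() {
  case "$1" in
    udp) logger -n 127.0.0.1 -P 514 -d -t ama-check "constructed test event over udp" ;;
    tcp) logger -n 127.0.0.1 -P 514 -T -t ama-check "constructed test event over tcp" ;;
    *)   echo "usage: send_test_event tcp|udp" >&2; return 2 ;;
  esac
}

# Offline demonstration against the constructed samples; pass --live to run
# against the real netstat on the forwarder and then send one event per protocol.
if [ "${1:-}" = "--live" ]; then
  verify_live && send_test_event udp && send_test_event tcp
else
  verify_listeners "$SAMPLE_OK" && echo "healthy sample: both listeners present"
  verify_listeners "$SAMPLE_NO_UDP" || echo "degraded sample: exit status $?"
fi
```

Run it with --live on the forwarder while the tcpdump from step 2 is running; the two constructed events then appear in the capture, and the Sentinel query from step 6 should show them shortly afterwards under the ama-check tag.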