This document describes how to ingest data into Microsoft Sentinel via the Akamai Unified Log Streamer (ULS).
Here's an overview of the "processing" workflow:
The currently recommended way is to feed ULS data into a UDP/TCP SYSLOG server.
The Azure Monitor Agent collects the logs and ingests them into the Microsoft Sentinel platform.
ULS and the SYSLOG daemon do not need to reside on the same host.
- Install ULS
- Install a SYSLOG server (if one does not already come with your system)
- Install the Azure Monitor Agent (the MS Arc agent might be required in order to install the Monitor Agent)
Syslog Server

Configure the Syslog server to accept logs via UDP or TCP (TCP is recommended).
Config example for RSYSLOG (server side, rsyslogd listening on TCP port 514):

    # TCP PORT (rsyslogd)
    module(load="imtcp")
    input(type="imtcp" port="514")
ULS

Configure ULS to send the logs via OUTPUT TCP to the specified port (514 in this case). Example (fetching SIA/ETP THREAT logs):

    bin/uls.py --input ETP --feed THREAT --output TCP --hostname 10.9.8.7 --port 514
Azure

A Data Collection Rule needs to be deployed with the following configuration:
- Syslog Facility (e.g. LOCAL1), pointing to the syslog facility the ULS data is streamed into
- Log Transformation (Log Parsing)
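To check the facility hand-off before wiring ULS in, here is an added Python example (not code from the ULS project or from this page). It builds a syslog frame carrying a constructed ULS-style JSON record, decodes the facility a syslog server would assign to that line, and compares it with the facility the Data Collection Rule selects; a raw JSON line with no PRI header lands in user.notice, which a DCR filtering on LOCAL1 would not pick up. The record's field names, the hostnames and the timestamp are constructed placeholders.

```python
import json
import re
import socket

# Syslog facility/severity numbers from RFC 5424 (PRI = facility * 8 + severity).
FACILITIES = {"kern": 0, "user": 1, "daemon": 3, "local0": 16, "local1": 17, "local2": 18,
              "local3": 19, "local4": 20, "local5": 21, "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}
PRI_RE = re.compile(r"^<(\d{1,3})>")


def pri(facility: str, severity: str) -> int:
    """PRI value a syslog line carries for the given facility and severity."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def build_frame(facility: str, severity: str, host: str, app: str, payload: dict) -> bytes:
    """Constructed RFC 5424 line with a ULS-style JSON record as MSG, newline-terminated
    (the framing rsyslog's imtcp input accepts by default)."""
    msg = json.dumps(payload, separators=(",", ":"))
    return f"<{pri(facility, severity)}>1 2024-01-01T00:00:00Z {host} {app} - - - {msg}\n".encode()


def decode_pri(line: bytes) -> tuple:
    """Facility/severity names a syslog server would assign to a received line.
    A line without a PRI header gets user.notice (PRI 13), the RFC 3164 default."""
    m = PRI_RE.match(line.decode("utf-8", errors="replace"))
    n = int(m.group(1)) if m else 13
    fac_names = {v: k for k, v in FACILITIES.items()}
    sev_names = {v: k for k, v in SEVERITIES.items()}
    return (fac_names.get(n // 8, f"facility{n // 8}"), sev_names[n % 8])


def matches_dcr(line: bytes, dcr_facility: str = "local1") -> bool:
    """True if the line's facility is the one the Data Collection Rule selects."""
    return decode_pri(line)[0] == dcr_facility


def send_test_frame(frame: bytes, host: str = "127.0.0.1", port: int = 514) -> int:
    """Push one frame at the syslog listener (the rsyslog imtcp port above); returns bytes sent."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(frame)
    return len(frame)


if __name__ == "__main__":
    # Constructed sample record, shaped like a ULS ETP THREAT event (field names are illustrative).
    sample = {"type": "THREAT", "action": "block", "domain": "example.invalid"}
    frame = build_frame("local1", "info", "uls-host", "uls", sample)
    print(frame.decode().strip(), "matches DCR facility:", matches_dcr(frame))
```

If `matches_dcr` reports False for what the collector actually receives, adjust either the facility ULS emits or the facility selected in the DCR so the two agree.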
As an alternative, here is a working template that can be directly imported.
(A massive thanks to Joana from Microsoft who shared the template with us)