How to design & deploy a Log Collector for MCAS

  • Published 28 Jul 2024
  • Table of Contents:
    00:00 Introduction
    00:30 Inject data into MCAS
    02:22 How does a Log Collector work?
    03:21 Prereqs
    04:27 Network requirements
    04:54 Supported firewalls/proxies
    05:41 What is a Log Collector?
    06:07 Log Collector performance
    08:54 Deploy a Log Collector in Azure (Ubuntu)
    11:40 Setup data sources in MCAS
    12:37 Setup Log Collector in MCAS
    13:35 Configure Docker as a Log Collector
    15:49 Test the Log Collector
    Resources: Log Collector docs: docs.microsoft.com/en-us/clou...
    If you want to simulate a log collector, check this out: github.com/microsoft/Microsof...
    Deck from video: www.slideshare.net/MattSosema...
  • Science & Technology

COMMENTS • 18

  • @rickicooper1131 1 year ago

    Matt, that is a great video, thank you!
    Little tip for anyone connecting a SonicWall to the Log Collector, ensure 'Display UTC in logs (instead of local time)' is switched on in Device>Settings>Time. Otherwise, the log collector won't parse the syslog files.

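A small test harness for the "Test the Log Collector" step and for the UTC timestamp tip above. This is an added example, not code from the video, the slide deck or Microsoft's collector image. It assumes the collector accepts syslog over UDP on port 514 (the standard syslog port; the page does not state which port the collector listens on), and the collector address, hostnames and the firewall message body are constructed placeholders. The script builds an RFC 5424 syslog line with an explicit UTC timestamp, checks that the timestamp carries a UTC zone marker (a local-time stamp with no zone is the condition the SonicWall tip warns about), and round-trips the line through a local UDP listener that stands in for the collector so the whole thing runs offline.

```python
"""Constructed test sender for a syslog log collector (added example).

Assumptions (not from the page): the collector takes syslog over UDP/514,
COLLECTOR_HOST is a placeholder, and SAMPLE_MSG is an invented firewall
event, not a real SonicWall log line.
"""
import socket
from datetime import datetime, timezone

COLLECTOR_HOST = "127.0.0.1"   # assumption: replace with the collector's IP/FQDN
COLLECTOR_PORT = 514           # assumption: standard syslog UDP port


def utc_timestamp(now=None):
    """Return an RFC 5424 timestamp in UTC with a trailing 'Z'.

    Refuses naive datetimes so a local-time stamp with no zone marker
    (the case the SonicWall tip above describes) cannot slip through.
    """
    now = now or datetime.now(timezone.utc)
    if now.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware")
    return now.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_syslog_line(hostname, app, msg, facility=1, severity=6, now=None):
    """Build an RFC 5424 line: <PRI>1 TIMESTAMP HOST APP - - - MSG.

    PRI = facility * 8 + severity; facility 1 / severity 6 gives <14>.
    """
    pri = facility * 8 + severity
    return f"<{pri}>1 {utc_timestamp(now)} {hostname} {app} - - - {msg}"


def has_utc_timestamp(line):
    """True if the RFC 5424 timestamp field (second token) is marked UTC."""
    parts = line.split(" ", 2)
    if len(parts) < 2:
        return False
    ts = parts[1]
    return ts.endswith("Z") or ts.endswith("+00:00")


def send_udp(line, host=COLLECTOR_HOST, port=COLLECTOR_PORT):
    """Fire one syslog datagram at the collector."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode("utf-8"), (host, port))


def roundtrip_test(line, timeout=2.0):
    """Bind a local UDP listener standing in for the collector, send the
    line to it and return what arrived (None on timeout)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as recv:
        recv.bind(("127.0.0.1", 0))          # ephemeral port, no root needed
        recv.settimeout(timeout)
        _, bound_port = recv.getsockname()
        send_udp(line, "127.0.0.1", bound_port)
        try:
            data, _ = recv.recvfrom(65535)
        except socket.timeout:
            return None
    return data.decode("utf-8")


# Constructed sample event (invented fields, not a captured SonicWall log).
SAMPLE_MSG = ('id=firewall fw=203.0.113.10 pri=6 m=98 msg="Connection Opened" '
              'src=10.0.0.5:51234 dst=93.184.216.34:443 proto=tcp/https')

if __name__ == "__main__":
    line = build_syslog_line("fw01", "sonicwall", SAMPLE_MSG)
    print("utc timestamp ok:", has_utc_timestamp(line))
    print("sending:  ", line)
    print("received: ", roundtrip_test(line))
    # Against a real collector instead of the local stand-in:
    # send_udp(line, COLLECTOR_HOST, COLLECTOR_PORT)
```

Point `send_udp` at the collector's IP/FQDN and then look for the test event in the data source's status in the MCAS portal; if the local round-trip succeeds but nothing shows up there, the problem is between the sender and the collector (firewall rules, wrong port, or a timestamp the parser rejects), not in the line format.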
  • @psudoevil 3 years ago +1

    Very valuable video. I've been scratching my head for quite some time wondering where I could get sample firewall logs. Guess what I'll be doing this weekend!!

  • @ryannel374 2 years ago

    Matt, thank you for the great content. I am watching your content for MCAS and John Savill's content for Azure AD. These MCAS videos have greatly assisted. Please keep it up.

  • @amaurisrodriguez9914 3 years ago +1

    Thanks for sharing!

  • @thomasturner3577 3 years ago +2

    New setup looks good

    • @MattSoseman 3 years ago +1

      Thanks! I'm trying! Welcome any feedback to make it better!

  • @riteshsinghania5 3 years ago

    Hello Matt, thanks for the very informative video, it is very helpful. Need your help: I am in the process of setting up Syslog TLS, and my challenge is how to encrypt the logs from the Bluecoat proxy to the log collector and then from the log collector to MCAS. Is there any article you can advise?

  • @amaurisrodriguez9914 3 years ago +1

    Hi Matt, quick question: could you please share a video showing how to control onboarding devices onto Intune with a Control Access policy, onboarding only corporate assets and not personal ones?

    • @MattSoseman 3 years ago +1

      Sure happy to!

    • @amaurisrodriguez9914 3 years ago

      @MattSoseman Thanks for accepting my request. This is something I've seen a lot of folks struggling with and I haven't had the chance to replicate/test in my tenant.

  • @simranjit473 2 years ago

    Hi Matt - great video. Quick question: what's the purpose of supplying the on-prem private IP/FQDN of the collector during Log Collector config in MCAS? Is any inbound access to the collector required from Azure?

  • @barunmathur9597 3 years ago

    Hi Matt, thanks a lot for this informative video.
    One doubt I have: where does the log parsing happen, at the log collector server or in the MCAS cloud?

    • @MattSoseman 3 years ago +1

      It happens in the MCAS service. The log collector is only used to send logs from a firewall or proxy to MCAS to then be processed. If using Microsoft Defender for Endpoint then there is no need for a log collector; data will be transmitted directly.

    • @barunmathur9597 3 years ago

      @MattSoseman Thanks Matt, so I should assume anonymisation is happening in the MCAS cloud itself. And is it a secure configuration wherein the log collector is sending raw logs to MCAS through the internet (over SSL)?

    • @MattSoseman 3 years ago

      You can enable user anonymization under settings; see the docs for details. Logs are sent using secure protocols; see the docs for details.

  • @venkannapydikondala2371 3 years ago

    Hi Matt, the information is awesome. I have the following requirement: ingest logs from Splunk into the log collector. How is it possible?

    • @venkannapydikondala2371 3 years ago

      Do you have any information on it?

    • @MattSoseman 3 years ago

      You can forward logs from your SIEM to the log collector if they are in the original format, but best practice is to forward logs directly from the firewalls to the log collector.