Effective December 14, 2023, the integration between Microsoft Azure Sentinel and Nebula has reached its End of Maintenance (EOM). While the integration remains available for use, we would like to inform you that it will no longer receive updates. We encourage you to exercise caution when using this integration, as any use will be at your own risk. We are committed to providing ongoing support for common product usage questions and access to our online articles.
To establish the connection, you need to configure the Log Analytics agent on a designated Linux server. In Nebula, set that Linux server as the syslog collector. The Log Analytics agent forwards the syslog data to Azure Sentinel, which gives you a view of Nebula security events. This article guides you through configuring the Nebula integration with Azure Sentinel.
Set up your Linux server
- Follow the instructions in Connect your external solution using syslog to install the syslog collector on your Linux server.
- After you've installed the Linux agent, open your Linux shell.
- View the following config file:
/etc/rsyslog.d/95-omsagent.conf
- Verify that the config file matches the following:
# OMS Syslog collection for workspace 3dd30d0a6-47e9-4264-984d-e13e7572c3fe
*.* @127.0.0.1:25226
- View the following config file:
/etc/rsyslog.conf
- Check if the modules within the config file are the same as the following:
#################
#### MODULES ####
#################
module(load="imuxsock") # provides support for local system logging
module(load="immark") # provides --MARK-- message capability
# provide UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")
# provides TCP syslog reception
module(load="imtcp")
# provides kernel logging support and enable non-kernel klog messages
module(load="imklog" permitnonkernelfacility="on")
- After saving the config file, run the following command to restart the syslog service:
systemctl restart rsyslog
Connect Nebula to Linux server
- Log in to your Nebula console.
- In the left navigation pane, click Configure > Syslog Logging.
- Click Syslog Logging.
- In the Syslog Communication Settings pop-up window, make the following entries:
  - IP Address/Host: IP address or hostname of your Linux server
  - Port: 514
  - Protocol: Set to TCP or UDP.
  - Severity: Choose a severity from the list. This determines the severity of all Nebula events sent to syslog.
  - Minutes: Set the interval at which data is pushed to the Linux server. The Log Analytics agent takes an additional 20 minutes to push the data to the Linux server.
- Click Save.
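The following script is an added example, not part of this article or of the Nebula or Log Analytics products. It checks the two rsyslog files shown above on the Linux collector: that the OMS drop-in forwards everything to the local agent port 25226, and that rsyslog.conf both loads and actually listens with the transport you selected in the Nebula console on port 514. That second check matters because the rsyslog.conf excerpt above loads imtcp but shows no input() line for it; loading a module alone does not open a socket, so a TCP selection in Nebula needs an input(type="imtcp" port="514") line as well. The file paths, ports and the --check invocation are assumptions of this example and can be overridden through the environment variables at the top; legacy $ModLoad/$InputTCPServerRun directives are not recognised.

```shell
#!/bin/sh
# Added example, not from the Malwarebytes article: sanity-check a Linux
# syslog collector for the Nebula -> Log Analytics agent -> Sentinel chain.
# Assumed: the config paths, agent port 25226 and syslog port 514 are the
# ones shown in the article; all of them can be overridden via environment.

OMS_CONF="${OMS_CONF:-/etc/rsyslog.d/95-omsagent.conf}"
RSYSLOG_CONF="${RSYSLOG_CONF:-/etc/rsyslog.conf}"
SYSLOG_PORT="${SYSLOG_PORT:-514}"
AGENT_PORT="${AGENT_PORT:-25226}"

# Returns 0 if the OMS drop-in forwards all facilities/severities to the
# local agent. Both "@" (UDP) and "@@" (TCP) are accepted; a commented-out
# line does not count.
check_oms_forwarding() {
    conf="$1"
    [ -r "$conf" ] || return 1
    grep -Eq '^\*\.\*[[:space:]]+@@?127\.0\.0\.1:'"${AGENT_PORT}"'([[:space:]]|$)' "$conf"
}

# Returns 0 only if rsyslog.conf loads im<proto> AND has an input() listener
# on the given port. Loading the module alone (as the article's sample shows
# for imtcp) does not open a socket; the input() line is what listens.
# Only RainerScript syntax is recognised, not legacy $ModLoad directives.
check_listener() {
    conf="$1"; proto="$2"; port="$3"
    [ -r "$conf" ] || return 1
    grep -Eq '^[[:space:]]*module\(load="im'"${proto}"'"' "$conf" || return 1
    grep -Eq '^[[:space:]]*input\(type="im'"${proto}"'"[[:space:]]+port="'"${port}"'"' "$conf"
}

# Runs every static check for the transport selected in the Nebula console
# ("udp" or "tcp"), prints one line per check and returns the failure count.
run_checks() {
    selected="$1"; fails=0
    if check_oms_forwarding "$OMS_CONF"; then
        echo "OK   $OMS_CONF forwards *.* to 127.0.0.1:$AGENT_PORT"
    else
        echo "FAIL $OMS_CONF does not forward to the Log Analytics agent on 127.0.0.1:$AGENT_PORT"
        fails=$((fails + 1))
    fi
    if check_listener "$RSYSLOG_CONF" "$selected" "$SYSLOG_PORT"; then
        echo "OK   rsyslog listens for $selected on port $SYSLOG_PORT"
    else
        echo "FAIL no im$selected module plus input() for port $SYSLOG_PORT in $RSYSLOG_CONF"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Optional live steps on the collector itself: let rsyslogd validate the
# config (-N1 is its syntax-check mode) and emit a tagged test event that
# can later be searched for in Sentinel to confirm the whole path works.
validate_live() {
    if command -v rsyslogd >/dev/null 2>&1; then
        rsyslogd -N1 -f "$RSYSLOG_CONF" || return 1
    fi
    if command -v logger >/dev/null 2>&1; then
        logger -t nebula-integration-check "test event from $(hostname) at $(date -u +%Y-%m-%dT%H:%M:%SZ)"
    fi
}

# Usage (assumed entry point): sh nebula_rsyslog_check.sh --check udp|tcp
case "${1:-}" in
    --check) run_checks "${2:-udp}" && validate_live ;;
esac
```

Run it with the same transport you chose under Protocol in Nebula; a FAIL on the listener check while the Nebula side is set to TCP is the symptom of the missing input() line described above, and the logger event gives you a known string to search for once the 20-minute agent delay has passed.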