Move prereqs to top to align to how-to pattern

cwatson-cat · cwatson-cat · commit 0118f4f589d8 · 2024-04-22T11:16:15.000-07:00
diff --git a/articles/sentinel/connect-cef-syslog-ama.md b/articles/sentinel/connect-cef-syslog-ama.md
@@ -13,47 +13,23 @@ ms.date: 04/22/2024
 
 This article describes how to use the **Syslog via AMA** and **Common Event Format (CEF) via AMA** connectors to quickly filter and ingest Syslog messages, including those in Common Event Format (CEF), from Linux machines and from network and security devices and appliances. To learn more about these data connectors, see [Syslog via AMA and Common Event Format (CEF) via AMA connectors for Microsoft Sentinel](cef-syslog-ama-overview.md).
 
-## Set up the data connectors
-
-# [Syslog](#tab/syslog)
-
-### Set up the Syslog via AMA connector
-
-The setup process for the Syslog via AMA connector has two parts:
-
-1. **Install the Azure Monitor Agent and create a Data Collection Rule (DCR)**.
-    - [Using the Azure portal](?tabs=syslog%2Cportal#install-the-ama-and-create-a-data-collection-rule-dcr)
-    - [Using the Azure Monitor Logs Ingestion API](?tabs=syslog%2Capi#install-the-ama-and-create-a-data-collection-rule-dcr)
-
-1. If you're collecting logs from other machines using a log forwarder, [**run the "installation" script**](#run-the-installation-script) on the log forwarder to configure the Syslog daemon to listen for messages from other machines, and to open the necessary local ports.
-
-# [CEF](#tab/cef)
-
-### Set up the Common Event Format (CEF) via AMA connector
-
-The setup process for the CEF via AMA connector has two parts:
-
-1. **Install the Azure Monitor Agent and create a Data Collection Rule (DCR)**.
-    - [Using the Azure portal](?tabs=cef%2Cportal#install-the-ama-and-create-a-data-collection-rule-dcr)
-    - [Using the Azure Monitor Logs Ingestion API](?tabs=cef%2Capi#install-the-ama-and-create-a-data-collection-rule-dcr)
+## Prerequisites
 
-1. [**Run the "installation" script**](#run-the-installation-script) on the log forwarder to configure the Syslog daemon to listen for messages from other machines, and to open the necessary local ports.
+Before you begin, you must have the resources configured and the appropriate permissions described in this section. 
 
----
+### Microsoft Sentinel prerequisites
 
-### Prerequisites
+- You must have the appropriate Microsoft Sentinel solution enabled&mdash;**Syslog** and/or **Common Event Format**. For more information, see [Discover and manage Microsoft Sentinel out-of-the-box content](sentinel-solutions-deploy.md).
 
-- You must have the appropriate Microsoft Sentinel solution enabled&mdash;**Syslog** and/or **Common Event Format**.
-
-- Your Azure account must have the following roles/permissions:
+- Your Azure account must have the following Azure role-based access control (Azure RBAC) roles:
 
   | Built-in role | Scope | Reason |
   | ------------- | ----- | ------ |
   | - [Virtual Machine Contributor](../role-based-access-control/built-in-roles/compute.md#virtual-machine-contributor)<br>- [Azure Connected Machine<br>&nbsp;&nbsp;&nbsp;Resource Administrator](../role-based-access-control/built-in-roles/management-and-governance.md#azure-connected-machine-resource-administrator) | <li>Virtual machines<li>Virtual Machine Scale Sets<li>Azure Arc-enabled servers | To deploy the agent |
   | Any role that includes the action<br>*Microsoft.Resources/deployments/\** | <li>Subscription<li>Resource group<li>Existing data collection rule | To deploy Azure Resource Manager templates |
   | [Monitoring Contributor](../role-based-access-control/built-in-roles/monitor.md#monitoring-contributor) | <li>Subscription<li>Resource group<li>Existing data collection rule | To create or edit data collection rules |
 
-#### Log forwarder prerequisites
+### Log forwarder prerequisites
 
 If you're collecting messages from a log forwarder, the following additional prerequisites apply:
 
@@ -71,7 +47,7 @@ If you're collecting messages from a log forwarder, the following additional pre
 
 - Your log sources (your security devices and appliances) must be configured to send their log messages to the log forwarder's Syslog daemon instead of to their local Syslog daemon.
 
-#### Avoid data ingestion duplication
+### Avoid data ingestion duplication
 
 Using the same facility for both Syslog and CEF messages may result in data ingestion duplication between the CommonSecurityLog and Syslog tables. 
 
@@ -88,7 +64,7 @@ To avoid this scenario, use one of these methods:
     where ProcessName !contains "CEF"
     ```
 
-#### Log forwarder security considerations
+### Configure machine security
 
 Make sure to configure the machine's security according to your organization's security policy. For example, you can configure your network to align with your corporate network security policy and change the ports and protocols in the daemon to align with your requirements. To improve your machine security configuration, [secure your VM in Azure](../virtual-machines/security-policy.md), or review these [best practices for network security](../security/fundamentals/network-best-practices.md).
 
@@ -97,6 +73,36 @@ If your devices are sending Syslog and CEF logs over TLS (because, for example,
 - [Encrypt Syslog traffic with TLS – rsyslog](https://www.rsyslog.com/doc/v8-stable/tutorials/tls_cert_summary.html)
 - [Encrypt log messages with TLS – syslog-ng](https://support.oneidentity.com/technical-documents/syslog-ng-open-source-edition/3.22/administration-guide/60#TOPIC-1209298)
 
+## Set up the data connectors
+
+# [Syslog](#tab/syslog)
+
+### Set up the Syslog via AMA connector
+
+The setup process for the Syslog via AMA connector has two parts:
+
+1. **Install the Azure Monitor Agent and create a Data Collection Rule (DCR)**.
+    - [Using the Azure portal](?tabs=syslog%2Cportal#install-the-ama-and-create-a-data-collection-rule-dcr)
+    - [Using the Azure Monitor Logs Ingestion API](?tabs=syslog%2Capi#install-the-ama-and-create-a-data-collection-rule-dcr)
+
+1. If you're collecting logs from other machines using a log forwarder, [**run the "installation" script**](#run-the-installation-script) on the log forwarder to configure the Syslog daemon to listen for messages from other machines, and to open the necessary local ports.
+
+# [CEF](#tab/cef)
+
+### Set up the Common Event Format (CEF) via AMA connector
+
+The setup process for the CEF via AMA connector has two parts:
+
+1. **Install the Azure Monitor Agent and create a Data Collection Rule (DCR)**.
+    - [Using the Azure portal](?tabs=cef%2Cportal#install-the-ama-and-create-a-data-collection-rule-dcr)
+    - [Using the Azure Monitor Logs Ingestion API](?tabs=cef%2Capi#install-the-ama-and-create-a-data-collection-rule-dcr)
+
+1. [**Run the "installation" script**](#run-the-installation-script) on the log forwarder to configure the Syslog daemon to listen for messages from other machines, and to open the necessary local ports.
+
+---
+
+
+
 ### Install the AMA and create a Data Collection Rule (DCR)
 
 # [Syslog](#tab/syslog)
