Reviewing

Author: limwainstein

articles/sentinel/TOC.yml

@@ -262,9 +262,10 @@
         href: connect-azure-windows-microsoft-services.md
       - name: AMA migration for Microsoft Sentinel
         href: ama-migrate.md
-      - name: CEF/Syslog options
-        href: connect-cef-syslog-options.md
+      - name: CEF/Syslog        
         items:
+        - name: CEF/Syslog options
+          href: connect-cef-syslog-options.md
         - name: CEF via AMA
           href: connect-cef-ama.md
         - name: Syslog via AMA

articles/sentinel/connect-cef-syslog-options.md

@@ -17,8 +17,8 @@ In this article, you can find the relevant option for streaming and filtering lo
 |Scenario  |Options  |
 |---------|---------|
 |Are your logs in raw Syslog, in Common Event Format (CEF), or both?   |• [Syslog](connect-syslog.md)<br>• [CEF](connect-cef-ama.md)<br>• [CEF and Syslog](connect-cef-syslog.md)         |
-|Are you sending logs to Microsoft Sentinel directly from your device/appliance, or via a log forwarder?   |**Send logs directly via CEF**:<br>• To send logs directly with the [new AMA connector](connect-cef-ama.md), skip the Configure a log forwarder step.<br> • To send logs directly via CEF with the [legacy connector](connect-common-event-format.md), skip the Designate a log forwarder and install the Log Analytics agent step.<br><br>**Send logs [directly via Syslog](connect-syslog.md)**<br><br>**[Configure a log forwarder](connect-log-forwarder.md)** |
-|Are you sending logs using the new Azure Monitor agent (AMA) or the legacy Log Analytics agent?     |**CEF**:<br>• [New AMA connector](connect-cef-ama.md)<br>• [legacy agent](connect-common-event-format.md)<br><br>**Syslog**:<br>• To ingest logs over Syslog with the AMA, [create a DCR](/azure-monitor/essentials/data-collection-rule-structure).<br>• Ingest logs via the [legacy agent](connect-common-event-format.md).       |
+|Are you sending logs to Microsoft Sentinel directly from your device/appliance, or via a log forwarder?   |**Send logs directly via CEF**:<br><br>• To send logs directly with the [new AMA connector](connect-cef-ama.md), skip the Configure a log forwarder step.<br> • To send logs directly via CEF with the [legacy connector](connect-common-event-format.md), skip the Designate a log forwarder and install the Log Analytics agent step.<br><br>**Send logs [directly via Syslog](connect-syslog.md)**<br><br>**[Configure a log forwarder](connect-log-forwarder.md)** |
+|Are you sending logs using the new Azure Monitor agent (AMA) or the legacy Log Analytics agent?     |**CEF**:<br>• [New AMA connector](connect-cef-ama.md)<br>• [Legacy agent](connect-common-event-format.md)<br><br>**Syslog**:<br>• To ingest logs over Syslog with the AMA, [create a DCR](../azure-monitor/essentials/data-collection-rule-structure.md).<br>• Ingest logs via the [legacy agent](connect-common-event-format.md).       |
 
 ## Next steps
 

articles/sentinel/connect-cef-syslog.md

@@ -10,9 +10,9 @@ ms.author: lwainstein
 
 # Stream logs in both the CEF and Syslog format
 
-This article describes how to stream and filter logs in both the CEF and Syslog format to your Microsoft Sentinel workspace from multiple on-premises appliances. This process is relevant when your organization uses different appliances that ingest logs over both CEF and Syslog, and you want to ingest both types of data without duplications. 
+This article describes how to stream and filter logs in both the CEF and Syslog format to your Microsoft Sentinel workspace from multiple on-premises appliances. If your organization uses some appliances that ingest logs over CEF and other appliances that ingest logs over Syslog, you can use this process to ingest both types of data without duplications. 
 
-During this process, you use the Azure Monitor Agent (AMA), which uses Data Collection Rules (DCRs). With DCRs, you can filter the logs before they're ingested, for quicker upload, efficient analysis, and querying. Data Collection Rules (DCRs) to filter the logs before they're ingested, for quicker upload, efficient analysis, and querying.
+During this process, you use the Azure Monitor Agent (AMA) and Data Collection Rules (DCRs). With DCRs, you can filter the logs before they're ingested, for quicker upload, efficient analysis, and querying. Data Collection Rules (DCRs) to filter the logs before they're ingested, for quicker upload, efficient analysis, and querying.
 
 > [!IMPORTANT]
 >
@@ -34,14 +34,14 @@ Before you begin, verify that you have:
 
 ## Separate your facilities
 
-To avoid data duplication, each DCR you configure in the next steps uses a separate facility for CEF and Syslog. To ensure that data isn't duplicated, make sure that the appliance that sends Syslog data and the appliance that sends CEF data do so on different facilities, for example `local1` ad `local2`. 
+To avoid data duplication, make sure that the appliance that sends Syslog data and the appliance that sends CEF data do so on different facilities, for example `local1` ad `local2`. Make sure that each DCR you configure in the next steps uses the relevant facility for CEF or Syslog respectively.
 
 ## Create a DCR for your CEF logs
 
-- Create the DCR: via the UI:
+- Create the DCR via the UI:
     1. [Open the connector page and create the DCR](connect-cef-ama.md#open-the-connector-page-and-create-the-dcr).
-    1. [Define resources (VMs)](connect-cef-ama.md#define-resources-vms)
-    1. [Select the data source type and create the DCR](connect-cef-ama.md#select-the-data-source-type-and-create-the-dcr)
+    1. [Define resources (VMs)](connect-cef-ama.md#define-resources-vms).
+    1. [Select the data source type and create the DCR](connect-cef-ama.md#select-the-data-source-type-and-create-the-dcr).
 
         > [!NOTE]
         > **Using the same machine to forward both plain Syslog *and* CEF messages**
@@ -50,17 +50,17 @@ To avoid data duplication, each DCR you configure in the next steps uses a separ
         >
         > On each source machine that sends logs to the forwarder in CEF format, you must edit the Syslog configuration file to remove the facilities that are being used to send CEF messages. This way, the facilities that are sent in CEF won't also be sent in Syslog.
 
-    1. [Run the installation script](connect-cef-ama.md)
+    1. [Run the installation script](connect-cef-ama.md).
 
 - Create the DCR via the API:
-    1. [Create the request URL and header](connect-cef-ama.md#request-url-and-header) 
-    1. [Create the request body](connect-cef-ama.md#request-body)
+    1. [Create the request URL and header](connect-cef-ama.md#request-url-and-header). 
+    1. [Create the request body](connect-cef-ama.md#request-body).
 
-        See [examples of facilities and log levels sections](connect-cef-ama.md#examples-of-facilities-and-log-levels-sections).
+    See [examples of facilities and log levels sections](connect-cef-ama.md#examples-of-facilities-and-log-levels-sections).
 
 ## Create a DCR for your Syslog logs
 
-Create the DCR for your Syslog logs using the [guidelines](/azure-monitor/essentials/data-collection-rule-overview) and [structure](/azure-monitor/essentials/data-collection-rule-structure). Review the [best practices](/azure-monitor/essentials/data-collection-rule-best-practices) if needed.
+Create the DCR for your Syslog-based logs using the Azure Monitor [guidelines](../azure-monitor/essentials/data-collection-rule-overview) and [structure](../azure-monitor/essentials/data-collection-rule-structure). Review the [best practices](../azure-monitor/essentials/data-collection-rule-best-practices) if needed.
 
 ## Create a DCR for both Syslog and CEF logs
 
@@ -83,73 +83,73 @@ Create the DCR for your Syslog logs using the [guidelines](/azure-monitor/essent
     - Add the filter and facility log levels in the `facilityNames` and `logLevels` parameters.
 
     ```rest
-    {
-    "properties": {
-      "immutableId": "dcr-c7847b758fb0484b88b51c5d907796a6",
-      "dataSources": {
-        "syslog": [
-          {
-            "streams": ["Microsoft-Syslog"],
-            "facilityNames": ["auth"],
-            "logLevels": [
-              "Info",
-              "Notice",
-              "Warning",
-              "Error",
-              "Critical",
-              "Alert",
-              "Emergency"
-            ],
-            "name": "sysLogsDataSource--1469397783"
+        {
+        "properties": {
+          "immutableId": "dcr-c7847b758fb0484b88b51c5d907796a6",
+          "dataSources": {
+            "syslog": [
+              {
+                "streams": ["Microsoft-Syslog"],
+                "facilityNames": ["auth"],
+                "logLevels": [
+                  "Info",
+                  "Notice",
+                  "Warning",
+                  "Error",
+                  "Critical",
+                  "Alert",
+                  "Emergency"
+                ],
+                "name": "sysLogsDataSource--1469397783"
+              },
+              {
+                "streams": ["Microsoft-CommonSecurityLog"],
+                "facilityNames": [
+                  "local4"
+                ],
+                "logLevels": [
+                  "Warning"
+                ],
+                "name": "sysLogsDataSource-1688419672"
+              }
+            ]
           },
-          {
-            "streams": ["Microsoft-CommonSecurityLog"],
-            "facilityNames": [
-              "local4"
-            ],
-            "logLevels": [
-              "Warning"
-            ],
-            "name": "sysLogsDataSource-1688419672"
-          }
-        ]
-      },
-      "destinations": {
-        "logAnalytics": [
-          {
-            "workspaceResourceId": "/subscriptions/<sub-id>/resourceGroups/<resourceGroup>/providers/Microsoft.OperationalInsights/workspaces/<WS>",
-            "workspaceId": "<WS-ID>",
-            "name": "la--591870646"
-          }
-        ]
-      },
-      "dataFlows": [
-        { "streams": ["Microsoft-Syslog", "Microsoft-CommonSecurityLog"], "destinations": ["la--591870646"] }
-      ],
-      "provisioningState": "Succeeded"
-    },
-    "location": "eastus",
-    "tags": {},
-    "kind": "Linux",
-    "id": "/subscriptions/<sub-id>/resourceGroups/<resourceGroup>/providers/Microsoft.Insights/dataCollectionRules/<DCR-Name>",
-    "name": "<DCR-Name>",
-    "type": "Microsoft.Insights/dataCollectionRules",
-    "etag": "\"6d00bdde-0000-0100-0000-62c177f70000\"",
-    "systemData": {
-      "createdBy": someuser@microsoft.com,
-      "createdByType": "User",
-      "createdAt": "2022-07-03T11:05:27.2454015Z",
-      "lastModifiedBy": someuser@microsoft.com,
-      "lastModifiedByType": "User",
-      "lastModifiedAt": "2022-07-03T11:05:27.2454015Z"
-    }
-  }
+          "destinations": {
+            "logAnalytics": [
+              {
+                "workspaceResourceId": "/subscriptions/<sub-id>/resourceGroups/<resourceGroup>/providers/Microsoft.OperationalInsights/workspaces/<WS>",
+                "workspaceId": "<WS-ID>",
+                "name": "la--591870646"
+              }
+            ]
+          },
+          "dataFlows": [
+            { "streams": ["Microsoft-Syslog", "Microsoft-CommonSecurityLog"], "destinations": ["la--591870646"] }
+          ],
+          "provisioningState": "Succeeded"
+        },
+        "location": "eastus",
+        "tags": {},
+        "kind": "Linux",
+        "id": "/subscriptions/<sub-id>/resourceGroups/<resourceGroup>/providers/Microsoft.Insights/dataCollectionRules/<DCR-Name>",
+        "name": "<DCR-Name>",
+        "type": "Microsoft.Insights/dataCollectionRules",
+        "etag": "\"6d00bdde-0000-0100-0000-62c177f70000\"",
+        "systemData": {
+          "createdBy": someuser@microsoft.com,
+          "createdByType": "User",
+          "createdAt": "2022-07-03T11:05:27.2454015Z",
+          "lastModifiedBy": someuser@microsoft.com,
+          "lastModifiedByType": "User",
+          "lastModifiedAt": "2022-07-03T11:05:27.2454015Z"
+        }
+      }    
     ```
 1. After you finish editing the template, use `POST` or `PUT` to deploy it:
 
     ```rest
         PUT
-https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Insights/dataCollectionRules/{dataCollectionRuleName}?api-version=2019-11-01-preview    
+        https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Insights/dataCollectionRules/{dataCollectionRuleName}?api-version=2019-11-01-preview        
     ```
 
 See [examples of facilities and log levels sections](connect-cef-ama.md#examples-of-facilities-and-log-levels-sections).