Forwarding Security Onion Logs to Azure Sentinel

[takunacy]

Hi,
I started an internship and I've been asked to ingest the Security Onion logs in Azure Sentinel SIEM. Security Onion is installed on a Physical server. Could someone help me with process or guide how to do. I already read from Sentinel how to set an ArcLinux server to receive logs in syslog format via the AMA Azure monitor Agent. But how to configure the logs collected in security Onion to be forwarded in Sentinel. DO i need to set another Linux server other than the SO server? Please help

[takunacy]

@dougburks could you help please?

[takunacy]

@MJRH54 could you help please.

[weslambert]

Hi, I started an internship and I've been asked to ingest the Security Onion logs in Azure Sentinel SIEM. Security Onion is installed on a Physical server. Could someone help me with process or guide how to do. I already read from Sentinel how to set an ArcLinux server to receive logs in syslog format via the AMA Azure monitor Agent. But how to configure the logs collected in security Onion to be forwarded in Sentinel. DO i need to set another Linux server other than the SO server? Please help

Since this is a a free support forum and support is best effort, you may want to wait a while before tagging folks (and maybe avoid so altogether). You may also want to start with https://docs.securityonion.net/en/2.4/logstash.html#forwarding-events-to-an-external-destination, which should point you in the right direction.