I am attempting to integrate Azure Sentinel and CrowdStrike. I have a VM set up in Azure running Ubuntu 18.04 and have followed the vendor installation guides provided by both Microsoft and CrowdStrike. However, I am receiving an error when running this troubleshooting command:
sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py && sudo python cef_troubleshoot.py {0}
The error is "could not locate CEF message in tcpdump. Please make sure that traffic to the syslog daemon on port 514 and to the OMS agent on port 25226 are enabled on the internal firewall of the machine."
Part of the troubleshooting process involves running the commands
sudo tcpdump -A -ni any port 25226 -vv
and
sudo tcpdump -A -ni any port 25226 -vv
Neither of these commands gives any output, which I first thought might be because of a networking issue. However, I have created firewall rules to allow traffic to both ports, and from what I can tell nothing is being blocked.
I navigated to Sentinel and ran CommonSecurityLog, and saw that the mock messages were being received from the VM every time I ran the troubleshooting command. I also see the CEF data connector in Sentinel as "connected".
I have triple-checked the daemon configuration, which should contain:
if $rawmsg contains "CEF:" or $rawmsg contains "ASA-" then @@127.0.0.1:25226
I have tried purging and reinstalling the omsagent as well, and nothing so far has worked.
I'm not sure if this has anything to do with the issue, but I have another VM set up and connected to the same exact workspace. Would I need to have two different workspaces, one for each VM? If so, would I be able to connect both of these to the same Sentinel space?
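One way to isolate the rsyslog -> port 25226 hop that the troubleshooter's tcpdump is checking, as an added example that is not part of the original post and not Microsoft's or CrowdStrike's own tooling: stand in for the OMS agent with a minimal TCP listener, push a sample CEF line through the same path, and confirm what arrives parses as CEF. The sample syslog/CEF line is constructed for the example; the port 25226 and the `CEF:` / `ASA-` match condition come from the post's rsyslog rule. Anything that rsyslog forwards to the stand-in listener would equally have reached the agent, so an empty result points at the rsyslog rule or local firewall rather than at the agent or the workspace.

```python
"""Loopback check for the rsyslog -> 127.0.0.1:25226 hop used by the Sentinel CEF connector.

Run it on the collector VM with the OMS agent stopped so that this script can own
port 25226, then send a test event with `logger` from another shell. Example code,
not part of the Azure Sentinel connector or its troubleshooter.
"""
import socket
import threading

CEF_PORT = 25226  # the port the rsyslog rule in the post forwards to (@@127.0.0.1:25226)

# Constructed sample: a syslog line carrying a CEF:0 event, like the mock message
# the connector's troubleshooter sends through the pipeline.
SAMPLE_CEF = ("<134>Aug 10 12:00:00 collector CEF:0|Vendor|Product|1.0|100|test event|5|"
              "src=10.0.0.1 dst=10.0.0.2 spt=1232")

CEF_HEADER_KEYS = ["version", "vendor", "product", "device_version",
                   "signature_id", "name", "severity", "extension"]


def matches_forward_rule(rawmsg):
    """Mirror the rsyslog condition from the post: forward only CEF or Cisco ASA lines."""
    return "CEF:" in rawmsg or "ASA-" in rawmsg


def parse_cef_header(line):
    """Split a line at its CEF header into the seven header fields plus the extension.

    Returns None when the line carries no well-formed CEF header, which is what
    the Sentinel parser would also reject.
    """
    idx = line.find("CEF:")
    if idx < 0:
        return None
    parts = line[idx:].split("|", 7)
    if len(parts) < 8:
        return None
    return dict(zip(CEF_HEADER_KEYS, parts))


class StandInListener:
    """Minimal TCP listener that accepts one connection in place of the OMS agent."""

    def __init__(self, host="127.0.0.1", port=CEF_PORT):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]  # resolved port (useful when port=0)
        self.received = []
        self.thread = threading.Thread(target=self._serve, daemon=True)
        self.thread.start()

    def _serve(self):
        conn, _ = self.sock.accept()
        with conn:
            buf = b""
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                buf += chunk
        # rsyslog's @@ (TCP) forwarding frames each message with a trailing newline
        self.received = [ln for ln in buf.decode(errors="replace").split("\n") if ln]

    def wait(self, timeout=5.0):
        """Block until the sender closes the connection (or timeout) and return the lines."""
        self.thread.join(timeout)
        self.sock.close()
        return self.received


def send_syslog_tcp(message, host="127.0.0.1", port=CEF_PORT):
    """Send one newline-framed syslog line over TCP, the way rsyslog's @@ target does."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(message.encode() + b"\n")


def loopback_check(message=SAMPLE_CEF, port=0):
    """Send `message` to a stand-in listener and return the parsed CEF headers received.

    port=0 picks a free ephemeral port (safe for offline runs); use CEF_PORT on the VM.
    """
    listener = StandInListener(port=port)
    send_syslog_tcp(message, port=listener.port)
    return [parse_cef_header(ln) for ln in listener.wait()]


if __name__ == "__main__":
    # On the collector: stop the OMS agent first, then run this and, from another shell,
    #   logger -p local4.warn -t CEF "CEF:0|Vendor|Product|1.0|100|test event|5|src=10.0.0.1"
    # If nothing arrives within the timeout, rsyslog is not forwarding to 25226.
    stand_in = StandInListener(port=CEF_PORT)
    print("listening on 127.0.0.1:%d, waiting 30s for a forwarded CEF line" % stand_in.port)
    for received in stand_in.wait(timeout=30.0):
        print("forward rule would match:", matches_forward_rule(received))
        print("parsed header:", parse_cef_header(received))
```

`loopback_check()` exercises the whole path in-process, which is how the example runs offline; on the VM the `__main__` block is the useful part, because it lets you see whether rsyslog hands anything to 25226 independently of the agent. The test assertion on the `ASA-` branch is there because the post's rule also forwards Cisco ASA lines that contain no `CEF:` header at all.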