
Create an Azure Sentinel Instance

https://azure.microsoft.com/en-ca/services/azure-sentinel/

https://portal.azure.com/#home


In the portal, first search for Sentinel and create a workspace; you can then add a Sentinel instance to that workspace.

Collect Data


Connectors

Syslog Connector

https://docs.microsoft.com/en-us/azure/sentinel/connect-syslog

Linux agent

wget https://raw.githubusercontent.com/Microsoft/OMS-Agent-for-Linux/master/installer/scripts/onboard_agent.sh && sh onboard_agent.sh -w xxx -s xxx -d opinsights.azure.com

Output

--2021-07-02 10:47:00--  https://raw.githubusercontent.com/Microsoft/OMS-Agent-for-Linux/master/installer/scripts/onboard_agent.sh
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.108.133, 185.199.109.133, 185.199.110.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3184 (3.1K) [text/plain]
Saving to: 'onboard_agent.sh'

onboard_agent.sh    100%[===================>]   3.11K  --.-KB/s    in 0s      

2021-07-02 10:47:00 (9.09 MB/s) - 'onboard_agent.sh' saved [3184/3184]

--2021-07-02 10:47:00--  https://github.com/microsoft/OMS-Agent-for-Linux/releases/download/OMSAgent_v1.13.35-0/omsagent-1.13.35-0.universal.x64.sh
Resolving github.com (github.com)... 140.82.113.4
Connecting to github.com (github.com)|140.82.113.4|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://github-releases.githubusercontent.com/43709699/32a20280-8351-11eb-9b26-60e519b0d475?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20210702%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20210702T144616Z&X-Amz-Expires=300&X-Amz-Signature=b0b831e92322e2228dc25293996461a88c04ee282172d91117006eb0a88609aa&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=43709699&response-content-disposition=attachment%3B%20filename%3Domsagent-1.13.35-0.universal.x64.sh&response-content-type=application%2Foctet-stream [following]
--2021-07-02 10:47:00--  https://github-releases.githubusercontent.com/43709699/32a20280-8351-11eb-9b26-60e519b0d475?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20210702%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20210702T144616Z&X-Amz-Expires=300&X-Amz-Signature=b0b831e92322e2228dc25293996461a88c04ee282172d91117006eb0a88609aa&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=43709699&response-content-disposition=attachment%3B%20filename%3Domsagent-1.13.35-0.universal.x64.sh&response-content-type=application%2Foctet-stream
Resolving github-releases.githubusercontent.com (github-releases.githubusercontent.com)... 185.199.110.154, 185.199.111.154, 185.199.109.154, ...
Connecting to github-releases.githubusercontent.com (github-releases.githubusercontent.com)|185.199.110.154|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 141916898 (135M) [application/octet-stream]
Saving to: 'omsagent-1.13.35-0.universal.x64.sh'

omsagent-1.13.35-0. 100%[===================>] 135.34M  5.79MB/s    in 23s     

2021-07-02 10:47:24 (5.79 MB/s) - 'omsagent-1.13.35-0.universal.x64.sh' saved [141916898/141916898]

Checking host architecture ...
Extracting...
----- Upgrading package: omi (omi-1.6.4-0.ulinux.x64) -----
Selecting previously unselected package omi.
(Reading database ... 146300 files and directories currently installed.)
Preparing to unpack 110/omi-1.6.4-0.ulinux.x64.deb ...
Creating omiusers group ...
Creating omi group ...
Creating omi service account ...
Unpacking omi (1.6.4.0) ...
Setting up omi (1.6.4.0) ...
Generating a RSA private key
.............+++++
....................................................................................+++++
writing new private key to '/etc/opt/omi/ssl/omikey.pem'
-----
2021-07-02 10:47:33 : Crontab not configured to update omi keytab automatically. Skip unconfigure
2021-07-02 10:47:33 : Crontab configured to update omi keytab automatically
Checking if cron is installed...
Checking if cron/crond service is started...
Set up a cron job to OMI logrotate every 15 minutes
Configuring OMI service ...
Created symlink /etc/systemd/system/multi-user.target.wants/omid.service → /lib/systemd/system/omid.service.
Trying to start omi with systemctl
omi is started.
Processing triggers for systemd (245.4-4ubuntu3.2) ...
Trying to stop omi with systemctl
omi is stopped.
Trying to start omi with systemctl
omi is started.
----- Upgrading package: scx (scx-1.6.4-7.universal.x64) -----
Selecting previously unselected package scx.
(Reading database ... 146363 files and directories currently installed.)
Preparing to unpack .../scx-1.6.4-7.universal.x64.deb ...
Unpacking scx (1.6.4.7) ...
Setting up scx (1.6.4.7) ...
Generating certificate with hostname="deepthought"
Trying to stop omi with systemctl
omi is stopped.
Trying to start omi with systemctl
omi is started.
----- Upgrading package: omsagent (omsagent-1.13.35-0.universal.x64) -----
Selecting previously unselected package omsagent.
(Reading database ... 146408 files and directories currently installed.)
Preparing to unpack .../omsagent-1.13.35-0.universal.x64.deb ...
Creating omsagent group ...
Creating omsagent service account ...
Creating nxautomation group ...
Creating nxautomation service account ...
Unpacking omsagent (1.13.35.0) ...
Setting up omsagent (1.13.35.0) ...
-e info	Reading onboarding params from: /etc/omsagent-onboard.conf
Workspace bda5ca3c-70bc-41b5-9c6b-9daa6ed318ba already onboarded and agent is running.
Symbolic links have not been created; re-onboarding to create them
info	Generating certificate ...
-e info	Agent GUID is d9f64fc4-0ecf-4f92-8f8b-18919fabb8c0
-e info	Onboarding success
Configure syslog...
Configuring rsyslog for OMS logging
Restarting service: rsyslog
Configure heartbeat monitoring agent...
Configure log rotate for workspace bda5ca3c-70bc-41b5-9c6b-9daa6ed318ba...
INFO:  Configuring OMS agent service bda5ca3c-70bc-41b5-9c6b-9daa6ed318ba ...
-e error	MetaConfig generation script not available at /opt/microsoft/omsconfig/Scripts/python3/OMS_MetaConfigHelper.py
Trying to stop omi with systemctl
omi is stopped.
Trying to start omi with systemctl
omi is started.
Configure log rotate for workspace bda5ca3c-70bc-41b5-9c6b-9daa6ed318ba...
Processing triggers for systemd (245.4-4ubuntu3.2) ...
Applying Syslog conf hotfix...
----- Upgrading package: omsconfig (omsconfig-1.1.1-930.x64) -----
Selecting previously unselected package omsconfig.
(Reading database ... 156339 files and directories currently installed.)
Preparing to unpack .../omsconfig-1.1.1-930.x64.deb ...
Using python3
Cleanning up existing dsc_hosts...
chmod: cannot access '/opt/dsc': No such file or directory
Cleaned up existing dsc_hosts...
Unpacking omsconfig (1.1.1.930) ...
Setting up omsconfig (1.1.1.930) ...
Using python3
Running python3, python version is , python3
/opt/microsoft/omsconfig/Scripts/python3/nxDSCLog.py:53: SyntaxWarning: "is" with a literal. Did you mean "=="?
  if message is None or len(message) is 0:
VERBOSE from InstallModule.py: Extracting module zip file from /opt/microsoft/omsconfig/module_packages/nx_1.0.zip to /opt/microsoft/omsconfig/modules
VERBOSE from InstallModule.py: Installing resource MSFT_nxPackageResource
VERBOSE from InstallModule.py: Updated permissions of file: /opt/omi/lib/libMSFT_nxPackageResource_root-oms.so to 0o644
VERBOSE from InstallModule.py: Updated permissions of file: /opt/dsc/lib/MSFT_nxPackageResource/libMSFT_nxPackageResource.so to 0o644
VERBOSE from InstallModule.py: Updated permissions of file: /etc/opt/omi/conf/omiregister/root-oms/MSFT_nxPackageResource.reg to 0o644
VERBOSE from InstallModule.py: Installing resource MSFT_nxServiceResource
VERBOSE from InstallModule.py: Updated permissions of file: /opt/omi/lib/libMSFT_nxServiceResource_root-oms.so to 0o644
VERBOSE from InstallModule.py: Updated permissions of file: /opt/dsc/lib/MSFT_nxServiceResource/libMSFT_nxServiceResource.so to 0o644
VERBOSE from InstallModule.py: Updated permissions of file: /etc/opt/omi/conf/omiregister/root-oms/MSFT_nxServiceResource.reg to 0o644
VERBOSE from InstallModule.py: Installing resource MSFT_nxAvailableUpdatesResource
VERBOSE from InstallModule.py: Updated permissions of file: /opt/omi/lib/libMSFT_nxAvailableUpdatesResource_root-oms.so to 0o644
VERBOSE from InstallModule.py: Updated permissions of file: /opt/dsc/lib/MSFT_nxAvailableUpdatesResource/libMSFT_nxAvailableUpdatesResource.so to 0o644
VERBOSE from InstallModule.py: Updated permissions of file: /etc/opt/omi/conf/omiregister/root-oms/MSFT_nxAvailableUpdatesResource.reg to 0o644
VERBOSE from InstallModule.py: Installing resource MSFT_nxUserResource
VERBOSE from InstallModule.py: Updated permissions of file: /opt/omi/lib/libMSFT_nxUserResource_root-oms.so to 0o644
VERBOSE from InstallModule.py: Updated permissions of file: /opt/dsc/lib/MSFT_nxUserResource/libMSFT_nxUserResource.so to 0o644
VERBOSE from InstallModule.py: Updated permissions of file: /etc/opt/omi/conf/omiregister/root-oms/MSFT_nxUserResource.reg to 0o644
VERBOSE from InstallModule.py: Installing resource MSFT_nxGroupResource
VERBOSE from InstallModule.py: Updated permissions of file: /opt/omi/lib/libMSFT_nxGroupResource_root-oms.so to 0o644
VERBOSE from InstallModule.py: Updated permissions of file: /opt/dsc/lib/MSFT_nxGroupResource/libMSFT_nxGroupResource.so to 0o644
VERBOSE from InstallModule.py: Updated permissions of file: /etc/opt/omi/conf/omiregister/root-oms/MSFT_nxGroupResource.reg to 0o644
The result code is 0
VERBOSE from InstallModule.py: Extracting module zip file from /opt/microsoft/omsconfig/module_packages/nxOMSPerfCounter_2.3.zip to /opt/microsoft/omsconfig/modules
VERBOSE from InstallModule.py: Installing resource MSFT_nxOMSPerfCounterResource
VERBOSE from InstallModule.py: Updated permissions of file: /opt/omi/lib/libMSFT_nxOMSPerfCounterResource_root-oms.so to 0o644
VERBOSE from InstallModule.py: Updated permissions of file: /opt/dsc/lib/MSFT_nxOMSPerfCounterResource/libMSFT_nxOMSPerfCounterResource.so to 0o644
VERBOSE from InstallModule.py: Updated permissions of file: /etc/opt/omi/conf/omiregister/root-oms/MSFT_nxOMSPerfCounterResource.reg to 0o644
The result code is 0
VERBOSE from InstallModule.py: Extracting module zip file from /opt/microsoft/omsconfig/module_packages/nxOMSSyslog_2.5.zip to /opt/microsoft/omsconfig/modules
VERBOSE from InstallModule.py: Installing resource MSFT_nxOMSSyslogResource
VERBOSE from InstallModule.py: Updated permissions of file: /opt/omi/lib/libMSFT_nxOMSSyslogResource_root-oms.so to 0o644
VERBOSE from InstallModule.py: Updated permissions of file: /opt/dsc/lib/MSFT_nxOMSSyslogResource/libMSFT_nxOMSSyslogResource.so to 0o644
VERBOSE from InstallModule.py: Updated permissions of file: /etc/opt/omi/conf/omiregister/root-oms/MSFT_nxOMSSyslogResource.reg to 0o644
The result code is 0
VERBOSE from InstallModule.py: Extracting module zip file from /opt/microsoft/omsconfig/module_packages/nxOMSSudoCustomLog_2.7.zip to /opt/microsoft/omsconfig/modules
VERBOSE from InstallModule.py: Installing resource MSFT_nxOMSSudoCustomLogResource
VERBOSE from InstallModule.py: Updated permissions of file: /opt/omi/lib/libMSFT_nxOMSSudoCustomLogResource_root-oms.so to 0o644
VERBOSE from InstallModule.py: Updated permissions of file: /opt/dsc/lib/MSFT_nxOMSSudoCustomLogResource/libMSFT_nxOMSSudoCustomLogResource.so to 0o644
VERBOSE from InstallModule.py: Updated permissions of file: /etc/opt/omi/conf/omiregister/root-oms/MSFT_nxOMSSudoCustomLogResource.reg to 0o644
The result code is 0
VERBOSE from InstallModule.py: Extracting module zip file from /opt/microsoft/omsconfig/module_packages/nxOMSKeyMgmt_1.0.zip to /opt/microsoft/omsconfig/modules
VERBOSE from InstallModule.py: Installing resource MSFT_nxOMSKeyMgmtResource
VERBOSE from InstallModule.py: Updated permissions of file: /opt/omi/lib/libMSFT_nxOMSKeyMgmtResource_root-oms.so to 0o644
VERBOSE from InstallModule.py: Updated permissions of file: /opt/dsc/lib/MSFT_nxOMSKeyMgmtResource/libMSFT_nxOMSKeyMgmtResource.so to 0o644
VERBOSE from InstallModule.py: Updated permissions of file: /etc/opt/omi/conf/omiregister/root-oms/MSFT_nxOMSKeyMgmtResource.reg to 0o644
The result code is 0
VERBOSE from InstallModule.py: Extracting module zip file from /opt/microsoft/omsconfig/module_packages/nxFileInventory_1.3.zip to /opt/microsoft/omsconfig/modules
VERBOSE from InstallModule.py: Installing resource MSFT_nxFileInventoryResource
VERBOSE from InstallModule.py: Updated permissions of file: /opt/omi/lib/libMSFT_nxFileInventoryResource_root-oms.so to 0o644
VERBOSE from InstallModule.py: Updated permissions of file: /opt/dsc/lib/MSFT_nxFileInventoryResource/libMSFT_nxFileInventoryResource.so to 0o644
VERBOSE from InstallModule.py: Updated permissions of file: /etc/opt/omi/conf/omiregister/root-oms/MSFT_nxFileInventoryResource.reg to 0o644
The result code is 0
-bash: /opt/microsoft/omsconfig/Scripts/InstallModule.py: /usr/bin/python: bad interpreter: No such file or directory
gpg: keybox '/etc/opt/omi/conf/omsconfig/keymgmtring.gpg' created
gpg: directory '/etc/opt/omi/conf/omsconfig/.gnupg' created
gpg: /etc/opt/omi/conf/omsconfig/.gnupg/trustdb.gpg: trustdb created
gpg: key C4EC49E544BC4178: public key "Microsoft (Release Signing) <msgpgkey@microsoft.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: keybox '/etc/opt/omi/conf/omsconfig/keyring.gpg' created
gpg: key 20541A3DDE321294: public key "Microsoft (Release Signing) <dscgpgkey@microsoft.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
Trying to stop omi with systemctl
omi is stopped.
Trying to start omi with systemctl
omi is started.
Running python3
VERBOSE from OMS_MetaConfigHelper.py: OMS config path being read: /etc/opt/microsoft/omsagent/bda5ca3c-70bc-41b5-9c6b-9daa6ed318ba/conf/omsadmin.conf
VERBOSE from OMS_MetaConfigHelper.py: Output from3: /opt/microsoft/omsconfig/Scripts/python3/SetDscLocalConfigurationManager.py -configurationmof /etc/opt/omi/conf/omsconfig/generated_meta_config.mof: Opened the dsc host lock file at the path '/opt/dsc/dsc_host_lock'
[2021/07/02 10:48:09] [1294393] [INFO] [0] [/opt/microsoft/omsconfig/Scripts/python3/SetDscLocalConfigurationManager.py:0] dsc_host lock file is acquired by : SendMetaConfigurationApply

Operation SendMetaConfigurationApply completed successfully.
Operation was successful.

Operation SendMetaConfigurationApply completed successfully.
Operation was successful.


VERBOSE from OMS_MetaConfigHelper.py: Successfully configured omsconfig.
Applying DSC nxOMSSyslog hotfix...
Trying to stop omi with systemctl
omi is stopped.
Trying to start omi with systemctl
omi is started.
----- Updating bundled packages -----
Checking if Apache is installed ...
  Apache not found, will not install
Checking if Docker is installed...
  Docker version greater or equal than 17.* found. Docker agent will be installed
Extracting...
Updating container agent ...
----- Updating package: docker-cimprov (docker-cimprov-1.0.0-37.universal.x86_64) -----
Selecting previously unselected package docker-cimprov.
(Reading database ... 156440 files and directories currently installed.)
Preparing to unpack docker-cimprov-1.0.0-37.universal.x86_64.deb ...
Unpacking docker-cimprov (1.0.0.37) ...
Setting up docker-cimprov (1.0.0.37) ...
Trying to stop omi with systemctl
omi is stopped.
Trying to start omi with systemctl
omi is started.
instance of Container_HostInventory
{
    [Key] InstanceID=55def11b-96b9-495b-9f1d-6cb84bd3b3f3
    Computer=deepthought
    DockerVersion=19.03.13
    OperatingSystem=Ubuntu Core 18
    Volume=local
    Network=bridge host ipvlan macvlan null overlay 
    NodeRole=Not Orchestrated
    OrchestratorType=None
}
Checking if MySQL is installed ...
  MySQL not found, will not install
Extracting...
Updating auoms ...
----- Updating package: auoms (auoms-2.3.4-31.universal.x64) -----
Selecting previously unselected package auoms.
(Reading database ... 156465 files and directories currently installed.)
Preparing to unpack auoms-2.3.4-31.universal.x64.deb ...
Unpacking auoms (2.3.4.31) ...
Setting up auoms (2.3.4.31) ...
Processing triggers for systemd (245.4-4ubuntu3.2) ...
OMS Troubleshooter is installed.
You can run the Troubleshooter with the following command:

  $ sudo /opt/microsoft/omsagent/bin/troubleshooter

Shell bundle exiting with code 0
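The onboarding output above ends with "Shell bundle exiting with code 0" even though it contains error lines (the missing MetaConfig helper, the chmod on /opt/dsc, the /usr/bin/python bad interpreter), so the exit code alone is not a reliable sign that the agent is healthy. The following script is an added example, not part of the original page or of the OMS agent project: it scans a saved copy of the onboard_agent.sh output for the success marker, pulls out the workspace and agent GUIDs, and lists any error lines that still deserve a look. The sample log it writes is constructed from the lines shown above with placeholder GUIDs, and the function names are the author's own.

```shell
#!/bin/sh
# Added example (not from the original page): post-onboarding checks for the
# OMS Linux agent, run over a saved copy of the onboard_agent.sh output, e.g.
#   sh onboard_agent.sh -w ... -s ... -d opinsights.azure.com 2>&1 | tee onboard.log
# Function names and the sample log below are constructed for illustration.

# Workspace ID reported on the "Workspace <id> already onboarded ..." line.
oms_workspace_id() {
  sed -n 's/^Workspace \([0-9a-f-]*\) .*/\1/p' "$1" | head -n 1
}

# Agent GUID; the leading "-e " on the installer's line is echo noise, so
# the pattern does not anchor on the start of the line.
oms_agent_guid() {
  sed -n 's/.*Agent GUID is \([0-9a-f-]*\).*/\1/p' "$1" | head -n 1
}

# Number of lines the installer tagged as errors or that the shell reported
# ("bad interpreter", "cannot access"). grep -c prints 0 and exits 1 when
# nothing matches, so the exit status is ignored and only the count is used.
oms_error_count() {
  grep -c -E 'error|bad interpreter|cannot access' "$1" || true
}

# Overall verdict: 0 = clean, 1 = onboarding failed, 2 = onboarded but with
# error lines that should be reviewed before trusting the data feed.
oms_onboard_verify() {
  log=$1
  if ! grep -q 'Onboarding success' "$log"; then
    echo "FAIL: no 'Onboarding success' marker in $log" >&2
    return 1
  fi
  if ! grep -q 'Shell bundle exiting with code 0' "$log"; then
    echo "FAIL: installer bundle did not exit cleanly" >&2
    return 1
  fi
  echo "workspace:  $(oms_workspace_id "$log")"
  echo "agent guid: $(oms_agent_guid "$log")"
  n=$(oms_error_count "$log")
  if [ "$n" -gt 0 ]; then
    echo "WARN: $n error line(s) to review:" >&2
    grep -n -E 'error|bad interpreter|cannot access' "$log" >&2
    return 2
  fi
  echo "OK: onboarding clean"
  return 0
}

# Constructed sample log mirroring the output on this page, with placeholder
# GUIDs instead of a real workspace or agent ID.
oms_write_sample_log() {
  cat > "$1" <<'EOF'
-e info  Reading onboarding params from: /etc/omsagent-onboard.conf
Workspace 00000000-0000-0000-0000-000000000000 already onboarded and agent is running.
-e info  Agent GUID is 11111111-1111-1111-1111-111111111111
-e info  Onboarding success
chmod: cannot access '/opt/dsc': No such file or directory
-e error MetaConfig generation script not available at /opt/microsoft/omsconfig/Scripts/python3/OMS_MetaConfigHelper.py
-bash: /opt/microsoft/omsconfig/Scripts/InstallModule.py: /usr/bin/python: bad interpreter: No such file or directory
Shell bundle exiting with code 0
EOF
}

# Stand-alone use: sh check_onboard.sh onboard.log
if [ "$#" -gt 0 ]; then
  oms_onboard_verify "$1"
fi
```

Running it against the sample log prints the two IDs and then warns about three error lines, exiting with status 2; a clean onboarding (no error lines) exits 0. Keep the onboarding key out of the saved log: the script above only captures the installer's output, not the command line that carried -w and -s.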



References

What is Azure Sentinel and why you should care | Azure Tips and Tricks: https://www.youtube.com/watch?v=dRpOR2GpL1s
Azure Sentinel: https://azure.microsoft.com/en-ca/services/azure-sentinel/
Azure Portal: https://portal.azure.com/#home