Process: Missing Firewall logs from Sentinel ingestion
This alert occurs if Microsoft Sentinel does not receive logs from our firewalls for more than an hour.
Log ingestion for the firewalls works as follows:
1. Logs are generated on the Firewall
2. Firewall then sends the logs to our syslog servers (syslog-prd01 hosted on the 365 Tenant)
3. The OMS Agent on the syslog servers then sends the logs to Microsoft Sentinel
Troubleshooting:
1. Run a KQL query in Sentinel on the 365 Tenant to collect information on the affected Firewalls.
a. For NET13918-READING-FW3:
Go to Log Analytics and run query
CommonSecurityLog
| where Computer contains "NET13918-READING-FW3"
| sort by TimeGenerated desc
b. For NET13918-READING-FW4:
Go to Log Analytics and run query
CommonSecurityLog
| where Computer contains "NET13918-READING-FW4"
| sort by TimeGenerated desc
c. For NET13918-ELLAND-FW2:
Go to Log Analytics and run query
CommonSecurityLog
| where Computer contains "NET13918-ELLAND-FW2"
| sort by TimeGenerated desc
2. If no logs are found in the past hour, do the following:
a. Restart the syslog-prd01 server in the 365 tenant
3. If all else fails, escalate to Redcentric to confirm if logs are being sent out.
4. If Redcentric confirms logs are being sent out, further troubleshooting will be needed on the syslog servers:
a. Ensure the syslog and OMS agent services are running
b. Reinstall OMS Agent
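Added example (not part of the original runbook): a single Log Analytics query that covers all three firewalls from step 1 in one run, flags any firewall with no CommonSecurityLog events for longer than the one-hour alert threshold, and still lists a firewall that has sent nothing at all. The per-firewall queries in step 1 return zero rows for a fully silent device, which is easy to misread. Assumptions: the Computer field may carry a domain suffix, so the host name is normalised by splitting on "." (drop that line if Computer is the bare hostname); the 24-hour lookback is a chosen value; the second query, a Heartbeat check on syslog-prd01 for step 4a, assumes the OMS agent on that server reports to the same workspace.

```kql
// Added example: check all three firewalls at once and flag silent ones.
let silence_threshold = 1h;                 // alert threshold from the runbook
let expected = datatable(Firewall:string)   // firewalls named in step 1
[
    "NET13918-READING-FW3",
    "NET13918-READING-FW4",
    "NET13918-ELLAND-FW2"
];
let observed =
    CommonSecurityLog
    | where TimeGenerated > ago(24h)                      // lookback window (chosen value)
    | where Computer contains "NET13918"                  // same matching style as step 1
    // Assumption: Computer may include a domain suffix; keep the short host name only
    | extend Firewall = toupper(tostring(split(Computer, ".")[0]))
    | summarize LastLogSeen = max(TimeGenerated), EventsLast24h = count() by Firewall;
expected
| join kind=leftouter observed on Firewall                // keeps firewalls with no rows at all
| extend MinutesSinceLastLog = datetime_diff('minute', now(), LastLogSeen)
| extend Status = case(
    isnull(LastLogSeen),                    "NO LOGS IN 24H - investigate",
    now() - LastLogSeen > silence_threshold, "SILENT > 1h - investigate",
                                             "OK")
| project Firewall, LastLogSeen, EventsLast24h, MinutesSinceLastLog, Status
| sort by Status asc, MinutesSinceLastLog desc

// Second query (run separately), for step 4a: is the OMS agent on the
// syslog server still heartbeating into the workspace?
Heartbeat
| where Computer contains "syslog-prd01"
| summarize LastHeartbeat = max(TimeGenerated) by Computer, OSType
| extend MinutesSinceHeartbeat = datetime_diff('minute', now(), LastHeartbeat)
```

Run each query on its own in Log Analytics (place the cursor in the query or highlight it before running). If the first query shows all three firewalls as OK but the alert fired, check the alert rule's own lookback window; if it shows a firewall as silent while the Heartbeat query shows syslog-prd01 has also stopped reporting, the fault is more likely on the syslog server (steps 2 and 4) than on the firewall or Redcentric side (step 3).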