Hi There,
We have configured a Syslog server (Linux) in SPP and SPS. The Syslog server feeds the Azure Sentinel SIEM solution.
In SPP, I am using External Integration -> Syslog
In SPS, I am using Universal SIEM Forwarder.
Connections work fine (verified with the telnet tool in SPP and SPS to check that SPP and SPS can connect to the Syslog server over the TCP port assigned to it). We are connecting over non-SSL for now. The format is CEF.
However, no events are relayed to the Syslog server from either SPP or SPS. I don't see any SPP/SPS events listed on the Syslog server. Wondering why?
For SPP, we used the facility "User" and user-related events such as user authentication, user created, user deleted, etc. I tried a "Test Event" and it shows the event fired successfully, but I don't have any events on the Syslog server.
Are any further steps required here? I appreciate any suggestions.
Regards,
Rajeeb
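One way to narrow down where the events are being lost, as an added example that is not part of the original post or of the SPP/SPS products: run a bare TCP syslog listener on the collector side (or on any host the sender can reach), fire the "Test Event", and see whether anything arrives at all and what it looks like. The script below does that and also parses the received CEF-over-syslog line, so the facility/severity in the PRI header and the CEF header fields can be compared with what the SIEM expects. The sample line, vendor, product and field values are constructed for the example; the loopback round trip only demonstrates the framing and can be replaced with a real listener via `serve()`.

```python
"""Added example (not from the original post): a minimal TCP syslog receiver
plus a CEF parser for checking what a sender such as SPP/SPS actually
delivers. All sample values are constructed for the example."""
import re
import socket
import threading

# Constructed sample of a CEF message with an RFC 3164 style syslog header.
# <14> = facility 1 ("user") * 8 + severity 6 (informational).
SAMPLE_LINE = (
    "<14>Jan 10 12:00:00 spp-host CEF:0|ExampleVendor|ExampleSPP|7.0|1001|"
    "User authenticated|3|suser=alice src=10.0.0.5 msg=Login succeeded\\=ok"
)

SYSLOG_PRI_RE = re.compile(r"^<(\d{1,3})>")
EXT_KEY_RE = re.compile(r"(?:^| )([^ =\\]+)=")  # 'key=' at start or after a space


def parse_pri(line):
    """Return (facility, severity) from the syslog <PRI> prefix, or None."""
    m = SYSLOG_PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    return pri // 8, pri % 8


def split_cef_header(cef):
    """Split the 7 pipe-delimited CEF header fields; '\\|' and '\\\\' are escapes.
    The 8th element is the raw extension string (it has its own escaping)."""
    parts, cur, i = [], [], 0
    while i < len(cef) and len(parts) < 7:
        c = cef[i]
        if c == "\\" and i + 1 < len(cef):
            cur.append(cef[i + 1])
            i += 2
            continue
        if c == "|":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    parts.append(cef[i:])
    return parts


def unescape_ext(value):
    """Undo CEF extension escaping: '\\=' -> '=', '\\\\' -> '\\', '\\n', '\\r'."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append({"n": "\n", "r": "\r"}.get(value[i + 1], value[i + 1]))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_extension(ext):
    """Parse 'key=value key2=value with spaces' into a dict."""
    matches = list(EXT_KEY_RE.finditer(ext))
    fields = {}
    for n, m in enumerate(matches):
        end = matches[n + 1].start() if n + 1 < len(matches) else len(ext)
        fields[m.group(1)] = unescape_ext(ext[m.end():end])
    return fields


def parse_cef(line):
    """Parse one syslog line carrying a CEF payload into a dict."""
    pri = parse_pri(line)
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("no CEF payload in line")
    parts = split_cef_header(line[idx:])
    if len(parts) != 8:
        raise ValueError("malformed CEF header (expected 7 pipes)")
    return {
        "facility": pri[0] if pri else None, "severity": pri[1] if pri else None,
        "cef_version": parts[0][len("CEF:"):], "vendor": parts[1],
        "product": parts[2], "device_version": parts[3], "signature_id": parts[4],
        "name": parts[5], "cef_severity": parts[6], "extension": parse_extension(parts[7]),
    }


def read_line(conn):
    """Read one newline-terminated syslog line from a TCP connection."""
    buf = b""
    while b"\n" not in buf:
        chunk = conn.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf.split(b"\n", 1)[0].decode("utf-8", "replace")


def loopback_roundtrip(line):
    """Send one line to a local ephemeral-port listener and return what arrived."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    result = []

    def accept_one():
        conn, _ = srv.accept()
        with conn:
            result.append(read_line(conn))

    t = threading.Thread(target=accept_one)
    t.start()
    with socket.create_connection(srv.getsockname(), timeout=5) as s:
        s.sendall(line.encode("utf-8") + b"\n")  # syslog-over-TCP: newline framing
    t.join(5)
    srv.close()
    return result[0] if result else None


def serve(bind="0.0.0.0", port=514):
    """Print every line received on the given port; run this on the collector
    while firing the sender's test event (port is a placeholder, not from the post)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind, port))
    srv.listen(5)
    while True:
        conn, peer = srv.accept()
        with conn:
            print(peer, parse_cef(read_line(conn)))


if __name__ == "__main__":
    print(parse_cef(loopback_roundtrip(SAMPLE_LINE)))
```

If `serve()` on the collector shows nothing after the test event, the problem is upstream of the syslog daemon (sender configuration, firewall, or the sender never emitting over the chosen TCP port); if lines arrive but the SIEM shows nothing, the daemon's filtering or the facility/severity mapping is the next thing to check.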