This article explains how to connect your Kemp LoadMaster data to Azure Sentinel. Kemp LoadMaster allows you to easily send the logs to Azure Sentinel, to view dashboards, create custom alerts, and improve investigation.
Special thanks to David O’connor who provided reference for the custom queries to parse the Kemp LoadMaster ESP CEF logs.
Using Kemp LoadMaster on Azure Sentinel will provide you more insights into your organization’s application usage, and will enhance its application experience.
Pre-requisites
- At least 1 LoadMaster – here’s a quick video on how to deploy an HA pair of LoadMasters on Azure – https://kemptechnologies.com/videos/setup-azure-load-balancing-high-availability/
- A virtual machine – Ubuntu preferred to receive and forward logs – https://wikiazure.com/compute/enable-remote-logging-on-azure-ubuntu-vm/
- A log analytics workspace
Reference Architecture
Forward Kemp LoadMaster logs.
Your Kemp LoadMaster could be on-premises or in the cloud(Azure or AWS) but first, we need to configure Kemp LoadMaster to forward Syslog messages in CEF format to your Azure workspace.
In order to forward the logs we have to go to the LoadMaster UI under System Configuration > Logging Options > Syslog Options and provide the IP address of the external syslog.
In the case of failure of any LoadMaster logs will not be available, therefore it is recommended to setup an external syslog server.
From Kemp docs:
An external Syslog server can capture all the logs the LoadMaster is already reporting and send it to the Syslog server via UDP port 514 by default. You can now use other ports other then 514 as of firmware 7.2.38.0.
The Syslog server can capture on 6 different Hosts.
Emergency Host – The system is unusable and requires immediate attention
Critical Host – Should be corrected immediately, but indicates failure in a primary system
Error Host – Non-urgent failures but should be looked at ASAP
Warn Host – Not an error, but indication that an error will occur if action is not taken
Notice Host – Events that are unusual but not error conditions – no immediate action required
Info Host – Normal operational messages – may be harvested for reporting
When applying IPs to these fields it is important to remember that the fields cascade up. You only have to configure “info host” if you wish everything to be reported to your server. You can add multiple IPs in these fields by space separating the IPs.
In this case I have previously created an Azure Linux VM(ubuntu) in an availability set that will receive the logs from the LoadMaster.
Connect Kemp LoadMaster data to Azure Sentinel
Create Azure Sentinel workspace and integrate data connectors.
Now let’s go to the Azure Portal and create a new Azure Sentinel workspace. Note that I have previously created a log analytics workspace.
You can refer to the Azure documentation for a quickstart to on-board Azure Sentinel – http://bit.ly/az-sentinel
Click on data connectors, look for syslog and select the syslog connector from Microsoft as shown below:
Now select the option to install the agent on an Azure Linux Virtual Machine:
Then select the Ubuntu virtual machine:
Now connect your VM:
Once you have connected your VM, now go to the advanced settings and click on the “data” option then go to syslog and then look for the logs you want to add, you need to type the log file name as shown below:
Once you have provided the syslogs that will be collected click on save:
You should see a notification like below:
Integrate Common Event Format(CEF) connector
Now go back to the Azure sentinel data connectors and look for the common event format(CEF) and click on “open connector page” as shown below:
Now let’s proceed to install the CEF agent on the Linux virtual machine, you should be able to see the command that will help you with the installation of the CEF collector:
Run the command to install and apply the CEF collector:
Once your agent is installed on your Azure Linux VM, let’s proceed to verify the connectivity.
Verify connectivity
Azure will provide you with the command to test the connectivity:
Run the command that Azure provides to validate your connectivity, in this case I’m using Windows Terminal:
After couple of seconds you should be able to see that the configuration is valid:
Note: To TCP dump manually execute the following command – ‘tcpdump -A -ni any port 514 -vv’ on the ubuntu VM
It may take about 20 minutes until the connection streams data to your workspace.
After a few minutes you should be able to see the message “completed troubleshooting”
You will probably need to wait a while before you see all the logs coming to Azure Sentinel. After waiting for a bit you should be able to see the logs coming to Azure Sentinel as shown below:
Azure Sentinel will initially show you a dashboard including the potential malicious events
Custom queries on Azure Sentinel
However you can also create custom log queries help you to fully leverage the value of the data collected. Now click on “Logs”
Once you are in the Query page, we will create custom queries, you can check the queries from this Github repo:
https://github.com/daveRendon/kemp/tree/master/azure-sentinel/scripts
**Note: you must enable the checkbox on the LoadMaster as shown below
For this article let’s use the ESP CEF logs query:
//This script parses out all the fields for the ESP CEF logs and presents them to the user.
CommonSecurityLog
| where DeviceVendor == "Kemp"
| extend ExtFields = split(AdditionalExtensions, ';')
| extend VSInfo = split(ExtFields[0], "=")[1]
| extend VSIP = split(VSInfo, ":")[0]
| extend VSPort = split(VSInfo, ":")[1]
| extend Event = split(ExtFields[1], "=")[1]
| extend SourceIP = case( DeviceEventClassID !in (6, 14, 15), split(ExtFields[2], "=")[1], DeviceEventClassID == 6, split(ExtFields[3], "=")[1], SourceIP)
| extend SourcePort = iff ( DeviceEventClassID in (1, 2, 3, 4, 5, 11, 12, 13, 16, 17), split(ExtFields[3], "=")[1], "")
| extend DestinationIP = iff ( DeviceEventClassID in (4, 5), split(ExtFields[4], "=")[1], "")
| extend DestinationPort = iff ( DeviceEventClassID in (4, 5), split(ExtFields[5], "=")[1], "")
| extend AwaitingRemoteAddress = iff ( DeviceEventClassID == 3, split(ExtFields[4], "=")[1], "")
| extend RequestMethod = iff( DeviceEventClassID in (11, 12), split(ExtFields[4], "=")[1], "")
| extend RequestURL = iff( DeviceEventClassID in (11, 12), split(ExtFields[5], "=")[1], "")
| extend user_ext = split(ExtFields[6], "=")
| extend User = case( DeviceEventClassID == 6, split(ExtFields[2], "=")[1], DeviceEventClassID in (7, 8, 9, 10), split(ExtFields[3], "=")[1], DeviceEventClassID in (11, 12), iff( user_ext[0] == "user", user_ext[1], ""), "")
| extend user_agent_ext = split(ExtFields[7], "=")
| extend UserAgent = iff( DeviceEventClassID in (11, 12), case ( user_ext[0] == "useragent", user_ext[1], user_agent_ext[0] == "useragent", user_agent_ext[1], ""), "")
| extend Resource = case( DeviceEventClassID == 15, split(ExtFields[2], "=") [1], DeviceEventClassID in (16, 17), split(ExtFields[4], "=")[1], "")
| extend DTCode = iff ( DeviceEventClassID == 13, split(ExtFields[4], "=")[1], "")
| project format_datetime(TimeGenerated, "yyyy-MM-dd HH:mm:ss"), DeviceVendor, DeviceProduct, DeviceEventClassID, LogSeverity, Message, Event, VSIP, VSPort, SourceIP, SourcePort, DestinationIP, DestinationPort, AwaitingRemoteAddress, User, UserAgent, Resource, RequestMethod, RequestURL, DTCode
Use the query above and run it, you should be able to see the ESP(Edge Security Pack) logs and additional fields:
- Time Generated
- Virtual Service IP
- Virtual Service Port
- Source IP
- Port, etc
Once you have your queries in place you can also pin the results to a dashboard and create your custom dashboard as shown below:
Along this article we reviewed how to configure Azure Sentinel to collect the logs from the LoadMaster and create a custom dashboard using personalized queries.
