Dave Rendón Microsoft Azure MVP, embracing and fostering tech intensity to benefit society and thrive in a digital world.

Connect Kemp LoadMaster data to Azure Sentinel

This article explains how to connect your Kemp LoadMaster data to Azure Sentinel. Kemp LoadMaster can easily send its logs to Azure Sentinel, where you can view dashboards, create custom alerts and improve investigations.

Special thanks to David O’connor who provided reference for the custom queries to parse the Kemp LoadMaster ESP CEF logs.

Using Kemp LoadMaster data in Azure Sentinel gives you more insight into your organization’s application usage and enhances the application experience.

Pre-requisites

Reference Architecture

01-Connect Kemp LoadMaster data to Azure Sentinel

Forward Kemp LoadMaster logs.

Your Kemp LoadMaster can be on-premises or in the cloud (Azure or AWS), but first we need to configure the LoadMaster to forward Syslog messages in CEF format to your Azure workspace.

To forward the logs, go to the LoadMaster UI under System Configuration > Logging Options > Syslog Options and provide the IP address of the external syslog server.

If a LoadMaster fails, its local logs will not be available, so it is recommended to set up an external syslog server.

From Kemp docs:

An external Syslog server can capture all the logs the LoadMaster is already reporting and send them to the Syslog server via UDP port 514 by default. You can now use ports other than 514 as of firmware 7.2.38.0.

The Syslog server can capture on 6 different Hosts.

Emergency Host – The system is unusable and requires immediate attention

Critical Host – Should be corrected immediately, but indicates failure in a primary system

Error Host – Non-urgent failures but should be looked at ASAP

Warn Host – Not an error, but indication that an error will occur if action is not taken

Notice Host – Events that are unusual but not error conditions – no immediate action required

Info Host – Normal operational messages – may be harvested for reporting

When applying IPs to these fields it is important to remember that the fields cascade up. You only have to configure “info host” if you wish everything to be reported to your server. You can add multiple IPs in these fields by space-separating the IPs.

In this case I have previously created an Azure Linux VM (Ubuntu) in an availability set that will receive the logs from the LoadMaster.

02-Connect Kemp LoadMaster data to Azure Sentinel

Create Azure Sentinel workspace and integrate data connectors.

Now let’s go to the Azure Portal and create a new Azure Sentinel workspace. Note that I have previously created a log analytics workspace.

You can refer to the Azure documentation for a quickstart to on-board Azure Sentinel – http://bit.ly/az-sentinel

03-Connect Kemp LoadMaster data to Azure Sentinel

Click on Data connectors, search for Syslog and select the Syslog connector from Microsoft as shown below:

04-Connect Kemp LoadMaster data to Azure Sentinel

Now select the option to install the agent on an Azure Linux Virtual Machine:

05-Connect Kemp LoadMaster data to Azure Sentinel

Then select the Ubuntu virtual machine:

06-Connect Kemp LoadMaster data to Azure Sentinel

Now connect your VM:

07-Connect Kemp LoadMaster data to Azure Sentinel

Once your VM is connected, go to Advanced settings, click on the “Data” option, then go to Syslog and add the logs you want to collect; you need to type the log name as shown below:

08-Connect Kemp LoadMaster data to Azure Sentinel

Once you have provided the syslogs that will be collected, click on Save:

09-Connect Kemp LoadMaster data to Azure Sentinel

You should see a notification like below:

010-Connect Kemp LoadMaster data to Azure Sentinel

Integrate Common Event Format (CEF) connector

Now go back to the Azure Sentinel data connectors, look for Common Event Format (CEF) and click on “Open connector page” as shown below:

011-Connect Kemp LoadMaster data to Azure Sentinel

Now let’s install the CEF agent on the Linux virtual machine; the connector page shows the command that installs the CEF collector:

012-Connect Kemp LoadMaster data to Azure Sentinel

Run the command to install and apply the CEF collector:

013-Connect Kemp LoadMaster data to Azure Sentinel

Once your agent is installed on your Azure Linux VM, let’s proceed to verify the connectivity.

Verify connectivity

Azure will provide you with the command to test the connectivity:

014-Connect Kemp LoadMaster data to Azure Sentinel

Run the command that Azure provides to validate your connectivity; in this case I’m using Windows Terminal:

015-Connect Kemp LoadMaster data to Azure Sentinel

After a couple of seconds you should be able to see that the configuration is valid:

016-Connect Kemp LoadMaster data to Azure Sentinel

Note: to capture the incoming syslog traffic manually, run ‘tcpdump -A -ni any port 514 -vv’ on the Ubuntu VM.
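To exercise the same path before the LoadMaster is pointed at the collector, here is an added Python example (not code from this post, from Kemp or from Microsoft) that builds a syslog line carrying a CEF event in the shape the ESP query later in this article expects and sends it to the collector VM over UDP 514, so the tcpdump above should show it arriving. The vendor string "Kemp" and the user/useragent keys match the query on this page; the product name, firmware version string, the other extension keys, the syslog facility and the collector address are assumptions.

```python
import socket
import sys
from datetime import datetime, timezone

# Added example, not code from the post, Kemp or Microsoft. Builds a syslog line
# carrying a CEF event shaped like the ESP events the page's query parses and
# (optionally) sends it to the collector VM over UDP 514, the LoadMaster default.

COLLECTOR_PORT = 514  # Kemp default; other ports are allowed from firmware 7.2.38.0


def cef_escape_header(value):
    """CEF header fields: backslash and pipe must be escaped."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def cef_escape_extension(value):
    """CEF extension values: backslash and equals sign must be escaped."""
    return value.replace("\\", "\\\\").replace("=", "\\=")


def build_cef(vendor, product, version, class_id, name, severity, extensions):
    """Return a CEF:0 message. `extensions` is an ordered list of (key, value);
    order matters because the page's query reads the fields by position."""
    header = "|".join(cef_escape_header(str(f))
                      for f in (vendor, product, version, class_id, name, severity))
    ext = " ".join(f"{k}={cef_escape_extension(str(v))}" for k, v in extensions)
    return f"CEF:0|{header}|{ext}"


def build_syslog_line(hostname, cef_message, facility=16, severity=6, now=None):
    """Wrap the CEF message in an RFC 3164 syslog line: <PRI>TIMESTAMP HOST MSG.
    Facility 16 (local0) and severity 6 (info) are assumptions, not Kemp's values."""
    now = now or datetime.now(timezone.utc)
    pri = facility * 8 + severity
    timestamp = f"{now:%b} {now.day:2d} {now:%H:%M:%S}"  # RFC 3164 pads the day with a space
    return f"<{pri}>{timestamp} {hostname} {cef_message}"


def sample_esp_event():
    """Constructed class-11 (ESP request) event. The extension keys other than
    user and useragent are assumptions, laid out in the order the query reads them."""
    return build_cef("Kemp", "LoadMaster", "7.2.x", 11, "ESP request", 3, [
        ("vs", "10.0.0.5:443"),         # read as VSIP:VSPort
        ("event", "Request"),
        ("clientaddr", "203.0.113.7"),  # SourceIP
        ("clientport", "51234"),        # SourcePort
        ("method", "GET"),              # RequestMethod
        ("uri", "/owa/"),               # RequestURL
        ("user", "alice@example.com"),  # User
        ("useragent", "Mozilla/5.0"),   # UserAgent
    ])


def send_udp(line, collector_ip, port=COLLECTOR_PORT):
    """Send one syslog line to the collector; returns the number of bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(line.encode("utf-8"), (collector_ip, port))


if __name__ == "__main__":
    # usage: python3 cef_probe.py <collector-ip>  (prints the line; sends only if an IP is given)
    line = build_syslog_line("loadmaster-test", sample_esp_event())
    print(line)
    if len(sys.argv) > 1:
        print(f"sent {send_udp(line, sys.argv[1])} bytes to {sys.argv[1]}:{COLLECTOR_PORT}")
```

Run it with the collector's IP as the argument while the tcpdump command above is running on the Ubuntu VM; the message should show up there immediately, and after the ingestion delay described below it should appear in the CommonSecurityLog table with DeviceVendor set to Kemp, which is a quick way to tell a LoadMaster-side forwarding problem from a collector-side one.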

It may take about 20 minutes until the connection streams data to your workspace.

After a few minutes you should be able to see the message “completed troubleshooting”.

017-Connect Kemp LoadMaster data to Azure Sentinel

You will probably need to wait a while before you see all the logs coming to Azure Sentinel. After waiting for a bit you should be able to see the logs coming to Azure Sentinel as shown below:

018-Connect Kemp LoadMaster data to Azure Sentinel

Azure Sentinel will initially show you a dashboard including the potentially malicious events.

019-Connect Kemp LoadMaster data to Azure Sentinel

Custom queries on Azure Sentinel

You can also create custom log queries that help you fully leverage the value of the collected data. Click on “Logs”:

020-Connect Kemp LoadMaster data to Azure Sentinel

Once you are on the Query page, we will create custom queries; you can find them in this GitHub repo:

https://github.com/daveRendon/kemp/tree/master/azure-sentinel/scripts

Note: you must enable the checkbox on the LoadMaster as shown below:

021-Connect Kemp LoadMaster data to Azure Sentinel

For this article let’s use the ESP CEF logs query:

//This script parses out all the fields for the ESP CEF logs and presents them to the user.
CommonSecurityLog
| where DeviceVendor == "Kemp"
| extend ExtFields = split(AdditionalExtensions, ';')
| extend VSInfo = split(ExtFields[0], "=")[1]
| extend VSIP = split(VSInfo, ":")[0]
| extend VSPort = split(VSInfo, ":")[1]
| extend Event = split(ExtFields[1], "=")[1]
| extend SourceIP = case( DeviceEventClassID !in (6, 14, 15), split(ExtFields[2], "=")[1], DeviceEventClassID == 6, split(ExtFields[3], "=")[1], SourceIP)
| extend SourcePort = iff ( DeviceEventClassID in (1, 2, 3, 4, 5, 11, 12, 13, 16, 17), split(ExtFields[3], "=")[1], "")
| extend DestinationIP = iff ( DeviceEventClassID in (4, 5), split(ExtFields[4], "=")[1], "")
| extend DestinationPort = iff ( DeviceEventClassID in (4, 5), split(ExtFields[5], "=")[1], "")
| extend AwaitingRemoteAddress = iff ( DeviceEventClassID == 3, split(ExtFields[4], "=")[1], "")
| extend RequestMethod = iff( DeviceEventClassID in (11, 12), split(ExtFields[4], "=")[1], "")
| extend RequestURL = iff( DeviceEventClassID in (11, 12), split(ExtFields[5], "=")[1], "")
| extend user_ext = split(ExtFields[6], "=")
| extend User = case( DeviceEventClassID == 6, split(ExtFields[2], "=")[1], DeviceEventClassID in (7, 8, 9, 10), split(ExtFields[3], "=")[1], DeviceEventClassID in (11, 12), iff( user_ext[0] == "user", user_ext[1], ""), "")
| extend user_agent_ext = split(ExtFields[7], "=")
| extend UserAgent = iff( DeviceEventClassID in (11, 12), case ( user_ext[0] == "useragent", user_ext[1], user_agent_ext[0] == "useragent", user_agent_ext[1], ""), "")
| extend Resource = case( DeviceEventClassID == 15, split(ExtFields[2], "=")[1], DeviceEventClassID in (16, 17), split(ExtFields[4], "=")[1], "")
| extend DTCode = iff ( DeviceEventClassID == 13, split(ExtFields[4], "=")[1], "")
| project format_datetime(TimeGenerated, "yyyy-MM-dd HH:mm:ss"), DeviceVendor, DeviceProduct, DeviceEventClassID, LogSeverity, Message, Event, VSIP, VSPort, SourceIP, SourcePort, DestinationIP, DestinationPort, AwaitingRemoteAddress, User, UserAgent, Resource, RequestMethod, RequestURL, DTCode

Use the query above and run it; you should be able to see the ESP (Edge Security Pack) logs and additional fields:

  • Time Generated
  • Virtual Service IP
  • Virtual Service Port
  • Source IP
  • Port, etc.

022-Connect Kemp LoadMaster data to Azure Sentinel
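The query reads the extension fields by position and picks a different slot depending on DeviceEventClassID, which is easy to get wrong when a log format changes. Here is an added Python example (not code from this post or from Kemp) that mirrors that positional mapping, so it can be checked offline against sample records before the query is pinned to a dashboard. It parses a raw CEF line, joins the extension pairs with ';' the way CommonSecurityLog stores AdditionalExtensions, and then applies the same slot-per-class logic; the sample events, and every key name in them except user and useragent, are constructed assumptions.

```python
import re

# Added example, not code from the post or Kemp: a Python equivalent of the ESP
# CEF query above, so the positional mapping can be checked against sample
# records offline. Keys other than user/useragent in the samples are assumptions.


def split_header(line):
    """Return the 7 CEF header fields (unescaped) plus the raw extension string."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF message")
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line) and line[i + 1] in "|\\":
            cur.append(line[i + 1]); i += 2            # escaped pipe or backslash
        elif ch == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    if len(fields) < 7:
        raise ValueError("truncated CEF header")
    return fields, line[i:]


def split_extensions(ext):
    """'k1=v1 k2=v2 ...' -> ordered (key, value) pairs. Values may contain spaces,
    so a new pair only starts at ' key='; escaped '\\=' and '\\\\' are unescaped."""
    if not ext.strip():
        return []
    pairs = []
    for chunk in re.split(r" (?=[A-Za-z0-9_.]+=)", ext.strip()):
        key, _, value = chunk.partition("=")
        pairs.append((key, re.sub(r"\\(.)", r"\1", value)))
    return pairs


def wire_to_record(line):
    """The columns the query reads, in the shape CommonSecurityLog stores them:
    AdditionalExtensions is the pairs joined with ';'. Simplification: the real agent
    moves well-known CEF keys into their own columns; here every pair stays positional,
    which is what the query assumes for Kemp's ESP keys."""
    header, ext = split_header(line)
    pairs = split_extensions(ext)
    return {"DeviceVendor": header[1], "DeviceProduct": header[2],
            "DeviceEventClassID": header[4], "LogSeverity": header[6],
            "AdditionalExtensions": ";".join(f"{k}={v}" for k, v in pairs)}


def parse_esp_fields(class_id, additional_extensions):
    """Mirror of the query: the same ExtFields slot is read per DeviceEventClassID.
    One difference: the query keeps the piece between the first and second '=', so a
    value containing '=' (e.g. a URL query string) is cut there; this keeps the whole value."""
    ext = [e.split("=", 1) for e in additional_extensions.split(";")] if additional_extensions else []
    key = lambda i: ext[i][0] if i < len(ext) else ""
    val = lambda i: ext[i][1] if i < len(ext) and len(ext[i]) > 1 else ""
    cid = int(class_id)
    vs_ip, _, vs_port = val(0).partition(":")
    out = {"VSIP": vs_ip, "VSPort": vs_port, "Event": val(1)}
    # query: case(cid !in (6,14,15) -> slot 2, cid == 6 -> slot 3, else the SourceIP column)
    out["SourceIP"] = val(2) if cid not in (6, 14, 15) else val(3) if cid == 6 else ""
    out["SourcePort"] = val(3) if cid in (1, 2, 3, 4, 5, 11, 12, 13, 16, 17) else ""
    out["DestinationIP"] = val(4) if cid in (4, 5) else ""
    out["DestinationPort"] = val(5) if cid in (4, 5) else ""
    out["AwaitingRemoteAddress"] = val(4) if cid == 3 else ""
    out["RequestMethod"] = val(4) if cid in (11, 12) else ""
    out["RequestURL"] = val(5) if cid in (11, 12) else ""
    if cid == 6:
        out["User"] = val(2)
    elif cid in (7, 8, 9, 10):
        out["User"] = val(3)
    elif cid in (11, 12):
        out["User"] = val(6) if key(6) == "user" else ""  # user is optional, so check the key
    else:
        out["User"] = ""
    if cid in (11, 12) and key(6) == "useragent":         # no user: useragent moves up to slot 6
        out["UserAgent"] = val(6)
    elif cid in (11, 12) and key(7) == "useragent":
        out["UserAgent"] = val(7)
    else:
        out["UserAgent"] = ""
    out["Resource"] = val(2) if cid == 15 else val(4) if cid in (16, 17) else ""
    out["DTCode"] = val(4) if cid == 13 else ""
    return out


def parse_line(line):
    rec = wire_to_record(line)
    return parse_esp_fields(rec["DeviceEventClassID"], rec["AdditionalExtensions"])


# Constructed sample events (RFC 5737 addresses); key names other than
# user/useragent are assumptions laid out in the order the query reads them.
SAMPLE_LINES = [
    "CEF:0|Kemp|LoadMaster|7.2.x|11|ESP request|3|vs=10.0.0.5:443 event=Request "
    "clientaddr=203.0.113.7 clientport=51234 method=GET uri=/owa/ "
    "user=alice@example.com useragent=Mozilla/5.0 (Windows NT 10.0)",
    # class 12 without a user, so useragent moves up one slot
    "CEF:0|Kemp|LoadMaster|7.2.x|12|ESP request denied|5|vs=10.0.0.5:443 event=Denied "
    "clientaddr=203.0.113.9 clientport=40001 method=POST uri=/ecp/ useragent=curl/8.0",
    # class 6: the query reads the user from slot 2 and the source address from slot 3
    "CEF:0|Kemp|LoadMaster|7.2.x|6|ESP login|3|vs=10.0.0.5:443 event=Login user=bob clientaddr=198.51.100.4",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print({k: v for k, v in parse_line(sample).items() if v})
```

Feeding a handful of real lines captured with the tcpdump command earlier in the article through parse_line is a cheap way to confirm the slot numbers before trusting the dashboard: if a field lands in the wrong column here, the query will show the same shift in Sentinel.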

Once you have your queries in place you can also pin the results to a dashboard and create your custom dashboard as shown below:

023-Connect Kemp LoadMaster data to Azure Sentinel

In this article we reviewed how to configure Azure Sentinel to collect the logs from the LoadMaster and how to build a custom dashboard using personalized queries.
