This chapter covers the configuration and operation of CEF (Common Event Format) and Syslog connectors in Microsoft Sentinel, which are critical for ingesting security logs from on-premises and third-party security appliances. For the SC-200 exam, this topic appears in approximately 10-15% of questions, often in the context of planning and configuring data ingestion. A deep understanding of the connector architecture, log format parsing, and troubleshooting is essential not only for the exam but also for real-world deployments where organizations rely on legacy security tools that do not natively support Azure Sentinel's ingestion APIs.
Jump to a section
Imagine a large international airport where security systems from different countries send threat reports in their native languages. The airport has a central translation hub that receives these reports in various formats (like Syslog or CEF) and converts them into a universal incident format that the central security team can understand and act upon. This translator is not just a simple converter; it maintains a mapping table of all known device types and their log formats. When a report arrives, the translator identifies the device type, parses the message according to its specific schema, extracts key fields (like source IP, event type, severity), and then rewrites the message into a standardized JSON structure (like CommonSecurityLog in Azure Sentinel). The translator also handles errors: if a message is malformed, it logs a parsing error and may drop the message or forward it with an error flag. Additionally, the translator can filter out low-severity events to reduce noise, similar to how a security guard might ignore routine announcements. The central security team then uses these standardized logs to correlate across all devices, detecting patterns that would be invisible if each device spoke its own language. This hub is the CEF and Syslog connector in Azure Sentinel.
What Are CEF and Syslog Connectors?
CEF (Common Event Format) and Syslog connectors are data ingestion methods used by Microsoft Sentinel to collect security logs from on-premises and third-party security appliances that cannot directly send logs to Azure via the Log Analytics agent or Azure Monitor Agent. These connectors allow Sentinel to receive logs from devices such as firewalls (e.g., Palo Alto, Fortinet), intrusion detection systems (e.g., Snort), and other security tools that output logs in Syslog format (RFC 3164 or RFC 5424) or CEF (a format originally by ArcSight).
How They Work Internally
The connector is implemented as a Log Analytics agent (or Azure Monitor Agent) running on a Windows or Linux machine that acts as a log collector. This machine receives Syslog or CEF messages over UDP or TCP, parses them, and forwards them to Azure Sentinel as CommonSecurityLog (for CEF) or Syslog (for Syslog) tables.
Syslog Ingestion: The agent listens on a configurable port (default 514 for UDP, 6514 for TCP/TLS). It receives messages in RFC 3164 (BSD) or RFC 5424 (IETF) format. The agent parses the message to extract fields like timestamp, hostname, facility, severity, and the message body. It then maps these to the Syslog table schema in Log Analytics.
CEF Ingestion: CEF messages are a specific format of Syslog where the message body follows a key=value structure. The CEF format is defined as: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|[Extension] where extension is a space-separated list of key=value pairs. The agent identifies CEF messages by the CEF: prefix and parses them into CommonSecurityLog fields. For example, CEF:0|Palo Alto|PAN-OS|10.0|1000|Test|5|src=10.0.0.1 dst=10.0.0.2 becomes a CommonSecurityLog with DeviceVendor='Palo Alto', DeviceProduct='PAN-OS', etc.
Key Components and Defaults
Log Forwarder: A Linux machine (recommended) or Windows machine with the Log Analytics agent. For high-volume environments, use dedicated hardware with sufficient CPU and memory.
Ports: UDP 514 (default for Syslog), TCP 514, TCP 6514 (for TLS). The connector can listen on multiple ports.
Protocols: UDP is common but unreliable; TCP with TLS ensures delivery. CEF is typically sent over TCP to avoid message fragmentation.
Data Types: The connector creates two tables in Log Analytics: Syslog and CommonSecurityLog. The Syslog table has fields like Facility, SeverityLevel, HostName, ProcessName, ProcessID, Message. The CommonSecurityLog table has over 40 fields including DeviceVendor, DeviceProduct, DeviceVersion, SignatureID, Name, Severity, SourceIP, DestinationIP, SourcePort, DestinationPort, Protocol, RequestURL, Message, etc.
Parsing: The agent uses built-in parsers for common devices. Custom parsing can be added via configuration files.
Batching: The agent sends logs to Azure Sentinel in batches (default every 30 seconds or when buffer reaches 2 MB). This reduces API calls.
Rate Limiting: Sentinel has a data ingestion rate limit of 5 MB/s per workspace. If exceeded, logs are throttled and dropped.
Configuration and Verification
Step 1: Deploy Log Analytics Agent on a Linux machine - Use the Azure portal or manual installation script. - The agent must be connected to the same workspace as Sentinel.
Step 2: Configure Syslog/CEF data sources - In Sentinel, go to Data connectors -> Common Event Format (CEF) or Syslog. - Open the connector page and click "Open connector page". - Follow the instructions to run the deployment script on the log forwarder. The script installs the agent, configures Syslog daemon (rsyslog or syslog-ng), and sets up the connector.
Step 3: Configure the security device to send logs - Point the device to the log forwarder's IP address and port (e.g., UDP 514). - Ensure the device sends logs in CEF format if using the CEF connector.
Verification Commands:
- Check agent connectivity: sudo /opt/microsoft/omsagent/bin/omsadmin.sh -l
- Check Syslog reception: tcpdump -i any port 514
- Check the agent logs: tail -f /var/opt/microsoft/omsagent/log/omsagent.log
- In Sentinel, query the CommonSecurityLog table: CommonSecurityLog | take 10
Interaction with Related Technologies
The CEF and Syslog connectors work alongside the Azure Monitor Agent (AMA) for newer deployments. AMA supports Syslog via the Syslog data collection rule (DCR), but does not support CEF natively. For CEF, the Log Analytics agent is still required. The connectors integrate with Sentinel's built-in parsers and analytics rules. For example, the "Palo Alto PAN-OS" solution uses CommonSecurityLog data. Troubleshooting involves checking network connectivity, firewall rules, and agent logs. Common issues include message truncation (UDP has 64 KB limit), incorrect timestamp parsing, and mismatched field mappings.
Deploy Log Analytics Agent
Install the Log Analytics agent on a dedicated Linux machine (recommended) or Windows server. For Linux, use the script provided in the Sentinel connector page, which installs the agent and configures the Syslog daemon. Ensure the machine has outbound internet access to Azure (HTTPS 443) and the workspace ID/key. For high volume, use a machine with at least 4 vCPUs and 8 GB RAM. The agent will listen on UDP 514 by default. After installation, verify connectivity by running `sudo /opt/microsoft/omsagent/bin/omsadmin.sh -l` and checking for a successful status.
Configure Syslog Daemon
On Linux, the agent uses rsyslog or syslog-ng to receive Syslog messages. The deployment script automatically modifies the configuration to listen on UDP 514. If you need additional ports (e.g., TCP 514, TCP 6514), edit `/etc/rsyslog.d/security-config-omsagent.conf` (for rsyslog) or equivalent. For example, to enable TCP, add `$ModLoad imtcp` and `$InputTCPServerRun 514`. Then restart rsyslog: `sudo systemctl restart rsyslog`. Verify the daemon is listening: `sudo netstat -tulpn | grep 514`.
Configure Security Device to Send Logs
Log into the security appliance (e.g., Fortinet, Palo Alto) and configure a syslog server pointing to the log forwarder's IP address and port (default UDP 514). For CEF, ensure the device sends logs in CEF format; many devices require enabling CEF format in the syslog settings. For example, on a Palo Alto firewall, go to Device > Server Profiles > Syslog, add a new profile, set the server IP and port, and choose the format as 'CEF'. Apply the profile to the appropriate log forwarding rule. Test by generating a test event and checking the log forwarder's reception with tcpdump.
Verify Data Ingestion in Sentinel
After configuration, wait a few minutes for logs to appear. In Sentinel, navigate to Logs and query `CommonSecurityLog | take 10` (for CEF) or `Syslog | take 10` (for Syslog). If no data appears, check the agent logs at `/var/opt/microsoft/omsagent/log/omsagent.log` for errors. Common issues include incorrect workspace key, network blocks, or misconfigured Syslog daemon. Use the connector page's 'Check health' feature (if available) to validate connectivity. Also, verify that the log forwarder's clock is synchronized (NTP) to avoid timestamp issues.
Troubleshoot and Optimize
If logs are missing, check for message truncation (UDP max 64 KB), rate limiting (Sentinel 5 MB/s), or parsing errors. Use the `Syslog` table's `Type` field; if it says 'CEF' but fields are empty, the parser may not recognize the format. For high volume, consider using TCP with TLS to avoid loss. Adjust the agent's batch size and interval via configuration files. Monitor the workspace's ingestion rate in Azure Monitor. For advanced parsing, create custom Log Analytics functions or use KQL to parse malformed messages. Always test with a known event before full deployment.
Scenario 1: Enterprise Firewall Log Aggregation
A large enterprise uses multiple Palo Alto Networks firewalls across global offices. They need to centralize logs in Azure Sentinel for threat detection and compliance. The security team deploys a Linux log forwarder in each region (e.g., US, Europe, Asia) running the Log Analytics agent. Each firewall is configured to send CEF logs via TCP 514 to the nearest forwarder. The forwarders then forward the logs to a single Sentinel workspace. Performance considerations: each forwarder handles up to 10,000 EPS (events per second). At peak, the workspace receives 30,000 EPS, which is below the 5 MB/s limit (assuming average log size 500 bytes, 30,000 EPS = 15 MB/s, which exceeds the limit). The team implements filtering on the forwarders to drop low-severity logs (e.g., informational) and uses multiple workspaces for high-volume regions. Misconfiguration: if the forwarder's clock drifts, logs may be timestamped incorrectly, causing detection rules to fail. They use NTP and monitor clock skew with a KQL query.
Scenario 2: Legacy IDS Integration
A financial institution uses an older Snort IDS that only outputs Syslog (RFC 3164) and cannot be upgraded to CEF. They deploy a Windows-based Log Analytics agent as the forwarder. The Snort sensor sends UDP 514 logs to the forwarder. The agent parses the Syslog and populates the Syslog table. However, the message body is unstructured, so threat detection requires custom parsing. The SOC team writes KQL functions to extract IPs and signatures from the 'Message' field. They also set up a data collection rule to filter out known benign events (e.g., ARP scans) to reduce noise and cost. Common issue: Syslog messages longer than 1024 bytes are truncated by the default rsyslog configuration; they increase the message size limit to 8192 bytes.
Scenario 3: High-Frequency DDoS Protection
A cloud gaming company uses a Radware DDoS mitigation appliance that sends CEF logs to Sentinel. The device generates up to 50,000 EPS during attacks. The log forwarder is a high-performance Linux server with 16 vCPUs and 32 GB RAM, using TCP with TLS to prevent loss. Despite this, they experience data gaps during attacks due to Sentinel's 5 MB/s ingestion limit. They implement a two-tier approach: the forwarder writes logs to a local buffer (e.g., a Kafka queue) and then batches them to Sentinel at a controlled rate. They also use a dedicated workspace for security logs and another for operational logs. Misconfiguration: if the TLS certificate expires, the connection drops and logs are lost. They set up monitoring for certificate expiry and automatic renewal.
What SC-200 Tests on This Topic
The SC-200 exam objectives under 'Design and configure Microsoft Sentinel' (Objective 2.1) include configuring data connectors for CEF and Syslog. Specifically, you need to know:
The architecture: Log Analytics agent (or AMA) on a log forwarder.
Default ports: UDP 514 (Syslog), TCP 514, TCP 6514 (TLS).
CEF format: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|[Extension].
Tables: CommonSecurityLog (for CEF) and Syslog (for Syslog).
How to deploy the connector using the Sentinel portal.
Troubleshooting steps: check agent connectivity, firewall rules, and Syslog daemon.
Common Wrong Answers and Why
"CEF and Syslog connectors require the Azure Monitor Agent (AMA)." This is wrong because AMA does not support CEF; the Log Analytics agent is required for CEF. AMA supports Syslog via DCR, but CEF is not supported. Candidates confuse AMA with the legacy agent.
"Syslog uses TCP 514 by default." The default is UDP 514. TCP 514 is an option but not default. The exam tests default values.
"The CommonSecurityLog table is used for both CEF and Syslog." Incorrect. CEF maps to CommonSecurityLog; plain Syslog maps to Syslog table. Some devices send CEF inside Syslog, but the connector detects the CEF prefix and routes accordingly.
"You can configure the log forwarder on Windows only." Linux is recommended, but Windows is also supported. However, the exam emphasizes Linux as the typical deployment.
Specific Numbers and Terms
Default Syslog port: UDP 514.
Default CEF port: TCP 514 (often, but configurable).
Maximum UDP message size: 64 KB (but practical limit is 1024 bytes for Syslog).
Sentinel ingestion rate limit: 5 MB/s per workspace.
Agent batch interval: 30 seconds (default).
Agent batch size: 2 MB (default).
CEF version: currently 0 (CEF:0).
Severity levels: 0-10 (0=low, 10=high) in CEF.
Edge Cases and Exceptions
If a device sends CEF over UDP, the message may be fragmented; the connector may not reassemble correctly. TCP is recommended.
Custom parsers: if the device uses a non-standard CEF extension, the connector may not parse all fields. You may need to create a custom KQL function.
Multiple log forwarders: you can have multiple forwarders sending to the same workspace. Each forwarder must have a unique hostname to avoid conflicts.
High availability: use load balancers in front of multiple forwarders for redundancy.
How to Eliminate Wrong Answers
If the question mentions "CEF", the answer must involve the Log Analytics agent (not AMA).
If the question asks about default protocol, UDP is the answer for Syslog.
If the question asks about table name, CommonSecurityLog is for CEF, Syslog is for Syslog.
If the question involves troubleshooting, check the agent logs first (omsagent.log).
CEF connector uses Log Analytics agent (not AMA) and maps logs to CommonSecurityLog table.
Syslog connector default port is UDP 514; TCP 514 and 6514 (TLS) are optional.
CEF format: CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|[Extension].
Log forwarder recommended on Linux; verify with omsadmin.sh and tcpdump.
Sentinel ingestion rate limit: 5 MB/s per workspace; use filtering or multiple workspaces for high volume.
Common troubleshooting: check agent logs at /var/opt/microsoft/omsagent/log/omsagent.log.
For high reliability, use TCP with TLS and ensure NTP synchronization.
Custom parsing may be needed for non-standard CEF extensions; use KQL functions.
These come up on the exam all the time. Here's how to tell them apart.
Log Analytics Agent (Legacy)
Supports CEF parsing natively
Requires manual installation on log forwarder
Configuration via Sentinel connector page or scripts
Default batch interval 30 seconds, batch size 2 MB
Deprecated for new deployments but still needed for CEF
Azure Monitor Agent (AMA)
Does not support CEF; only Syslog via DCR
Managed by Data Collection Rules (DCRs)
Configuration via Azure Policy or DCRs
No built-in CEF parser; custom KQL needed
Recommended for new Syslog-only deployments
Mistake
CEF and Syslog connectors require the Azure Monitor Agent (AMA).
Correct
AMA does not support CEF; the Log Analytics agent is required for CEF. AMA can ingest Syslog via Data Collection Rules, but CEF parsing is not available. The SC-200 exam tests this distinction.
Mistake
Syslog always uses TCP port 514.
Correct
The default Syslog protocol is UDP port 514. TCP 514 is an optional configuration for reliability. The exam expects you to know the default is UDP.
Mistake
Both CEF and Syslog logs go to the CommonSecurityLog table.
Correct
Only CEF logs go to CommonSecurityLog. Plain Syslog logs go to the Syslog table. The connector detects the CEF prefix to route accordingly.
Mistake
The log forwarder must be a Windows machine.
Correct
Linux is recommended for performance, but Windows is also supported. The exam emphasizes Linux as the typical deployment.
Mistake
CEF messages are always sent over UDP.
Correct
CEF is often sent over TCP to avoid fragmentation. UDP can be used but may lose messages. The exam may test that TCP is preferred for CEF.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
The CEF connector is designed to parse Common Event Format logs, which are structured with key=value pairs, and maps them to the CommonSecurityLog table. The Syslog connector ingests standard Syslog messages (RFC 3164/5424) into the Syslog table. Both use the Log Analytics agent on a log forwarder. CEF provides richer field extraction for security appliances like firewalls and IDS/IPS. On the exam, remember that CEF goes to CommonSecurityLog, Syslog goes to Syslog table.
No, AMA does not support CEF parsing. You must use the Log Analytics agent for CEF. AMA can ingest Syslog via Data Collection Rules, but if you need CEF, stick with the legacy agent. The exam may test this distinction to ensure you choose the correct agent type.
Syslog default is UDP 514. CEF is often sent over TCP 514, but the connector can listen on any port. The exam expects you to know UDP 514 for Syslog. For CEF, TCP is recommended but not a default; you configure it on the device and forwarder.
First, verify the log forwarder is receiving logs using tcpdump. Check the agent logs at /var/opt/microsoft/omsagent/log/omsagent.log for errors. Ensure the device is sending to the correct IP and port. Verify the workspace ID and key are correct. Check network connectivity and firewall rules. Also, ensure the Syslog daemon is configured to listen on the correct port and protocol. In Sentinel, query CommonSecurityLog to see if any data arrives.
Sentinel has a per-workspace ingestion rate limit of 5 MB/s. If exceeded, logs are throttled and may be dropped. For high-volume environments, consider filtering logs at the source, using multiple workspaces, or implementing a buffer (e.g., Kafka) to control the rate.
Yes, for production it is recommended to use a dedicated machine (Linux preferred) to avoid resource contention. The forwarder should have sufficient CPU, memory, and network capacity. For high EPS, use multiple forwarders with a load balancer.
The Log Analytics agent has built-in parsers for common devices. For custom fields, you can create a KQL function to parse the Message field or modify the agent's configuration files (e.g., /etc/opt/microsoft/omsagent/conf/omsagent.d/security_events.conf). However, the exam does not require deep customization details; focus on default behavior.
You've just covered CEF and Syslog Connector Configuration — now see how well it sticks with free SC-200 practice questions. Full explanations included, no account needed.
Done with this chapter?