Forum Discussion
Antony Paul
Jan 16, 2023, Copper Contributor
AMA Agent - trying to send contents of /var/log/syslog to sentinel
Hello, I have an Ubuntu 20.04 log forwarder that is receiving syslog from a network device. I am using the AMA (even though it is in public preview) as Microsoft recommend, due to the OMS b...
SocInABox
May 05, 2023, Iron Contributor
The procedure is a bit different for VMs in Azure vs on-prem.
I have tested this with the latest versions of Red Hat and Ubuntu, on both on-prem VMs and in Azure.
For Azure VMs:
- Create a DCR and configure your syslog facilities.
- In Sentinel, you don't need to do anything! (Since the DCR points the data to your workspace.)
For an on-prem VM, just make sure you install the Arc agent first, then create your DCR for syslog.
A very simple test:
On your linux server, type "logger testing123"
In Sentinel > Logs, type "search testing123". You will see your logs show up in the syslog table in about 5-10 minutes, depending on when you pushed out your DCR.
Only consider AMA/CEF if you are trying to collect CEF logs from somewhere. My most common example is when there is a 3rd party log source like PaloAlto that I want to pull into Sentinel.
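The "logger testing123" smoke test above, as an added example that is not part of the thread: the script generates a unique marker per host and timestamp (so a later Sentinel search matches only this test run), sends it with `logger`, confirms it landed in the local syslog file before anyone waits on Sentinel, and prints a table-scoped KQL query as an alternative to the bare `search`. The log file path `/var/log/syslog`, the `amatest-` prefix, and the KQL projection are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the forum post): local-first smoke test for
# AMA syslog forwarding to Sentinel. Assumes the 'logger' binary and a
# rsyslog-style file at /var/log/syslog (both assumptions).

# make_marker: build a unique token so the Sentinel search returns only
# this test, not every "testing123" ever sent from the fleet.
make_marker() {
  host=$(uname -n 2>/dev/null || echo localhost)
  printf 'amatest-%s-%s' "$host" "$(date +%s)"
}

# kql_for_marker: table-scoped query to paste into Sentinel > Logs.
# 'Syslog' is the built-in table the post refers to; the column names are
# the standard ones on that table.
kql_for_marker() {
  printf 'Syslog | where SyslogMessage has "%s" | project TimeGenerated, Computer, Facility, SeverityLevel, SyslogMessage\n' "$1"
}

# marker_in_file: exit 0 if the marker text appears in the given log file.
# Fixed-string match so the marker is never interpreted as a regex.
marker_in_file() {
  grep -qF -- "$2" "$1"
}

# run_smoke_test: send the marker (facility "user", severity "notice" by
# default for logger, so the DCR must collect the user facility), then check
# the local file. Sentinel itself lags 5-10 minutes, so only the local check
# is immediate.
run_smoke_test() {
  logfile=${1:-/var/log/syslog}
  marker=$(make_marker)
  logger -t amatest "$marker"
  sleep 1
  if marker_in_file "$logfile" "$marker"; then
    echo "local syslog captured marker: $marker"
    echo "now run in Sentinel > Logs:"
    kql_for_marker "$marker"
  else
    echo "marker not found in $logfile; check rsyslog before blaming AMA" >&2
    return 1
  fi
}

# Usage: sh ama_smoke_test.sh run [/path/to/syslog]
case "${1:-}" in
  run) run_smoke_test "${2:-/var/log/syslog}" ;;
esac
```

If the marker is in the local file but never reaches the Syslog table, the problem is on the DCR side (facility not selected, DCR not associated with the VM or Arc resource, or the rollout has not reached the host yet); if it is not in the local file, the agent never had a chance to forward it.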