Forum Discussion
shamed
Apr 29, 2023, Copper Contributor
AMA agent in linux not sending syslog events
We have installed a Linux machine with AMA agent. We have configured DCR at CEF connector page to ingest CEF logs. While I notice CEF logs are being ingested to Sentinel (CommonSecurityEvent) tab...
LucasTrainer
Apr 30, 2023, Copper Contributor
It sounds like you might need a second DCR to collect the Syslog events. One DCR will collect CEF, and the second Syslog.
- shamed
  May 05, 2023, Copper Contributor
  This is right. I just looked at the DCR for CEF, it was sending the logs to CommonSecurityLog. Hence why the Syslog table was empty. Had to create another DCR
- jeremyhAUS
  May 04, 2023, Brass Contributor
  This is correct. However, you will see that if you do this and enable all facilities on the syslog DCR that ALL events will end up in both tables and you will be paying twice for ingest.
- shamed
  May 05, 2023, Copper Contributor
  Yeap the dedup can be achieved by modifying the DCR and adding a transformKQL to drop all CEF events. However you still end up paying for some of the dropped logs as per article: https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/data-collection-transformations
  KQL that drops CEF logs (the quotes around CEF are plain double quotes; the escaped form only appears when the query is embedded as a string inside the DCR JSON):
  source
  | where ProcessName !contains "CEF"
From: https://learn.microsoft.com/en-us/azure/sentinel/connect-cef-syslog
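To make the thread's fix concrete, below is an added example (not from the original posts or from Microsoft's docs) of how the two DCRs discussed above fit together: one DCR routes the CEF stream to CommonSecurityLog, and a separate Syslog DCR carries the transformKql that drops lines whose ProcessName contains "CEF" so those events are not ingested twice. The wrapper object with the keys "cefDcr" and "syslogDcr" is a constructed container for readability only; the workspace resource ID, DCR names and facility list are placeholders and should be replaced with your own values. Note that the transform lives on the data flow, not on the data source, and that, as the linked article explains, a dropped percentage of ingestion may still be billed.

```json
{
  "cefDcr": {
    "location": "<region>",
    "properties": {
      "dataSources": {
        "syslog": [
          {
            "name": "cefSource",
            "streams": ["Microsoft-CommonSecurityLog"],
            "facilityNames": ["local4"],
            "logLevels": ["Debug", "Info", "Notice", "Warning", "Error", "Critical", "Alert", "Emergency"]
          }
        ]
      },
      "destinations": {
        "logAnalytics": [
          {
            "workspaceResourceId": "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<workspace>",
            "name": "la-workspace"
          }
        ]
      },
      "dataFlows": [
        {
          "streams": ["Microsoft-CommonSecurityLog"],
          "destinations": ["la-workspace"]
        }
      ]
    }
  },
  "syslogDcr": {
    "location": "<region>",
    "properties": {
      "dataSources": {
        "syslog": [
          {
            "name": "syslogSource",
            "streams": ["Microsoft-Syslog"],
            "facilityNames": ["auth", "authpriv", "cron", "daemon", "kern", "local4", "syslog", "user"],
            "logLevels": ["Debug", "Info", "Notice", "Warning", "Error", "Critical", "Alert", "Emergency"]
          }
        ]
      },
      "destinations": {
        "logAnalytics": [
          {
            "workspaceResourceId": "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<workspace>",
            "name": "la-workspace"
          }
        ]
      },
      "dataFlows": [
        {
          "streams": ["Microsoft-Syslog"],
          "destinations": ["la-workspace"],
          "transformKql": "source | where ProcessName !contains \"CEF\""
        }
      ]
    }
  }
}
```

Each of the two objects is deployed as its own Microsoft.Insights/dataCollectionRules resource and associated with the Linux machine running AMA. A quick check after deployment is to confirm that CommonSecurityLog keeps receiving CEF events while the Syslog table no longer shows rows whose ProcessName contains "CEF"; if the Syslog table stays empty altogether, the facilities on the Syslog DCR are the first thing to compare against what the device actually sends.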