Forum Discussion

FeintBE
Copper Contributor
Mar 03, 2020

Azure Sentinel - Logs delay?

Hello,

I've connected my Windows server with Azure Sentinel via the Security Events data connector.

A few days ago, the delay of getting logs from Windows event manager to Azure Sentinel logs was 50 secs; now it is 10 minutes.

Any idea on how I can see why it takes so long?

Thanks!

  • FeintBE

    To the Events table?

    Is this all Computers, or just some? Are they in the same Azure Region as Log Analytics?

    Factors that affect latency are discussed here: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-ingestion-time

    This query may help to see if it's a particular Computer - assuming it's the Events table (if not, you will need to edit):

    Event
    | where TimeGenerated > startofday(ago(7d))
    | extend E2EIngestionLatency = ingestion_time() - TimeGenerated
    //| extend AgentLatency = _TimeReceived - TimeGenerated
    | summarize
          ['average E2E IngestionLatency'] = round(avg(todouble(datetime_diff("Second", ingestion_time(), TimeGenerated)) / 60), 2)
        , ['minimum E2E IngestionLatency'] = round(min(todouble(datetime_diff("Second", ingestion_time(), TimeGenerated)) / 60), 2)
        , ['maximum E2E IngestionLatency'] = round(max(todouble(datetime_diff("Second", ingestion_time(), TimeGenerated)) / 60), 2)
      by Computer, bin(TimeGenerated, 1d)
    | order by ['average E2E IngestionLatency'] desc
    //| render timechart

       

      • CliveWatson (Microsoft)

        FeintBE

        So your average and minimum look good, but the maximum latency was high yesterday (over 10 mins). I assume that is the same computer (behind the red squiggle)?

        Was the computer online yesterday? You should get ~60 heartbeats per full minute.

        Heartbeat
        | where Computer startswith "< insert computer name>"
        | where TimeGenerated > ago(1d)
        | summarize count() by bin(TimeGenerated, 1h)
        | render columnchart

        Were other computers affected? That would help to rule out network issues between your machine and Log Analytics.

        Was it the Agent compared to the E2E?

        SecurityEvent
        | where TimeGenerated > startofday(ago(7d))
        //| extend E2EIngestionLatency = ingestion_time() - TimeGenerated
        //| extend AgentLatency = _TimeReceived - TimeGenerated
        | summarize
              ['average E2E IngestionLatency'] = round(avg(todouble(datetime_diff("Second", ingestion_time(), TimeGenerated)) / 60), 2)
            , ['average Agent Latency']        = round(avg(todouble(datetime_diff("Second", _TimeReceived, TimeGenerated)) / 60), 2)
          by Computer, bin(TimeGenerated, 1d)
        | order by ['average Agent Latency'] desc
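The two diagnostics above (heartbeat gaps and agent-vs-pipeline latency) combined into one query, as an added example that is not part of the thread: it splits end-to-end latency into the agent leg and the Azure Monitor processing leg per computer and hour, attaches the heartbeat count for that hour, and keeps only hours whose p95 exceeds a threshold. The SecurityEvent and Heartbeat tables are the ones the thread already uses; the 10-minute threshold and the column aliases are assumptions for illustration.

```kql
// Added example (not from the thread). Assumes the SecurityEvent and Heartbeat tables
// populated by the Security Events connector; 10m is an assumed alerting threshold.
let lookback  = 7d;
let threshold = 10m;
// Heartbeats per hour: a low count means the machine or its agent was offline, and the
// backlog it uploads on reconnect shows up as a latency spike in that hour.
let heartbeats = Heartbeat
    | where TimeGenerated > startofday(ago(lookback))
    | summarize Heartbeats = count() by Computer, Hour = bin(TimeGenerated, 1h);
SecurityEvent
| where TimeGenerated > startofday(ago(lookback))
| extend AgentLatency    = _TimeReceived - TimeGenerated     // event written -> received by Azure Monitor
| extend PipelineLatency = ingestion_time() - _TimeReceived  // received -> queryable in the workspace
| extend E2ELatency      = ingestion_time() - TimeGenerated  // what the user actually experiences
| summarize
      Events      = count()
    , AgentP95    = percentile(AgentLatency, 95)
    , PipelineP95 = percentile(PipelineLatency, 95)
    , E2EP95      = percentile(E2ELatency, 95)
    , E2EMax      = max(E2ELatency)
  by Computer, Hour = bin(TimeGenerated, 1h)
| join kind=leftouter heartbeats on Computer, Hour
| project-away Computer1, Hour1
// Which leg dominates tells you where to look: the host/agent/network, or the service side.
| extend SlowLeg = iff(AgentP95 >= PipelineP95, "agent/network", "Log Analytics pipeline")
| where E2EP95 > threshold
| project Hour, Computer, Events, Heartbeats, AgentP95, PipelineP95, E2EP95, E2EMax, SlowLeg
| order by E2EP95 desc
```

An hour with few or no Heartbeats next to a large AgentP95 points at the machine being offline rather than at the ingestion service.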
