Forum Discussion

FeintBE's avatar
FeintBE
Copper Contributor
Mar 03, 2020

Azure Sentinel - Logs delay?

Hello,   I've connected my windows server with Azure Sentinel via Security events data connector. A few days ago, the delay of getting logs from windows event manager to Azure sentinel logs was 50...
CliveWatson's avatar
CliveWatson
Icon for Microsoft rankMicrosoft
Mar 03, 2020

FeintBE 

 

To the Events table?

 

Is this all Computers, or just some?  Are they in the same Azure Region as Log Analytics?

 

Factors that affect latency are discussed here: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-ingestion-time

 

This query may help to see if its a particular Computer - assuming its the Events table (if not you will need to edit)

 

Event
| where TimeGenerated > startofday(ago(7day))
| extend E2EIngestionLatency = ingestion_time() - TimeGenerated 
//| extend AgentLatency = _TimeReceived - TimeGenerated 
| summarize 
      ['average E2E IngestionLatency'] = round(avg(todouble(datetime_diff("Second",ingestion_time(),TimeGenerated))/60 ),2)
    , ['minimun E2E IngestionLatency'] = round(min(todouble(datetime_diff("Second",ingestion_time(),TimeGenerated))/60 ),2) 
    , ['maximum E2E IngestionLatency'] = round(max(todouble(datetime_diff("Second",ingestion_time(),TimeGenerated))/60 ),2)
  by Computer , bin(TimeGenerated, 1d)
| order by ['average E2E IngestionLatency'] desc
//| render timechart

   

  • FeintBE's avatar
    FeintBE
    Copper Contributor
    Mar 03, 2020

    CliveWatson 

     

    These are the results of the query

    • CliveWatson's avatar
      CliveWatson
      Icon for Microsoft rankMicrosoft
      Mar 03, 2020

      FeintBE 

       

      So your average and minimum look good, but the maximum latency was high yesterday (over 10mins).  I assume that is the same computer (behind the red squiggle)? 

      Was the computer online yesterday, you should get ~60 heartbeats per full minute?

      Heartbeat 
| where Computer startswith "< insert computer name>" 
| where TimeGenerated > ago(1d)
| summarize count() by bin(TimeGenerated,1h)
| render columnchart

       

      Were other computers affected - that would help to rule out Network issues between your machine and Log Analytics?

      Was it the Agent compared to the E2E? 

      SecurityEvent
| where TimeGenerated > startofday(ago(7day))
//| extend E2EIngestionLatency = ingestion_time() - TimeGenerated 
//| extend AgentLatency = _TimeReceived - TimeGenerated 
| summarize 
      ['average E2E IngestionLatency'] = round(avg(todouble(datetime_diff("Second",ingestion_time(),TimeGenerated))/60 ),2)
    , ['average Agent Latency']        = round(avg(todouble(datetime_diff("Second",_TimeReceived   ,TimeGenerated))/60 ),2) 
  by Computer , bin(TimeGenerated, 1d)
| order by ['average Agent Latency']  desc

Resources