Forum Discussion
Dataloss in transfer between syslog and Azure LogAnalytics
We're experiencing an issue where we lose data between our syslog server data and the results in Sentinels LogAnalytics. Our configuration writes syslog messages to a file /var/syslog_data. This ...
reda21 That's odd, but I wonder about your format.
What process(es) are writing to "/var/syslog_data"? It may make more sense to configure the connector (OMS Agent) to read /var/syslog_data as a Custom Log versus send it in via syslog? If you do it that way you can see if the issue is with rsyslog forwarding the data, Sentinel assuming everything in /var/syslog_data is in syslog format, and if the problem is between your host and Azure. You can compare the size of the new data table (_CL table) to the number of lines in the /var/syslog_data file and see if any are lost between your site and Sentinel.
JKatzmandu thanks for your reply, could you guid me to any information options or documentation which have info on how to configure the OMS agent to read the file directly?
reda21 Once the agent is installed (which it is) you tell it to read a flat log file. It's basically like this:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-sources-custom-logs
