Forum Discussion
Ingestion of Custom Logs of Files (Never Updated) in Azure Sentinel
GaryBushey The log file has a single entry per line.
Also, all the other prerequisites are satisfied:
- The log file does not allow circular logging or log rotation (in my case the file is never changed).
- The log file must use ASCII or UTF-8 encoding (in my case the log file uses UTF-8 encoding).
simonepatonico And just to confirm my understanding, when you get a new file added to the folder, you never see its data being uploaded. Is that correct?
- simonepatonico, Nov 04, 2020, Brass Contributor
GaryBushey Yes, the data is never uploaded to the Workspace because the file is never changed. I noticed that the agent is using the in_tail plugin of fluentd to upload data when new logs are appended to the file.
So my question: How can I upload logs from a file that is never changed with the OMS Agent?
- GaryBushey, Nov 04, 2020, Bronze Contributor
simonepatonico The OMS agent will not upload the data because, as far as it is concerned, the file has never changed.
I am guessing there is no way to tell the program that sends the data to write to a different file each time. I would think you would need to write a bash script to detect when the last modified date for the file has changed and rename it using the date naming format discussed earlier so that the agent detects it as a new file. Not sure how often the file gets written to, so it may be tricky making sure you do not lock the file when it needs to be written to.
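Gary's suggestion above, as an added example that is not from this thread or from the OMS agent: instead of renaming the original (which risks colliding with the writer), this POSIX shell script copies only the bytes appended since the previous run into a date-named file that in_tail sees as new, so the file the application keeps writing is only ever read. The output directory, the date format and the state file are assumptions; the output name must match whatever path pattern the custom log is configured with.

```shell
#!/bin/sh
# Added example, not code from the thread or from the OMS agent. It copies
# only the bytes appended to a never-rotated log since the previous run into
# a date-named file, which in_tail treats as a new file. The source log is
# only read, so the writer is never blocked; run it from cron every minute.

# export_new_lines SRC OUTDIR STATEFILE
#   SRC       the log the application keeps appending to (never rotated)
#   OUTDIR    directory the agent's custom-log path pattern watches (assumed)
#   STATEFILE where the byte offset already exported is remembered (assumed)
# Prints the path of the file written; prints nothing when there is no new data.
export_new_lines() {
    src=$1; outdir=$2; state=$3
    [ -r "$src" ] || return 1
    mkdir -p "$outdir"
    last=0
    if [ -f "$state" ]; then
        last=$(($(cat "$state")))
    fi
    size=$(($(wc -c < "$src")))
    # A smaller file means it was truncated or replaced: start again at byte 0.
    if [ "$size" -lt "$last" ]; then
        last=0
    fi
    if [ "$size" -eq "$last" ]; then
        return 0
    fi
    # If the last byte is not a newline the writer is mid-line; wait for the
    # next run rather than ship a truncated record.
    if [ "$(tail -c 1 "$src" | wc -l)" -ne 1 ]; then
        return 0
    fi
    name=$(basename "$src"); name=${name%.*}
    # Date-stamped name, assumed to match the agent's custom-log path pattern.
    out="$outdir/${name}-$(date -u +%Y%m%d-%H%M%S).log"
    # tail -c +N starts at byte N (1-based); append, so that two runs landing
    # in the same second extend one file instead of overwriting it.
    tail -c +"$((last + 1))" "$src" >> "$out"
    printf '%s\n' "$size" > "$state"
    printf '%s\n' "$out"
}
```

Because the state file records the exported offset, nothing is shipped twice, and a log that is appended every minute produces one small dated file per run rather than a full copy each time.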
- makniy, Apr 23, 2021, Copper Contributor
Hi All,
How was this resolved?
I have the same issue. I am trying to ingest a log file from Sybase; it's just one file that doesn't change, but the log is written to the file every minute. The XXX.log is a per-line format and it meets all the other requirements. I created the sybase_CL and it's not working. Is there a workaround?