Forum Discussion
OMSAgent - CEF logs are sent but not appearing in Sentinel
csmits: I suspect this might have to do with proper parsing. How are your forwarding rules configured on the originating device? What type of device is it? I had something similar happen while working with a customer recently, which led to this blog post:
https://secureinfra.blog/2020/07/06/tips-for-parsing-syslog-to-azure-sentinel/
- csmits, Jul 20, 2020, Copper Contributor
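A quick way to test the "parsing" hypothesis raised above is to run the forwarded lines through a strict CEF header check before blaming the collector. The script below is an added example, not code from the thread or from the OMS agent; the sample syslog lines are constructed, and the checks follow the CEF format (seven pipe-delimited header fields after `CEF:`, with `\|` and `\\` escapes in the header, `\=` in the extension, and a severity of 0-10 or Low/Medium/High/Very-High). Lines that fail here would typically be dropped or mis-parsed by any CEF collector, not only Sentinel's.

```python
import re

# Constructed sample syslog lines carrying CEF (not taken from the thread).
# The first is well-formed; the others show defects that commonly make a CEF
# collector drop or mis-parse a record: missing "CEF:" prefix, too few header
# fields, and an unescaped '|' inside a header field.
SAMPLE_LINES = [
    "Jul 20 12:01:03 gw01 CEF:0|Check Point|VPN-1 & FireWall-1|R80|Accept|Log|0|"
    "rt=1595246463000 src=10.0.0.5 dst=10.0.0.9 msg=allowed\\=yes",
    "Jul 20 12:01:04 gw01 0|Check Point|VPN-1 & FireWall-1|R80|Accept|Log|0|src=10.0.0.5",
    "Jul 20 12:01:05 gw01 CEF:0|Check Point|VPN-1|R80|Accept|Log|rt=1595246465000",
    "Jul 20 12:01:06 gw01 CEF:0|Check Point|Fire|Wall|R80|Accept|Log|0|src=10.0.0.5",
]

HEADER_NAMES = ["version", "vendor", "product", "device_version",
                "signature_id", "name", "severity"]
SEVERITY_WORDS = {"low", "medium", "high", "very-high"}
KEY_RE = re.compile(r"(?<![^ ])([A-Za-z0-9_.]+)=")   # key at start or after a space


def split_header(record):
    """Split on the seven unescaped header pipes.

    Header fields have backslash-escaped '|' and '\\' unescaped; the extension
    is returned raw so that key=value parsing can apply its own escaping rules.
    Returns (fields, None) when fewer than seven pipes are present.
    """
    fields, cur, i = [], [], 0
    while i < len(record) and len(fields) < 7:
        ch = record[i]
        if ch == "\\" and i + 1 < len(record):
            cur.append(record[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) < 7:
        return fields, None
    return fields, record[i:]


def parse_extension(ext):
    """Parse 'k=v k2=v v' pairs; values may contain spaces and '\\=' escapes."""
    pairs = {}
    matches = list(KEY_RE.finditer(ext))
    for n, m in enumerate(matches):
        end = matches[n + 1].start() if n + 1 < len(matches) else len(ext)
        value = ext[m.end():end].strip()
        value = (value.replace("\\=", "=").replace("\\n", "\n")
                      .replace("\\r", "\r").replace("\\\\", "\\"))
        pairs[m.group(1)] = value
    return pairs


def check_cef(line):
    """Return {'ok', 'errors', 'header', 'extension'} for one syslog line."""
    errors = []
    idx = line.find("CEF:")
    if idx < 0:
        return {"ok": False, "errors": ["missing 'CEF:' prefix"],
                "header": {}, "extension": {}}
    fields, ext = split_header(line[idx + 4:])
    if ext is None:
        errors.append("header has %d of 7 fields" % len(fields))
        return {"ok": False, "errors": errors,
                "header": dict(zip(HEADER_NAMES, fields)), "extension": {}}
    header = dict(zip(HEADER_NAMES, fields))
    if not header["version"].isdigit():
        errors.append("version is not numeric: %r" % header["version"])
    sev = header["severity"]
    if not ((sev.isdigit() and 0 <= int(sev) <= 10)
            or sev.lower() in SEVERITY_WORDS):
        errors.append("invalid severity %r (unescaped '|' in a header field?)" % sev)
    extension = parse_extension(ext)
    if ext.strip() and not extension:
        errors.append("extension has no key=value pairs: %r" % ext)
    return {"ok": not errors, "errors": errors,
            "header": header, "extension": extension}


def summarize(lines):
    """Count (well_formed, malformed) across a batch of lines."""
    results = [check_cef(l) for l in lines]
    good = sum(1 for r in results if r["ok"])
    return good, len(results) - good


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        r = check_cef(line)
        print("OK " if r["ok"] else "BAD", r["errors"] or r["header"]["name"])
```

Feed it a capture of what the device actually emits (for example a few hundred lines taken off the forwarder with tcpdump or from the agent's local log) rather than the vendor's documentation sample; the useful signal is the ratio returned by `summarize()` and which error dominates, since a single misconfigured field on the device, such as an unescaped pipe in the product name, will invalidate every record it sends.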
Rod_Trent: Thanks for the insight. It is a Check Point device, and the "Check Point" connector has turned green and is thus active. I suspect the parsing is okay, because ingestion does happen.
However, it looks like the ingestion is hitting some rate limits. Logs start reappearing every day between 12:00 and 13:00, after which they stop showing for 24 hours. This is a repetitive cycle. I will check back to see what kind of response is sent when data is ingested (the omsagent logs still show: "successfully sent logs").
- Ofer_Shezaf, Jul 28, 2020, Microsoft
csmits: I think such an issue is hard to resolve in the community and is very important for us to resolve. Can you open a support ticket?