Forum Discussion
Ulrik_Klepsch
Aug 09, 2024, Copper Contributor
What to do with Syslog Forwarder data connectors that are still built on the OMS Agent?
Hello, I'm currently working on deploying the VMware vCenter data connector to a Sentinel workspace. The issue is that, according to the documentation, the data connector will make use of a Syslo...
Victor1989
Aug 11, 2024, Copper Contributor
Ulrik_Klepsch I think the only choice left is to adopt AMA: use Azure Arc to make your machine a cloud resource, then push AMA.
Ulrik_Klepsch
Aug 13, 2024, Copper Contributor
Thank you for your insight.
We've decided to also go forward with the AMA agent.
In that case, though, we won't be using the Data Connector that is included in the Content Hub solution, and will instead be ingesting the logs into the Syslog table rather than the vcenter_CL table.
We will then have to update the parser that is included in the solution.
- StephenKreusch, Sep 26, 2024, Copper Contributor
Rod_Trent Will Microsoft be providing updated parser functions that work off the Syslog table instead of the XXXXX_CL tables? If yes, is there a roadmap and planned delivery dates?
Thanks
Stephen
- Ulrik_Klepsch, Sep 27, 2024, Copper Contributor
If this is also related to VMware vCenter, as was mentioned in my post, then the current parser for the XXXX_CL table is available on GitHub:
https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware%20vCenter/Parsers/vCenter.yaml
It should be possible to create a Kusto function with this parser logic that looks at the Syslog table instead of the XXXX_CL table, so the data can be isolated and used in analytics rules.
This is at least what I am planning to do, since with the Data Connector still using the OMS agent, if we are to use the AMA agent then the logs will just come into the Syslog table instead of the XXXX_CL table.
I can imagine the parsers for most other XXXX_CL tables are also available on GitHub, so they can be customized for the Syslog table in the same way.
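The approach described in this thread, as an added illustration that is not the vCenter solution's own parser from the linked vCenter.yaml and not code from any poster: a KQL query over the built-in Syslog table that isolates the vCenter appliance's records (once AMA forwards them there instead of into the vCenter_CL table) and projects the standard Syslog columns under stable names, so it can be saved as a workspace function and referenced from analytics rules. The hostnames in vCenterHosts are constructed placeholders; the real parser's output column names and any message parsing must be taken from the YAML on GitHub.

```kusto
// Added example, not the solution's parser. Assumptions: the vCenter appliance
// sends syslog through AMA into the Syslog table, and it can be identified by
// the placeholder hostnames below (replace with your own appliance names).
let vCenterHosts = dynamic(["vcenter01.example.local", "vcenter02.example.local"]); // constructed placeholders
Syslog
// Keep only records that came from the vCenter appliance(s).
| where Computer in~ (vCenterHosts) or HostName in~ (vCenterHosts)
// Map the built-in Syslog columns to the names the rules will use; the
// original _CL parser's column names (from vCenter.yaml) should replace these.
| project
    TimeGenerated,
    SourceHost = Computer,
    HostIP,
    Facility,
    Severity = SeverityLevel,
    Process = ProcessName,
    Pid = ProcessID,
    Message = SyslogMessage
```

To use it from analytics rules, run the query in the Logs blade, choose Save as function (for example with the name vCenterSyslog), and then write rules as `vCenterSyslog | where ...`; because the function reads from Syslog, a check that it returns rows (`vCenterSyslog | take 10`) confirms the AMA data collection rule is actually delivering the appliance's syslog facility before any detection is built on it.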