Dec 27 2022 03:28 AM
We were receiving logs from a particular log source (Cloudflare Firewall logs) into Sentinel using Sentinel's built-in data connectors. (The data connector was automatically deployed using ARM Template.)
Few days ago we made some configuration changes on the log source so that the logs would be pushed into Sentinel when matching certain criteria ( for example when they are associated with a particular host). But, after those config changes, the data connector stoped ingesting logs into the table. The logs are still being pushed into the storage container on Azure and are being consistently updated, but the are not being pushed into the log table. We even tried to reverse the changes on the source side so that logs would be exactly the same as before, but the problem still persists.
Trying to reconfigure the data connector by redeploying it using ARM Template also didn't help.
We would appreciate it if anybody could assist us on this urgent issue.
Jan 01 2023 10:06 AM
Hello @ParsaZ,
This connector is under Preview and there can be bugs with it.
Did you create a new Storage Account for the new Data connector?
Jan 04 2023 01:03 AM
@mikhailf Yes. We tried 2 different storage account. But it problem is the same. The logs are being pushed into them. But, there is no log in the Cloudflare_CL table even after automatic deployment of the data connector using ARM template. We reverted the changes on the log source and even created new low push jobs on the source, but the issue persists and the logs do not appear in the log table.
Jan 04 2023 05:37 AM
Hello @ParsaZ,
By deploying the data connector you deploy Azure Function. Please, find this function and under "Overview" verify that the Function Execution Count is not 0.
Jan 04 2023 07:37 AM
Jan 05 2023 02:19 AM - edited Jan 05 2023 02:47 AM
We created another container specifically for the firewall logs. The logs are being pushed in the container but again, not in the log table. And as we check the related function app's execution count, it is more than 0. But still no logs.