Forum Discussion

FeintBE's avatar
FeintBE
Copper Contributor
Mar 03, 2020

Azure Sentinel - Logs delay?

Hello,

 

I've connected my windows server with Azure Sentinel via Security events data connector.

A few days ago, the delay of getting logs from windows event manager to Azure sentinel logs was 50 secs, now it is 10 minutes.

 

Any idea on how I can see why it takes so long?

 

Thanks!

  • CliveWatson's avatar
    CliveWatson
    Icon for Microsoft rankMicrosoft
    Mar 03, 2020

    FeintBE 

     

    To the Events table?

     

    Is this all Computers, or just some?  Are they in the same Azure Region as Log Analytics?

     

    Factors that affect latency are discussed here: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-ingestion-time

     

    This query may help to see if its a particular Computer - assuming its the Events table (if not you will need to edit)

     

    Event
| where TimeGenerated > startofday(ago(7day))
| extend E2EIngestionLatency = ingestion_time() - TimeGenerated 
//| extend AgentLatency = _TimeReceived - TimeGenerated 
| summarize 
      ['average E2E IngestionLatency'] = round(avg(todouble(datetime_diff("Second",ingestion_time(),TimeGenerated))/60 ),2)
    , ['minimun E2E IngestionLatency'] = round(min(todouble(datetime_diff("Second",ingestion_time(),TimeGenerated))/60 ),2) 
    , ['maximum E2E IngestionLatency'] = round(max(todouble(datetime_diff("Second",ingestion_time(),TimeGenerated))/60 ),2)
  by Computer , bin(TimeGenerated, 1d)
| order by ['average E2E IngestionLatency'] desc
//| render timechart

       

      • CliveWatson's avatar
        CliveWatson
        Icon for Microsoft rankMicrosoft
        Mar 03, 2020

        FeintBE 

         

        So your average and minimum look good, but the maximum latency was high yesterday (over 10mins).  I assume that is the same computer (behind the red squiggle)? 

        Was the computer online yesterday, you should get ~60 heartbeats per full minute?

        Heartbeat 
| where Computer startswith "< insert computer name>" 
| where TimeGenerated > ago(1d)
| summarize count() by bin(TimeGenerated,1h)
| render columnchart

         

        Were other computers affected - that would help to rule out Network issues between your machine and Log Analytics?

        Was it the Agent compared to the E2E? 

        SecurityEvent
| where TimeGenerated > startofday(ago(7day))
//| extend E2EIngestionLatency = ingestion_time() - TimeGenerated 
//| extend AgentLatency = _TimeReceived - TimeGenerated 
| summarize 
      ['average E2E IngestionLatency'] = round(avg(todouble(datetime_diff("Second",ingestion_time(),TimeGenerated))/60 ),2)
    , ['average Agent Latency']        = round(avg(todouble(datetime_diff("Second",_TimeReceived   ,TimeGenerated))/60 ),2) 
  by Computer , bin(TimeGenerated, 1d)
| order by ['average Agent Latency']  desc

Share

Resources