So the disk got full on my log forwarder server and log forwarding stopped... I expanded the disk and now it has enough space:
However, I cannot see any new events in the CommonSecurityLog table since then. I went ahead and reinstalled the OMS agent, but it still doesn't work. There are no heartbeat events either, so I guess the problem will be with the OMS agent. The funny thing is that Syslog messages are arriving in Sentinel... When I run the troubleshooter everything is fine except:
Validating the CEF\ASA logs are received and are in the correct format when received by syslog daemon
sudo tac /var/log/syslog
Located 0 CEF\ASA messages
But if I run tac /var/log/messages |grep CEF I can see the CEF messages.
I ran netstat/tcpdump and messages are hitting port 25226.