Microsoft Tech Community

Feeding Syslog into Sentinel with custom settings

Copper Contributor

Greetings! 


I have 20-some-odd systems out in Azure that are feeding Sentinel via syslog agents on the individual systems and the Syslog data connector. The end result is the Syslog table, and I have crafted custom KQL queries and have had great success finding things that go bump in the night.


Here's my issue/question: syslog by its very nature creates a lot of data to store. Lots of events. Not all of my servers need to be sending all of their syslog events to Sentinel. I'm trying to be cost-conscious while at the same time having good data on hand and available for research when needed. What I would like to do is to customize the rsyslog configuration on specific systems to limit what is sent back to Sentinel.

According to https://docs.microsoft.com/en-us/azure/azure-monitor/agents/data-sources-syslog I can do this by modifying /etc/rsyslog.d/95-omsagent.conf on the individual machines to my liking; however, it also says that I must make a change on the agent's configuration page:

"By default, all configuration changes are automatically pushed to all agents. If you want to configure Syslog manually on each Linux agent, then uncheck the box Apply below configuration to my machines."

I do not see this checkbox anywhere on the Agents Configuration page. The docs that I am reading do seem to be dated, as their screenshots do not match up with what I see on a daily basis.

Does anyone know where this checkbox/option is located currently? 


Thanks!
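For readers wanting to see what the per-host trimming described in the post looks like in practice, here is an added example of a reduced /etc/rsyslog.d/95-omsagent.conf. It is not from the post or from Microsoft's documentation. It assumes the agent's local syslog listener is 127.0.0.1 on UDP port 25224 (check the target your installed file already uses before copying the address) and that the portal is no longer pushing its own version of the file over yours; otherwise the edits are overwritten at the next sync.

```conf
# /etc/rsyslog.d/95-omsagent.conf (added example, not the agent's shipped file)
#
# Only the selectors listed here are forwarded to the local Log Analytics
# agent; everything else is still written to local files by the distro's
# own rules in /etc/rsyslog.d/50-default.conf (or rsyslog.conf) but never
# leaves the host, which is where the ingestion savings come from.
#
# Assumed forwarding target: the agent's syslog listener on 127.0.0.1:25224/UDP.

# Authentication and privilege-escalation events at every severity: these are
# the ones most worth keeping for investigations and are low volume.
auth.*;authpriv.*                          @127.0.0.1:25224

# Kernel, daemon and cron messages only at warning and above. A rsyslog
# "facility.severity" selector matches that severity and every more severe one,
# so debug/info/notice chatter from these facilities is dropped before forwarding.
kern.warning;daemon.warning;cron.warning   @127.0.0.1:25224

# Anything the application logs through local0 is treated as security-relevant
# on this host, so forward all of it. Other local facilities are not listed and
# therefore stay on the box.
local0.*                                   @127.0.0.1:25224
```

Before restarting the service, `rsyslogd -N1` parses the configuration and reports syntax errors without starting the daemon; `systemctl restart rsyslog` then applies it. To decide what to trim on each host, a quick volume check in the workspace such as `Syslog | summarize count() by Computer, Facility, SeverityLevel` shows which facilities and severities are driving ingestion today, so the selectors above can be tuned per server rather than guessed.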

