Linux VM Image and Size
What size Linux VM should be created in Azure to collect syslog logs from Cisco Meraki? I can't find anything in the documentation about the image and size requirements for this type of machine. Can someone point me in the right direction?
2 Replies
- m_zorich (Iron Contributor)
Dean_Gross, the guidance here recommends 8 GB RAM/4 CPU cores to cover you for up to 8500 events per second. If you are just doing some testing, though, I don't think it would be an issue if it was smaller.
https://docs.microsoft.com/en-us/azure/sentinel/connect-log-forwarder?tabs=rsyslog
- ActualCassandra (Copper Contributor)
(apologies for bumping an old post)
Is this correct for AMA, too? The linked URL refers to the log analytics/OMS agent on a Linux VM and not the new method which uses AMA.
I also see on this page https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/Syslog-VMSS-AMA/README.md that the SKU being used by VMs in the scale set is F4s_v2, which is coincidentally 4 vCPUs and 8GB of RAM, though. This page, "Designs for Accomplishing Microsoft Sentinel Scalable Ingestion - Microsoft Community Hub", says that per forwarder, the old agent can handle 8500 EPS and AMA can handle 10,000.
So I guess at least this all implies that 4 vCPU+8GB of RAM is enough per VM?