Microsoft Tech Community
SOLVED

Linux VM Image and Size

What size Linux VM should be created in Azure to collect syslog logs from Cisco Meraki? I can't find anything in the documentation about the image and size requirements for this type of machine. Can someone point me in the right direction?

2 Replies
best response confirmed by VI_Migration (Silver Contributor)
Solution

@Dean Gross the guidance here recommends 8 GB RAM/4 CPU cores to cover you for up to 8500 events per second. If you are just doing some testing, though, I don't think it would be an issue if it was smaller.

Deploy a log forwarder to ingest Syslog and CEF logs to Microsoft Sentinel | Microsoft Docs

(apologies for bumping an old post)

@m_zorich

Is this correct for AMA, too? The linked URL refers to the Log Analytics/OMS agent on a Linux VM and not the new method which uses AMA.

I also see on this page, "Azure-Sentinel/DataConnectors/Syslog-VMSS-AMA/README.md at master · Azure/Azure-Sentinel · GitHub", that the SKU being used by VMs in the scale set is F4s_v2, which is coincidentally 4 vCPUs and 8 GB of RAM, though. This page, "Designs for Accomplishing Microsoft Sentinel Scalable Ingestion - Microsoft Community Hub", says that per forwarder, the old agent can handle 8500 EPS and AMA can handle 10,000.

So I guess at least this all implies that 4 vCPU+8GB of RAM is enough per VM?
