Forum Discussion
Not getting logs from Custom Log source
- Feb 05, 2020
1. First check: does the machine that contains the log file have a working MMA on it? Do you have data from that computer in the Heartbeat table?
2. In Log Analytics, does the table show up in the Schema? I think the answer is no?
<name you used>_CL
e.g.
custom_CL | limit 10
If the MMA isn't talking to Azure then it's likely there is a network issue (often a proxy). Instructions will vary by product and setup to resolve this. Can you put the file on a server that is working?
1. https://techcommunity.microsoft.com/t5/azure-sentinel/implementing-lookups-in-azure-sentinel-part-1-reference-files/ba-p/1091306 lists externaldata that you've used.
I like this as the file on Blob is a single thing to maintain centrally, used by many scripts.
2. If you delete the file, externaldata will fail. An alternative is a datatable in each query https://docs.microsoft.com/en-us/azure/kusto/query/datatableoperator?pivots=azuremonitor - depending on how much data you want to compare and how often it changes, and it's unique to each query.
3. Custom log works that way (when file changes/flushes occur); alternatives are: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-sources-custom-logs
In the cases where your data can't be collected with custom logs, consider the following alternate strategies:
- Use a custom script or other method to write data to Windows Events or Syslog which are collected by Azure Monitor.
- Send the data directly to Azure Monitor using HTTP Data Collector API.
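The last alternative above (the HTTP Data Collector API), as an added example that is not code from this thread or from Microsoft: a Python script that signs one batch of constructed IOC records with the workspace shared key and posts them into a custom log table, which is also a way to push new indicators without re-uploading a blob by hand. WORKSPACE_ID, SHARED_KEY, the ThreatIntel log type and the sample indicators are placeholders.

```python
import base64
import hashlib
import hmac
import json
import urllib.request
from datetime import datetime, timezone

# Constructed placeholders: use your own workspace ID and primary key (load the key from a secret store, not source).
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
SHARED_KEY = base64.b64encode(b"placeholder-shared-key").decode()
LOG_TYPE = "ThreatIntel"  # appears in Log Analytics as the ThreatIntel_CL table

def string_to_sign(rfc1123_date, content_length):
    """Canonical string the API signs: method, body length, content type, date header, path."""
    return (f"POST\n{content_length}\napplication/json\n"
            f"x-ms-date:{rfc1123_date}\n/api/logs")

def build_authorization(workspace_id, shared_key, rfc1123_date, content_length):
    """HMAC-SHA256 over the canonical string, keyed with the base64-decoded workspace key."""
    key = base64.b64decode(shared_key)
    msg = string_to_sign(rfc1123_date, content_length).encode("utf-8")
    sig = base64.b64encode(hmac.new(key, msg, hashlib.sha256).digest()).decode()
    return f"SharedKey {workspace_id}:{sig}"

def build_request(workspace_id, shared_key, log_type, records):
    """Return (url, headers, body) for one batch of records sent as a JSON array."""
    rfc1123_date = datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")
    body = json.dumps(records).encode("utf-8")
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_authorization(workspace_id, shared_key,
                                             rfc1123_date, len(body)),
        "Log-Type": log_type,  # custom table name without the _CL suffix
        "x-ms-date": rfc1123_date,
    }
    url = (f"https://{workspace_id}.ods.opinsights.azure.com/api/logs"
           "?api-version=2016-04-01")
    return url, headers, body

# Constructed sample indicators; in practice read them from your feed or file.
SAMPLE_IOCS = [
    {"Indicator": "198.51.100.23", "Type": "ip", "Source": "constructed-feed"},
    {"Indicator": "bad.example", "Type": "domain", "Source": "constructed-feed"},
]
if __name__ == "__main__":
    url, headers, body = build_request(WORKSPACE_ID, SHARED_KEY, LOG_TYPE, SAMPLE_IOCS)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        print(resp.status)  # 200 means accepted; rows show up after a few minutes
```

Each run appends rows rather than replacing the table, so queries should filter on TimeGenerated or a feed version column if old indicators must be retired.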
Hi CliveWatson,
How can I append blobs using scripts? I mean if I get some new IOCs then I do not want to manually upload the BLOB. I want a mechanism which can append some data to an existing BLOB.
Also, is it possible to get data from an external website and do certain operations and create a BLOB?
Regards,
Mitesh Agrawal