Using Basic Logs for forwarded syslog events?

Copper Contributor



I have set up a Linux log forwarder to send syslog events from various network devices to Sentinel.


I can see these currently are sent to the CommonSecurityLog table in the Log analytics workspace.


For cost saving purposes I would like to be able to send these logs to a new table that uses the Basics Table plan.


Is that possible?  It seems like it should be based on this documentation -


If so, is there a guide anyone can recommend on how to configure the logs to be sent to a new table that uses the Basic log storage plan.


Thanks in advance.


3 Replies
Did you use the AMA, in which case you need to swicth the DCR rue to send the data to a Custom Table rather than CommonSecurityLog?

Basic Logs only supports a few named Tables (not CommonSecurityLog)
No it is not using the AMA, it is using the Log Analytics/OMS agent as that is deployed via the scripts in the MS guide here:

I'll certainly look into replacing this with the AMA if it helps me achieve what I want here.
best response confirmed by Antony Paul (Copper Contributor)
I would recommend the AMA, the OMS becomes end-of-life on August 31st 2024.