Forum Discussion
Using Basic Logs for forwarded syslog events?
Hello,
I have set up a Linux log forwarder to send syslog events from various network devices to Sentinel.
I can see these currently are sent to the CommonSecurityLog table in the Log analytics workspace.
For cost saving purposes I would like to be able to send these logs to a new table that uses the Basics Table plan.
Is that possible? It seems like it should be based on this documentation - https://learn.microsoft.com/en-us/azure/sentinel/basic-logs-use-cases
If so, is there a guide anyone can recommend on how to configure the logs to be sent to a new table that uses the Basic log storage plan.
Thanks in advance.
- I would recommend the AMA, the OMS becomes end-of-life on August 31st 2024.
- Did you use the AMA, in which case you need to swicth the DCR rue to send the data to a Custom Table rather than CommonSecurityLog?
https://learn.microsoft.com/en-us/azure/azure-monitor/agents/data-collection-text-log?tabs=portal
Basic Logs only supports a few named Tables (not CommonSecurityLog) https://learn.microsoft.com/en-us/azure/azure-monitor/logs/basic-logs-configure?tabs=portal-1#when-should-i-use-basic-logs- No it is not using the AMA, it is using the Log Analytics/OMS agent as that is deployed via the scripts in the MS guide here: https://learn.microsoft.com/en-us/azure/sentinel/connect-log-forwarder?tabs=rsyslog
I'll certainly look into replacing this with the AMA if it helps me achieve what I want here.- I would recommend the AMA, the OMS becomes end-of-life on August 31st 2024.
