This is part of a series of blogs on connectors. You might find what you are looking for also here:
My previous blog posts discussed collecting events from Azure PaaS resources and networking and security sources. But what about collecting from servers? Whether deployed in the cloud, on-prem VMs or even physical machines, those are probably still the biggest attack surface and therefore the most common sources of events.
To collect events from servers wherever those are deployed, use the Azure Log Analytics agent (also called "MMA" for Microsoft Monitoring Agent). The agent supports collecting from Windows machines as well as Linux. The agent can be installed manually or provisioned in Azure using Microsoft VM extensions for Windows or Linux.
The agent supports the following Sentinel connectors:
Once you enabled them through the Sentinel's Data Connectors, they will be collected by every agent configured to send data to the workspace.
However, the agent is not limited to this telemetry, and Azure Sentinel can collect the following additional data streams using the agent:
To collect control and data plane telemtry from containers, including AKS, see Azure Monitor for containers and how to enable it.
For completeness, n addition you can collect on-premises telemetry not using the agent for the following sources:
The agent caches data, which helps prevent data loss in case of communication issues between the agent and the cloud. The following described this mechanism and how it can be controlled.
<match oms.blob.**> type out_oms_blob log_level info num_threads 5 buffer_chunk_limit 10m buffer_type file buffer_path /var/opt/microsoft/omsagent/state/out_oms_blob*.buffer buffer_queue_limit 10 buffer_queue_full_action drop_oldest_chunk flush_interval 20s retry_limit 10 retry_wait 30s max_retry_wait 9m </match>
Key: HKLM\SYSTEM\CurrentControlSet\Services\HealthService\Parameters\Management Groups\<Management Group Name> Value: MaximumQueueSizeKb Default: 15360 Min Value: 5120 Max Value: 1536000
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.