My previous blog posts discussed collecting events from Azure PaaS resources and from networking and security sources. But what about collecting from servers? Whether deployed in the cloud, as on-prem VMs or even as physical machines, servers are probably still the biggest attack surface and therefore the most common source of events.
To collect events from servers wherever those are deployed, use the Azure Log Analytics agent (also called "MMA" for Microsoft Monitoring Agent). The agent supports collecting from Windows machines as well as Linux. The agent can be installed manually or provisioned in Azure using Microsoft VM extensions for Windows or Linux.
Azure Sentinel connectors which utilize the agent
The agent supports the following Sentinel connectors:
The Windows firewall writes logs to files, which the agent collects and sends only when the files are rotated. This adds collection latency, which can be controlled by changing the log file size as described here.
The agent caches data, which helps prevent data loss in case of communication issues between the agent and the cloud. The following describes this mechanism and how it can be controlled.
Output is controlled by modifying the agent configuration files. Specifically, edit the output configuration file, /etc/opt/microsoft/omsagent/<workspace id>/conf/omsagent.conf, and modify the section below to control the agent's caching behavior:
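As an added example (not code from the original post or from the agent itself), here is a small Python check that reads the buffer settings out of the <match> section of omsagent.conf, estimates how much data the agent can cache before it starts dropping chunks and how long it keeps retrying before giving up, and flags settings that make event loss during an outage more likely. The embedded sample section, the 100 MiB policy floor and the exponential back-off model are assumptions for illustration, not values taken from the post.

```python
import re

# Constructed sample of the omsagent.conf output section; values are illustrative, not shipped defaults.
SAMPLE_CONF = """<match oms.** docker.**>
  type out_oms
  buffer_type file
  buffer_path /var/opt/microsoft/omsagent/WORKSPACE_ID/state/out_oms*.buffer
  buffer_chunk_limit 15m
  buffer_queue_limit 10
  retry_limit 10
  retry_wait 30s
  max_retry_wait 9m
</match>"""

SIZE_UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}  # fluentd size suffixes
TIME_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600}                 # fluentd time suffixes

def parse_match(conf):
    """Return the settings of the first <match> block as a {key: value} dict."""
    block = re.search(r"<match[^>]*>(.*?)</match>", conf, re.S)
    if block is None:
        raise ValueError("no <match> section found")
    lines = (ln.strip() for ln in block.group(1).splitlines())
    return dict(ln.split(None, 1) for ln in lines if ln and not ln.startswith("#"))

def scaled(value, units):
    """Turn '15m' into bytes (SIZE_UNITS) or '9m' into seconds (TIME_UNITS)."""
    number, unit = re.fullmatch(r"(\d+)([a-z]?)", value.lower()).groups()
    return int(number) * units[unit]

def cache_capacity_bytes(params):
    """Upper bound on buffered data before the queue is full and chunks get dropped."""
    return scaled(params["buffer_chunk_limit"], SIZE_UNITS) * int(params["buffer_queue_limit"])

def retry_window_seconds(params):
    """Back-off time before a chunk is abandoned, assuming fluentd's exponential retry
    (retry_wait * 2**n, capped at max_retry_wait) over retry_limit attempts."""
    wait = scaled(params["retry_wait"], TIME_UNITS)
    cap = scaled(params["max_retry_wait"], TIME_UNITS)
    return sum(min(wait * 2 ** n, cap) for n in range(int(params["retry_limit"])))

def risk_findings(params, min_cache_bytes=100 * 1024 ** 2):
    """Flag settings that raise the chance of losing events during an outage;
    the 100 MiB floor is an assumed local policy, not a vendor recommendation."""
    findings = []
    if params.get("buffer_type", "memory") != "file":  # fluentd defaults to a memory buffer
        findings.append("buffer_type is not 'file': cached events vanish if the agent restarts")
    if cache_capacity_bytes(params) < min_cache_bytes:
        findings.append("cache capacity below the policy floor: short outages may drop events")
    return findings
```

Point parse_match at the real file for your workspace to see how long an outage the current settings can absorb before events are lost.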