question

Eduards-6654 asked

Azure Sentinel custom logs ingestion Linux *.csv

Hello,

We are configuring Azure Sentinel and want to send custom .csv log files from a Linux VM. I installed the MMA (OMS) agent on the Linux VM, then I created a custom log by adding a sample .csv file and configured it for the "/root/server/*.csv" location.

After some time I ran my created custom_CL and there are no entries. Data from the Linux VM is not delivered to the Log Analytics workspace.

We did everything based on the documentation:
https://docs.microsoft.com/en-us/azure/azure-monitor/agents/data-sources-custom-logs

What could be the cause?

Format used - yyyy-MM-ddTHH:mm:ssK

microsoft-sentinel

Is there any log from syslog related to your job? There should be one that would tell you something useful for troubleshooting. Please share more.


The custom log location is specified in the Log Analytics workspace, where I include the path where these files are located. There is no related log based on this action.

1 Answer

Eduards-6654 answered

The problem was that Azure Sentinel didn't track any changes to the *.csv file. After a new file was generated, based on my custom log settings, everything came to Log Analytics.

Later I parsed this data and everything is fine.
