Hi jnweaver,
Thank you for reaching out to the Microsoft Q&A forum.
The default configuration for the OMS agent for Syslog data collection forwards messages to TCP port 25224. This setup streams Syslog events from Linux-based machines into Microsoft Sentinel via the Azure Monitor Agent for Linux and Data Collection Rules.
However, the Common Event Format connector forwards only CEF-identified messages to the Log Analytics agent on TCP port 25226, indicating a specialized use for CEF-formatted messages, different from general Syslog message forwarding.
To summarize:
1. General Syslog forwarding: The local Syslog daemon sends messages to the agent on TCP port 25224.
2. CEF-formatted message forwarding: CEF-identified messages are sent to the Log Analytics agent on TCP port 25226.
Thus, when installing the OMS agent for general Syslog data collection, the default port is 25224, while for CEF-specific message forwarding, the port is 25226.
If you have any other concerns, please let us know. We are here to help you.
If the provided solution has helped in resolving the issue, please consider accepting it by clicking on the "Accept answer" button to enhance visibility of this question for other members of the Microsoft Q&A community.
Thank you.
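
To check which of the two agent ports a host's Syslog daemon actually forwards to, the forwarding rules can be read out of its configuration. The following is an added example, not part of the answer above and not Microsoft's code; it assumes the local daemon is rsyslog, and the function names and the sample configuration are constructed for illustration.

```python
import re

# Local agent ports as stated in the answer above.
AGENT_PORTS = {25224: "general Syslog", 25226: "CEF"}
# Legacy rsyslog forwarding: "<filter> @host:port" is UDP, "@@host:port" is TCP.
LEGACY = re.compile(r"^(?P<sel>\S.*?)\s+(?P<at>@@?)(?P<host>[\w.\-]+):(?P<port>\d+)\s*$")
# RainerScript forwarding: action(type="omfwd" target=... port=... protocol=...)
OMFWD = re.compile(r'action\((?P<args>[^)]*type="omfwd"[^)]*)\)', re.I)
PARAM = re.compile(r'(\w+)="([^"]*)"')

def forwarding_rules(conf_text):
    """Return (filter, host, port, protocol) for every forwarding rule found."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LEGACY.match(line)
        if m:
            proto = "tcp" if m["at"] == "@@" else "udp"
            rules.append((m["sel"], m["host"], int(m["port"]), proto))
            continue
        m = OMFWD.search(line)
        if m:
            p = {k.lower(): v for k, v in PARAM.findall(m["args"])}
            sel = line[:m.start()].strip() or "(unfiltered)"
            # omfwd defaults to port 514 over UDP when the parameters are omitted
            rules.append((sel, p.get("target", ""), int(p.get("port", 514)),
                          p.get("protocol", "udp").lower()))
    return rules

def audit(conf_text):
    """Label each rule with the agent role its destination port implies."""
    out = []
    for sel, host, port, proto in forwarding_rules(conf_text):
        local = host in ("127.0.0.1", "localhost")
        role = AGENT_PORTS.get(port, "other") if local else "remote"
        out.append({"filter": sel, "dest": f"{host}:{port}/{proto}", "role": role})
    return out

# Constructed sample configuration, not copied from a real host.
SAMPLE = '''
auth.*;authpriv.*  @@127.0.0.1:25224
:msg, contains, "CEF:"  @@127.0.0.1:25226
local4.* action(type="omfwd" target="10.0.0.5" port="6514" protocol="tcp")
'''

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run against the contents of the host's rsyslog configuration files, a rule whose role comes back as "other" or "remote" is one that does not deliver to either local agent port.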