syslog forwards messages to Log Analytics port number

jnweaver 0 Reputation points
2024-05-23T02:25:38.6433333+00:00

In this [Connect your external solution using the Common Event Format connector] module it says "Forwarding only the messages it identifies as CEF to the Log Analytics agent on localhost using TCP port 25226"

but

In this [Plan for syslog data collection] module it says "the installation routine configures the local Syslog daemon to forward messages to the agent on TCP port 25224."

So what port is the default configuration when installing the OMS agent?

This question is related to the following Learning Module


1 answer

  1. SiddeshTN 3,275 Reputation points Microsoft Vendor
    2024-05-23T07:06:27.12+00:00

    Hi jnweaver,

    Thank you for reaching out to Microsoft Q & A forum.

    The default configuration for the OMS agent for Syslog data collection forwards messages to TCP port 25224. This setup streams Syslog events from Linux-based machines into Microsoft Sentinel via the Azure Monitor Agent for Linux and Data Collection Rules.

    However, the Common Event Format connector forwards only CEF-identified messages to the Log Analytics agent on TCP port 25226, indicating a specialized use for CEF-formatted messages, different from general Syslog message forwarding.

    To summarize:
    1. General Syslog forwarding: The local Syslog daemon sends messages to the agent on TCP port 25224.
    2. CEF-formatted message forwarding: CEF-identified messages are sent to the Log Analytics agent on TCP port 25226.

    Thus, when installing the OMS agent for general Syslog data collection, the default port is 25224, while for CEF-specific message forwarding, the port is 25226.

    If you have any other concerns, please let us know. We are here to help you.

    If the provided solution has helped in resolving the issue, please consider accepting it by clicking on the "Accept answer" button to enhance visibility of this question for other members of the Microsoft Q&A community.

    Thank you.
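To check which of the two ports a given collector actually forwards to, the following added example (not part of the original thread or of Microsoft's tooling) classifies rsyslog forwarding rules by destination port. It assumes rsyslog's legacy action syntax, where `@host:port` is UDP and `@@host:port` is TCP; the function names and the sample configuration are constructed for illustration.

```python
import re

# Ports as stated in the answer above.
SYSLOG_PORT = 25224  # general Syslog -> agent
CEF_PORT = 25226     # CEF-identified messages -> agent
LOCAL_HOSTS = {"127.0.0.1", "localhost", "[::1]"}

# rsyslog legacy forwarding action at end of a rule: "@" = UDP, "@@" = TCP.
FORWARD_RE = re.compile(
    r"(?<![\w@])(@{1,2})(\[[0-9A-Fa-f:]+\]|[\w.\-]+):(\d{1,5})\s*$")

# Constructed sample configuration, not copied from a real host.
SAMPLE = '''\
# constructed sample
auth.*;authpriv.*   @@127.0.0.1:25224
kern.warning        @127.0.0.1:25224
if $rawmsg contains "CEF:" then @@127.0.0.1:25226
*.*                 @@192.0.2.10:514
'''

def classify_forwards(config_text):
    """Return one finding per forwarding rule: line, proto, host, port, role."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        m = FORWARD_RE.search(line)
        if not m:
            continue
        host, port = m.group(2), int(m.group(3))
        if host not in LOCAL_HOSTS:
            role = "remote"        # leaves the machine, not the local agent
        elif port == SYSLOG_PORT:
            role = "syslog"
        elif port == CEF_PORT:
            role = "cef"
        else:
            role = "other-local"
        findings.append({"line": lineno, "host": host, "port": port,
                         "proto": "tcp" if m.group(1) == "@@" else "udp",
                         "role": role, "selector": line[:m.start()].strip()})
    return findings

def udp_to_agent(findings):
    """Rules that reach an agent port over UDP, where the modules say TCP."""
    return [f for f in findings
            if f["role"] in ("syslog", "cef") and f["proto"] == "udp"]

if __name__ == "__main__":
    for f in classify_forwards(SAMPLE):
        print(f)
```
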