We are migrating our onpremise SIEM to Azure Sentinel.
We have 3 forwarding servers with the AMA agent (2 syslog/CEF and 1 Wec).
We want that when a VPN tunnel goes down the agent buffer is able to store at least 10 GB.
Is this possible?
If not, what is the limit and where can we configure them for Linux and Windows agents?
I am not certain if the AMA for Linux buffer can be configured. Much like the MMA, there is a buffer but the details do not appear to be published. I recommend working with your Microsoft support contacts to request more information if possible.