Microsoft Sentinel and log forwarder limitations

Anttu Pekkarinen 0 Reputation points
2023-03-23T13:08:30.3066667+00:00

We are working on a customer case related to Sentinel, and there are a couple of concerns related to log forwarder servers (when collecting syslog or CEF from devices like firewalls):

  • Customer requires that solution must ensure event data collection even when designed capacity limits are exceeded temporarily. (e.g. there is a network outage and after that there comes lot of firewall log data as a burst).
  • Another wish is that there should be a capability to limit network throughput, when buffered data is transferred after a network outage.

The question is how the log forwarder handles such a situation. Is the log dropped if the EPS limit of the log forwarder is reached? Is there any buffer for such situations?

And is there any possibility to limit the throughput if log data comes in as a burst?

All suggestions on how to ensure continuous data collection and avoid dropping logs are welcome.


1 answer

  1. Clive Watson 7,866 Reputation points MVP Volunteer Moderator
    2023-03-24T07:02:41.1733333+00:00

    Some of the basics were covered in this recent blog article: https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/designs-for-accomplishing-microsoft-sentinel-scalable-ingestion/ba-p/3741516

    With a scale set (VMSS) more forwarders could be added when needed. Azure is very good at scaling to receive bursts into Log Analytics.

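The answer above addresses scaling the number of forwarders, but not the two forwarder-side questions the poster asked: whether events are buffered rather than dropped when the forwarder's own limit is exceeded, and whether the drain rate after an outage can be capped. Sentinel's syslog/CEF forwarders are ordinary Linux hosts running rsyslog in front of the Azure Monitor agent, and rsyslog has mechanisms for both. The configuration below is an added example written for this page; it is not from the question, the answer, or Microsoft's forwarder installation script. It assumes CEF arrives from the firewall on port 514, that the local agent listens on 127.0.0.1:28330 (check the agent's own rsyslog drop-in under /etc/rsyslog.d/ for the real port on your forwarder), and that /var/spool/rsyslog exists and is writable by the rsyslog user.

```conf
# Added example (not from the question or answer): rsyslog tuning for a
# Sentinel CEF/syslog forwarder so that bursts are spooled to disk instead
# of being dropped, and the backlog is drained at a capped rate.
# Assumptions: firewall sends CEF to port 514; the Azure Monitor agent
# listens on 127.0.0.1:28330 (verify against /etc/rsyslog.d/ on your host);
# /var/spool/rsyslog is writable by rsyslog.

module(load="imtcp")
module(load="imudp")

# Input-side rate limiting in rsyslog DROPS messages beyond the burst, which is
# the opposite of the requirement, so it is explicitly disabled (0 = off).
input(type="imtcp" port="514" ratelimit.interval="0")
input(type="imudp" port="514" ratelimit.interval="0")

# Forward CEF to the local agent through a disk-assisted action queue:
#   queue.type="LinkedList" + queue.filename  -> in-memory queue that spills to
#       disk once queue.highWatermark is passed and returns to memory-only
#       operation below queue.lowWatermark.
#   queue.maxDiskSpace                        -> upper bound on spool usage, so a
#       long outage cannot fill the root filesystem.
#   queue.saveOnShutdown="on"                 -> unsent events survive a restart.
#   action.resumeRetryCount="-1"              -> retry forever while the agent
#       is unreachable (default is 0 retries, i.e. the batch is discarded).
#   queue.dequeueBatchSize + queue.dequeueSlowdown -> at most 64 messages per
#       dequeue, then a 10000 microsecond pause, so a single worker drains at
#       roughly 6400 msg/s while the backlog is replayed after an outage.
#   queue.discardMark + queue.discardSeverity -> only when memory AND disk are
#       exhausted, discard debug-level (severity 7) messages first; leave
#       discardSeverity at its default of 8 to never discard anything.
if ($rawmsg contains "CEF:") then {
    action(type="omfwd"
           target="127.0.0.1" port="28330" protocol="tcp"
           action.resumeRetryCount="-1"
           action.resumeInterval="5"
           queue.type="LinkedList"
           queue.filename="cef_fwd_q"
           queue.spoolDirectory="/var/spool/rsyslog"
           queue.size="500000"
           queue.highWatermark="400000"
           queue.lowWatermark="100000"
           queue.maxDiskSpace="4g"
           queue.maxFileSize="256m"
           queue.checkpointInterval="1000"
           queue.saveOnShutdown="on"
           queue.workerThreads="1"
           queue.dequeueBatchSize="64"
           queue.dequeueSlowdown="10000"
           queue.discardMark="480000"
           queue.discardSeverity="7")
    stop
}
```

Two caveats a practitioner should keep in mind. First, the throttle is expressed in messages per dequeue, not in bytes per second; if the customer's requirement is a bandwidth cap on the link toward Azure, the message-rate cap is only an approximation and should be sized from the average CEF event length, or enforced with a proper network QoS policy on the forwarder or its upstream device. Second, a disk queue only protects against the agent or the network being unavailable; events that the firewall itself drops because the forwarder's TCP 514 listener is not accepting connections (for example while rsyslog is restarting) are lost before they reach this queue, so the source device's own buffering and the forwarder's restart behaviour need to be checked as well.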
