for debugging start with using tools like tcpdump on the Ubuntu VM to verify if logs are reaching the server at all. In Sentinel, go to Data connectors and open the Syslog connector. Verify that the selected facilities align with those configured in your rsyslog configuration and Check the Logs tab in the connector and look for errors, using filters if necessary.
Syslog via Legacy Agent Microsoft Sentinel
I have an ubuntu azure vm for our syslog connector that has the Syslog via Legacy Agent connected to it. Many of our resources we have use the syslog connector for sending logs to Sentinel. I had some issues with the connector, but finally resolved them to where logs are flowing into our Sentinel, but only logs pertaining to the Ubuntu vm that the syslog connector is connected to.
For example, we were sending Ubiquiti logs and ThinkstCanary logs, but none of them are showing up now.
Any thoughts or ideas why this would be happening? I've followed all the Microsoft troubleshooting steps, but still only the VM logs are coming in.