OMS to AMA Migration – Redirecting Syslog Data to a Custom Table with DCR

heena 0 Reputation points
2025-03-12T17:07:34.0166667+00:00

We are in the process of migrating from OMS to Azure Monitor Agent (AMA) and have encountered challenges in redirecting Syslog data to a custom table using Data Collection Rules (DCR).

Current Setup:

  • Logs are currently being ingested into the default Syslog table in the Log Analytics workspace.
  • The logs are produced by WAF in CEF format via Syslog and are configured using Linux-syslog in the DCR configuration.

Issue:

  • Despite multiple attempts and referring to Microsoft documentation, we have not been able to successfully redirect logs to our custom table using DCR with AMA.
  • Based on Microsoft's documentation, it appears that custom logs are only supported from text log files or JSON files, and there is no option to define a custom schema for Linux Syslogs.

Questions:

  1. Is there a supported method to ingest Syslog data directly into a custom table using DCR with AMA?
  2. If not, is the only alternative to forward logs to custom table?
  3. Are there any upcoming changes or workarounds that would allow direct ingestion of Syslog data into custom tables using AMA?

Any insights or recommendations would be greatly appreciated. Thank you!


  1. Pranay Reddy Madireddy 6,180 Reputation points Microsoft External Staff Moderator
    2025-03-14T15:19:46.1966667+00:00

    Hi @heena

    1. Currently, there is no supported method to ingest Syslog data directly into a custom table using Data Collection Rules (DCR) with the Azure Monitor Agent (AMA). The documentation outlines that custom logs are primarily supported from text log files or JSON files, and unfortunately, there is no option to define a custom schema for Linux Syslogs at this time.

    2. As an alternative, you can forward your Syslog data to a custom table. This would involve setting up a mechanism to redirect the logs appropriately, allowing you to work around the limitation of direct ingestion.

    3. Regarding any potential changes or future workarounds, the current documentation does not mention any updates that would allow direct ingestion of Syslog data into custom tables via AMA. You might want to keep an eye on future updates or announcements from Azure Monitor for any changes.

    https://learn.microsoft.com/en-us/azure/sentinel/cef-syslog-ama-overview
    https://learn.microsoft.com/en-us/azure/sentinel/cef-syslog-ama-overview#collection-of-syslog-and-cef-messages-with-ama

    Let us know if you need any help; we will always help as needed.


    Please do not forget to "Accept the answer" and upvote it wherever the information provided helps you; this can be beneficial to other community members. It would be greatly appreciated and helpful to others.
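The "forward to a custom table" alternative in the answer above needs something that turns the WAF's CEF-over-syslog lines into flat records and sends them to the custom table through the Logs Ingestion API. The block below is an added example, not code from the question, the answer, or Microsoft; the table name `WafCef_CL`, the stream name `Custom-WafCef_CL`, the sample log lines and the DCE/DCR values are all assumed placeholders.

```python
"""Constructed example: parse WAF CEF syslog lines into records for a custom
Log Analytics table (assumed name WafCef_CL) and push them with the Logs
Ingestion API. Non-CEF syslog lines are dropped so only WAF events land in
the custom table."""
import re
from datetime import datetime, timezone
from typing import Optional

CEF_HEADER_FIELDS = ("DeviceVendor", "DeviceProduct", "DeviceVersion",
                     "SignatureID", "Name", "Severity")
# Split the CEF header on '|' unless the pipe is escaped as '\|'.
_UNESC_PIPE = re.compile(r"(?<!\\)\|")
# Extension keys are identifiers; a value runs until the next ' key=' pair.
_EXT_RE = re.compile(r"(\w+)=((?:(?!\s\w+=).)*)")

# Constructed sample input: one CEF event from the WAF, one unrelated line.
SAMPLE_SYSLOG = [
    "<134>Mar 12 17:07:34 waf01 CEF:0|ExampleVendor|ExampleWAF|1.0|100|"
    "SQL Injection|7|src=10.1.2.3 spt=443 msg=Blocked SQLi attempt act=block",
    "<38>Mar 12 17:07:35 waf01 sshd[123]: Accepted publickey for admin",
]

def parse_cef(syslog_line: str) -> Optional[dict]:
    """Return a flat record for the custom table, or None for non-CEF lines."""
    idx = syslog_line.find("CEF:")
    if idx < 0:
        return None
    parts = _UNESC_PIPE.split(syslog_line[idx:], maxsplit=7)
    if len(parts) != 8:          # malformed header: not 7 pipes before the extension
        return None
    record = {"TimeGenerated": datetime.now(timezone.utc).isoformat(),
              "CefVersion": parts[0][len("CEF:"):].strip()}
    for key, val in zip(CEF_HEADER_FIELDS, parts[1:7]):
        record[key] = val.replace("\\|", "|")
    if record["Severity"].isdigit():
        record["Severity"] = int(record["Severity"])
    for key, val in _EXT_RE.findall(parts[7]):
        record[key] = val.strip().replace("\\=", "=")
    return record

def records_from_lines(lines) -> list:
    """Keep only lines that parsed as CEF; these become rows in WafCef_CL."""
    return [r for r in map(parse_cef, lines) if r is not None]

def upload_records(records, dce_endpoint: str, dcr_immutable_id: str,
                   stream_name: str = "Custom-WafCef_CL") -> None:
    """Send records via the Logs Ingestion API (needs azure-identity and
    azure-monitor-ingestion; imported lazily so parsing works offline)."""
    from azure.identity import DefaultAzureCredential
    from azure.monitor.ingestion import LogsIngestionClient
    client = LogsIngestionClient(endpoint=dce_endpoint,
                                 credential=DefaultAzureCredential())
    client.upload(rule_id=dcr_immutable_id, stream_name=stream_name, logs=records)
```

The DCR referenced by `dcr_immutable_id` must declare the `Custom-WafCef_CL` stream with the same column names the parser emits; `upload_records` is only called when real endpoint and rule values are supplied.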

