Need Help with Syslog/CEF via AMA Setup – Logs Reaching Syslog Server but Not Showing in Sentinel

Question

Need Help with Syslog/CEF via AMA Setup – Logs Reaching Syslog Server but Not Showing in Sentinel

Koushik A R 20

Question:

Hi Community,

We’re working on forwarding logs from a non-Azure environment (YoTTA Cloud) to Microsoft Sentinel, and need help finalizing the setup.

🖥️ Environment Overview:

Cloud: YoTTA Cloud

17 Linux servers used for different roles

Logs from all servers are being forwarded to a central syslog server (also in YoTTA Cloud)

The syslog server is a non-Azure VM, onboarded via Azure Arc

Our goal: Send logs to Microsoft Sentinel using AMA agent and either:

CEF via AMA data connector, or Syslog via AMA data connector

✅ What’s Working:

Logs are successfully reaching the syslog server
AMA agent is installed and shows heartbeat in Azure
Azure Arc shows the syslog server as connected

❌ What’s Not Working:

We tried both forwarding methods:

CEF via AMA Data Connector

Connector status: Connected
Issue: No logs are appearing in the CommonSecurityLog table

Syslog via AMA Data Connector

Connector status: Disconnected
Issue: No logs in the Syslog table

❓What We Need Help With:

We’re looking for guidance to correctly complete the setup and ensure:

Logs from remote Linux servers → syslog server → Sentinel (via AMA) are flowing as expected
Connector status is healthy
Logs are visible in either CommonSecurityLog or Syslog table

Can someone please help review our setup and suggest any required configuration or validation steps to make this work?

Thanks in advance!

Ashok Gandhi Kotnana 10,350 Reputation points Microsoft External Staff Moderator

2025-05-16T13:22:35.1333333+00:00
Hi @Koushik A R ,

Verify AMA Agent Configuration: Since the AMA agent is installed and shows heartbeat in Azure, it indicates that the agent is running. However, the logs aren't showing up in Sentinel, which suggests that the configuration might need some adjustments.

Check AMA Agent Log Collection Configuration: Log collection settings: In Azure Portal, go to your syslog server (under Azure Arc), and make sure that the AMA agent is configured to collect the logs you want.

In the Azure Arc configuration for the server, go to Data collection (or the Azure Monitor section).

Ensure that the appropriate log types are selected e.g Syslog or CEF

For Syslog, ensure it's set to collect logs from the var log directory (or the directory where your syslog logs are stored).

Ensure that CommonSecurityLog is selected in the configuration for CEF logs (if you’re using the CEF format).

2. Double-Check Syslog Configuration on the Syslog Server:

A. Syslog Server Forwarding (for Syslog Connector) For the Syslog connector to work correctly, your syslog server needs to forward logs to the AMA agent. Here’s what to check:

Configuration file: Review the configuration of your syslog server etc rsyslog.conf or etc syslogng.conf to ensure that logs are being forwarded to the local AMA agent.

The forwarding rule should look something like:

127.0.0.1:25224

Here, 127.0.0.1:25224 is where the AMA agent listens by default. Ensure that the correct port is specified

Restart syslog service after making any changes to ensure logs are being forwarded.

B. Syslog Server for CEF for CEF Connector For CEF format:

If you're using CEF, confirm that your syslog server is configured to output logs in CEF format. You might need to modify the syslog configuration or use a tool that converts syslog messages to CEF, such as rsyslog with the CEF module.

3. Validate Log Collection Settings in Sentinel: After configuring the syslog server and AMA agent, you need to ensure that Sentinel is properly set up to receive and display the logs.

A. Syslog Data Connector (Syslog Connector Status Disconnected) The Syslog connector status is showing as disconnected, which means there's an issue with the flow of logs from the syslog server to Sentinel. Here's how to troubleshoot:

AMA Agent Status: Verify the AMA agent is correctly configured to forward syslog logs. You can check the agent logs for any issues by running:

sudo tail -f var log azure Microsoft.OSTCExtensions CustomScriptForLinux handler.log

This might give you insights into any errors that prevent the agent from forwarding logs.

Firewall and Network Access: Ensure that the syslog server can reach the necessary Azure endpoints. For the AMA agent to forward logs to Sentinel, it needs internet access to communicate with Azure. (usually over HTTPS, port 443).

Recheck the Configuration:

Go to Azure Sentinel → Configuration → Data connectors → Syslog.

Ensure that the Syslog connector is set up to receive data from the correct source and port.

Verify that the AMA agent is selected in the configuration.

Ensure that Syslog format is set up correctly, and any additional fields are properly mapped.

B. CEF Data Connector No Logs in CommonSecurityLog Table If you're using the CEF format, follow these steps:

Data Connector Configuration: Ensure that the CEF data connector is enabled in Sentinel and correctly configured.

CEF Log Format Validation: Use the CEF header in the logs to validate that they are indeed in CEF format. You can check the logs in the syslog server to ensure that they are being properly formatted as CEF.

Azure Logs: On the syslog server, try to manually check whether logs are being forwarded to the AMA agent. This will help verify that the syslog server is properly formatting and forwarding logs to Sentinel

4. Test Log Flow and Troubleshooting

Test Syslog Flow: Generate test logs on the syslog server, and check whether they are being forwarded correctly.

Run a test syslog message and check if it shows up in Sentinel after a few minutes.

Use logger to send a test message, for example:

logger -p local0.info Test log message

Check AMA Agent Logs: Review the AMA agent logs to ensure it's properly collecting and forwarding logs. You can use the following command to check the AMA agent's logs:

sudo tail -f var log azure azuremonitoragent.log

Look for any errors or warning messages.

Sentinel Logs: Check the Logs section in Sentinel to see if there are any messages related to the syslog or CEF connector (e.g., connection attempts, errors, etc.). You can search for the logs to confirm whether they are ingested.

Final Validation Healthy Connector Status: After ensuring the syslog forwarding and AMA agent setup are correct, the Syslog connector should show as connected, and logs should flow to Sentinel.

Logs in CommonSecurityLog or Syslog Table: Once everything is configured, logs should start appearing in CommonSecurityLog (if using CEF) or Syslog (if using Syslog) tables in Sentinel. You can verify by running queries like:

For Syslog: Syslog | limit 10 For CEF: CommonSecurityLog | limit 10

If you have a moment, please do upvote it if the information provided has been helpful. This can be beneficial to other community members and would be greatly appreciated.

Thank you.
Ashok Gandhi Kotnana 10,350 Reputation points Microsoft External Staff Moderator

2025-05-19T08:31:05.3833333+00:00

Hi @Koushik A R

I just wanted to check if the above provided information worked for you or if you need any further assistance?

Please feel free to let us know, as we are always here to help whenever you need us.

Additionally, if you have a moment, please do upvote it if the information provided has been helpful. This can be beneficial to other community members and would be greatly appreciated.

Thank you.
Koushik A R 20 Reputation points

2025-05-19T09:24:57.63+00:00

Hey Ashok, Thanks for providing detailed solution for troubleshooting Syslog/CEF via AMA. However after doing everything, still the connector is disconnected. At this point we would like to configure only syslog via AMA and not CEF. Our setup-up details:- We have latest AMA agent (v1.35.1)) installed on non azure ubuntu 22.04.4 LTS VM onboarded via Azure Arc, with DCR and DCE properly configured using Linux syslog as Data source. Logs are successfully received in/var Attempts to forward syslog using both **. * @*127.0.0.1:25224 and *. * @@/dev/ama-logs; RSYSLOG_SyslogProtocol23Format lines in the config file did not resolve the issue. So could you please help us with this? If possible, we'd appreciate the opportunity to connect and discuss this further. Thank you
Ashok Gandhi Kotnana 10,350 Reputation points Microsoft External Staff Moderator

2025-05-19T10:15:43.2366667+00:00

Hi @Koushik A R ,

I have reached out to you in a private message
Bathini Harshitha 5 Reputation points Microsoft External Staff Moderator

2025-05-27T16:30:47.99+00:00

Hi Koushik A R

Since you are using AMA version 1.35.1 on an Azure Arc-enabled Ubuntu 22.04.4 VM, forwarding syslog to 127.0.0.1:25224 or /dev/ama-logs are no longer valid for Syslog ingestion in this AMA version.

Instead, update your rsyslog configuration to send logs over TCP to 127.0.0.1:28330 using the below line

*.* @@127.0.0.1:28330;RSYSLOG_SyslogProtocol23Format,

once updated, then restart rsyslog using sudo systemctl restart rsyslog, and finally verify that the Azure Monitor Agent is listening on port 28330 by running sudo netstat -tulnp | grep 28330, which should show a LISTEN entry bound to 127.0.0.1:28330 by the azuremonitoragent process.

Confirm the DCR is correctly associated with the Arc-enabled VM and configured for LinuxSyslog to get the connector to show 'Connected' and start receiving logs in Sentinel.

Syslog and CEF AMA connectors

Please do not forget to “upvote it” wherever the information provided helps you, this can be beneficial to other community members.it would be greatly appreciated and helpful to others.
Koushik A R 20 Reputation points

2025-05-28T06:34:38.6033333+00:00

Hi Bathini Harshitha,

Thank you for your response.

I tried the method you mentioned above but still the connector status is showing disconnected and logs are not forwarding from syslog to sentinel.

If possible, can we connect over a call to discuss this further to resolve the issue?

Thank you.
Bathini Harshitha 5 Reputation points Microsoft External Staff Moderator

2025-05-28T11:28:02.9566667+00:00

Hi Koushik A R,

I had reached out to you in a private message, Please check.

Accepted answer

0 additional answers

Your answer

Ashok Gandhi Kotnana 10,350 Reputation points Microsoft External Staff Moderator

2025-05-19T08:31:05.3833333+00:00

Hi @Koushik A R

I just wanted to check if the above provided information worked for you or if you need any further assistance?

Please feel free to let us know, as we are always here to help whenever you need us.

Additionally, if you have a moment, please do upvote it if the information provided has been helpful. This can be beneficial to other community members and would be greatly appreciated.

Thank you.
Koushik A R 20 Reputation points

2025-05-19T09:24:57.63+00:00

Hey Ashok, Thanks for providing detailed solution for troubleshooting Syslog/CEF via AMA. However after doing everything, still the connector is disconnected. At this point we would like to configure only syslog via AMA and not CEF. Our setup-up details:- We have latest AMA agent (v1.35.1)) installed on non azure ubuntu 22.04.4 LTS VM onboarded via Azure Arc, with DCR and DCE properly configured using Linux syslog as Data source. Logs are successfully received in/var Attempts to forward syslog using both **. * @*127.0.0.1:25224 and *. * @@/dev/ama-logs; RSYSLOG_SyslogProtocol23Format lines in the config file did not resolve the issue. So could you please help us with this? If possible, we'd appreciate the opportunity to connect and discuss this further. Thank you
Ashok Gandhi Kotnana 10,350 Reputation points Microsoft External Staff Moderator

2025-05-19T10:15:43.2366667+00:00

Hi @Koushik A R ,

I have reached out to you in a private message
Bathini Harshitha 5 Reputation points Microsoft External Staff Moderator

2025-05-27T16:30:47.99+00:00

Hi Koushik A R

Since you are using AMA version 1.35.1 on an Azure Arc-enabled Ubuntu 22.04.4 VM, forwarding syslog to 127.0.0.1:25224 or /dev/ama-logs are no longer valid for Syslog ingestion in this AMA version.

Instead, update your rsyslog configuration to send logs over TCP to 127.0.0.1:28330 using the below line

*.* @@127.0.0.1:28330;RSYSLOG_SyslogProtocol23Format,

once updated, then restart rsyslog using sudo systemctl restart rsyslog, and finally verify that the Azure Monitor Agent is listening on port 28330 by running sudo netstat -tulnp | grep 28330, which should show a LISTEN entry bound to 127.0.0.1:28330 by the azuremonitoragent process.

Confirm the DCR is correctly associated with the Arc-enabled VM and configured for LinuxSyslog to get the connector to show 'Connected' and start receiving logs in Sentinel.

Syslog and CEF AMA connectors

Please do not forget to “upvote it” wherever the information provided helps you, this can be beneficial to other community members.it would be greatly appreciated and helpful to others.
Koushik A R 20 Reputation points

2025-05-28T06:34:38.6033333+00:00

Hi Bathini Harshitha,

Thank you for your response.

I tried the method you mentioned above but still the connector status is showing disconnected and logs are not forwarding from syslog to sentinel.

If possible, can we connect over a call to discuss this further to resolve the issue?

Thank you.
Bathini Harshitha 5 Reputation points Microsoft External Staff Moderator

2025-05-28T11:28:02.9566667+00:00

Hi Koushik A R,

I had reached out to you in a private message, Please check.

Answer 1

@Koushik A R Thank you for your time and patience over the call! Below is the summary of troubleshooting steps followed to resolve the issue.

Issue: Syslog/CEF via AMA Setup – Logs Reaching Syslog Server but Not Showing in Sentinel -Preventing an Ubuntu Linux Server (24.04.2 LTS) from sending Syslog data to Azure Monitor - Log Analytics Workspace / Sentinel.

Cause: The primary issues stemmed from misconfigurations in the local rsyslog service and Azure Monitor components.

Resolution/Corrective actions:

Restoring critical rsyslog configurations: The /etc/rsyslog.conf file was updated to include $IncludeConfig /etc/rsyslog.d/*.conf, ensuring additional configurations, including the Azure Monitor Agent's (AMA) settings, were processed. Additionally, the missing /etc/rsyslog.d/50-default.conf file, crucial for default telemetry processing, was restored.
Correcting Azure Data Collection Rule (DCR) and Updating Azure Monitor Agent: An unnecessary Data Collection Endpoint (DCE) was removed from the Syslog DCR. The Azure Monitor Agent Extension on the Linux server was updated to the latest version. Validation confirmed the Azure Arc Agent (azcmagent) was connected and communicating with Azure Monitor REST API Endpoints. The DCR was verified to have the correct facilities, severity levels, and the target Linux server assigned as a resource.
Network and Service Validation: Network connectivity was confirmed by ensuring rsyslog was listening on TCP/UDP port 514 (netstat -peanutl) and that the imudp / imtcp modules were enabled in /etc/rsyslog.conf. Traffic analysis using tcpdump validated incoming Syslog data from client systems on network interface (enslp0) and outgoing telemetry to Azure Monitor via the local loopback interface on the hairpin port (28330).

These combined actions rectified the Syslog forwarding failures, enabling successful data ingestion into Azure Monitor.

If the response helped, do "Accept Answer" and up-vote it

Koushik A R 20 Reputation points

2025-06-05T07:35:46.6766667+00:00

Hi, thank you for connecting with me and helping to resolve this issue. After following the troubleshooting steps, we are now successfully receiving logs in the Sentinel Syslog table. We're also able to add analytics rules to detect and remediate any threats. Thank you once again for your time.
SadiqhAhmed-MSFT 49,331 Reputation points Microsoft Employee Moderator

2025-06-05T08:35:20.3866667+00:00

@Koushik A R Thanks for confirming resolution. Glad to know the issue is resolved and the solution is working as expected.

Share via

Need Help with Syslog/CEF via AMA Setup – Logs Reaching Syslog Server but Not Showing in Sentinel

0 additional answers

Your answer