How do I configure Linux servers for free cloud defender plan 2 ingestion

Question

Hi, I'm trying to create a DCR to forward Linux logs to "LinuxAuditLog" table of log analytics as part of my free 500mb plan 2 ingestion.
However in the DCR wizard I can only select syslog, which I understand is sent to the "syslog" table in log analytics and does not qualify for free 500mb ingestion.

The robot has told me to get round this i need to deploy a DCR using JSON template. I have tried to do this and get the following error:

Json Extract referencing "stream":

 "type": "Microsoft.Insights/dataCollectionRules",

  "apiVersion": "2022-06-01",

  "name": "[parameters('dcrName')]",

  "location": "[parameters('location')]",

  "properties": {

    "dataSources": {

      "linuxAuditLogs": [

        {

          "name": "linux-auditd-src",

          "streams": [ "LinuxAuditLog" ],

          "state": "Enabled"

        }

Deployment Error:

InvalidStream: 'LinuxAuditLog' must be a custom stream or one of the allowed streams.

copilot response:
In short, the Linux Audit stream isn’t currently accepted by the DCR API in your region/tenant, so the ARM template with linuxAuditLogs → LinuxAuditLog failed preflight validation. The public portal only exposes Linux Syslog as a Linux data source today, and Microsoft’s docs for the wizard likewise only show the Syslog option (not Linux Audit) for Linux DCRs.

At the same time, Microsoft’s Defender for Servers Plan 2 documentation still lists LinuxAuditLog as one of the tables eligible for the 500 MB/day per-server free ingestion—but that benefit only applies if your logs actually land in that table (not Syslog).

So you’ve hit a real-world mismatch: benefit mentions LinuxAuditLog, but the DCR UI/API you have won’t let you create that stream (hence the “InvalidStream” error).

Documentation seems centered around Windows approach but limited for Linux. Anyone know what i need to do to get this working against my free ingestion limit.

Answer 1

Hello Ash Roberts

The most frequent cause of an empty LinuxAuditLog table when Defender for Servers Plan 2 is enabled, AMA is auto-provisioned, and there are no custom DCRs is that auditd is not installed, not operating, or not creating events on the Linux virtual machine. Defender just gathers previously audited output; it doesn't generate audit rules. Please confirm: 1. The auditd service is active. 2. There are audit rules (auditctl -l). 3. Local events are being produced (ausearch).

Even if Microsoft Defender for Cloud is configured correctly, nothing will show up in LinuxAuditLog if auditd isn't generating logs.

If the resolution was helpful, kindly take a moment to click on and click on Yes for was this answer helpful. And, if you have any further query do let us know.

Answer 2

To set up Linux servers for the free Defender for Servers Plan 2 ingestion and forward logs to the LinuxAuditLog table, you are encountering a limitation with the Data Collection Rule (DCR) API. Currently, the DCR wizard only permits the selection of Linux Syslog as a data source, which directs logs to the Syslog table and does not qualify for the free 500 MB ingestion benefit.

The error message you received indicates that the LinuxAuditLog stream is not recognized by the DCR API in your region or tenant. This situation reflects a discrepancy where the documentation lists the LinuxAuditLog table as eligible for free ingestion, yet the DCR interface does not allow for the creation of a stream for it.

At this moment, the only available option is to utilize the Linux Syslog data source for your DCR. However, this will not enable you to access the free ingestion benefit for the LinuxAuditLog table. Unfortunately, there is no current workaround to configure the LinuxAuditLog stream through the DCR API.

It may be beneficial to monitor updates from Microsoft regarding future support for the LinuxAuditLog stream in the DCR API or to contact Microsoft support for additional guidance.