@Jody Petroni Thanks for reaching out.
When you install the Azure Monitor agents for the machines you choose, they create a tunnel to the Log Analytics workspace that you have for Sentinel. All the logs collected at the device end are cached on the local machine at C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State before they are sent to Azure Monitor. The agent attempts to upload every 20 seconds. If it fails, it will wait an exponentially increasing length of time until it succeeds. It will wait 30 seconds before the second attempt, 60 seconds before the next, 120 seconds, and so on to a maximum of 8.5 hours between retries until it successfully connects again. This wait time is slightly randomized to avoid all agents simultaneously attempting connection. The oldest data is discarded when the maximum buffer is reached.
The default cache size is 50 MB but can be configured between a minimum of 5 MB and a maximum of 1.5 GB. It's stored in the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HealthService\Parameters\Persistence Cache Maximum. The value represents the number of pages, with 8 KB per page.
The option you set for data collection, for relevant logs such as Common, Minimal, etc., is added to the configuration file for the agent. The agent then communicates with Windows WMI to query those events under Event Viewer and captures the information that is required, which is then processed further as I mentioned above.
Let me know if this helps. Feel free to reach out if there is anything I can help with.
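The retry schedule and cache sizing described in the answer above can be modelled to estimate how much log data an agent would discard during a connectivity outage. This is an added example, not part of the original answer or Microsoft's code; it assumes a steady log rate, ignores the randomized jitter, and treats the first failed upload as the start of the outage.

```python
# Constants taken from the answer above.
PAGE_BYTES = 8 * 1024           # registry value counts 8 KB pages
FIRST_WAIT_S = 30               # wait before the second attempt
MAX_WAIT_S = int(8.5 * 3600)    # cap on the wait between retries
MIN_MB, MAX_MB = 5, 1536        # configurable range: 5 MB to 1.5 GB


def pages_for_mb(cache_mb):
    """Page count to store in 'Persistence Cache Maximum' for a size in MB."""
    if not MIN_MB <= cache_mb <= MAX_MB:
        raise ValueError(f"cache size must be {MIN_MB}-{MAX_MB} MB")
    return cache_mb * 1024 * 1024 // PAGE_BYTES


def retry_times(outage_s):
    """Seconds after the first failure at which each retry fires.

    The last entry is the first retry at or after the outage ends,
    i.e. the moment the agent reconnects (jitter ignored: assumption).
    """
    times, t, wait = [], 0, FIRST_WAIT_S
    while True:
        t += wait
        times.append(t)
        if t >= outage_s:
            return times
        wait = min(wait * 2, MAX_WAIT_S)   # doubles up to the 8.5 h cap


def outage_report(cache_mb, log_rate_bytes_s, outage_s):
    """Estimate bytes discarded (oldest first) before the agent reconnects."""
    cache_bytes = pages_for_mb(cache_mb) * PAGE_BYTES
    reconnect_s = retry_times(outage_s)[-1]
    produced = log_rate_bytes_s * reconnect_s   # steady rate: assumption
    return {
        "cache_pages": cache_bytes // PAGE_BYTES,
        "reconnect_s": reconnect_s,
        "lost_bytes": max(0, produced - cache_bytes),
    }


if __name__ == "__main__":
    # Constructed scenario: default 50 MB cache, 1 hour outage, two log rates.
    for rate_kb in (10, 20):
        print(rate_kb, "KB/s ->", outage_report(50, rate_kb * 1024, 3600))
```

Because of the doubling waits, the agent in this model reconnects 3810 seconds after a 3600-second outage begins, so the cache has to cover the gap up to the next retry, not only the outage itself.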