Sentinel agent and syslog config

Question

This may be more of a syslog config question than Sentinel: If i install the Sentinel agent on a Linux server and have it forward logs to Sentinel, can syslog also retain a copy of the logs locally on the Linux machine? Or does it just relay them through?

Answer 1

Issue moved to a more appropriate forum - Azure Security.

Answer 2

According to the documentation,

"Applications will send messages that may be stored on the local machine or delivered to a Syslog collector. When the Log Analytics agent for Linux is installed, it configures the local Syslog daemon to forward messages to the agent. The agent then sends the message to Azure Monitor where a corresponding record is created."

So if we follow this, the local machine and syslog agent would store the logs. And Sentinel collects those logs. So it looks like you would still have a copy of the logs on the local machine uder /var/log/syslog or /var/log/messages

---

Please take a moment to "Mark as Answer" and/or "Vote as Helpful" wherever applicable. Thanks!

Answer 3

I'm following up on this again, please remember to mark one of the responses as answer if your question has been answered. If not please let us know if there are anymore questions. Also please remember to post future questions on the new Q&A Forums here : https://docs.microsoft.com/answers/index.html Thanks

Answer 4

I'm following up on this please let us know if there are anymore questions. As it looks like this issue has been resolved within the scope of the MSDN Thread Question, I will be marking the response as answer. Please let me know if your question has not been answered, and I can go ahead and unmark it as answer or feel free to mark it as unanswer yourself. Also please remember to post future questions on the new Q&A Forums here : https://docs.microsoft.com/answers/index.html Thanks