Troubleshooting syslog connection to Sentinel/Log Analytics

  • Question

  • I have followed the process described for establishing a syslog data connector. My Linux syslog gateway has downloaded the omsagent. I can see syslog entries being logged on the syslog server. When I run the Python script cef_troubleshoot.py it confirms that rsyslog and omsagents look correct. But then it exits with an error "TypeError: a bytes-like object is required, not 'str'"

    Because this script exited, I haven't been able to confirm that the omsagent is sending data to Sentinel. In the Azure Portal, there is no data connector indicated to be active using CEF. Are there any more detailed troubleshooting instructions available from Microsoft for the omsagent?

    EDIT: On the Linux server, looking in /var/opt/microsoft/omsagent/log/omsagent.log I see entries from syslog. However each is prefixed with "[warn]: pattern not match:"

    Would that mean that the expected CEF format of the logs is not being met?

    EDIT: There was an error in the CEF format being sent by my system. Once the format was corrected, all came good.



    • Edited by Jim McGrady Thursday, November 7, 2019 5:44 AM
    Thursday, November 7, 2019 3:43 AM
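The thread above resolves on the CEF format itself being wrong, so a structural check of the lines before they reach the agent is the natural next step. The following is an added example, not code from the thread, from Microsoft, or from cef_troubleshoot.py: it checks a syslog-wrapped line against what the CEF specification defines (a header of exactly seven pipe-delimited fields, Version|Vendor|Product|DeviceVersion|EventClassID|Name|Severity, with "|" and "\" escaped inside a field, followed by an optional key=value extension in which "=" is escaped as "\="). The sample lines, hostnames and addresses are constructed; treating everything before "CEF:" as the syslog prefix is an assumption made to keep the check independent of the syslog timestamp format.

```python
"""Structural check of syslog-wrapped CEF lines.

Added example, not code from the forum thread, from Microsoft or from
cef_troubleshoot.py.  It checks what the CEF spec defines: a header of
exactly seven pipe-delimited fields (Version|Vendor|Product|DeviceVersion|
EventClassID|Name|Severity, with '|' and '\\' escaped inside a field) and
an optional extension of key=value pairs ('=' escaped as '\\=' in values).
All sample lines below are constructed.
"""
import re
from typing import Dict, List, Tuple

HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "event_class_id", "name", "severity")
SEVERITY_WORDS = {"Low", "Medium", "High", "Very-High"}

# Assumption: everything before "CEF:" (PRI, timestamp, host) is syslog prefix.
_CEF_START = re.compile(r"^(?P<prefix>.*?)(?:^|\s)CEF:(?P<body>.*)$")
# An extension key is a run of non-space, non-'=', non-'\' chars at the start
# of the extension or after whitespace, directly followed by '='.
_EXT_KEY = re.compile(r"(?:^|\s)([^\s=\\]+)=")


def split_cef_header(body: str) -> Tuple[List[str], str]:
    """Split the text after 'CEF:' into its header fields and the extension.

    An unescaped '|' separates fields; '\\|' and '\\\\' are literal characters.
    The seventh unescaped pipe ends the header and everything after it is the
    extension.  A line without an extension may omit that trailing pipe.
    """
    fields: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            cur.append(body[i + 1])          # escaped char, taken literally
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
            if len(fields) == len(HEADER_FIELDS):
                return fields, body[i + 1:]  # header complete, rest is extension
            i += 1
            continue
        cur.append(ch)
        i += 1
    fields.append("".join(cur))              # last field had no trailing pipe
    return fields, ""


def parse_extension(ext: str) -> Dict[str, str]:
    """Parse 'k1=v1 k2=v2 ...'; values may contain spaces and escaped '\\='."""
    keys = list(_EXT_KEY.finditer(ext))
    out: Dict[str, str] = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        raw = ext[m.end():end].strip()
        out[m.group(1)] = re.sub(r"\\(.)", r"\1", raw)   # unescape \= and \\
    return out


def validate_cef_line(line: str) -> dict:
    """Check one syslog line; returns ok flag, error list, parsed header/extension."""
    result = {"ok": False, "errors": [], "header": {}, "extension": {}}
    errors = result["errors"]
    m = _CEF_START.match(line.rstrip("\r\n"))
    if not m:
        errors.append("no 'CEF:' marker found; line is not CEF at all")
        return result
    fields, ext = split_cef_header(m.group("body"))
    if len(fields) != len(HEADER_FIELDS):
        errors.append(f"header has {len(fields)} pipe-delimited fields, expected 7 "
                      "(a missing field, or an unescaped '|' inside a field)")
        return result
    header = dict(zip(HEADER_FIELDS, fields))
    result["header"] = header
    for name in ("vendor", "product", "device_version", "event_class_id", "name"):
        if not header[name]:
            errors.append(f"header field '{name}' is empty")
    if not header["version"].isdigit():
        errors.append(f"version {header['version']!r} is not numeric")
    sev = header["severity"]
    if not ((sev.isdigit() and int(sev) <= 10) or sev in SEVERITY_WORDS):
        errors.append(f"severity {sev!r} must be 0-10 or Low/Medium/High/Very-High "
                      "(an unescaped '|' in an earlier field shifts the fields here)")
    result["extension"] = parse_extension(ext)
    result["ok"] = not errors
    return result


# Constructed sample lines (not taken from the thread): PRI, timestamp, host, CEF.
GOOD_LINE = ("<14>Nov  7 03:43:00 syslog-gw CEF:0|Contoso|WebProxy|1.0|100|"
             "Blocked URL|5|src=10.0.0.5 dst=203.0.113.9 msg=policy\\=deny act=blocked")
# Unescaped '|' inside the Name field shifts every later field by one.
BAD_PIPE_LINE = ("<14>Nov  7 03:43:00 syslog-gw CEF:0|Contoso|WebProxy|1.0|100|"
                 "Blocked|URL|5|src=10.0.0.5")
# Severity missing: only six header fields.
SHORT_LINE = "<14>Nov  7 03:43:00 syslog-gw CEF:0|Contoso|WebProxy|1.0|100|Blocked URL"
# Plain syslog with no CEF header at all.
PLAIN_LINE = "<38>Nov  7 03:43:00 syslog-gw sshd[4242]: Accepted publickey for jim"

if __name__ == "__main__":
    for sample in (GOOD_LINE, BAD_PIPE_LINE, SHORT_LINE, PLAIN_LINE):
        r = validate_cef_line(sample)
        print("OK  " if r["ok"] else "FAIL", sample[:60], r["errors"])
```

Feed it a handful of lines captured on the syslog server; a line the validator rejects is a likely source of the "[warn]: pattern not match:" entries in omsagent.log, and the error text says which header field is at fault. It is a structural check only, so it cannot tell whether the agent's own syslog-prefix pattern accepts the timestamp and host format in front of "CEF:".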

All replies

  • Hello Jim, from your last update/edit above, I assume this issue is resolved. Kindly confirm?

    If issue persists, please use these steps to raise a support ticket with our Azure support channel.

    Important note: Troubleshooting syslog connectivity to Sentinel requires access to your subscription and tenant IDs. These are classified as customer-PII data and should not be shared on a public forum.

    If you do not have a support plan, send mail to AzCommunity@microsoft.com including your subscription ID and a link to this thread (for context) and we will gladly connect you to the Azure support channel.

    Have a nice weekend.

    Cheers.

    Saturday, November 9, 2019 11:36 PM
    Moderator