Reputation: 3
Does anyone have implemented auxiliary logs deployment in sentinel?
I have tried implementing Auxiliary logs, but unable to ingest logs to auxiliary table, how it works? I have tried log ingestion via text and json file but unable to receive logs to log analytic workspace. Followed these blogs.
These blogs I followed, 1.Using text file- https://learn.microsoft.com/en-us/azure/azure-monitor/agents/data-collection-log-text?tabs=portal, 2. Using JSON- https://learn.microsoft.com/en-us/azure/azure-monitor/agents/data-collection-log-json .
**https://learn.microsoft.com/en-us/azure/azure-monitor/logs/create-custom-table-auxiliary ** I have created a custom auxiliary table, set DCE and DCR but am still unable to ingest logs to auxiliary table.
Upvotes: 0
Views: 161
Answers (1)
Reputation: 8018
Usually, retrieving logs from workspace tables or any custom tables could take up to 10 to 20 minutes to load and data will be shown in the logs query.
I have also tried through Portal and the logs are not properly visible as expected. Then, I have used a PowerShell & bash commands workaround as clearly explained in this blog.
Firstly, I created a new data collection rule by calling the below PowerShell command Invoke-AzRestMethod as shown in the above blog.
Then after, to ingest the logs into the table, I have used below bash commands and obtained the access token first for ingestion.
curl -X POST -H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=client_credentials&client_id=$clientid&client_secret=$clientsecret&scope=https://monitor.azure.com/.default" \
"https://login.microsoftonline.com/$tenantid/oauth2/v2.0/token"
Once the token has been retrieved and saved it in a variable, I was passing a Json payload to the custom data collection rule endpoint URL as shown below. Refer the blog for more detailed information.
payload='[
{
"TimeGenerated": "xxx",
"Message": "xxxx",
"Info": "xxx"
}
]'
curl -vvvv -H "Authorization: Bearer $token" -H "Content-Type: application/json" --request POST -d "payload" $uri
By performing all the above operations, you can be able to view the logs information without any fail.
Upvotes: 0
Related Questions
- Custom Text Logs Collection and Visualisation using Azure Monitor Agent and Log Analytics Workspace
- Azure log ingestion TimeGenerated problem
- How to understand Microsoft Entra application required for log ingestion API
- Need help to understand if azure sentinel data connection solution is being built correctly
- Azure Monitor Agent Custom Logs not working
- Azure AKS in-container logs to Azure Logs/Azure Sentinel
- Send custom logs to Log Analytics Workspace via REST
- VMinsight enable Azure VM using PowerShell
- Creating Azure custom log failed with authentication error
- Collect text logs with Azure Monitor Agent