Nov 06 2020 05:48 AM - last edited on Dec 23 2021 04:49 AM by TechCommunityAP
We're experiencing an issue where we lose data between our syslog server data and the results in Sentinel's Log Analytics.
Our configuration writes syslog messages to a file /var/syslog_data. This file is read by the rsyslog imfile module to forward its content to the OMS agent's syslog port (25224); to identify this data we gave it the syslog tag "sys_data". We found this issue by comparing the counted lines in the /var/syslog_data file and the data received in the Sentinel workspace per day for the last week. The results show a mismatch of ±80%, with peaks up to 90% of data loss; see the attached image for the comparison results.
To see if the configuration works properly we restarted the omsagent and added a new line to the /var/syslog_data file with a copy of a line including some recognisable content. This was shown in Sentinel within 5 minutes. Based on this test we conclude that the configuration is set properly.
rsyslog config:
module(load="imfile")
ruleset(name="syslog_data") {
    action(type="omfwd" Target="127.0.0.1" Port="25224" Protocol="udp")
    stop
}
input(type="imfile" File="/var/log/syslog_data.log" Tag="sys_data" Severity="warn"
      Facility="local5" PersistStateInterval="1" ruleset="syslog_data" reopenOnTruncate="on")
omsagent.d/syslog.conf config:
<source>
  type syslog
  port 25224
  bind 127.0.0.1
  protocol_type udp
  tag oms.syslog
</source>
<filter oms.syslog.**>
  type filter_syslog
</filter>
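An added diagnostic (not from the post, and not part of rsyslog or the OMS agent) that stands in for the agent's UDP listener, so the rsyslog-to-agent hop can be counted separately from the agent-to-workspace hop. It assumes rsyslog's traditional forward format (as omfwd sends it with the config above) and a spare local port to point a temporary omfwd action at; the sample datagrams are constructed.

```python
import re
import socket
from collections import Counter
# Constructed samples of what rsyslog's omfwd emits for the input in the post:
# facility local5 (21) and severity warn (4) give PRI 21*8+4 = 172.
SAMPLE_DATAGRAMS = [
    b"<172>Nov  6 05:48:00 syslog01 sys_data src=10.0.0.5 dst=10.0.0.9 action=allow",
    b"<172>Nov  6 05:48:01 syslog01 sys_data src=10.0.0.6 dst=10.0.0.9 action=deny",
    b"<38>Nov  6 05:48:01 syslog01 sshd[812]: Accepted publickey for ops",
    b"not a syslog datagram at all",
]
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp ntp "
              "security console solaris-cron local0 local1 local2 local3 local4 local5 "
              "local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()
# RFC 3164 header as rsyslog's traditional forward format writes it:
# <PRI>Mmm dd HH:MM:SS host tag[pid]: msg  (pid and the colon after the tag are optional)
HEADER_RE = re.compile(rb"^<(\d{1,3})>(\S+\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(\S+)\s+"
                       rb"([^\s:\[]+)(?:\[\d+\])?:?\s*(.*)$")

def parse_datagram(data):
    # Decode one UDP payload; None means it is not a syslog message.
    m = HEADER_RE.match(data)
    if not m or int(m.group(1)) > 191:  # 191 = local7.debug, the largest valid PRI
        return None
    pri = int(m.group(1))
    return {"facility": FACILITIES[pri >> 3], "severity": SEVERITIES[pri & 7],
            "host": m.group(3).decode(), "tag": m.group(4).decode(),
            "msg": m.group(5).decode(errors="replace")}

def count_by_tag(datagrams):
    # Tally per tag; the tag is what the Syslog table in Sentinel shows as ProcessName.
    counts = Counter()
    for d in datagrams:
        p = parse_datagram(d)
        counts[p["tag"] if p else "<unparsed>"] += 1
    return counts

def capture(port, limit, timeout=5.0):
    # Listen on 127.0.0.1:<port> the way the agent does on 25224 and collect up to
    # <limit> datagrams; compare count_by_tag(result)["sys_data"] with the file's line count.
    received = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("127.0.0.1", port))
        sock.settimeout(timeout)
        while len(received) < limit:
            try:
                received.append(sock.recv(65535))
            except socket.timeout:
                break
    return received
```

If the count captured here matches the file but the workspace count does not, the loss is on the agent side; if it already falls short here, the UDP hop between rsyslog and the agent is dropping datagrams.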
Labels: Analytics, Data Collection, Log Data