
Log Buffer on AMA Server when Sentinel is Down

JC 20 Reputation points
2026-04-15T20:01:19.78+00:00

We don’t plan to store any logs on the syslog server, as we are planning to set it up as a bridge for log forwarding.

Noticed that it can only hold 1 GB. Is this correct, or is it really 10 GB as per this thread -

Azure Data Explorer


Answer accepted by question author
  1. Siva shunmugam Nadessin 8,815 Reputation points Microsoft External Staff Moderator
    2026-04-15T21:41:08.15+00:00

    Hello Janel Cabile

    The 10‑azuremonitoragent‑omfwd.conf file controls the rsyslog forwarding queue, not the Azure Monitor Agent’s own internal spool. While rsyslog can be configured to buffer more data on disk, AMA itself maintains a separate, internal offline buffer (under /var/lib/azuremonitoragent) whose size is not configurable.

    Values such as “10 GB” referenced in rsyslog configs do not represent a supported or guaranteed AMA retention limit.

     References:

      Syslog & CEF ingestion using AMA: https://learn.microsoft.com/azure/sentinel/connect-cef-syslog-ama

      AMA Linux troubleshooting (rsyslog focus): "Troubleshoot syslog issues with Azure Monitor Agent on Linux" (Azure Monitor, Microsoft Learn)

      CEF & Syslog AMA troubleshooting: "Troubleshoot CEF and Syslog via AMA connectors in Microsoft Sentinel" (Microsoft Learn)

    1 person found this answer helpful.
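The accepted answer draws a line between two buffers: the rsyslog forwarding queue configured in 10-azuremonitoragent-omfwd.conf (which a practitioner can size) and AMA's own spool under /var/lib/azuremonitoragent (which is not configurable). The script below is an added example, not code from the Q&A thread or from Microsoft, showing how to read the rsyslog side of that from a config file: whether the omfwd action is memory-only or disk-assisted, and how many bytes queue.maxDiskSpace lets it hold. The action block it parses is a constructed sample, the parameter names are standard rsyslog queue parameters, and the /var/spool/rsyslog work directory is an assumption about the host's rsyslog workDirectory; only the two paths named in the answer are taken from the page.

```shell
#!/bin/sh
# Added example (not from the thread or Microsoft docs): inspect the rsyslog
# omfwd queue that feeds AMA and report how much it can buffer on disk while
# the workspace is unreachable. AMA's own spool under /var/lib/azuremonitoragent
# is separate and not configurable (per the accepted answer); it is only measured.

# Constructed sample of an omfwd action with a disk-assisted queue. Parameter
# values are illustrative, not the contents of Microsoft's shipped file.
SAMPLE_CONF='
ruleset(name="AMA_rs") {
    action(type="omfwd"
        target="127.0.0.1" port="28330" protocol="tcp"
        queue.type="LinkedList"
        queue.filename="omfwdRuleset"
        queue.maxDiskSpace="10g"
        queue.saveOnShutdown="on")
}
'

# Print the value of queue.<name> (case-insensitive) from config text on stdin,
# or nothing if the parameter is absent.
queue_param() {
    grep -io "queue\.$1=\"[^\"]*\"" | head -n 1 | sed 's/.*="\(.*\)"/\1/'
}

# Convert an rsyslog size string ("10g", "512m", "1024k", "4096") to bytes.
to_bytes() {
    num=$(printf '%s' "$1" | sed 's/[^0-9]//g')
    unit=$(printf '%s' "$1" | sed 's/[0-9]//g' | tr 'A-Z' 'a-z')
    case "$unit" in
        k)  echo $((num * 1024)) ;;
        m)  echo $((num * 1024 * 1024)) ;;
        g)  echo $((num * 1024 * 1024 * 1024)) ;;
        "") echo "$num" ;;
        *)  echo 0 ;;
    esac
}

# Effective on-disk cap of the omfwd queue in the config on stdin:
#   0       memory-only queue (no queue.filename): lost if rsyslog restarts
#   unset   disk-assisted but queue.maxDiskSpace not given (rsyslog default applies)
#   <bytes> queue.maxDiskSpace converted to bytes
omfwd_disk_cap() {
    conf=$(cat)
    fname=$(printf '%s' "$conf" | queue_param filename)
    if [ -z "$fname" ]; then
        echo 0
        return
    fi
    size=$(printf '%s' "$conf" | queue_param maxDiskSpace)
    if [ -z "$size" ]; then
        echo unset
        return
    fi
    to_bytes "$size"
}

# Live check for a forwarder host: current size of the rsyslog work directory
# (assumed /var/spool/rsyslog) and of AMA's spool. Skipped gracefully elsewhere.
report_spool() {
    for d in /var/spool/rsyslog /var/lib/azuremonitoragent; do
        if [ -d "$d" ]; then
            printf '%s: %s\n' "$d" "$(du -sh "$d" 2>/dev/null | cut -f1)"
        else
            printf '%s: not present on this host\n' "$d"
        fi
    done
}

printf 'Disk buffer cap for the sample omfwd action: %s bytes\n' \
    "$(printf '%s' "$SAMPLE_CONF" | omfwd_disk_cap)"
report_spool
```

On a real forwarder, replace the sample with `omfwd_disk_cap < /etc/rsyslog.d/10-azuremonitoragent-omfwd.conf`. A result of 0 means the action has no queue.filename and everything queued during an outage lives in memory only; the disk-assisted form in the sample (queue.filename plus queue.maxDiskSpace and queue.saveOnShutdown) is the shape to move to, and the cap you set there still says nothing about AMA's own internal buffer.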

1 additional answer

Sort by: Most helpful
  1. Q&A Assist
    2026-04-15T20:01:36.5+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    The provided information describes how Syslog/CEF collection with the Azure Monitor Agent (AMA) works, but does not specify any numeric buffer size (1 GB, 10 GB, or otherwise) for log storage or in‑memory buffering on the AMA/syslog forwarder when Microsoft Sentinel or the Log Analytics workspace is unavailable. It only states that:

    • Syslog/CEF sources send logs to a Linux log forwarder (rsyslog/syslog‑ng) on port 514 (or another configured port).
    • The syslog daemon forwards logs to AMA (TCP 28330 or Unix domain socket, depending on AMA version).
    • AMA parses and sends logs to the Sentinel/Log Analytics workspace according to Data Collection Rules (DCRs).

    No limits or guarantees about how much data can be buffered or queued locally on the AMA server are documented in the supplied material. Therefore, the specific 1 GB vs. 10 GB value cannot be confirmed or corrected from this context.
