Log Buffer on AMA Server when Sentinel is Down

Question

Log Buffer on AMA Server when Sentinel is Down

JC 20

We don’t plan to store any logs on the syslog server as we are planning to set it as bridge for log forwarding.

Noticed that it can only holds 1GB. Is this correct or is this really 10GB as per this thread -

JC 20 Reputation points

2026-04-15T20:03:05.9166667+00:00

https://learn.microsoft.com/en-us/answers/questions/1413940/can-the-log-buffer-size-be-modified-in-log-forward
Siva shunmugam Nadessin 8,815 Reputation points Microsoft External Staff Moderator

2026-04-15T20:55:38.8433333+00:00
Hello Janel Cabile,

Thank you for reaching out to the Microsoft Q&A forum.

When investigated it looks like you’re referring to the “offline” buffer that the Azure Monitor Agent (AMA) uses on your Linux syslog-forwarder when Sentinel can’t ingest data. Here’s what we know from the public guidance and community threads:

AMA itself doesn’t expose a knob to directly change the on-disk log queue size.

By default, AMA will spool data to the local VM’s disk (in a folder under /var/lib/azuremonitoragent/ or similar) and this queue is observed by many customers to top out around ~1 GB.

There are some community reports of seeing up to ~10 GB, but those usually end up being the size of the underlying VM OS disk or an artifact of how the syslog engine’s own queue (rsyslog or syslog-ng) is configured, not a built-in “10 GB limit” in AMA.

If you truly need a bigger buffer, your best approach is to increase the VM’s disk size or configure your syslog daemon’s queue parameters (for example, SystemMaxUse/QueueDirectory in rsyslog) so that it buffers more before handing logs off to AMA.

What you can try next:

• Check which syslog engine you’re using (rsyslog vs. syslog-ng) and inspect its own queue settings.

• Verify the actual disk usage under the AMA data folder (e.g. du -sh /var/lib/azuremonitoragent/*).

• If you bump the VM’s OS disk from, say, 30 GB to 100 GB, you’ll proportionally get more “offline” buffering headroom.

Follow-up questions to narrow this down:

Which Linux distro & version is your forwarder VM running?

Are you using rsyslog or syslog-ng (or something else) to capture logs?

How did you measure “1 GB” vs. “10 GB”? (e.g. did you inspect a folder size, check a syslog param, watch a metric?)

What AMA agent version are you on?

Can you confirm the path where you’re seeing this buffer filling up?

Reference docs:

Ingest syslog & CEF messages to Microsoft Sentinel with AMA: https://learn.microsoft.com/azure/sentinel/connect-cef-syslog-ama

Syslog and CEF via AMA overview: https://learn.microsoft.com/azure/sentinel/cef-syslog-ama-overview

Troubleshoot CEF & Syslog via AMA connectors: https://learn.microsoft.com/azure/sentinel/cef-syslog-ama-troubleshooting

Syslog troubleshooting guide for AMA (Linux): https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-troubleshoot-linux-vm-rsyslog

Hope that helps clarify why you’re seeing ~1 GB by default and points you at the places to tweak if you need more!
JC 20 Reputation points

2026-04-15T21:30:08.64+00:00
Hi,

See below response:

Which Linux distro & version is your forwarder VM running? RHEL

Are you using rsyslog or syslog-ng (or something else) to capture logs? rsyslog

How did you measure “1 GB” vs. “10 GB”? (e.g. did you inspect a folder size, check a syslog param, watch a metric?)

we are just referring to the config on this file 10-azuremonitoragent-omfwd.conf

Answer accepted by question author

1 additional answer

Your answer

JC 20 Reputation points

2026-04-15T20:03:05.9166667+00:00

https://learn.microsoft.com/en-us/answers/questions/1413940/can-the-log-buffer-size-be-modified-in-log-forward
JC 20 Reputation points

2026-04-15T21:30:08.64+00:00

Hi,

See below response:

Which Linux distro & version is your forwarder VM running? RHEL

Are you using rsyslog or syslog-ng (or something else) to capture logs? rsyslog

How did you measure “1 GB” vs. “10 GB”? (e.g. did you inspect a folder size, check a syslog param, watch a metric?)

we are just referring to the config on this file 10-azuremonitoragent-omfwd.conf

Answer 1

Siva shunmugam Nadessin 8,815 Microsoft External Staff Moderator

Hello Janel Cabile

The 10‑azuremonitoragent‑omfwd.conf file controls the rsyslog forwarding queue, not the Azure Monitor Agent’s own internal spool. While rsyslog can be configured to buffer more data on disk, AMA itself maintains a separate, internal offline buffer (under /var/lib/azuremonitoragent) whose size is not configurable.

Values such as “10 GB” referenced in rsyslog configs do not represent a supported or guaranteed AMA retention limit.

References:

 Syslog & CEF ingestion using AMA https://learn.microsoft.com/azure/sentinel/connect-cef-syslog-ama

 AMA Linux troubleshooting (rsyslog focus) Troubleshoot syslog issues with Azure Monitor Agent on Linux - Azure Monitor | Microsoft Learn

 CEF & Syslog AMA troubleshooting Troubleshoot CEF and Syslog via AMA connectors in Microsoft Sentinel | Microsoft Learn

JC 20 Reputation points

2026-04-15T21:51:55.5266667+00:00

I see, so the only thing that we can check is the config file in rsyslog such as SystemMaxUse/QueueDirectory
JC 20 Reputation points

2026-04-15T21:56:50.4833333+00:00

If 10‑azuremonitoragent‑omfwd.conf file controls the rsyslog forwarding queue, then will it have the same purpose as SystemMaxUse?
JC 20 Reputation points

2026-04-15T21:58:09.7433333+00:00

If 10‑azuremonitoragent‑omfwd.conf file controls the rsyslog forwarding queue, then will it have the same purpose as SystemMaxUse?
Siva shunmugam Nadessin 8,815 Reputation points Microsoft External Staff Moderator

2026-04-16T00:00:21.8633333+00:00

Hello Janel Cabile,

The 10‑azuremonitoragent‑omfwd.conf file and SystemMaxUse serve similar protective purposes but apply to different components. SystemMaxUse limits disk usage for systemd‑journald (log storage), whereas 10‑azuremonitoragent‑omfwd.conf controls rsyslog’s forwarding queue to Azure Monitor Agent. They do not govern the same buffer and changing one does not affect the other.

So,

SystemMaxUse controls how long logs are kept; 10‑azuremonitoragent‑omfwd.conf controls how logs are buffered before forwarding.
Siva shunmugam Nadessin 8,815 Reputation points Microsoft External Staff Moderator

2026-04-16T21:32:12.74+00:00

Hello Janel Cabile,

Kindly this can be beneficial to other community members.

Answer 2

The provided information describes how Syslog/CEF collection with the Azure Monitor Agent (AMA) works, but does not specify any numeric buffer size (1 GB, 10 GB, or otherwise) for log storage or in‑memory buffering on the AMA/syslog forwarder when Microsoft Sentinel or the Log Analytics workspace is unavailable. It only states that:

Syslog/CEF sources send logs to a Linux log forwarder (rsyslog/syslog‑ng) on port 514 (or another configured port).
The syslog daemon forwards logs to AMA (TCP 28330 or Unix domain socket, depending on AMA version).
AMA parses and sends logs to the Sentinel/Log Analytics workspace according to Data Collection Rules (DCRs).

No limits or guarantees about how much data can be buffered or queued locally on the AMA server are documented in the supplied material. Therefore, the specific 1 GB vs. 10 GB value cannot be confirmed or corrected from this context.

References:

Share via

Log Buffer on AMA Server when Sentinel is Down

1 additional answer

Your answer