Common Event Format solution for Sentinel

Microsoft Sentinel, Microsoft Corporation

Note: There may be known issues pertaining to this solution; please review them before installing.

The Common Event Format (CEF) solution for Microsoft Sentinel lets you ingest logs from any product or appliance that can send them in the Common Event Format (CEF) over Syslog.

Installing this solution deploys two data connectors:

  1. Common Event Format via AMA - This data connector ingests CEF-formatted logs into your Log Analytics workspace using the new Azure Monitor Agent (AMA). Learn more about ingesting with the new Azure Monitor Agent here. Microsoft recommends using this data connector.
  2. Common Event Format via Legacy Agent - This data connector ingests CEF-formatted logs into your Log Analytics workspace using the legacy Log Analytics agent.

NOTE: After the solution is installed, Microsoft recommends configuring and using the Common Event Format via AMA connector for log ingestion. The legacy connector uses the Log Analytics agent, which is scheduled to be deprecated by Aug 31, 2024, and so should be installed only where AMA is not supported.

Underlying Microsoft Technologies used:

This solution depends on the following technologies, some of which may be in Preview or may incur additional ingestion or operational costs:

a. Agent-based log collection (CEF over Syslog)

Data Connectors: 2