Merge pull request #54297 from MicrosoftDocs/main

Auto Publish – main to live - 2026-04-17 23:00 UTC

Author: learn-build-service-prod[bot]

learn-pr/wwl-azure/design-application-architecture/includes/11-summary-resources.md

@@ -28,7 +28,7 @@ Copilot can assist you in designing Azure infrastructure solutions. Copilot can
 
 - Discover [Azure API Management](/azure/api-management/api-management-key-concepts).
 
-- Discover [Azure Cache for Redis](/azure/azure-cache-for-redis/cache-overview).
+- Discover [Azure Managed Redis](/azure/redis/overview).
 
 ## Learn more with self-paced training
 

learn-pr/wwl-sci/connect-common-event-format-logs-to-azure-sentinel/2-plan-for-common-event-format-cef-connector.yml

@@ -4,7 +4,7 @@ title: Plan for Common Event Format connector
 metadata:
   title: Plan for Common Event Format connector
   description: "Plan for Common Event Format connector"
-  ms.date: 02/11/2025
+  ms.date: 04/17/2026
   author: wwlpublish
   ms.author: kelawson
   ms.topic: unit

learn-pr/wwl-sci/connect-common-event-format-logs-to-azure-sentinel/3-connect-your-external-solution-use-common-event-format-connector.yml

@@ -4,7 +4,7 @@ title: Connect your external solution using the Common Event Format connector
 metadata:
   title: Connect your external solution using the Common Event Format connector
   description: "Connect your external solution using the Common Event Format connector"
-  ms.date: 01/19/2023
+  ms.date: 04/17/2026
   author: wwlpublish
   ms.author: kelawson
   ms.topic: unit

learn-pr/wwl-sci/connect-common-event-format-logs-to-azure-sentinel/5-summary-resources.yml

@@ -4,7 +4,7 @@ title: Summary and resources
 metadata:
   title: Summary and resources
   description: "Summary and resources"
-  ms.date: 01/19/2023
+  ms.date: 04/17/2026
   author: wwlpublish
   ms.author: kelawson
   ms.topic: unit

learn-pr/wwl-sci/connect-common-event-format-logs-to-azure-sentinel/includes/2-plan-for-common-event-format-cef-connector.md

@@ -1,66 +1,46 @@
-The CEF Connector deploys a Syslog Forwarder server to support the communication between the appliance and Microsoft Sentinel. The server consists of a dedicated Linux machine with the Log Analytics agent for Linux installed. Many of the Microsoft Sentinel Data Connectors that are vendor-specific utilize CEF Connector.
+The **Common Event Format (CEF) via AMA** connector uses the **Azure Monitor Agent (AMA)** on a dedicated Linux log forwarder to support communication between your network appliances and Microsoft Sentinel. Many vendor-specific Microsoft Sentinel data connectors use CEF via AMA as their collection mechanism.
 
-The following diagram displays the setup for a Linux VM in Azure. The on-premises Syslog sources securely send events to an Azure Linux VM. The Linux VM with the Log Analytics agent installed then forwards the logs to the Microsoft Sentinel workspace.
+The following diagram illustrates the setup when you use a Linux VM in Azure as the forwarder. On-premises Syslog sources securely send events to the Azure Linux VM. AMA on the Linux VM then forwards the logs to your Microsoft Sentinel workspace.
 
-:::image type="content" source="../media/learn-path5-01.png" alt-text="Diagram of the Azure VM hosting Syslog connector architecture.":::
+:::image type="content" source="../media/learn-path5-01.png" alt-text="Diagram of an Azure VM used as a Syslog forwarder to Microsoft Sentinel.":::
 
-Alternatively, the following diagram displays the setup if you use a VM in another cloud or an on-premises machine. The on-premises Syslog sources securely send events to a Linux VM. The Linux VM with the Log Analytics agent installed then securely forwards the logs to the Microsoft Sentinel workspace.
+Alternatively, you can use a VM in another cloud or an on-premises machine as the forwarder. Syslog sources securely send events to the Linux VM with AMA installed, which then securely forwards the logs to your Microsoft Sentinel workspace.
 
-:::image type="content" source="../media/learn-path5-02.png" alt-text="Diagram of the on-premises Syslog connector architecture.":::
+:::image type="content" source="../media/learn-path5-02.png" alt-text="Diagram of an on-premises machine used as a Syslog forwarder to Microsoft Sentinel.":::
 
 ## Security considerations
 
-Make sure to configure the machine's security according to your organization's security policy. For example, you can configure your network to align with your corporate network security policy and change the daemon's ports and protocols to align with your requirements.
+Configure the machine's security according to your organization's security policy. For example, configure your network to align with your corporate network security policy and change the daemon's ports and protocols to align with your requirements.
 
-To use TLS communication between the Syslog source and the Syslog Forwarder, you'll need to configure the Syslog daemon (rsyslog or syslog-ng) to communicate in TLS.
+To use TLS communication between the Syslog source and the Syslog forwarder, configure the Syslog daemon (rsyslog or syslog-ng) to communicate in TLS.
 
 ## Prerequisites
 
-Make sure the Linux machine you use as a log forwarder is running one of the following operating systems:
+Make sure the Linux machine you use as a log forwarder is running one of the following 64-bit operating systems:
 
-- 64-bit
+- Amazon Linux 2 or 2023
+- Oracle Linux 8 or 9
+- Red Hat Enterprise Linux (RHEL) Server 8 or 9
+- Debian GNU/Linux 10, 11, or 12
+- Ubuntu Linux 20.04 LTS, 22.04 LTS, or 24.04 LTS
+- SUSE Linux Enterprise Server 15
 
-  - Amazon Linux 2017.09
+> [!NOTE]
+> AMA supports only 64-bit operating systems.
 
-  - Oracle Linux 7
+Supported Syslog daemon versions:
 
-  - Red Hat Enterprise Linux (RHEL) Server 7 and 8, including minor versions (not 6)
+- Syslog-ng: 2.1 - 3.22.1
+- Rsyslog: v8
 
-  - Debian GNU/Linux 8 and 9
+Supported Syslog RFCs:
 
-  - Ubuntu Linux 14.04 LTS, 16.04 LTS, and 18.04 LTS
+- Syslog RFC 3164
+- Syslog RFC 5424
 
-  - SUSE Linux Enterprise Server 12, 15
+Your machine must also meet these requirements:
 
-- 32-bit
-
-  - Oracle Linux 7
-
-  - Red Hat Enterprise Linux (RHEL) Server 7 and 8, including minor versions (not 6)
-
-  - Debian GNU/Linux 8 and 9
-
-  - Ubuntu Linux 14.04 LTS and 16.04 LTS
-
-- Daemon versions
-
-  - Syslog-ng: 2.1 - 3.22.1
-
-  - Rsyslog: v8
-
-- Syslog RFCs supported
-
-  - Syslog RFC 3164
-
-  - Syslog RFC 5424
-
-Make sure your machine also meets the following requirements:
-
-Permissions
+**Permissions**
 
 - You must have elevated permissions (sudo) on your machine.
 
-Software requirements
-
-- Make sure you have python 2.7 or 3 running on your machine.
-

learn-pr/wwl-sci/connect-common-event-format-logs-to-azure-sentinel/includes/3-connect-your-external-solution-use-common-event-format-connector.md

@@ -1,36 +1,37 @@
-You need to designate and configure a Linux machine to forward the logs from your security solution to your Microsoft Sentinel workspace. This machine can be physical or virtual in your on-premises environment, an Azure VM, or a VM in another cloud. Using the link provided, you'll run a script on the designated machine that performs the following tasks:
+You need to designate and configure a Linux machine to forward logs from your security solution to your Microsoft Sentinel workspace. This machine can be physical or virtual in your on-premises environment, an Azure VM, or a VM in another cloud.
 
-Installs the Log Analytics agent for Linux (also known as the OMS agent) and configures it for the following purposes:
+The **Common Event Format (CEF) via AMA** connector uses a **Data Collection Rule (DCR)** to configure the **Azure Monitor Agent (AMA)** on your Linux forwarder. AMA handles both agent installation and log forwarding — no manual script installation is required.
 
-- Listening for CEF messages from the built-in Linux Syslog daemon on TCP port 25226
+When configured, AMA on the Linux forwarder:
 
-- Sending the messages securely over TLS to your Microsoft Sentinel workspace, where they're parsed and enriched
+- Listens for CEF messages from the built-in Linux Syslog daemon on TCP port 514
+- Forwards CEF messages to your Microsoft Sentinel workspace, where they're parsed and enriched
 
-Configures the built-in Linux Syslog daemon (rsyslog.d/syslog-ng) for the following purposes:
+## Set up the CEF via AMA connector
 
-- Listening for Syslog messages from your security solutions on TCP port 514
+To configure the connector:
 
-- Forwarding only the messages it identifies as CEF to the Log Analytics agent on localhost using TCP port 25226
+1. In the Microsoft Sentinel portal, select **Data connectors**.
 
-## Run the deployment script
+1. Search for and select **Common Event Format (CEF) via AMA**.
 
-To view the connector page:
+1. Select **Open connector page** on the details pane.
 
-1. Select Data connectors page.
+1. Under **Configuration**, select **+Create data collection rule**.
 
-1. Select Common Event Format (CEF).
+1. On the **Basic** tab, enter a name for the data collection rule, then select your subscription and resource group.
 
-1. select the Open connector page on the preview pane.
+1. On the **Resources** tab, select the Linux machine you designated as the log forwarder.
 
-1. Verify that you have the appropriate permissions as described under Prerequisites.
+1. On the **Collect** tab, confirm the CEF facility and log level settings.
 
-1. Copy the "sudo wget …"  command and run with elevated permissions on the dedicated Linux VM.
+1. Select **Review + create**, then select **Create**. AMA is automatically installed on the Linux forwarder if it isn't already present.
 
-:::image type="content" source="../media/common-event-format-connector.png" alt-text="Screenshot of the C E F Connector Page." lightbox="../media/common-event-format-connector.png":::
+1. Configure each network appliance to forward its syslog events to your Linux forwarder on UDP or TCP port 514.
 
-### Using the same machine to forward both plain Syslog and common event format messages
+:::image type="content" source="../media/common-event-format-connector.png" alt-text="Screenshot of the Common Event Format via AMA connector page in Microsoft Sentinel." lightbox="../media/common-event-format-connector.png":::
 
-If you plan to use this log forwarder machine to forward Syslog messages as CEF, then to avoid the duplication of events to the Syslog and CommonSecurityLog tables:
+## Use the same machine to forward both plain Syslog and CEF messages
 
-On each source machine that sends logs to the forwarder in CEF format, you must edit the Syslog configuration file to remove the facilities used to send CEF messages.
+If you plan to use this log forwarder machine to forward both plain Syslog messages and CEF messages, edit the Syslog configuration file on each source machine that sends logs in CEF format. Remove the facilities used to send CEF messages to avoid duplicate events in the Syslog and CommonSecurityLog tables.
 

learn-pr/wwl-sci/connect-common-event-format-logs-to-azure-sentinel/includes/5-summary-resources.md

@@ -1,4 +1,4 @@
-You should have learned how to send Common Event Format (CEF) log data to the Microsoft Sentinel workspace using the provided data connector.
+You learned how to send Common Event Format (CEF) log data to the Microsoft Sentinel workspace using the provided data connector.
 
 You should now be able to:
 
@@ -10,6 +10,6 @@ You should now be able to:
 
 You can learn more by reviewing the following.
 
-[Become a Microsoft Sentinel Ninja](https://techcommunity.microsoft.com/t5/azure-sentinel/become-an-azure-sentinel-ninja-the-complete-level-400-training/ba-p/1246310?azure-portal=true)
+[Become a Microsoft Sentinel Ninja](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/become-a-microsoft-sentinel-ninja-the-complete-level-400/ba-p/1246310?azure-portal=true)
 
 [Microsoft Tech Community Security Webinars](https://techcommunity.microsoft.com/t5/microsoft-security-and/security-community-webinars/ba-p/927888?azure-portal=true)

learn-pr/wwl-sci/connect-common-event-format-logs-to-azure-sentinel/index.yml

@@ -3,15 +3,16 @@ uid: learn.wwl.connect-common-event-format-cef-logs-to-azure-sentinel
 metadata:
   title: Connect Common Event Format logs to Microsoft Sentinel
   description: "Connect Common Event Format logs to Microsoft Sentinel"
-  ms.date: 02/11/2025
+  ms.date: 04/17/2026
   author: wwlpublish
   ms.author: kelawson
   ms.topic: module
   ms.service: microsoft-sentinel
+  ai-usage: ai-assisted
 title: Connect Common Event Format logs to Microsoft Sentinel
 summary: Most vendor-provided connectors utilize the CEF connector. Learn about the Common Event Format (CEF) connector's configuration options.
 abstract: |
-  Upon completion of this module, the learner will be able to:
+  Upon completion of this module, the learner is able to:
   - Explain the Common Event Format connector deployment options in Microsoft Sentinel
   - Run the deployment script for the Common Event Format connector
 prerequisites: |