Data received via AMA Connector is removing semicolons in SyslogMessage field for Syslog table

Dhivakaran 0 Reputation points
2025-05-06T17:09:40.4533333+00:00

When onboarding Cisco ASA and Cisco FTD logs into Azure Sentinel using the Azure Monitor Agent (AMA), we've encountered an issue where Sentinel appears to be modifying the syslog messages before they are stored in the Syslog table. Specifically, we've observed that semicolon (;) characters within the log entries are being either replaced with commas (,) or completely removed. This issue occurs not only with Cisco ASA or Cisco FTD logs, but with all sources that use the Syslog table.

For example, these are the raw logs that were sent from the source:

Jan 9 11:12:29 dc1-main-ftd-a : %FTD-5-199017: sshd[217049]: pam_tally(sshd:auth): pam_get_uid; no such user
Jan 9 11:12:29 dc1-main-ftd-a : %FTD-5-199017: sshd[217049]: pam_unix(sshd:auth): check pass; user unknown
Jan 9 11:12:27 dc1-main-ftd-a : %FTD-5-199017: sshd[217003]: pam_unix(sshd:auth): check pass; user unknown
Jan 9 11:12:27 dc1-main-ftd-a : %FTD-5-199017: sshd[217003]: pam_tally(sshd:auth): pam_get_uid; no such user

Here are the same logs queried from the Syslog table. The SyslogMessage column has omitted the semicolons in this case.

Is this an issue with the AMA connector? We saw a similar issue with the OMS Agent for Linux: https://github.com/microsoft/OMS-Agent-for-Linux/issues/993

They recommend using the new AMA connector, but this issue is not fixed in the AMA connector either.

Can anyone let us know whether we can get the semicolons in SyslogMessage? If it is an issue with the current architecture, does Microsoft have any plans to fix this anytime soon?

Azure Monitor

1 answer

  1. Sina Salam 20,106 Reputation points Moderator
    2025-05-07T21:54:45.3466667+00:00

    Hello Dhivakaran,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    I understand that the data you receive via the AMA connector has its semicolons removed in the SyslogMessage field of the Syslog table.

    Most of all, it is a known issue with the Azure Monitor Agent (AMA) where semicolons in syslog messages are being removed or replaced with commas. This problem has been observed with both the older OMS Agent and the newer AMA connector: https://github.com/microsoft/OMS-Agent-for-Linux/issues/993

    The AMA connector might be removing semicolons from syslog messages due to its parsing mechanism, which adheres to certain RFC standards (RFC3164 and RFC5424). Additionally, specific settings or configurations within the AMA could be contributing to this behavior.

    To address this issue, you should first verify the configuration files for AMA, especially those related to syslog ingestion, to ensure no settings are causing the removal of semicolons. Next, make sure you are using the latest version of AMA, as updates might include fixes for this problem. You could also implement custom parsing rules within Azure Sentinel using KQL (Kusto Query Language) to correctly handle semicolons after ingestion. You can see a similar answer on this platform here. If the issue persists, contact Microsoft support for assistance via the Azure portal or Priority Customer Support.

    Currently, there is no specific information on whether Microsoft plans to fix this issue in upcoming updates. It would be best to monitor official announcements or updates from Microsoft regarding AMA and syslog ingestion.

    I hope this is helpful! Do not hesitate to let me know if you have any other questions or clarifications.


    Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.

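The answer suggests checking the agent configuration and then handling the damage after ingestion with KQL, but neither the question nor the answer shows how to prove, for a given collector, what actually happens to a semicolon between the source and the Syslog table. The script below is an added example, not code from the original thread or from Microsoft. It sends a canary message shaped like the FTD lines in the question through the local syslog socket, prints the KQL to retrieve it, and compares the SyslogMessage text you copy back from Log Analytics against what was sent, classifying each lost semicolon as dropped or turned into a comma. It assumes the host's rsyslog/syslog-ng forwards /dev/log to AMA (the usual Sentinel Syslog DCR setup), so Python's `syslog` module is enough to inject the message; the token value, ident `semicolon-canary` and facility local4 are arbitrary choices made here, not values from the page.

```python
"""Semicolon canary for the Sentinel Syslog table (added example, not from the thread).

Assumptions (not stated on the page):
  - the collector host forwards local syslog (/dev/log) to AMA, so syslog.syslog()
    is enough to get a message into the Syslog table;
  - `received` is the SyslogMessage value copied back from Log Analytics by hand.
"""
import difflib
import secrets
from typing import Dict, List, Tuple


def build_canary(token: str) -> str:
    """Constructed message modelled on the FTD sshd lines in the question.

    The token makes the row easy to find after ingestion; the tail exercises
    single, double and adjacent semicolons so replacement and deletion are
    both visible.
    """
    return (f"%FTD-5-199017: sshd[217049]: pam_unix(sshd:auth): "
            f"check pass; user unknown; canary={token}; a;b;;c")


def send_canary() -> Tuple[str, str]:
    """Inject the canary via the local syslog socket and return (token, message).

    Only works on a Unix host; the ident and facility are arbitrary (assumption).
    """
    import syslog  # imported here so the diff helpers stay usable on any OS
    token = secrets.token_hex(6)
    msg = build_canary(token)
    syslog.openlog(ident="semicolon-canary", facility=syslog.LOG_LOCAL4)
    syslog.syslog(syslog.LOG_NOTICE, msg)
    syslog.closelog()
    return token, msg


def kql_for(token: str) -> str:
    """KQL that locates the canary row and counts surviving semicolons."""
    return (
        "Syslog\n"
        f'| where SyslogMessage has "{token}"\n'
        "| project TimeGenerated, Computer, Facility, SeverityLevel, SyslogMessage\n"
        '| extend SemicolonCount = countof(SyslogMessage, ";")'
    )


def diff_message(sent: str, received: str) -> List[Tuple[str, str, str]]:
    """Return (op, sent_fragment, received_fragment) for every span that differs."""
    sm = difflib.SequenceMatcher(None, sent, received, autojunk=False)
    return [(op, sent[i1:i2], received[j1:j2])
            for op, i1, i2, j1, j2 in sm.get_opcodes() if op != "equal"]


def summarise(sent: str, received: str) -> Dict[str, int]:
    """Classify lost semicolons as dropped or replaced with a comma.

    Counts are taken directly from the two strings, so the result does not
    depend on how difflib chose to align the edits.
    """
    missing = max(sent.count(";") - received.count(";"), 0)
    new_commas = max(received.count(",") - sent.count(","), 0)
    replaced = min(missing, new_commas)
    return {
        "sent": sent.count(";"),
        "survived": received.count(";"),
        "dropped": missing - replaced,
        "replaced_with_comma": replaced,
    }


if __name__ == "__main__":
    token, msg = send_canary()
    print("sent:", msg)
    print("run this in Log Analytics once the row arrives:\n" + kql_for(token))
    received = input("paste SyslogMessage from the portal: ")
    print(summarise(msg, received))
    for op, a, b in diff_message(msg, received):
        print(f"{op}: {a!r} -> {b!r}")
```

If `survived` equals `sent`, the loss is not happening on the collector path you just tested and the remaining suspects are the device's own output or a different forwarding route; if `dropped` or `replaced_with_comma` is non-zero, the same canary can be replayed after each configuration or agent-version change to tell whether the change helped.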
