Update CEF duplication filter for AMA 1.41 parsing change #519
Open
JamesAde11 wants to merge 3 commits into
Conversation
AMA 1.41 moved CEF-specific message cleanup from the generic syslog parser to a CEF-only pipeline stage. As a result, the ProcessName field no longer reliably contains "CEF" for messages from vendors that don't comply with RFC 3164/RFC 5424 syslog header format. This update adds a SyslogMessage check to the recommended KQL duplication avoidance transform and includes a note explaining why both checks are now required. Aligns with AMA 1.41 release notes update published by the Azure Monitor Agent team.
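As an added illustration of the point made in the description above (example code, not part of the PR or of the Sentinel documentation it edits), the following Python models the two versions of the duplication filter over constructed rows shaped like the Syslog table. The row values, the KQL quoted in the comments, and the assumption that the CEF-only cleanup stage strips the `CEF:` prefix from the message body for RFC-compliant senders are all assumptions made for this example; the authoritative transform is the one in the updated sentinel/cef-syslog-ama-overview.md.

```python
"""Model of the Syslog/CEF duplication filter before and after AMA 1.41.

A ProcessName-only check misses CEF events from senders whose syslog header is not
RFC 3164/RFC 5424 compliant, because for those messages the generic syslog parser
no longer leaves "CEF" in ProcessName. Checking SyslogMessage as well closes that gap.
"""

from dataclasses import dataclass


@dataclass
class SyslogRow:
    """Subset of the Syslog table columns; names match the KQL column names."""
    ProcessName: str
    SyslogMessage: str


def is_cef_payload(message: str) -> bool:
    """A CEF event carries a 'CEF:<version>|' marker in the body. This test does not
    depend on whether the syslog header was parsed, which is the whole point."""
    return "CEF:" in message


def keep_in_syslog_table(row: SyslogRow, check_message: bool) -> bool:
    """True if the row should remain in the Syslog stream (i.e. it is not a CEF event).

    Assumed KQL shape of the documented transform:
      before 1.41:  source | where ProcessName !contains "CEF"
      1.41 and on:  source | where ProcessName !contains "CEF"
                              and SyslogMessage !contains "CEF:"
    """
    if "CEF" in row.ProcessName:
        return False
    if check_message and is_cef_payload(row.SyslogMessage):
        return False
    return True


def filter_rows(rows, check_message: bool):
    """Apply the filter and return the rows that stay in the Syslog table."""
    return [r for r in rows if keep_in_syslog_table(r, check_message)]


# Constructed rows approximating what AMA 1.41 would write for three senders.
SAMPLE_ROWS = [
    # RFC 3164-compliant CEF sender: the header tag "CEF" lands in ProcessName and
    # (assumed) the CEF-only cleanup stage strips the "CEF:" prefix from the body.
    SyslogRow("CEF", "0|Vendor|Product|1.0|100|Login|5|src=10.0.0.5"),
    # Non-compliant sender: no usable header, so ProcessName is empty, but the body
    # still carries the raw CEF payload. Only the SyslogMessage check catches this.
    SyslogRow("", "CEF:0|Vendor|Product|1.0|100|Login|5|src=10.0.0.6"),
    # Ordinary syslog event that must stay in the Syslog table under both filters.
    SyslogRow("sshd", "Accepted publickey for admin from 10.0.0.7 port 51234 ssh2"),
]


def demo():
    """Return the ProcessName of surviving rows under the old and new filters."""
    old = filter_rows(SAMPLE_ROWS, check_message=False)
    new = filter_rows(SAMPLE_ROWS, check_message=True)
    return [r.ProcessName for r in old], [r.ProcessName for r in new]


if __name__ == "__main__":
    before, after = demo()
    print("ProcessName-only filter keeps:", before)   # the non-compliant CEF row leaks through
    print("ProcessName + SyslogMessage keeps:", after)  # only the sshd event remains
```

With the ProcessName-only filter the second row (non-compliant sender) survives and is ingested twice, once via the Syslog DCR and once via the CEF DCR; with both checks only the genuine syslog event remains.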
Contributor
@JamesAde11 : Thanks for your contribution! The author(s) and reviewer(s) have been notified to review your proposed change.
Contributor
Learn Build status updates of commit 58ab115:

| File | Status | Preview URL | Details |
|---|---|---|---|
| sentinel/cef-syslog-ama-overview.md | Warning | | Details |

sentinel/cef-syslog-ama-overview.md
- Line 120, Column 1: [Warning: code-block-indented - See documentation] Indented code blocks aren't allowed. Use a Markdown code block surrounded by triple backticks (```).

For more details, please refer to the build report.
Note: Your PR may contain errors, warnings or suggestions unrelated to the files you changed. This happens when external dependencies like GitHub alias, Microsoft alias, or cross-repo links are updated. Please use these instructions to resolve them.
Contributor
Learn Build status updates of commit c544b4c: ✅ Validation status: passed
For more details, please refer to the build report.
EdB-MSFT
approved these changes
Jun 7, 2026
Contributor
Learn Build status updates of commit 9539784: ✅ Validation status: passed
For more details, please refer to the build report.