
Azure Monitor Agent Connector Failure Detection with KQL

Detecting Azure Monitor Agent (AMA) connector failures with a Kusto Query Language (KQL) query over Syslog data enables rapid identification of connection problems. The approach uses a three-day window: any host that has stopped forwarding Syslog records through AMA for that long is flagged. Detecting failures early means you can troubleshoot quickly and prevent both loss of monitoring data and missed security alerts.

Risk

Failures in Azure Monitor Agent connectors indicate interruptions in data ingestion. When connectors fail, no logs flow into monitoring systems, causing potential gaps in alerting and incident detection. This leads to a blind spot in security operations and could result in unnoticed threats or system failures.

Query

Microsoft Sentinel

Syslog
// Baseline window. It must be wider than the three-day silence threshold below:
// if both are 3d, every host in the result set has by construction logged within
// the window and no failure is ever flagged. 30d is an assumed value; adjust it.
| where TimeGenerated > ago(30d)
// CollectorHostName is populated for records forwarded by AMA; column_ifexists
// keeps the query from failing in workspaces where the column is absent.
| extend sent_by_ama = column_ifexists('CollectorHostName','')
| where isnotempty(sent_by_ama)
| where isnotempty(HostName)
| summarize LastLogReceived = max(TimeGenerated) by HostName, HostIP
// Connected = at least one record in the last three days (bool, not the string "false")
| extend IsConnected = LastLogReceived > ago(3d)
| where not(IsConnected)
| project HostName, HostIP, LastLogReceived, IsConnected

This KQL query builds a per-host baseline from Syslog records forwarded by AMA, takes the most recent TimeGenerated for each HostName and HostIP pair, and flags hosts whose latest record is older than three days, indicating a connection failure. The baseline window has to be wider than the three-day threshold: a host that has been silent for three days has no rows in a three-day window at all, so it can only be detected by comparing against a longer history. Hosts that were never onboarded to AMA produce no rows either and are outside the scope of this check.
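As an added example that is not part of the original page, the following variant extends the same detection with how long each host has been silent and its typical logging cadence over the baseline, which helps decide whether three days is the right threshold for a given host population. The 30d lookback and the 3d threshold are parameters chosen here for illustration; the column names (TimeGenerated, CollectorHostName, HostName, HostIP) are the standard Sentinel Syslog schema used by the original query.

```kusto
// Added example: silence duration and logging cadence per AMA-forwarding host.
// lookback and silence_threshold are assumed values; tune them to your retention and SLAs.
let lookback = 30d;
let silence_threshold = 3d;
Syslog
| where TimeGenerated > ago(lookback)
// Keep only records forwarded by AMA (CollectorHostName is set for those).
| where isnotempty(column_ifexists('CollectorHostName', ''))
| where isnotempty(HostName)
| summarize
    FirstLogReceived = min(TimeGenerated),
    LastLogReceived  = max(TimeGenerated),
    LogCount         = count()
    by HostName, HostIP
// How long the host has been quiet, and its average gap between records in the baseline.
| extend SilentFor = now() - LastLogReceived
| extend AvgIntervalMinutes = iff(LogCount > 1,
    (LastLogReceived - FirstLogReceived) / (LogCount - 1) / 1m,
    real(null))
| where SilentFor > silence_threshold
| project HostName, HostIP, LastLogReceived,
    SilentForHours = SilentFor / 1h,
    AvgIntervalMinutes, LogCount
| order by SilentForHours desc
```

A host whose AvgIntervalMinutes is a few minutes but whose SilentForHours is above 72 is a clear ingestion failure; a host that normally logs once a week would be a false positive at a three-day threshold, and the cadence column makes that visible so the threshold can be raised or the host handled separately. In Sentinel this can be scheduled as an analytics rule so each flagged host raises an incident for the SOC to triage.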
