A SOC team uses Microsoft Sentinel and wants to ingest custom log events from an on-premises Linux application that writes to a local file. The team sets up the Log Analytics agent on the Linux server and configures a data connector. Which of the following is the necessary configuration step to collect the custom log file?
Correct. Custom Logs allow ingestion of text files by monitoring specified file paths and parsing lines into custom logs.
Why this answer
Option C is correct because the Custom Logs feature in the Log Analytics workspace is specifically designed to ingest text-based log files from on-premises Linux servers via the Log Analytics agent. You must specify the exact file path (e.g., /var/log/myapp.log) and define a custom log type name (e.g., MyApp_CL) to parse the file and send the data to a custom table in the Log Analytics workspace. This is the only method that directly collects custom application log files without requiring syslog or API-based ingestion.
Exam trap
The trap here is that candidates confuse syslog data connectors with custom log file collection, assuming any Linux log file can be ingested via syslog, when in fact syslog only handles logs sent to the syslog daemon, not arbitrary application files.
How to eliminate wrong answers
Option A is wrong because Syslog data connectors collect system logs using the syslog protocol (RFC 5424) from /var/log/syslog or /var/log/messages, not arbitrary application log files; they filter by facility and severity, not by file path. Option B is wrong because performance counters collect metrics like CPU or memory usage, not log file content; they are used for performance monitoring, not log ingestion. Option D is wrong because a Log Analytics gateway is a proxy for forwarding data to Azure, not a collection endpoint; the HTTP Data Collector API requires custom code in the application to send JSON payloads, not file-based collection.