Azure Monitor Log Ingestion API - Error when POSTing to Syslog table

Josh 0 Reputation points
2025-02-17T06:01:05+00:00

Hi, I'm trying to use the Log Ingestion API to POST data to the Syslog table in Log Analytics but I am unable to get it working.

The documentation suggests this should be possible:

https://learn.microsoft.com/en-us/azure/azure-monitor/logs/logs-ingestion-api-overview#supported-tables

I've tried using this endpoint URI: https://<DCR_URL>.ingest.monitor.azure.com/dataCollectionRules/<DCR_ID>/streams/Microsoft-Syslog?api-version=2023-01-01

but I get this error:

{"code":"InvalidStream","message":"The stream Microsoft-Syslog was not configured in the data collection rule with immutable Id <DCR_ID>."}

Does anyone have any advice or guidance on how to achieve this?

Any help is appreciated!


2 answers

  1. Vidya Viraktamath 550 Reputation points Microsoft Employee
    2025-02-17T08:00:16.38+00:00

    Hi Josh,

    Thank you for your query! Please follow the troubleshooting steps below:

    1. Check DCR Configuration: Double check the DCR configuration in the portal or your ARM template. The Microsoft-Syslog stream must be defined.
    2. Verify RFC5424 Formatting: Use a Syslog validator tool online to ensure your messages are correctly formatted.
    3. Examine API Response: Carefully inspect the API response for any error messages.
    4. Log Analytics Logs: Check the AzureActivity table in Log Analytics for any errors related to data ingestion.

  2. Madugula Jahnavi 0 Reputation points Microsoft Vendor
    2025-02-21T11:23:58.8666667+00:00

    Hello Josh,

    "The stream Microsoft-Syslog was not configured in the data collection rule with immutable Id":

    The above error means that the syslog and stream declarations are not configured correctly under data sources and the other blocks.

    Make sure that the syslog table is declared under the "StreamDeclarations" block in the ARM template, as detailed in the given MS Doc (https://learn.microsoft.com/en-us/azure/azure-monitor/logs/logs-ingestion-api-overview#data-collection-rule-dcr):

    "streamDeclarations": {
        "syslog": [
            {
                "stream": "Microsoft-Syslog",
                "columnMappings": [
                    {
                        "columnName": "TimeGenerated",
                        "columnType": "datetime"
                    }
                ]
            }
        ]
    }
    

    Also verify if the syslog table is properly configured to the workspace destination which you are using.

    Refer to the MS Doc for sample code logs using different coding languages like PowerShell.

    Hope this helps.

    If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.
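
An added example, not code from this thread or from Microsoft: a small offline check that a stream name used in the POST URL is declared in a DCR and routed by a data flow, which is the condition the `InvalidStream` error reports on. It assumes the DCR layout in the Logs Ingestion API documentation linked above (`streamDeclarations` keyed by stream name, `dataFlows` with `streams`, `destinations` and `outputStream`); the stream name `Custom-SyslogIngest`, the destination name `la-dest` and the function names are constructed for illustration.

```python
# Constructed sample DCR (placeholder names and IDs, not from the thread).
SAMPLE_DCR = {"properties": {
    "streamDeclarations": {"Custom-SyslogIngest": {"columns": [
        {"name": "TimeGenerated", "type": "datetime"},
        {"name": "SyslogMessage", "type": "string"}]}},
    "destinations": {"logAnalytics": [
        {"workspaceResourceId": "<WORKSPACE_RESOURCE_ID>", "name": "la-dest"}]},
    "dataFlows": [{"streams": ["Custom-SyslogIngest"],
                   "destinations": ["la-dest"],
                   "outputStream": "Microsoft-Syslog"}],
}}


def flows_for(dcr, stream):
    """Data flows in the DCR that list `stream` as an input stream."""
    flows = dcr.get("properties", {}).get("dataFlows", [])
    return [f for f in flows if stream in f.get("streams", [])]


def check_stream(dcr, stream):
    """Return the problems found with using `stream` in the POST URL."""
    props = dcr.get("properties", {})
    log_dests = props.get("destinations", {}).get("logAnalytics", [])
    dest_names = {d.get("name") for d in log_dests}
    problems = []
    if stream not in props.get("streamDeclarations", {}):
        problems.append(f"{stream} is not in streamDeclarations")
    flows = flows_for(dcr, stream)
    if not flows:
        problems.append(f"no dataFlow lists {stream} as an input stream")
    for flow in flows:
        for name in flow.get("destinations", []):
            if name not in dest_names:
                problems.append(f"dataFlow destination {name} is not defined")
    return problems


def output_tables(dcr, stream):
    """Output streams (target tables) that `stream` is routed to."""
    return [f.get("outputStream") for f in flows_for(dcr, stream)]


if __name__ == "__main__":
    for name in ("Microsoft-Syslog", "Custom-SyslogIngest"):
        result = check_stream(SAMPLE_DCR, name) or "ok"
        print(name, result, output_tables(SAMPLE_DCR, name))
```

To check a real rule, export the DCR as JSON from the portal and pass the parsed document in place of `SAMPLE_DCR`.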
