MicrosoftDocs
diff --git a/‎articles/sentinel/TOC.yml
Lines changed: 9 additions & 3 deletions b/‎articles/sentinel/TOC.yml
Lines changed: 9 additions & 3 deletions
diff --git a/‎articles/sentinel/api-dcr-reference.md
Lines changed: 155 additions & 0 deletions b/‎articles/sentinel/api-dcr-reference.md
Lines changed: 155 additions & 0 deletions
diff --git a/‎articles/sentinel/connect-cef-syslog-ama.md
Lines changed: 10 additions & 6 deletions b/‎articles/sentinel/connect-cef-syslog-ama.md
Lines changed: 10 additions & 6 deletions
@@ -860,10 +860,16 @@
         href: connect-log-forwarder.md
       - name: Syslog (raw) sources (legacy)
         href: connect-syslog.md
+    - name: Custom log sources (text files)
+      items:
+      - name: Collect logs from text files via AMA
+        href: connect-custom-logs-ama.md
+      - name: Custom logs - configure security device
+        href: unified-connector-custom-device.md
+      - name: Custom log sources (legacy)
+        href: connect-custom-logs.md
     - name: DNS via AMA
-      href: connect-dns-ama.md   
-    - name: Custom log sources
-      href: connect-custom-logs.md
+      href: connect-dns-ama.md
     - name: Logstash plugin with Data Collection Rules
       href: connect-logstash-data-connection-rules.md
     - name: Logstash plugin (legacy)
 
@@ -216,3 +216,158 @@ https://management.azure.com/subscriptions/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/
   }
 ```
 
+## Custom logs from text files
+
+The following examples are for DCRs using the AMA to collect custom logs from text files.
+
+### Custom text logs DCR
+
+These examples are of the API request for creating a DCR.
+
+#### Custom text logs DCR creation request body
+
+The following is an example of a DCR creation request for a custom log text file. Replace *`{PLACEHOLDER_VALUES}`* with actual values.
+
+The `outputStream` parameter is required only if the transform changes the schema of the stream.
+
+```json
+{
+    "type": "Microsoft.Insights/dataCollectionRules",
+    "name": "{DCR_NAME}",
+    "location": "{WORKSPACE_LOCATION}",
+    "apiVersion": "2022-06-01",
+    "properties": {
+        "streamDeclarations": {
+            "Custom-Text-{TABLE_NAME}": {
+                "columns": [
+                    {
+                        "name": "TimeGenerated",
+                        "type": "datetime"
+                    },
+                    {
+                        "name": "RawData",
+                        "type": "string"
+                    },
+                ]
+            }
+        },
+        "dataSources": {
+            "logFiles": [
+                {
+                    "streams": [ 
+                        "Custom-Text-{TABLE_NAME}" 
+                    ],
+                    "filePatterns": [ 
+                        "{LOCAL_PATH_FILE_1}","{LOCAL_PATH_FILE_2}" 
+                    ],
+                    "format": "text",
+                    "name": "Custom-Text-{TABLE_NAME}"
+                }
+            ],
+        },
+        "destinations": {
+            "logAnalytics": [
+                {
+                    "workspaceResourceId": "{WORKSPACE_RESOURCE_PATH}",
+                    "workspaceId": "{WORKSPACE_ID}",
+                    "name": "DataCollectionEvent"
+                }
+            ],
+        },
+        "dataFlows": [
+            {
+                "streams": [
+                    "Custom-Text-{TABLE_NAME}" 
+                ],
+                "destinations": [ 
+                    "DataCollectionEvent" 
+                ],
+                "transformKql": "source",
+                "outputStream": "Custom-{TABLE_NAME}"
+            }
+        ]
+    }
+}
+```
+
+#### Custom text logs DCR creation response
+
+```json
+{
+    "properties": {
+        "immutableId": "dcr-00112233445566778899aabbccddeeff",
+        "dataCollectionEndpointId": "/subscriptions/aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb/resourceGroups/Contoso-RG-1/providers/Microsoft.Insights/dataCollectionEndpoints/Microsoft-Sentinel-aaaabbbbccccddddeeeefff",
+        "streamDeclarations": {
+            "Custom-Text-ApacheHTTPServer_CL": {
+                "columns": [
+                    {
+                        "name": "TimeGenerated",
+                        "type": "datetime"
+                    },
+                    {
+                        "name": "RawData",
+                        "type": "string"
+                    }
+                ]
+            }
+        },
+        "dataSources": {
+            "logFiles": [
+                {
+                    "streams": [
+                        "Custom-Text-ApacheHTTPServer_CL"
+                    ],
+                    "filePatterns": [
+                        "C:\\Server\\bin\\log\\Apache24\\logs\\*.log"
+                    ],
+                    "format": "text",
+                    "settings": {
+                        "text": {
+                            "recordStartTimestampFormat": "ISO 8601"
+                        }
+                    },
+                    "name": "Custom-Text-ApacheHTTPServer_CL"
+                }
+            ]
+        },
+        "destinations": {
+            "logAnalytics": [
+                {
+                    "workspaceResourceId": "/subscriptions/aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb/resourceGroups/contoso-rg-1/providers/Microsoft.OperationalInsights/workspaces/CyberSOC",
+                    "workspaceId": "cccccccc-3333-4444-5555-dddddddddddd",
+                    "name": "DataCollectionEvent"
+                }
+            ]
+        },
+        "dataFlows": [
+            {
+                "streams": [
+                    "Custom-Text-ApacheHTTPServer_CL"
+                ],
+                "destinations": [
+                    "DataCollectionEvent"
+                ],
+                "transformKql": "source",
+                "outputStream": "Custom-ApacheHTTPServer_CL"
+            }
+        ],
+        "provisioningState": "Succeeded"
+    },
+    "location": "centralus",
+    "tags": {
+        "createdBy": "Sentinel"
+    },
+    "id": "/subscriptions/aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb/resourceGroups/Contoso-RG-1/providers/Microsoft.Insights/dataCollectionRules/DCR-CustomLogs-01",
+    "name": "DCR-CustomLogs-01",
+    "type": "Microsoft.Insights/dataCollectionRules",
+    "etag": "\"00000000-1111-2222-3333-444444444444\"",
+    "systemData": {
+        "createdBy": "[email protected]",
+        "createdByType": "User",
+        "createdAt": "2024-08-12T09:29:15.1083961Z",
+        "lastModifiedBy": "[email protected]",
+        "lastModifiedByType": "User",
+        "lastModifiedAt": "2024-08-12T09:29:15.1083961Z"
+    }
+}
+```
@@ -1,6 +1,6 @@
 ---
-title: Ingest syslog CEF messages to Microsoft Sentinel - AMA
-description: Ingest syslog messages from linux machines, devices, and appliances to Microsoft Sentinel using data connectors based on the Azure Monitor Agent (AMA).
+title: Ingest syslog and CEF messages to Microsoft Sentinel - AMA
+description: Ingest syslog messages from linux machines and from network and security devices and appliances to Microsoft Sentinel, using data connectors based on the Azure Monitor Agent (AMA).
 author: yelevin
 ms.author: yelevin
 ms.topic: how-to
@@ -22,21 +22,25 @@ This article describes how to use the **Syslog via AMA** and **Common Event Form
 
 ## Prerequisites
 
-Before you begin, you must have the resources configured and the appropriate permissions described in this section. 
+Before you begin, you must have the resources configured and the appropriate permissions assigned, as described in this section. 
 
 ### Microsoft Sentinel prerequisites
 
 Install the appropriate Microsoft Sentinel solution and make sure you have the permissions to complete the steps in this article.
 
 - Install the appropriate solution from the **Content hub** in Microsoft Sentinel. For more information, see [Discover and manage Microsoft Sentinel out-of-the-box content](sentinel-solutions-deploy.md).
+
 - Identify which data connector the Microsoft Sentinel solution requires &mdash; **Syslog via AMA** or **Common Event Format (CEF) via AMA** and whether you need to install the **Syslog** or **Common Event Format** solution. To fulfill this prerequisite, 
+
   - In the **Content hub**, select **Manage** on the installed solution and review the data connector listed. 
+
   - If either **Syslog via AMA** or **Common Event Format (CEF) via AMA** isn't installed with the solution, identify whether you need to install the **Syslog** or **Common Event Format** solution by finding your appliance or device from one of the following articles:
 
     - [CEF via AMA data connector - Configure specific appliance or device for Microsoft Sentinel data ingestion](unified-connector-cef-device.md)
     - [Syslog via AMA data connector - Configure specific appliance or device for Microsoft Sentinel data ingestion](unified-connector-syslog-device.md)
 
     Then install either the **Syslog** or **Common Event Format** solution from the content hub to get the related AMA data connector.
+
 - Have an Azure account with the following Azure role-based access control (Azure RBAC) roles:
 
   | Built-in role | Scope | Reason |
@@ -77,17 +81,17 @@ If your devices are sending syslog and CEF logs over TLS because, for example, y
 The setup process for the Syslog via AMA  or Common Event Format (CEF) via AMA data connectors includes the following steps:
 
 1. Install the Azure Monitor Agent and create a Data Collection Rule (DCR) by using either of the following methods:
-    - [Azure or Defender portal](?tabs=syslog%2Cportal#create-data-collection-rule)
+    - [Azure or Defender portal](?tabs=syslog%2Cportal#create-data-collection-rule-dcr)
     - [Azure Monitor Logs Ingestion API](?tabs=syslog%2Capi#install-the-azure-monitor-agent)
 1. If you're collecting logs from other machines using a log forwarder, [**run the "installation" script**](#run-the-installation-script) on the log forwarder to configure the syslog daemon to listen for messages from other machines, and to open the necessary local ports.
 
 Select the appropriate tab for instructions.
 
 # [Azure or Defender portal](#tab/portal)
 
-### Create data collection rule
+### Create data collection rule (DCR)
 
-To get started, open either the **Syslog via AMA** or **Common Event Format (CEF) via AMA** data connector in Microsoft Sentinel and create a data connector rule.
+To get started, open either the **Syslog via AMA** or **Common Event Format (CEF) via AMA** data connector in Microsoft Sentinel and create a data collection rule (DCR).
 
 1. For Microsoft Sentinel in the [Azure portal](https://portal.azure.com), under **Configuration**, select **Data connectors**.<br> For Microsoft Sentinel in the [Defender portal](https://security.microsoft.com/), select **Microsoft Sentinel** > **Configuration** > **Data connectors**.