Merge pull request #303490 from EdB-MSFT/syslog-timestamps

added utc note

Author: prmerger-automator[bot]

articles/sentinel/cef-syslog-ama-overview.md

@@ -1,11 +1,11 @@
 ---
 title:  Syslog and CEF AMA connectors - Microsoft Sentinel
 description: Learn how Microsoft Sentinel collects Syslog and Common Event Format (CEF) messages with the Azure Monitor Agent.
-author: yelevin
-ms.author: yelevin
+author: EdB-MSFT
+ms.author: edbaynash
 ms.topic: concept-article
 ms.custom: linux-related-content
-ms.date: 07/12/2024
+ms.date: 07/29/2025
 
 
 #Customer intent: As a security engineer, I want to collect Syslog and CEF messages from various devices, either directly or using a centralized log forwarder, so that I can efficiently monitor and respond to security threats.
@@ -74,6 +74,15 @@ The data ingestion process using the Azure Monitor Agent uses the following comp
 
 ---
 
+> [!NOTE]
+> When ingesting syslog data using a log forwarder and Azure Monitor Agent (AMA), inconsistencies may arise between the `TimeGenerated` and `EventTime` fields. 
+> + TimeGenerated reflects the UTC time when the syslog message was processed by the machine hosting the log forwarder or collector.  
+> + EventTime is extracted from the syslog header, which doesn't include time zone information and is converted to UTC using the local time zone offset of the forwarder/collector.  
+>
+>This can lead to differences between the two fields when the forwarder/collector and the device generating the log are in different time zones.
+
+
+
 ## Setup process to collect log messages
 
 From the **Content hub** in Microsoft Sentinel, install the appropriate solution for **Syslog** or **Common Event Format**. This step installs the respective data connectors Syslog via AMA or Common Event Format (CEF) via AMA data connector. For more information, see [Discover and manage Microsoft Sentinel out-of-the-box content](sentinel-solutions-deploy.md).