Installing the Syslog AMA and creating a Data Collection Rule (DCR)

To install the Syslog AMA connector and create a Data Collection Rule (DCR):

In the Azure portal, go to the Microsoft Sentinel service.
Select the Microsoft Sentinel workspace from the list.

In case the workspace is not listed, you should create it.
Select Data connectors.
In the Search box, type Syslog.  From the results, select the Syslog via AMA connector.
If the Syslog via AMA connector is not displayed in the search results, do the following:
1. Select Go to Content hub under the More data connectors.
2. On the displayed Content hub page, search for Syslog.
3. Choose the Syslog from the search results and select Install.
4. Once the installation process is done, go back to the Data connector page and check the connector availability.
5. On the Details pane, select Open connector page.
On the details pane, select the Open connector page option.
In the Configuration area, select +Create data collection rule.
Go to the Basic tab and specify the following details:
- Type a DCR name in the Rule name field.
- Select your subscription
- Select the resource group where you want to locate your DCR
Select Next: Resources>.
Next, you should define resources (VMs). In the Resources tab, select the machines you want to install—the AMA in this case, your log forwarder machine.

If your log forwarder doesn't appear in the list, it might not have installed the Azure Connected Machine agent.
Select the log forwarder VM on which you want to install the AMA. When you hover over the VM, a check box will appear next to its name.
Review your changes and select Next: Collect>.
Go to the Collect tab and select the minimum log level for each facility.
When you select a log level, Microsoft Sentinel collects logs for the selected level and other levels with higher severity.
Select Next: Review + create.
In the Review + create tab, select Create.

The Azure Monitor Agent will be installed on your selected machines when creating your DCR using the connector.