gaetansimo
1 month ago

Regarding the execution interval of the Azure Functions template for Cato log integration

I'd like to confirm something about Azure Functions processing.

■Requirements
- To forward Cato SASE logs to an Azure Log Analytics workspace, I'm using the following Cato log integration template.

https://github.com/catonetworks/cato-sentinel-connect/tree/main

- The Azure Functions specs are as follows:

 OS: Linux

 Plan: App Service Plan

 Size: P1v3

 Type: Custom Handler

 Trigger: Timer trigger (30-second interval)

The following logs are targeted for integration:

 -CommonSecurityLog

  Log size: Approximately 2.5-5MB per 30 seconds (300-600MB per hour)

 -CatoAuditEngine_CL

  Log size: Less than 0.01MB per 30 seconds

■Question
I'm using a 30-second timer trigger, but the actual execution interval is 2 minutes. (The execution interval can be confirmed by counting the "Functions Execution Count" metric.)
Please confirm the following three points.

1. Is the change in execution interval due to a large log volume?

2. What should I do to set the execution interval to 30 seconds?
Would scaling up Azure Functions be effective?

3. Even if execution takes a long time, is the log integration being executed without any problems? Are there any logs being missed?

Note that in the test environment (log volume per 30 seconds is less than 0.01MB for both tables), execution is performed every 30 seconds.

1 Reply

  • michaelsaw
    Cato Professional Services

    Hi gaetansimo, 

    This is an interesting point.
    Would you consider using a 300-second timer trigger, so that there is sufficient time to process/execute this on Azure?

    Cheers