To ingest custom logs from on-premises servers into Microsoft Sentinel , the logs must first be collected through the L og Analytics workspace that Sentinel is built on. According to Microsoft Sentinel and Azure Monitor documentation, the required steps are:

Install the Log Analytics agent (MMA/OMS agent) on each on-premises Windows Server that will send logs.

This agent securely forwards Windows event logs, performance data, and custom log files to the Log Analytics workspace in Azure Monitor.

Although Azure Monitor Agent (AMA) is the newer option, custom log collection is still supported primarily via the Log Analytics a gent until full parity is achieved.

The Microsoft Dependency agent is used only for service map and dependency data, not for log ingestion.

The Azure Connected Machine agent (for Azure Arc) can onboard machines for management but does not directly handle c ustom log configuration for Sentinel.

Configure custom log ingestion by defining custom log collection rules in the Log Analytics workspace settings .

In Sentinel, navigate to the underlying workspace → Advanced settings → Data → Custom Logs to define the log format, file path, and collection parameters.

The custom log configuration is always managed at the workspace level , since Sentinel queries data from the connected workspace’s tables.

Other options, like the Data connectors page or Logs blade of Sentin el, are used for connecting integrated services or for querying data, not for defining custom ingestion sources.

Therefore, based on official Microsoft Defender XDR and Sentinel integration guidance, the correct configuration steps are:

✅ On the servers, i nstall the: Log Analytics agent

✅ Configure custom log settings by using the: Log Analytics workspace settings of Microsoft Sentinel