SC-200 Certification Practice Question #172

Question

You have an on-premises Linux server that runs a background process named App1 and has the Azure Connected Machine agent installed.

You have a Microsoft Sentinel workspace named WS1.

You need to configure a data collection rule (DCR) named DCR1 that will use the Syslog via AMA connector to collect messages related to App1. The solution must meet the following requirements:

•	Only collect messages that have a priority level of critical.
•	Minimize the volume of data collected.

Which facility and log level should you configure for DCR1? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Accepted Answer

The facility is settled by the App1 = "background process" cue — background daemons log to the daemon facility, so **LOG_DAEMON** (Blasty 👍 7, Krayzr both agree). For the log level, AMA collects the selected severity *and all higher severities*. Syslog severity order is Debug < Info < Notice < Warning < Error < Critical < Alert < Emergency. To guarantee Critical is collected, the minimum level must be at or below Critical. LOG_EMERG collects only Emergency and would miss Critical entirely (eliminated). Among the remaining options, LOG_ERR (Error) is the highest/narrowest level that still includes Critical — it gathers Error, Critical, Alert, Emergency only — so it satisfies "collect critical" while minimizing volume better than LOG_WARN (adds Warning) or LOG_DEBUG (adds everything). Confidence is held at 80% because there is no published Suggested/Most-Voted answer and the community is split between LOG_ERR and LOG_EMERG, but MS Learn's "selected level and higher" rule makes LOG_ERR the only option satisfying both requirements.

More SC-200 practice questions