Custom logs for Linux Arc sever not coming to portal but are there on machine

Priya Goswami 5

I have configured Custom logs with Azure arc linux server via dcr association but the logs are not coming in portal. I checked the path in linux arc machine, the logs are visible there but not coming to the portal. Can you please tell what is the issue?
Also the heartbeat of agent is coming. log

arc

User's image

AnuragSingh-MSFT 20,431 Reputation points

2024-02-21T10:17:03.15+00:00
Priya Goswami, there are 3-4 primary reasons why the logs might not be appearing in the Log Analytics workspace:

The file encoding should be ASCII or UTF-8. UTF-16 formats are not supported.

The table name specified as the source in DCR is incorrect - please verify that the correct table name is available.

Once you have created DCR in the Azure portal, it takes a while for the new configuration to be downloaded to the machine. Therefore, allow it some time to download the new configuration and check if you are still not seeing any logs in the LA workspace.

The most common reason is that - there are no new logs entries being created in the log file. Check if new lines are being added to the file after the DCR was created.

For more details, see

Prerequisites

Troubleshoot

Hope this helps. Please let us know if you have any questions
Priya Goswami 5 Reputation points

2024-02-21T10:38:43.5633333+00:00

Thanks for the response Anurag. I am referring to your 2nd point regarding table. I have created app_CL table only and in DCR the value is same. Are you referring to something else?

I also have 1 question, as the machine is Linux Arc, shall i refer https://learn.microsoft.com/en-us/azure/azure-monitor/agents/troubleshooter-ama-linux?tabs=redhat%2CGenerateLogs article for troubleshooting if i need to collect the logs.
AnuragSingh-MSFT 20,431 Reputation points

2024-02-22T08:52:05.7466667+00:00
Priya Goswami, thank you for the reply.

I configured a custom log collection using the same path as you have mentioned, and I can see the logs in the LA workspace.

To answer your questions:

Yes, I was talking about the custom table created - "app_CL" to ensure that there was no difference in the table created and the table to which logs are getting sent.

Yes, the link mentioned by you applies to all kind of Azure Monitor Agent (whether on Azure VM or Azure Arc VM) - How to use the Linux operating system (OS) Azure Monitor Agent Troubleshooter

I would suggest reviewing the following log file to see if there are errors related to reading the log file - /var/opt/microsoft/azuremonitoragent/log/fluentbit.log

Furthermore, the following link has detailed information of logs you should refer to when troubleshooting issues with Azure Monitor agent.

https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-troubleshoot-linux-vm

In this case, except for point 1 and 2 under "Basic troubleshooting steps" all other points apply to AMA agent on VM and Arc enabled server. (point 1 and 2 are specifically related to Azure VM to ensure that extension is installed).

Also refer to this link Troubleshooting issues on Arc-enabled server

Hope this helps.
AnuragSingh-MSFT 20,431 Reputation points

2024-02-29T14:08:55.5166667+00:00

Priya Goswami, Following-up to check if you had a chance to review the answer provided.

If the answer did not help, please add more context/follow-up question for it, and we will help you out.
Priya Goswami 5 Reputation points

2024-02-29T14:50:47.91+00:00

Thanks for the follow up Anurag. I checked below 2 paths but cannot check any error. The only thing I am suspicious about is, I cannot see any file related to customlog under configchunk. I have run the trobleshooter also and reviewing the files. Can you mention any specific file or folder that I should check in logs? Although i am reviewing but if are know so my troubleshooting can get easier :D

[root@vmu15982 ~]# cat /var/opt/microsoft/azuremonitoragent/log/fluentbit.log [2023/12/20 15:59:05] [ info] [storage] version=1.0.3, initializing... [2023/12/20 15:59:05] [ info] [storage] in-memory [2023/12/20 15:59:05] [ info] [storage] normal synchronization mode, checksum disabled, max_chunks_up=128 [2023/12/20 15:59:05] [ info] [engine] started (pid=679253) [2024/01/04 11:13:05] [ info] [input] pausing tail.0 [2024/01/04 11:13:05] [ info] [input] pausing tail.1 [2024/01/04 11:13:05] [ info] [input] pausing tail.0 [2024/01/04 11:13:05] [ info] [input] pausing tail.1 [2024/01/04 11:13:05] [ warn] [engine] service will stop in 5 seconds [2024/01/04 11:13:05] [ warn] [engine] service will stop in 5 seconds [2024/01/04 11:13:09] [ info] [engine] service stopped [2024/01/04 11:13:09] [ info] [input] pausing tail.0 [2024/01/04 11:13:09] [ info] [input] pausing tail.1 [2024/01/04 11:14:48] [ info] [storage] version=1.0.3, initializing... [2024/01/04 11:14:48] [ info] [storage] in-memory [2024/01/04 11:14:48] [ info] [storage] normal synchronization mode, checksum disabled, max_chunks_up=128 [2024/01/04 11:14:48] [ info] [engine] started (pid=2620838) [2024/01/04 11:15:20] [ info] [input] pausing tail.0 [2024/01/04 11:15:20] [ info] [input] pausing tail.1 [2024/01/04 11:15:20] [ warn] [engine] service will stop in 5 seconds [2024/01/04 11:15:25] [ info] [storage] version=1.0.3, initializing... [2024/01/04 11:15:25] [ info] [storage] in-memory [2024/01/04 11:15:25] [ info] [storage] normal synchronization mode, checksum disabled, max_chunks_up=128 [2024/01/04 11:15:25] [ info] [engine] started (pid=2622592) [2024/01/30 11:19:18] [ info] [input] pausing tail.0 [2024/01/30 11:19:18] [ info] [input] pausing tail.0 [2024/01/30 11:19:18] [ info] [input] pausing tail.1 [2024/01/30 11:19:18] [ warn] [input] cannot disable event for tail.0 [2024/01/30 11:19:18] [ warn] [engine] service will stop in 5 seconds [2024/01/30 11:19:18] [ warn] [input] cannot disable event for tail.0 [2024/01/30 11:19:18] [ warn] [engine] service will stop in 5 seconds [2024/01/30 11:19:18] [ warn] [input] cannot disable event for tail.0 [2024/01/30 11:19:18] [ info] [input] pausing tail.1 [2024/01/30 11:19:18] [ warn] [input] cannot disable event for tail.1 [2024/01/30 11:19:18] [ warn] [input] cannot disable event for tail.1 [2024/01/30 11:19:18] [ warn] [input] cannot disable event for tail.1 [2024/01/30 11:19:22] [ info] [engine] service stopped [2024/01/30 11:19:22] [ info] [input] pausing tail.0 [2024/01/30 11:19:22] [ info] [input] pausing tail.1 [2024/01/30 11:19:59] [ info] [storage] version=1.0.3, initializing... [2024/01/30 11:19:59] [ info] [storage] in-memory [2024/01/30 11:19:59] [ info] [storage] normal synchronization mode, checksum disabled, max_chunks_up=128 [2024/01/30 11:19:59] [ info] [engine] started (pid=1851116) [2024/02/08 11:53:19] [ info] [input] pausing tail.0 [2024/02/08 11:53:19] [ info] [input] pausing tail.0 [2024/02/08 11:53:19] [ info] [input] pausing tail.1 [2024/02/08 11:53:19] [ info] [input] pausing tail.1 [2024/02/08 11:53:19] [ info] [input] pausing tail.2 [2024/02/08 11:53:19] [ info] [input] pausing tail.2 [2024/02/08 11:53:19] [ warn] [engine] service will stop in 5 seconds [2024/02/08 11:53:19] [ warn] [engine] service will stop in 5 seconds [2024/02/08 11:53:23] [ info] [engine] service stopped [2024/02/08 11:53:23] [ info] [input] pausing tail.0 [2024/02/08 11:53:23] [ info] [input] pausing tail.1 [2024/02/08 11:53:23] [ info] [input] pausing tail.2 [2024/02/08 11:53:52] [ info] [storage] version=1.0.3, initializing... [2024/02/08 11:53:52] [ info] [storage] in-memory [2024/02/08 11:53:52] [ info] [storage] normal synchronization mode, checksum disabled, max_chunks_up=128 [2024/02/08 11:53:52] [ info] [engine] started (pid=3022815) [root@vmu15982 ~]# cd /etc/opt/microsoft/azuremonitoragent/config-cache/configchunks/ [root@vmu15982 configchunks]# ll total 12 -rw-r-----. 1 syslog syslog 1698 Dec 20 15:58 10327896887619862717.json -rw-r-----. 1 syslog syslog 968 Dec 20 15:58 5099107724280214750.json -rw-r-----. 1 syslog syslog 1600 Feb 8 11:52 9243080408621233087.json [root@vmu15982 configchunks]# cd /var/lib/waagent/Microsoft.Azure.Monitor.AzureMonitorLinuxAgent-{version}/ama_tst/ -bash: cd: /var/lib/waagent/Microsoft.Azure.Monitor.AzureMonitorLinuxAgent-{version}/ama_tst/: No such file or directory [root@vmu15982 configchunks]# cd /var/lib/waagent/Microsoft.Azure.Monitor.AzureMonitorLinuxAgent-1.28.11/ama amaCoreAgentBin/ amametrics.pid amasyslogconfig.pid ama_tst/ [root@vmu15982 configchunks]# cd /var/lib/waagent/Microsoft.Azure.Monitor.AzureMonitorLinuxAgent-1.28.11/ama amaCoreAgentBin/ amametrics.pid amasyslogconfig.pid ama_tst/ [root@vmu15982 configchunks]# cd /var/lib/waagent/Microsoft.Azure.Monitor.AzureMonitorLinuxAgent-1.28.11/ama_tst/ [root@vmu15982 ama_tst]# ls ama_troubleshooter.sh AMA-Troubleshooting-Tool.md ama_tst.tgz modules
Priya Goswami 5 Reputation points

2024-03-01T08:04:21.3233333+00:00

Good day Anurag, I have also observed that in td-agent.conf path, there is no txt path.
AnuragSingh-MSFT 20,431 Reputation points

2024-03-11T04:44:54.6933333+00:00

Priya Goswami, Following-up to check if you had a chance to review the answer provided.

If the answer did not help, please add more context/follow-up question for it, and we will help you out. Else, if the answer helped, please click Accept answer so that it can help others in the community looking for help on similar topics.
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Priya Goswami 5 Reputation points

2024-03-13T14:13:06.21+00:00

Thanks Anurag for following up. I will be checking this with my team shortly and update over here.
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

1 answer

AnuragSingh-MSFT 20,431 Reputation points

2024-03-04T09:49:06.7766667+00:00
Priya Goswami, thank you for additional details.

I am not sure what you meant by txt path - but I checked and the td-agent.conf file in my "working" scenario is identical to what you have - with the entries under the first "[INPUT]" block. You seem to have created multiple DCRs to track 3 different file paths?

Regarding configchunks, you are right - there should be a json file with details of log file path which is being attempted to be collected and additional details related to monitoring endpoints etc. It seems that the local config is not in sync with the DCR in portal.

In this scenario, here are some of the basic steps that can be taken to try download the latest config based on the configuration set in Azure DCRs. Note, not all the steps are mandatory to be followed - please try them in sequence and see if it helps with the issue.

Ensure that you have the latest Heartbeats from this machine to the tracked LA workspace. If not, the agents are not communicating. The query below can be used to check if latest heartbeats are available from the machine.

Heartbeat | order by TimeGenerated desc

Check the "Extension" resource menu of this Arc server in Azure Portal. There should be an entry like below (to ensure that the extension is installed and healthy)

Ensure that you have created Data collection rules with the correct "data collection endpoints". Data Collection Endpoints facilitate the distribution of configuration from Azure to machine and also the log collection from machine to Azure. If they are not properly set, the issues may arise as we see in this case. For more details see point 3 & 4 in the following link - Create a data collection rule to collect data from a text or JSON file. Note, there are 2 locations where Data Collection Endpoints is specified when creating DCR. For details, see How to set up data collection endpoints based on your deployment

In case you have configured "Data collection endpoints" correctly with the DCR, and still don't see the logs getting collected, restart the AzureMonitorAgent to ensure that it downloads the latest config from the Azure platform. Please review the link that follows to get more details about the commands and meaning of configchunks - Linux AMA syslog agents: How to identify DCRs that are causing duplicate data collection

cd /var/lib/waagent/Microsoft.Azure.Monitor.AzureMonitorLinuxAgent-<agent version> ./shim.sh -disable ./shim.sh -enable

After performing the step above, wait for a while and check the configchunks directory to see if json files corresponding to the DCRs were created. Also, the fluentbit.log file can be checked. Ideally, there should be entries like the following denoting the files being tracked for log collection in this log file after a restart.

In case, the steps above does not help, I would suggest deleting the DCR and recreating it again.

Finally, a reinstall of the Azure Monitor Agent, followed by recreating the DCR should help fix it.

In case, the steps mentioned above does not help, based on the nature of this issue, I would suggest reaching out to Azure Support to have this issue investigated by one of our support engineers, who can review the logs on the machine and platform logs if required to troubleshoot this further.

Please let me know if you have any questions. If the answer helped, please click Accept answer so that it can help others in the community looking for help on similar topics.
Please sign in to rate this answer.
AnuragSingh-MSFT 20,431 Reputation points

2024-03-19T06:28:33.8433333+00:00

Priya Goswami, Following-up to check if you had a chance to follow the recommendation provided and if it helped.

If the answer did not help, please add more context/follow-up question for it. Else, if the answer helped, please click Accept answer so that it can help others in the community looking for help on similar topics.
Sign in to comment

Share via

Custom logs for Linux Arc sever not coming to portal but are there on machine

1 answer