Hello,
I am trying to use syslog via the legacy agent to forward our syslog logs to our Sentinel instance.
I edit 95-omsagent.conf to point at port 25226, then restart the omsagent and rsyslog services, and the logs show up in Sentinel. A few minutes later the 95-omsagent.conf file is overwritten and changed back to port 25224. I know that the /etc/opt/microsoft/omsagent/conf/omsagent.d/syslog.conf file governs the 95-omsagent.conf file, but every time I try to edit syslog.conf and then restart the services, the omsagent stops running.
Default /etc/opt/microsoft/omsagent/conf/omsagent.d/syslog.conf:
<source>
  type syslog
  port 25224
  bind 127.0.0.1
  protocol_type udp
  tag oms.syslog
</source>
<filter oms.syslog.**>
  type filter_syslog
</filter>
What I want to change it to:
<source>
  type syslog
  port 25226
  bind 127.0.0.1
  protocol_type tcp
  tag oms.syslog
</source>
<filter oms.syslog.**>
  type filter_syslog
</filter>
What the omsagent looks like after editing the syslog.conf file and restarting the services:
sudo /opt/microsoft/omsagent/bin/omsadmin.sh -l
Primary Workspace: <Primary workspace ID> Status: Warning(OMSAgent Registered, Not Running)
Any thoughts or advice? I know they are retiring Log Analytics in August, but until then I would like to get this working again.
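One thing worth checking when the fluentd listener above is moved from UDP/25224 to TCP/25226: the rsyslog side has to change protocol as well, not just port. In rsyslog's legacy forwarding syntax a single "@" before the address means UDP and "@@" means TCP, so a line such as "kern.warning @127.0.0.1:25226" would still send UDP to a port where omsagent now expects TCP. The script below is an added example, not code from the post or from the OMS agent; it parses the port and protocol_type out of a fluentd syslog.conf, parses the forwarding targets out of an rsyslog file, and reports any mismatch. The sample configs it writes to a temp directory are constructed for the demo (the 95-omsagent.conf lines imitate the per-facility rules the agent generates; on a real host that file is assumed to live under /etc/rsyslog.d/). Run it with no arguments for the demo, or call check_consistent with the two real paths.

```shell
#!/bin/sh
# Consistency check between the omsagent (fluentd) syslog listener and the
# rsyslog forwarding rules in 95-omsagent.conf. Added example, not OMS agent code.

# Print "PORT PROTOCOL" for the first <source> block in a fluentd syslog.conf.
fluentd_listener() {
    awk '
        /^[ \t]*<source>/ { inblock = 1; next }
        /^[ \t]*<\/source>/ { if (inblock) { print port, proto; exit } }
        inblock && $1 == "port" { port = $2 }
        inblock && $1 == "protocol_type" { proto = $2 }
    ' "$1"
}

# Print one "PORT PROTOCOL" line per distinct rsyslog forwarding action.
# Legacy rsyslog syntax: "@host:port" forwards over UDP, "@@host:port" over TCP.
rsyslog_targets() {
    awk '
        /^[ \t]*#/ { next }
        match($0, /@@?[^ \t]+:[0-9]+/) {
            t = substr($0, RSTART, RLENGTH)
            proto = (substr(t, 1, 2) == "@@") ? "tcp" : "udp"
            sub(/^@@?/, "", t)     # drop the @/@@ prefix
            sub(/^.*:/, "", t)     # keep only the port
            print t, proto
        }
    ' "$1" | sort -u
}

# Usage: check_consistent SYSLOG_CONF RSYSLOG_CONF
# Exit 0 when every rsyslog target matches the fluentd listener, 1 otherwise.
check_consistent() {
    listener=$(fluentd_listener "$1")
    [ -n "$listener" ] || { echo "no <source> block found in $1" >&2; return 1; }
    targets=$(rsyslog_targets "$2")
    [ -n "$targets" ] || { echo "no forwarding rules found in $2" >&2; return 1; }
    rc=0
    printf '%s\n' "$targets" | while read -r port proto; do
        if [ "$port $proto" != "$listener" ]; then
            echo "mismatch: rsyslog forwards $proto/$port but omsagent listens on $listener" >&2
            exit 1
        fi
    done || rc=1
    return $rc
}

# Demo on constructed files: listener moved to TCP/25226, rsyslog left on UDP/25224.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/syslog.conf" <<'EOF'
<source>
  type syslog
  port 25226
  bind 127.0.0.1
  protocol_type tcp
  tag oms.syslog
</source>
EOF
    cat > "$dir/95-omsagent.conf" <<'EOF'
# OMS Syslog collection for workspace <Primary workspace ID> (constructed sample)
kern.warning    @127.0.0.1:25224
daemon.warning  @127.0.0.1:25224
EOF
    if check_consistent "$dir/syslog.conf" "$dir/95-omsagent.conf"; then
        echo "consistent"
    else
        echo "inconsistent: fix the rsyslog rules (use @@ and port 25226 for TCP)"
    fi
    rm -rf "$dir"
}

demo
```

If the two files agree and omsagent still refuses to start, the next thing to look at is whether anything else already listens on the chosen port (for example `ss -lntup | grep 25226`), since a second TCP listener on 25226 would fail to bind.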