Syslog through AMA (CEF) Connector

Bl()e 20 Reputation points
2024-06-11T10:30:54.9766667+00:00

Hi,

Follwing up on my last question: https://learn.microsoft.com/en-us/answers/questions/1690671/syslog-through-ama-connector-not-showing-in-the-co

I have now installed Arc, and the machine is showing up on Azure Arc.
The AMA is installed and is correctly sending heartbeats to Sentinel.

I have onboarded a couple of network devices to forward syslog towards the Azure Arc enabled server.
Verified with tcpdump that the devices is sending syslog to UDP 514.
Verified with tcpdump that rsyslog is sending the syslog to AMA localhost TCP 28330

But logs does still not show up in LA/Sentinel.

After some investigation, I discovered some warning logs in /var/opt/microsoft/azuremonitoragent/logmdsd.warn:

2024-06-04T11:22:53.3910500Z: [/__w/1/s/external/WindowsAgent/src/shared/mcsmanager/lib/src/Configuration.cpp:410,ParseDataSources]Data source syslog is not implemented ErrorCode:-2146171897

2024-06-04T11:22:53.4435500Z: [/__w/1/s/external/WindowsAgent/src/shared/mcsmanager/lib/src/Configuration.cpp:410,ParseDataSources]Data source syslog is not implemented ErrorCode:-2146171897

2024-06-04T11:22:53.4435940Z: [/__w/1/s/external/WindowsAgent/src/shared/mcsmanager/lib/src/Configuration.cpp:410,ParseDataSources]Data source syslog is not implemented ErrorCode:-2146171897

2024-06-04T13:18:08.4699950Z: [/__w/1/s/external/WindowsAgent/src/shared/mcsmanager/lib/src/Configuration.cpp:410,ParseDataSources]Data source syslog is not implemented ErrorCode:-2146171897

And local error message in syslog is throwing:

azuremonitor-coreagent.service: Scheduled restart job, restart counter is at 3733.

Stopped Azure Monitor Agent CoreAgent daemon (on systemd).

Started Azure Monitor Agent CoreAgent daemon (on systemd).

amacoreagent[109235]: The required instruction sets are not supported by the current CPU.

this message throws at every restart counter.

I have tried to lookup this error message, but haven't found anything useful.
I don't either find specific technical requirements

The AMA is running on:
Operating System: Ubuntu 20.04.6 LTS

Kernel: Linux 5.4.0-182-generic
Architecture: x86-64

Viritualized, 4 cores and 8 G RAM.

Any advice?

Azure Monitor
Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
2,939 questions
Microsoft Sentinel
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
1,030 questions
{count} votes