Hi,
We understand that you are seeking clarification on whether the Azure Monitor Agent is the same as the Microsoft Sentinel Agent.
Yes, the Azure Monitor Agent (AMA) and the so-called Microsoft Sentinel Agent refer to the same agent.
1. Azure Monitor Agent is the official name of the agent responsible for collecting telemetry data (like logs and metrics) from your infrastructure and forwarding it to Azure services, including Microsoft Sentinel.
2. The term "Microsoft Sentinel Agent" is not an official product name. It is often used informally to describe the role that the Azure Monitor Agent plays when it is configured specifically to send data to Microsoft Sentinel. So, they are the same agent, but the term Microsoft Sentinel Agent simply highlights its use case for Microsoft Sentinel.
Explanation of the Diagrams:
First Diagram explains
This diagram shows how 'Syslog data' from an on-premises 'Linux device' is sent to Microsoft Sentinel:
1. The CEF source on the Linux device generates logs.
2. These logs are sent via TCP/UDP port 514 to a Syslog daemon running on the same device.
3. The Syslog daemon (e.g., rsyslog or syslog-ng) collects these logs and forwards them to the Azure Monitor Agent via a Unix domain socket.
4. The AMA then sends this data securely over HTTPS (TCP 443) to the Microsoft Sentinel workspace in Azure.
Second Diagram explains
This diagram shows an architecture where multiple Linux devices send their logs to a centralized Linux log forwarder:
1. Several Linux devices with CEF sources send their logs via TCP/UDP port 514 to a Syslog daemon running on a Linux log forwarder.
2. The Syslog daemon collects logs from multiple sources and forwards them to the Azure Monitor Agent on the same log forwarder.
3. The AMA on the log forwarder aggregates the logs and sends them securely over HTTPS (TCP 443) to the Microsoft Sentinel workspace.
To clarify the description provided, the following details should be noted:
1. Microsoft Sentinel Agent on a Dedicated Azure VM: This refers to deploying the Azure Monitor Agent on an Azure Virtual Machine that is dedicated to collecting and forwarding Syslog data from on-premises systems to Microsoft Sentinel.
2. Microsoft Sentinel Agent on a Dedicated On-Premises System: This refers to deploying the Azure Monitor Agent on a dedicated on-premises server that collects and forwards Syslog data from other on-premises devices to Microsoft Sentinel.
Both descriptions are about how and where the Azure Monitor Agent (referred to here as the Microsoft Sentinel Agent) is deployed to collect and send Syslog data to Microsoft Sentinel, whether on an Azure VM, a VM in another cloud, or an on-premises machine.
Please don't hesitate to reach out to us if you have any further queries. I hope the information provided has been helpful to you! If so, please accept the answer by clicking the Accept Answer / Upvote on the post. We value your feedback, and it will help to assist others who might have a similar query. Thank you for your contribution in enhancing Microsoft Q&A!
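As an added example (not part of the answer above or of any Microsoft code), here is a small Python parser for the syslog-wrapped CEF lines that travel the CEF source → Syslog daemon → AMA path in both diagrams; it handles the CEF escaping rules (`\|` in header fields, `\=` in extension values) that commonly break ad-hoc parsing. The sample lines, vendor and product names are constructed placeholders, and the syslog header is assumed to be the RFC 3164 style (`<PRI>Mon DD HH:MM:SS host`).

```python
import re
from typing import Dict, List, Optional

# Optional RFC 3164 syslog header followed by the CEF payload (assumed framing).
SYSLOG_CEF = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?:(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) )?"
    r"(?P<cef>CEF:.*)$"
)
# CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
CEF_HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                     "signature_id", "name", "severity")
# An extension key is a run of key characters followed by an unescaped '='.
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")

def _unescape(value: str) -> str:
    """Resolve CEF escapes: \\| \\= \\\\ and the \\n / \\r sequences used in values."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def _split_header(body: str):
    """Split the seven '|'-separated header fields, honouring '\\|' escapes; return (fields, rest)."""
    parts, cur, i = [], [], 0
    while i < len(body) and len(parts) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):          # keep escape for _unescape to resolve
            cur.append(body[i:i + 2]); i += 2; continue
        if ch == "|":
            parts.append("".join(cur)); cur = []; i += 1; continue
        cur.append(ch); i += 1
    return parts, body[i:]

def _parse_extension(ext: str) -> Dict[str, str]:
    """Extension values may contain spaces, so each value runs until the next unescaped key=."""
    keys = list(KEY_RE.finditer(ext))
    out = {}
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].strip())
    return out

def parse_syslog_cef(line: str) -> Optional[Dict]:
    """Return a dict of header fields, extension dict and syslog facility/severity, or None if malformed."""
    m = SYSLOG_CEF.match(line.strip())
    if not m:
        return None
    header, ext = _split_header(m.group("cef")[len("CEF:"):])
    if len(header) != 7:                                # truncated header: reject rather than guess
        return None
    rec = dict(zip(CEF_HEADER_FIELDS, (_unescape(h) for h in header)))
    rec["extension"] = _parse_extension(ext)
    rec["syslog_host"] = m.group("host")
    if m.group("pri") is not None:
        pri = int(m.group("pri"))
        rec["facility"], rec["syslog_severity"] = pri >> 3, pri & 7
    return rec
```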