Log Analytics Agent for Linux fails to disable synchronization with "OMS_MetaConfigHelper.py --disable"

AzureJoel 1 Reputation point
2022-01-28T21:36:51.397+00:00

I have an Ubuntu 20.04.3 LTS server that I configured to be a CEF log forwarder to Microsoft Sentinel for Cisco ASA(s). After installing the agent, I tried to run the command to disable syslog from duplicating messages to Sentinel, as noted in https://learn.microsoft.com/en-us/azure/sentinel/connect-log-forwarder?tabs=rsyslog

The command I ran is: sudo su omsagent -c 'python3 /opt/microsoft/omsconfig/Scripts/OMS_MetaConfigHelper.py --disable'

The output from the command is:
/opt/microsoft/omsconfig/Scripts/OMS_MetaConfigHelper.py:4: DeprecationWarning: the imp module is deprecated in favour of importlib; see the module's documentation for alternative uses
import imp
/opt/microsoft/omsconfig/Scripts/nxDSCLog.py:53: SyntaxWarning: "is" with a literal. Did you mean "=="?
if message is None or len(message) is 0:
VERBOSE from OMS_MetaConfigHelper.py: Disable flag set to True, setting mof to disabled mode.
VERBOSE from OMS_MetaConfigHelper.py: Output from: /opt/microsoft/omsconfig/Scripts/SetDscLocalConfigurationManager.py -configurationmof /etc/opt/omi/conf/omsconfig/generated_meta_config.mof: b''
Traceback (most recent call last):
File "/opt/microsoft/omsconfig/Scripts/OMS_MetaConfigHelper.py", line 268, in <module>
exitWithError(("Error on running command: " + commandToRun + " Error Message: " + stderr), exit_code)
TypeError: can only concatenate str (not "bytes") to str

After running the command, I edit the /etc/rsyslog.d/95-omsagent.conf file to remove the syslog settings, but the settings return to the default when DSC pushes the config again.

How can I disable the synchronization with Sentinel for the syslog settings?

Microsoft Sentinel
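
The traceback in the question ends inside the helper's own error-reporting path: the child command's output arrives as bytes (note the `b''` in the VERBOSE line), and line 268 concatenates it to a str, so the TypeError replaces whatever SetDscLocalConfigurationManager.py wrote to stderr. The following is an added example, not part of the original post or of Microsoft's script; the child command, function names and message text are constructed for illustration.

```python
import subprocess
import sys

# Constructed stand-in for the failing child command: writes a reason to
# stderr and exits non-zero. The real command on the page is
# SetDscLocalConfigurationManager.py; its actual stderr is not shown there.
CHILD = [sys.executable, "-c",
         "import sys; sys.stderr.write('constructed failure reason\\n'); sys.exit(3)"]


def run(cmd):
    """Run cmd without text mode, so stdout and stderr come back as bytes."""
    proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    stdout, stderr = proc.communicate()
    return stdout, stderr, proc.returncode


def report_as_in_traceback(command_to_run, stderr):
    """Same concatenation as line 268 of the traceback: str + bytes."""
    return "Error on running command: " + command_to_run + " Error Message: " + stderr


def to_text(value):
    """Decode bytes for display; undecodable bytes are replaced, never raised."""
    if isinstance(value, bytes):
        return value.decode("utf-8", errors="replace")
    return value


def report_safe(command_to_run, stderr):
    """Build the same message, decoding first so the child's reason survives."""
    return ("Error on running command: " + command_to_run +
            " Error Message: " + to_text(stderr).strip())


def demo():
    """Return (exit_code, masked, message): masked is True when the
    reporting path itself raised and hid the child's stderr."""
    _, stderr, code = run(CHILD)
    try:
        report_as_in_traceback("child-command", stderr)
        masked = False
    except TypeError:
        masked = True
    return code, masked, report_safe("child-command", stderr)


if __name__ == "__main__":
    print(demo())
```
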

1 answer

  1. Givary-MSFT 29,351 Reputation points Microsoft Employee
    2022-02-24T08:18:36.127+00:00

    @AzureJoel

    The steps below are for a VM provisioned through the Azure portal.

    Step 1: In the Azure portal > select the Linux virtual machine > OMS extension > click the Uninstall button

    Step 2: To check status of the oms service

    systemctl status walinuxagent

    To stop the service

    systemctl stop walinuxagent

    Step 3: Please remove old versions of the core packages (if they still exist). Please uninstall those packages:

    To check the packages:
    dpkg -l | grep omsagent
    dpkg -l | grep omi
    dpkg -l | grep scx
    dpkg -l | grep auoms

    Step 4: To remove the packages:

    apt purge omsagent
    apt purge omi
    apt purge scx
    apt purge auoms

    Step 5: Please check the locations below and remove them if they exist:

    rm -rf /var/lib/waagent/Microsoft.EnterpriseCloud.Monitoring.OmsAgentForLinux-1.14.9/*
    rm -rf /var/opt/omi
    rm -rf /var/opt/microsoft/omsagent/LAD/
    rm -rf /etc/opt/microsoft/omsagent
    rm -rf /etc/opt/omi
    rm -rf /var/opt/microsoft/omsagent

    wget https://raw.githubusercontent.com/Microsoft/OMS-Agent-for-Linux/master/installer/scripts/onboard_agent.sh

    chmod +x ./onboard_agent.sh

    sudo ./onboard_agent.sh --purge

    Before starting the service, please check whether any process is still running:
    ps -ef | grep -i omi
    ps -ef | grep -i oms

    To stop the service (execute this only if the service is running):

    systemctl stop walinuxagent

    Let me know if you have any questions.

    1 person found this answer helpful.