Logs through AMA agents

Soumya Banerjee 126 Reputation points
2022-03-21T11:33:48.097+00:00

I have set up AMA agents with DCR; we are receiving logs.

For Windows, through AMA, we are receiving via the "Windows Security Events via AMA" connector and it is showing the DCRs created.

My question is, why is it sending Linux logs through the Syslog connector? It's not sending over 514, right? It's all through the API and through 443, I believe.

Why is the Syslog connector showing as receiving logs when it is all through AMA, which is not on 514 of course?
Not sure what I am missing here.


Accepted answer
AnuragSingh-MSFT 20,596 Reputation points
2022-03-24T06:49:12.547+00:00

Hi @Soumya Banerjee,

Welcome to Microsoft Q&A! Thanks for posting the question.

Based on my understanding, you are seeing a connection to port 514 (which is used for forwarding syslog to a syslog server) from your Linux VM running in Azure/Arc-enabled VM. I did a test by installing the "Azure Monitor Agent" (AzureMonitorLinuxAgent extension) on an Azure VM through DCR and collected a network trace using tcpdump on this machine. I did not see any communication on port 514 on my machine and confirmed that the syslog messages are getting collected in the Log Analytics Workspace.

It looks like syslog forwarding is enabled on your machine through some other mechanism, because of which you are seeing a connection on port 514. Can you please check and confirm that?

Also, in case the suggestion above does not help, can you please share details on how you are seeing the connection on port 514? Please check the IP as well and see if it belongs to any centralized log/event message collector (or syslog server). For your reference, this link contains the IPs used by Azure Monitor.

Please let me know if you have any questions.

---
Please 'Accept as answer' and 'Upvote' if it helped so that it can help others in the community looking for help on similar topics.
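The two checks the answer asks for, as an added example that is not part of the thread or of any Microsoft tooling: find classic syslog-forwarding rules in rsyslog/syslog-ng configuration, and pull the peer addresses on port 514 out of saved `ss -tunp` output so they can be compared with the Azure Monitor IP list or a known collector. Function names, the sample config and the sample socket listing are all constructed for this illustration.

```shell
#!/bin/sh
# Added diagnostic helpers (not from the Q&A thread) for a Linux host that should ship
# logs only via the Azure Monitor Agent over HTTPS.
#  find_syslog_forwarders FILE...  rsyslog legacy, rsyslog omfwd and syslog-ng network()
#                                  forwarding rules, printed as file:line:proto:host:port
#  remote_514_peers FILE           sockets in saved `ss -tunp` output whose peer is on 514
find_syslog_forwarders() {
    awk '
      /^[ \t]*#/ { next }                                        # comment line
      /@@/ { t=$0; sub(/.*@@/, "", t); sub(/[ \t;].*/, "", t); split(t, h, ":")
             print FILENAME ":" FNR ":tcp:" h[1] ":" (h[2] ? h[2] : 514); next }
      /@[^@(]/ { t=$0; sub(/.*@/, "", t); sub(/[ \t;].*/, "", t); split(t, h, ":")
             print FILENAME ":" FNR ":udp:" h[1] ":" (h[2] ? h[2] : 514); next }
      /omfwd/ { proto="udp"; port=514                            # RainerScript defaults
             if (match($0, /protocol="[^"]*"/)) proto=substr($0, RSTART+10, RLENGTH-11)
             if (match($0, /port="[^"]*"/))     port=substr($0, RSTART+6, RLENGTH-7)
             if (match($0, /target="[^"]*"/))
                 print FILENAME ":" FNR ":" proto ":" substr($0, RSTART+8, RLENGTH-9) ":" port
             next }
      /network\(/ { proto="tcp"; port=514                        # syslog-ng defaults
             if (match($0, /transport\("[^"]*"\)/)) proto=substr($0, RSTART+11, RLENGTH-13)
             if (match($0, /port\([0-9]+\)/))       port=substr($0, RSTART+5, RLENGTH-6)
             if (match($0, /network\("[^"]*"/))
                 print FILENAME ":" FNR ":" proto ":" substr($0, RSTART+9, RLENGTH-10) ":" port }
    ' "$@"
}
remote_514_peers() {
    # ss -tunp columns: Netid State Recv-Q Send-Q Local Peer Process; $6 is the peer
    awk 'NR > 1 && $6 ~ /:514$/ { print $1, $6, $7 }' "$@"
}
# Constructed sample inputs (not captured from a real host).
SAMPLE_CONF="$(mktemp)"; SAMPLE_SS="$(mktemp)"
cat >"$SAMPLE_CONF" <<'EOF'
# 50-forward.conf, constructed sample
*.* @@10.0.0.5:514
auth.* @10.0.0.6
action(type="omfwd" target="collector.example" port="6514" protocol="tcp")
destination d_remote { network("10.0.0.7" transport("udp") port(514)); };
# *.* @@commented.out:514
EOF
cat >"$SAMPLE_SS" <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   ESTAB  0      0      10.0.0.4:44566     10.0.0.5:514      users:(("rsyslogd",pid=812,fd=9))
tcp   ESTAB  0      0      10.0.0.4:51020     192.0.2.10:443    users:(("mdsd",pid=1100,fd=15))
udp   UNCONN 0      0      0.0.0.0:514        0.0.0.0:*
EOF
find_syslog_forwarders "$SAMPLE_CONF"
remote_514_peers "$SAMPLE_SS"
```

On a real host, run the first function over `/etc/rsyslog.conf /etc/rsyslog.d/*.conf /etc/syslog-ng/*.conf` and feed the second a saved `ss -tunp` listing; an empty result from both supports the answer's finding that AMA itself does not use port 514.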

