Install Log Analytics agent on Linux computers

This article provides details on installing the Log Analytics agent on Linux computers hosted in other clouds or on-premises.

Important

The legacy Log Analytics agent will be deprecated by August 2024. Migrate to Azure Monitor agent before August 2024 to continue ingesting data.

The installation methods described in this article are:

  • Install the agent for Linux using a wrapper-script hosted on GitHub. This is the recommended method to install and upgrade the agent when the computer has connectivity with the Internet, directly or through a proxy server.
  • Manually download and install the agent. This is required when the Linux computer doesn't have access to the Internet and will be communicating with Azure Monitor or Azure Automation through the Log Analytics gateway.

See Installation options for more efficient options you can use for Azure virtual machines.

Requirements

Supported operating systems

See Overview of Azure Monitor agents for a list of Linux distributions supported by the Log Analytics agent.

Note

OpenSSL 1.1.0 is only supported on x86_x64 platforms (64-bit) and OpenSSL earlier than 1.x is not supported on any platform.

Note

The Log Analytics Linux Agent does not run in containers. To monitor containers, use the Container Monitoring solution for Docker hosts or Container insights for Kubernetes.

Starting with versions released after August 2018, we're making the following changes to our support model:

  • Only the server versions are supported, not client.
  • Focus support on any of the Azure Linux Endorsed distros. There may be some delay between a new distro/version being Azure Linux Endorsed and it being supported for the Log Analytics Linux agent.
  • All minor releases are supported for each major version listed.
  • Versions that have passed their manufacturer's end-of-support date aren't supported.
  • Only support VM images; containers, even those derived from official distro publishers' images, aren't supported.
  • New versions of AMI aren't supported.
  • Only versions that run OpenSSL 1.x by default are supported.

Note

If you are using a distro or version that is not currently supported and doesn't align to our support model, we recommend that you fork this repo, acknowledging that Microsoft support will not provide assistance with forked agent versions.

Python requirement

Starting from Agent version 1.13.27, the Linux Agent will support both Python 2 and 3. We always recommend using the latest agent.

If you're using an older version of the agent, you must have the Virtual Machine use Python 2 by default. If your virtual machine is using a distro that doesn't include Python 2 by default, then you must install it. The following sample commands will install Python 2 on different distros.

  • Red Hat, CentOS, Oracle: yum install -y python2
  • Ubuntu, Debian: apt-get install -y python2
  • SUSE: zypper install -y python2

Again, only if you're using an older version of the agent, the python2 executable must be aliased to python. Following is one method that you can use to set this alias:

  1. Run the following command to remove any existing aliases.

    sudo update-alternatives --remove-all python
    
  2. Run the following command to create the alias.

    sudo update-alternatives --install /usr/bin/python python /usr/bin/python2 1
    

Supported Linux hardening

The OMS Agent has limited customization and hardening support for Linux.

The following are currently supported:

  • SELinux (Marketplace images for CentOS and RHEL with their default settings)
  • FIPS (Marketplace images for CentOS and RHEL 6/7 with their default settings)

The following aren't supported:

  • CIS
  • SELinux (custom hardening like MLS)

CIS, FIPS and SELinux hardening support is planned for Azure Monitoring Agent. Further hardening and customization methods aren't supported nor planned for OMS Agent. For instance, OS images like GitHub Enterprise Server which include customizations such as limitations to user account privileges aren't supported.

Agent prerequisites

The following table highlights the packages required for supported Linux distros that the agent will be installed on.

Required package Description Minimum version
Glibc GNU C Library 2.5-12
Openssl OpenSSL Libraries 1.0.x or 1.1.x
Curl cURL web client 7.15.5
Python 2.7 or 3.6+
Python-ctypes
PAM Pluggable Authentication Modules

Note

Either rsyslog or syslog-ng are required to collect syslog messages. The default syslog daemon on version 5 of Red Hat Enterprise Linux, CentOS, and Oracle Linux version (sysklog) is not supported for syslog event collection. To collect syslog data from this version of these distributions, the rsyslog daemon should be installed and configured to replace sysklog.

Network requirements

See Log Analytics agent overview for the network requirements for the Linux agent.

Workspace ID and key

Regardless of the installation method used, you'll require the workspace ID and key for the Log Analytics workspace that the agent will connect to. Select the workspace from the Log Analytics workspaces menu in the Azure portal. Then select Agents management in the Settings section.

Workspace details

Agent install package

The Log Analytics agent for Linux is composed of multiple packages. The release file contains the following packages, which are available by running the shell bundle with the --extract parameter:

Package Version Description
omsagent 1.14.19 The Log Analytics Agent for Linux
omsconfig 1.1.1 Configuration agent for the Log Analytics agent
omi 1.6.9 Open Management Infrastructure (OMI) -- a lightweight CIM Server. Note that OMI requires root access to run a cron job necessary for the functioning of the service
scx 1.6.9 OMI CIM Providers for operating system performance metrics
apache-cimprov 1.0.1 Apache HTTP Server performance monitoring provider for OMI. Only installed if Apache HTTP Server is detected.
mysql-cimprov 1.0.1 MySQL Server performance monitoring provider for OMI. Only installed if MySQL/MariaDB server is detected.
docker-cimprov 1.0.0 Docker provider for OMI. Only installed if Docker is detected.

Agent installation details

Important

The legacy Log Analytics agent will be deprecated by August 2024. Migrate to Azure Monitor agent before August 2024 to continue ingesting data.

Installing the Log Analytics agent for Linux packages also applies the system-wide configuration changes below. Uninstalling the omsagent package removes these artifacts.

  • A non-privileged user named: omsagent is created. The daemon runs under this credential.
  • A sudoers include file is created in /etc/sudoers.d/omsagent. This authorizes omsagent to restart the syslog and omsagent daemons. If sudo include directives aren't supported in the installed version of sudo, these entries will be written to /etc/sudoers.
  • The syslog configuration is modified to forward a subset of events to the agent. For more information, see Configure Syslog data collection.

On a monitored Linux computer, the agent is listed as omsagent. omsconfig is the Log Analytics agent for Linux configuration agent that looks for new portal side configuration every 5 minutes. The new and updated configuration is applied to the agent configuration files located at /etc/opt/microsoft/omsagent/conf/omsagent.conf.

Install the agent

Important

The legacy Log Analytics agent will be deprecated by August 2024. Migrate to Azure Monitor agent before August 2024 to continue ingesting data.

The following steps configure setup of the agent for Log Analytics in Azure and Azure Government cloud using the wrapper script for Linux computers that can communicate directly or through a proxy server to download the agent hosted on GitHub and install the agent.

If your Linux computer needs to communicate through a proxy server to Log Analytics, this configuration can be specified on the command line by including -p [protocol://][user:password@]proxyhost[:port]. The protocol property accepts http or https, and the proxyhost property accepts a fully qualified domain name or IP address of the proxy server.

For example: https://proxy01.contoso.com:30443

If authentication is required in either case, you need to specify the username and password. For example: https://user01:password@proxy01.contoso.com:30443

  1. To configure the Linux computer to connect to a Log Analytics workspace, run the following command providing the workspace ID and primary key. The following command downloads the agent, validates its checksum, and installs it.

    wget https://raw.githubusercontent.com/Microsoft/OMS-Agent-for-Linux/master/installer/scripts/onboard_agent.sh && sh onboard_agent.sh -w <YOUR WORKSPACE ID> -s <YOUR WORKSPACE PRIMARY KEY>
    

    The following command includes the -p proxy parameter and example syntax when authentication is required by your proxy server:

     wget https://raw.githubusercontent.com/Microsoft/OMS-Agent-for-Linux/master/installer/scripts/onboard_agent.sh && sh onboard_agent.sh -p [protocol://]<proxy user>:<proxy password>@<proxyhost>[:port] -w <YOUR WORKSPACE ID> -s <YOUR WORKSPACE PRIMARY KEY>
    
  2. To configure the Linux computer to connect to Log Analytics workspace in Azure Government cloud, run the following command providing the workspace ID and primary key copied earlier. The following command downloads the agent, validates its checksum, and installs it.

    wget https://raw.githubusercontent.com/Microsoft/OMS-Agent-for-Linux/master/installer/scripts/onboard_agent.sh && sh onboard_agent.sh -w <YOUR WORKSPACE ID> -s <YOUR WORKSPACE PRIMARY KEY> -d opinsights.azure.us
    

    The following command includes the -p proxy parameter and example syntax when authentication is required by your proxy server:

     wget https://raw.githubusercontent.com/Microsoft/OMS-Agent-for-Linux/master/installer/scripts/onboard_agent.sh && sh onboard_agent.sh -p [protocol://]<proxy user>:<proxy password>@<proxyhost>[:port] -w <YOUR WORKSPACE ID> -s <YOUR WORKSPACE PRIMARY KEY> -d opinsights.azure.us
    
  3. Restart the agent by running the following command:

    sudo /opt/microsoft/omsagent/bin/service_control restart [<workspace id>]
    

Upgrade from a previous release

Upgrading from a previous version, starting with version 1.0.0-47, is supported in each release. Perform the installation with the --upgrade parameter to upgrade all components of the agent to the latest version.

Note

There will be a warning message during the upgrade "docker provider package installation skipped" since --skip-docker-provider-install flag is set. If you are installing over an existing omsagent install and wish to remove the docker provider, you should first purge the existing installation and then install using the --skip-docker-provider-install flag.

Cache information

Data from the Log Analytics agent for Linux is cached on the local machine at %STATE_DIR_WS%/out_oms_common.buffer* before it's sent to Azure Monitor. Custom log data is buffered in %STATE_DIR_WS%/out_oms_blob.buffer*. The path may be different for some solutions and data types.

The agent attempts to upload every 20 seconds. If it fails, it waits an exponentially increasing length of time until it succeeds: 30 seconds before the second attempt, 60 seconds before the third, 120 seconds, and so on, up to a maximum of 16 minutes between retries until it successfully connects again. The agent retries up to 6 times for a given chunk of data before discarding and moving to the next one. This continues until the agent can successfully upload again. This means that data may be buffered up to approximately 30 minutes before being discarded.

The default cache size is 10 MB but can be modified in the omsagent.conf file.

Next steps