Collect data from Linux-based sources using syslog

  • 6 minutes

Configuring the Azure Monitor Agent for Syslog on Linux machines:

For an Azure Linux VM:

To install the agent on an Azure Linux virtual machine:

  1. In the Azure portal, enter Monitor in the Search resources, services, and docs search bar.

  2. In Monitor, scroll down the left menu to the Settings section and select Data Collection Rules.

  3. In Monitor | Data Collection Rules, select + Create.

    Screenshot of the Monitor Data Collection Rule create page.

  4. On the Data Collection Rule Basics tab, enter a Rule name and specify a Subscription, Resource Group, Region, and Platform Type. For this exercise, select Linux for Platform Type.

  5. Select Next:Resources

  6. On the Data Collection Rule Resources tab, select + Add resources.

  7. In the Select a scope page, expand the Scope column for Subscription and Resource group types until your target VM is displayed.

  8. Select the target VM and select Apply. You should see your Linux VM displayed as a Resource.

    Screenshot of the Monitor Data Collection Rule Add resources and Sect a scope pages

  9. Select Next: Collect and deliver.

  10. On the Data Collection Rule Collect and deliver tab, select + Add data source.

  11. In the Add data source page, select Linux Syslog from the Data source type* drop-down menu, and select Add data source. You should see your Linux Syslog Data source and a Destinations(s) of Azure Monitor Logsdisplayed.

  12. Select Review + create, and Create after Validation passed is displayed.

    Note

    This process initiates the Azure Monitor Linux Agent extension install.

  13. After the process completes, locate Virtual Machines in the Azure portal and select the Linux VM you configured as a Data Collection Rule resource.

  14. On the Virtual machine Overview, scroll down the left menu to the Settings section and select Extensions + applications.

  15. Under the Extensions tab, you should see the AzureMonitorLinuxAgent displayed.

    Screenshot of the Azure Monitor Linux Agent on an Azure VM.

    Note

    If Microsoft Defender for Cloud Auto-provisioning is enabled, the Azure Monitor Linux Agent will be installed by default as an extension using Azure Policy assignment.

For any other Linux machine:

To install the agent on non-Azure Linux physical or virtual machines:

  1. In the Azure portal, enter Arc in the Search resources, services, and docs search bar.

  2. In Azure Arc, scroll down the left menu to the Infrastructure section and select Servers.

  3. On the Servers page, select + Add.

  4. On the Add servers with Azure Arc page, locate the Add a single server box and select Generate script.

  5. On the Add servers with Azure Arc page, Prerequisites tab, review the requirements and select Next.

  6. On the Add servers with Azure Arc page, Resource details tab, select your Subscription and Resource group from the drop-down menus under Project details.

    Tip

    Select an Azure region before creating a new Resource groups.

  7. On the Add servers with Azure Arc page, Resource details tab, select your Region and then select Linux from the Operating system drop-down menu under Server details.

  8. On the Add servers with Azure Arc page, Resource details tab, select the appropriate Connectivity method from the radio buttons under Connectivity method, and then select Next.

    Screenshot of Add a server Azure Arc page.

  9. On the Add servers with Azure Arc page, Tags tab, enter Physical locations tags as needed and select Next.

  10. On the Add servers with Azure Arc page, Download and run script tab, either download or copy the script to the clipboard.

    Tip

    If you're using a Microsoft Windows system with Microsoft Azure, it is easy to copy and paste the script into notepad, then ssh into your Linux machine with PowerShell to run the script in a Bash console.

  11. Open a Bash console as an administrative (root) user on your non-Azure Linux machine and run the script.

    This script does the following:

    • Download an installation script from the Microsoft Download Center.
    • Configure the package manager to use and trust the packages.microsoft.com repository.
    • Download the agent from Microsoft's Linux Software Repository.
    • Install the agent on the server.
    • Create the Azure Arc-enabled server resource and associate it with the agent.

  12. When the script successfully completes you should see a message stating Latest version of azcmagent is installed.

  13. On the Add servers with Azure Arc page, Download and run script tab, select Close.

  14. The next step is to connect your non-Azure Linux server azcmagent to Azure Arc.

  15. Copy and edit the following Bash script to include the required parameters in double quotes:

     azcmagent connect --resource-group "resourceGroupName" --tenant-id "tenantID" --location "regionName" --subscription-id "subscriptionID" --cloud "cloudName"
if [ $? = 0 ]; then echo "\033[33mTo view your onboarded server(s), navigate to https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.HybridCompute%2Fmachines\033[m"; fi

    Tip

    You can use the export (variables) entries from the agent install script you downloaded or copied to fill in the parameters required in the agent connect script.

  16. When the script editing is complete, open a Bash console as an administrative (root) user on your non-Azure Linux machine and run the script.

  17. The script tests connectivity to Azure endpoints and then requests you to sign in to https://microsoft.com/devicelogin and enter the supplied code to authenticate.

    Screenshot of the azcmagent connection script running.

  18. Open a Web browser and navigate to the address as directed, and paste or enter the code into the form and select Next to sign in.

  19. On the Pick an account page, select your administrator account and then select Next. Close browser tabs when complete.

  20. In your Bash console you should see an INFO Connected machine to Azure message.

  21. Verify your non-Azure machine is connected to Azure Arc in the Azure portal by entering Arc in the Search resources, services, and docs search bar.

  22. In Azure Arc, scroll down the left menu to the Infrastructure section and select Servers. You should see your machine with a Status of Connected.

    Screenshot of azure Arc connected Linux server

    Note

    Select Refresh if the Linux machine is not displayed.

  23. The next task is to add your newly connected Azure Arc Linux server to your previously created Data Collection Rule for Syslog.

  24. In the Azure portal, enter DCR in the Search resources, services, and docs search bar.

  25. Select your Syslog Data Collection Rule

  26. In your Data Collection Rule, scroll down the left menu to the Configuration section and select Resources.

  27. In Resources select + Add

  28. In the Select a scope page, expand the Scope column until your Server - Azure Arc Resource type newly connected Linux machine is displayed.

  29. Select the Linux Azure Arc machine and select Apply

  30. The Linux Azure Arc VM is now included as one of the Data Collection Rule Resources.

    Screenshot of Azure Arc Linux resource in Data Collection Rule