
Azure Monitoring Agent with Microsoft Sentinel

Last updated on 30. November 2022

Microsoft released a new agent named Azure Monitoring Agent (AMA) to forward logs to a Log Analytics workspace and is about to retire the old Microsoft Monitoring Agent (MMA). At the time of writing not every feature is available: the CEF collector, which is especially useful for Microsoft Sentinel, is still not GA for AMA. For the Microsoft documentation, see Azure Monitor Agent overview.

Also, if you want to use the newest Linux distributions, you have to use the AMA. Be aware that not every old distribution is supported by AMA. For a complete list, check the Microsoft article Azure Monitor overview – Operating system.

You also have to be aware that Azure Arc is needed if you want to connect on-premises systems.


Installation prerequisites for Azure Monitoring Agent

To install the Azure Monitoring Agent, make sure you meet the prerequisites:

  • Use the VM extension if the system is in Azure
  • Use Azure Arc if the system is on-premises, and then use the VM extension
  • Windows 10/11 desktops and workstations use the MSI installer
  • Windows 10/11 laptops use the MSI installer

If the scope is defined, make sure that the necessary rights are granted to onboard the agent. Microsoft gives the following description:

Needed permission for AMA installation

Furthermore, the network path has to be clear: you have to know whether a proxy is used and, if so, how it has to be configured.


Syslog-ng

In my example I use an Ubuntu 20.04 image and syslog-ng as the syslog service. The following commands are used to update the system and install the service:

sudo -i
apt-get update
apt-get dist-upgrade
apt-get install syslog-ng
apt-get install python-is-python3

After the installation, I adjust the configuration file /etc/syslog-ng/syslog-ng.conf to include a source for TCP and UDP port 514:

source s_src { udp(port(514)); tcp(port(514)); };

After I changed or added the source, I comment out every log statement, because I do not want syslog-ng to store the logs locally. Save and exit the file.

Now you have to restart the service:

systemctl restart syslog-ng
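The two edits above (adding the port 514 listeners to the s_src source and commenting out the log statements) can be applied and checked with a small script instead of by hand. The following is an added example, not code from the original post; it assumes Ubuntu's default syslog-ng.conf layout, where a one-line "source s_src { system(); internal(); };" already exists (syslog-ng rejects a second definition with the same name, so the script extends that block rather than adding another), and it only touches the file you pass to it, so anything AMA later places under conf.d is left alone. Multi-line log statements are counted and reported rather than edited.

```shell
#!/bin/sh
# Added example, not from the original post: apply the two syslog-ng edits the
# post describes without hand-editing, and check the result before restarting.
#   1. make source s_src listen on UDP and TCP port 514
#   2. comment out every one-line "log { ... };" statement so syslog-ng stops
#      writing local files
# Assumption: Ubuntu's default layout with a single-line "source s_src { ... };".

# Extend the existing s_src block with the two listeners, or create the block.
add_syslog_listeners() {
    conf="$1"
    if grep -qF 'udp(port(514))' "$conf"; then
        return 0                                  # already done, stay idempotent
    fi
    if grep -q '^source s_src {' "$conf"; then
        # syslog-ng rejects a second "source s_src" definition, so extend the first one
        sed 's/^source s_src {/source s_src { udp(port(514)); tcp(port(514));/' "$conf" \
            > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        printf '%s\n' 'source s_src { udp(port(514)); tcp(port(514)); };' >> "$conf"
    fi
}

# Comment out every single-line log statement (the local file destinations).
disable_local_log_paths() {
    conf="$1"
    sed 's/^\([[:space:]]*log[[:space:]]*{.*};\)/#\1/' "$conf" > "$conf.tmp" \
        && mv "$conf.tmp" "$conf"
}

# Count log statements that are still active (multi-line ones, to be handled by hand).
remaining_active_log_paths() {
    grep -c '^[[:space:]]*log[[:space:]]*{' "$1" || true
}

# Syntax-check the file with syslog-ng itself when it is installed.
validate_syslog_ng_conf() {
    if command -v syslog-ng >/dev/null 2>&1; then
        syslog-ng --syntax-only --cfgfile "$1"
    else
        echo "syslog-ng not installed here, syntax check skipped" >&2
    fi
}

# Usage: sh prepare_syslog_ng.sh /etc/syslog-ng/syslog-ng.conf
if [ "$#" -eq 1 ]; then
    add_syslog_listeners "$1"
    disable_local_log_paths "$1"
    echo "log statements left for manual review: $(remaining_active_log_paths "$1")"
    validate_syslog_ng_conf "$1"
fi
```

Run it against a copy of the config first; if it reports log statements left for review, those span several lines (Ubuntu's console log path does) and need to be commented out by hand before the restart.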

Azure Arc

If you want to install the Azure Arc agent on a Windows or Linux system, please see my article First steps with Azure Arc, where I go through the installation via the UI. After the installation of the Azure Arc agent, we are able to install the AMA.

If your environment uses a proxy and you already installed the Azure Arc agent with proxy settings, be aware that you cannot configure AMA to use a proxy through the graphical interface. Instead, use PowerShell and the module Az.ConnectedMachine. See the PowerShell commands below and adjust them for your environment:

# Check whether the module is already installed
Get-Module -ListAvailable -Name Az.ConnectedMachine

# Install the module if it is missing
Install-Module -Name Az.ConnectedMachine -Force

# Sign in to your Azure environment
Connect-AzAccount

# Proxy settings for the extension; the address must be a string, e.g. "http://<proxy-host>:<port>"
$settingsString = @{"proxy" = @{mode = "application"; address = "<URL:PORT>"; auth = "false"}}

# Install the agent; replace resource group, machine name, location and subscription id with your values
New-AzConnectedMachineExtension -Name AzureMonitorLinuxAgent -ExtensionType AzureMonitorLinuxAgent -Publisher Microsoft.Azure.Monitor -ResourceGroupName "<RG-NAME>" -MachineName "<VM-NAME>" -Location "<LOCATION>" -Setting $settingsString -SubscriptionId "<SUBSCRIPTION-ID>"

Data collection rule

At this point you should have a syslog server onboarded in Azure Arc with the Azure Monitor Agent installed. Now you might be curious why no logs arrive. This is because Microsoft has created a new configuration object that defines, at a granular level, which events should be collected and where the logs have to be sent. To create a new Data collection rule, navigate to your Log Analytics workspace and click on Agents management and then Data Collection Rules:

Navigate to Data Collection Rules

Create a new rule:

Create new Data Collection Rule

Choose a name, Resource Group, Region and Platform and click Next:

Setting basic information

You can already choose whether you want to assign resources (VMs) and whether you want to create an endpoint. Resources can also be assigned later. The endpoint can be used to define a fixed point where data is sent to:

Configuring resources

At the Collect and deliver tab you can choose Syslog as the data source and the destination where the data is sent. For the data source you have to configure, per facility, which minimum severity you want to receive:

Choosing facility and severity
Choosing sentinel Log Analytics workspace

After this is completed, the rule is pushed to the agent on the syslog machine and data should start to come in.
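Because the DCR filters on facility and severity, the quickest way to confirm the rule behaves as intended is to send a few test messages whose facility and severity you control and then look for them in the Syslog table. The following script is an added example, not part of the original post: it encodes the syslog PRI value (facility * 8 + severity, as defined in RFC 3164), builds a classic syslog line and sends one message per facility/severity pair to the collector. It assumes the syslog-ng host from this post is listening on UDP 514 and that an OpenBSD-style nc is available on the sending machine; the collector address and the "dcrcheck" tag are placeholders you can change.

```shell
#!/bin/sh
# Added example, not from the original post: craft RFC 3164 test messages with a
# known facility and severity and send them to the syslog-ng collector, so the
# facility/severity filter chosen in the DCR can be verified in the Syslog table.
# Assumptions: collector listens on UDP 514 (as configured in the post) and an
# OpenBSD-style nc is installed on the sending host.

# Facility codes from RFC 3164 section 4.1.1.
syslog_facility_code() {
    case "$1" in
        kern) echo 0 ;;    user) echo 1 ;;    mail) echo 2 ;;      daemon) echo 3 ;;
        auth) echo 4 ;;    syslog) echo 5 ;;  lpr) echo 6 ;;       news) echo 7 ;;
        uucp) echo 8 ;;    cron) echo 9 ;;    authpriv) echo 10 ;; ftp) echo 11 ;;
        local0) echo 16 ;; local1) echo 17 ;; local2) echo 18 ;;   local3) echo 19 ;;
        local4) echo 20 ;; local5) echo 21 ;; local6) echo 22 ;;   local7) echo 23 ;;
        *) echo "unknown facility: $1" >&2; return 1 ;;
    esac
}

# Severity codes from RFC 3164 section 4.1.1.
syslog_severity_code() {
    case "$1" in
        emerg) echo 0 ;;   alert) echo 1 ;;  crit) echo 2 ;; err) echo 3 ;;
        warning) echo 4 ;; notice) echo 5 ;; info) echo 6 ;; debug) echo 7 ;;
        *) echo "unknown severity: $1" >&2; return 1 ;;
    esac
}

# PRI is the single number the collector (and therefore the DCR filter) decodes
# facility and severity from.
syslog_pri() {
    f=$(syslog_facility_code "$1") || return 1
    s=$(syslog_severity_code "$2") || return 1
    echo $((f * 8 + s))
}

# Assemble "<PRI>TIMESTAMP HOSTNAME TAG: MSG". The timestamp is a parameter so
# the output is reproducible.
build_syslog_message() {
    pri=$(syslog_pri "$1" "$2") || return 1
    printf '<%s>%s %s %s: %s' "$pri" "$3" "$4" "$5" "$6"
}

# Send one message per facility/severity pair; the fixed tag "dcrcheck" makes
# them easy to find afterwards.
send_test_messages() {
    collector="$1"; port="${2:-514}"
    ts=$(date '+%b %e %H:%M:%S')
    host=$(hostname)
    for pair in "local4 notice" "auth warning" "daemon debug"; do
        set -- $pair
        msg=$(build_syslog_message "$1" "$2" "$ts" "$host" dcrcheck \
              "DCR test $1/$2 $(date +%s)") || return 1
        printf '%s' "$msg" | nc -u -w1 "$collector" "$port"
    done
}

# Usage: sh syslog_dcr_check.sh <COLLECTOR-IP> [PORT]
if [ "$#" -ge 1 ]; then
    send_test_messages "$1" "${2:-514}"
fi
```

After a few minutes, query the Syslog table for rows whose ProcessName is "dcrcheck" and compare the Facility and SeverityLevel columns with the pairs you sent: pairs covered by the DCR should be present, and pairs below the configured minimum severity (here daemon/debug, unless you collect debug) should be missing. Choose pairs that sit on both sides of your rule's thresholds so the check is meaningful.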


Conclusion

With data collection rules it is possible to define exactly where to send which data. To check which data arrives, take a look at the Syslog Overview workbook and the Syslog table.

Syslog Workbook

In a later post I will explain which logs you should definitely transfer and where you need a good reason to do so, because the more data you ingest, the more it costs. Imagine you have to configure every firewall in your company: how much would it cost? With only a handful you do not get into trouble so fast, but in a big company this topic needs much more attention.

If you find this post helpful, please share it or leave a comment! Let’s get connected on LinkedIn or Twitter to keep in touch and discuss!


Published in Azure, Security, Sentinel
