You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/azure-monitor/agents/data-sources-syslog.md
+41-33Lines changed: 41 additions & 33 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,23 +1,22 @@
1
1
---
2
-
title: Collect Syslog data sources with Log Analytics agent in Azure Monitor
3
-
description: Syslog is an event logging protocol that is common to Linux. This article describes how to configure collection of Syslog messages in Log Analytics and details of the records they create.
2
+
title: Collect Syslog data sources with the Log Analytics agent in Azure Monitor
3
+
description: Syslog is an event logging protocol that's common to Linux. This article describes how to configure collection of Syslog messages in Log Analytics and details the records they create.
4
4
ms.topic: conceptual
5
5
ms.date: 04/06/2022
6
6
ms.reviewer: luki
7
7
8
8
---
9
9
10
-
# Collect Syslog data sources with Log Analytics agent
11
-
Syslog is an event logging protocol that is common to Linux. Applications will send messages that may be stored on the local machine or delivered to a Syslog collector. When the Log Analytics agent for Linux is installed, it configures the local Syslog daemon to forward messages to the agent. The agent then sends the message to Azure Monitor where a corresponding record is created.
10
+
# Collect Syslog data sources with the Log Analytics agent
Syslog is an event logging protocol that's common to Linux. Applications send messages that might be stored on the local machine or delivered to a Syslog collector. When the Log Analytics agent for Linux is installed, it configures the local Syslog daemon to forward messages to the agent. The agent then sends the messages to Azure Monitor where a corresponding record is created.
> Azure Monitor supports collection of messages sent by rsyslog or syslog-ng, where rsyslog is the default daemon. The default syslog daemon on version 5 of Red Hat Enterprise Linux, CentOS, and Oracle Linux version (sysklog) is not supported for syslog event collection. To collect syslog data from this version of these distributions, the [rsyslog daemon](http://rsyslog.com) should be installed and configured to replace sysklog.
17
+
> Azure Monitor supports collection of messages sent by rsyslog or syslog-ng, where rsyslog is the default daemon. The default Syslog daemon on version 5 of Red Hat Enterprise Linux, CentOS, and Oracle Linux version (sysklog) isn't supported for Syslog event collection. To collect Syslog data from this version of these distributions, the [rsyslog daemon](http://rsyslog.com) should be installed and configured to replace sysklog.
21
20
22
21
The following facilities are supported with the Syslog collector:
23
22
@@ -36,29 +35,33 @@ The following facilities are supported with the Syslog collector:
36
35
* local0-local7
37
36
38
37
For any other facility, [configure a Custom Logs data source](data-sources-custom-logs.md) in Azure Monitor.
39
-
40
-
## Configuring Syslog
38
+
39
+
## Configure Syslog
40
+
41
41
The Log Analytics agent for Linux will only collect events with the facilities and severities that are specified in its configuration. You can configure Syslog through the Azure portal or by managing configuration files on your Linux agents.
42
42
43
43
### Configure Syslog in the Azure portal
44
+
44
45
Configure Syslog from the [Agent configuration menu](../agents/agent-data-sources.md#configuring-data-sources) for the Log Analytics workspace. This configuration is delivered to the configuration file on each Linux agent.
45
46
46
-
You can add a new facility by clicking**Add facility**. For each facility, only messages with the selected severities will be collected. Check the severities for the particular facility that you want to collect. You cannot provide any additional criteria to filter messages.
47
+
You can add a new facility by selecting**Add facility**. For each facility, only messages with the selected severities will be collected. Select the severities for the particular facility that you want to collect. You can't provide any other criteria to filter messages.
[](media/data-sources-syslog/configure.png#lightbox)
49
50
50
-
By default, all configuration changes are automatically pushed to all agents. If you want to configure Syslog manually on each Linux agent, then uncheck the box *Apply below configuration to my machines*.
51
+
By default, all configuration changes are automatically pushed to all agents. If you want to configure Syslog manually on each Linux agent, clear the **Apply below configuration to my machines** checkbox.
51
52
52
53
### Configure Syslog on Linux agent
53
-
When the [Log Analytics agent is installed on a Linux client](../vm/monitor-virtual-machine.md), it installs a default syslog configuration file that defines the facility and severity of the messages that are collected. You can modify this file to change the configuration. The configuration file is different depending on the Syslog daemon that the client has installed.
54
+
55
+
When the [Log Analytics agent is installed on a Linux client](../vm/monitor-virtual-machine.md), it installs a default Syslog configuration file that defines the facility and severity of the messages that are collected. You can modify this file to change the configuration. The configuration file is different depending on the Syslog daemon that the client has installed.
54
56
55
57
> [!NOTE]
56
-
> If you edit the syslog configuration, you must restart the syslog daemon for the changes to take effect.
58
+
> If you edit the Syslog configuration, you must restart the Syslog daemon for the changes to take effect.
57
59
>
58
60
>
59
61
60
62
#### rsyslog
61
-
The configuration file for rsyslog is located at **/etc/rsyslog.d/95-omsagent.conf**. Its default contents are shown below. This collects syslog messages sent from the local agent for all facilities with a level of warning or higher.
63
+
64
+
The configuration file for rsyslog is located at `/etc/rsyslog.d/95-omsagent.conf`. Its default contents are shown in the following example. This example collects Syslog messages sent from the local agent for all facilities with a level of warning or higher.
You can remove a facility by removing its section of the configuration file. You can limit the severities that are collected for a particular facility by modifying that facility's entry. For example, to limit the user facility to messages with a severity of error or higher you would modify that line of the configuration file to the following:
86
+
You can remove a facility by removing its section of the configuration file. You can limit the severities that are collected for a particular facility by modifying that facility's entry. For example, to limit the user facility to messages with a severity of error or higher, you would modify that line of the configuration file to the following example:
84
87
85
88
```config
86
89
user.error @127.0.0.1:25224
87
90
```
88
91
89
92
#### syslog-ng
90
-
The configuration file for syslog-ng is location at **/etc/syslog-ng/syslog-ng.conf**. Its default contents are shown below. This collects syslog messages sent from the local agent for all facilities and all severities.
93
+
94
+
The configuration file for syslog-ng is located at `/etc/syslog-ng/syslog-ng.conf`. Its default contents are shown in this example. This example collects Syslog messages sent from the local agent for all facilities and all severities.
91
95
92
96
```config
93
97
#
@@ -140,23 +144,24 @@ filter f_user_oms { level(alert,crit,debug,emerg,err,info,notice,warning) and fa
You can remove a facility by removing its section of the configuration file. You can limit the severities that are collected for a particular facility by removing them from its list. For example, to limit the user facility to just alert and critical messages, you would modify that section of the configuration file to the following:
147
+
You can remove a facility by removing its section of the configuration file. You can limit the severities that are collected for a particular facility by removing them from its list. For example, to limit the user facility to alert only critical messages, you would modify that section of the configuration file as shown in the following example:
144
148
145
149
```config
146
150
#OMS_facility = user
147
151
filter f_user_oms { level(alert,crit) and facility(user); };
The Log Analytics agent listens for Syslog messages on the local client on port 25224. When the agent is installed, a default syslog configuration is applied and found in the following location:
155
+
### Collect data from other Syslog ports
156
+
157
+
The Log Analytics agent listens for Syslog messages on the local client on port 25224. When the agent is installed, a default Syslog configuration is applied and found in the following location:
153
158
154
159
* Rsyslog: `/etc/rsyslog.d/95-omsagent.conf`
155
160
* Syslog-ng: `/etc/syslog-ng/syslog-ng.conf`
156
161
157
-
You can change the port number by creating two configuration files: a FluentD config file and a rsyslog-or-syslog-ng file depending on the Syslog daemon you have installed.
162
+
You can change the port number by creating two configuration files: a FluentD config file and a rsyslog-or-syslog-ng file depending on the Syslog daemon you have installed.
158
163
159
-
* The FluentD config file should be a new file located in:`/etc/opt/microsoft/omsagent/conf/omsagent.d` and replace the value in the **port** entry with your custom port number.
164
+
* The FluentD config file should be a new file located in `/etc/opt/microsoft/omsagent/conf/omsagent.d` and replace the value in the `port` entry with your custom port number.
160
165
161
166
```xml
162
167
<source>
@@ -170,7 +175,7 @@ You can change the port number by creating two configuration files: a FluentD co
170
175
type filter_syslog
171
176
```
172
177
173
-
* For rsyslog, you should create a new configuration file located in: `/etc/rsyslog.d/` and replace the value %SYSLOG_PORT% with your custom port number.
178
+
* For rsyslog, you should create a new configuration file located in `/etc/rsyslog.d/` and replace the value `%SYSLOG_PORT%` with your custom port number.
174
179
175
180
> [!NOTE]
176
181
> If you modify this value in the configuration file `95-omsagent.conf`, it will be overwritten when the agent applies a default configuration.
@@ -184,10 +189,10 @@ You can change the port number by creating two configuration files: a FluentD co
184
189
auth.warning @127.0.0.1:%SYSLOG_PORT%
185
190
```
186
191
187
-
* The syslog-ng config should be modified by copying the example configuration shown below and adding the custom modified settings to the end of the syslog-ng.conf configuration file located in `/etc/syslog-ng/`. Do **not** use the default label **%WORKSPACE_ID%_oms** or **%WORKSPACE_ID_OMS**, define a custom label to help distinguish your changes.
192
+
* The syslog-ng config should be modified by copying the example configuration shown next and adding the custom modified settings to the end of the `syslog-ng.conf` configuration file located in `/etc/syslog-ng/`. Do *not* use the default label `%WORKSPACE_ID%_oms` or `%WORKSPACE_ID_OMS`. Define a custom label to help distinguish your changes.
188
193
189
194
> [!NOTE]
190
-
> If you modify the default values in the configuration file, they will be overwritten when the agent applies a default configuration.
195
+
> If you modify the default values in the configuration file, they'll be overwritten when the agent applies a default configuration.
191
196
>
192
197
193
198
```config
@@ -196,10 +201,11 @@ You can change the port number by creating two configuration files: a FluentD co
0 commit comments