Merge pull request #237746 from NarineM/main

Add AMA syslog tutorial and refactor syslog troubleshooting articles

Author: v-dirichards

articles/azure-monitor/agents/agents-overview.md

@@ -73,7 +73,7 @@ Azure Monitor Agent uses [data collection rules](../essentials/data-collection-r
     |:---|:---|:---|
     | Performance | Azure Monitor Metrics (Public preview)<sup>1</sup> - Insights.virtualmachine namespace<br>Log Analytics workspace - [Perf](/azure/azure-monitor/reference/tables/perf) table | Numerical values measuring performance of different aspects of operating system and workloads |
     | Windows event logs (including sysmon events) | Log Analytics workspace - [Event](/azure/azure-monitor/reference/tables/Event) table | Information sent to the Windows event logging system |
-    | Syslog | Log Analytics workspace - [Syslog](/azure/azure-monitor/reference/tables/syslog)<sup>2</sup> table | Information sent to the Linux event logging system |
+    | Syslog | Log Analytics workspace - [Syslog](/azure/azure-monitor/reference/tables/syslog)<sup>2</sup> table | Information sent to the Linux event logging system. [Collect syslog with Azure Monitor Agent](data-collection-syslog.md) |
     |	Text logs and Windows IIS logs	|	Log Analytics workspace - custom table(s) created manually |	[Collect text logs with Azure Monitor Agent](data-collection-text-log.md)	|
 
 

articles/azure-monitor/agents/azure-monitor-agent-troubleshoot-linux-vm-rsyslog.md

@@ -1,25 +1,37 @@
 ---
-title: Rsyslog data not uploaded due to Full Disk space issue on AMA Linux Agent
+title: Syslog troubleshooting on AMA Linux Agent
 description: Guidance for troubleshooting rsyslog issues on Linux virtual machines, scale sets with Azure Monitor agent and Data Collection Rules.
 ms.topic: conceptual
 ms.date: 5/3/2022
 ms.custom: references_region
 ms.reviewer: shseth
 ---
-
-# Rsyslog data not uploaded due to Full Disk space issue on AMA Linux Agent
-
-## Symptom
+# Syslog issue troubleshooting guide for Azure Monitor Linux Agent
+Here's how AMA collects syslog events:  
+
+- AMA installs an output configuration for the system syslog daemon during the installation process. The configuration file specifies the way events flow between the syslog daemon and AMA.
+- For `rsyslog` (most Linux distributions), the configuration file is `/etc/rsyslog.d/10-azuremonitoragent.conf`. For `syslog-ng`, the configuration file is `/etc/syslog-ng/conf.d/azuremonitoragent.conf`.
+- AMA listens to a UNIX domain socket to receive events from `rsyslog` / `syslog-ng`. The socket path for this communication is `/run/azuremonitoragent/default_syslog.socket`
+- The syslog daemon will use queues when AMA ingestion is delayed, or when AMA isn't reachable.
+- AMA ingests syslog events via the aforementioned socket and filters them based on facility / severity combination from DCR configuration in `/etc/opt/microsoft/azuremonitoragent/config-cache/configchunks/`. Any `facility` / `severity` not present in the DCR will be dropped.
+- AMA attempts to parse events in accordance with **RFC3164** and **RFC5424**. Additionally, it knows how to parse the message formats listed [here](./azure-monitor-agent-overview.md#data-sources-and-destinations).
+- AMA identifies the destination endpoint for Syslog events from the DCR configuration and attempts to upload the events. 
+	> [!NOTE]
+	> AMA uses local persistency by default, all events received from `rsyslog` / `syslog-ng` are queued in `/var/opt/microsoft/azuremonitoragent/events` if they fail to be uploaded.
+	
+## Rsyslog data not uploaded due to full disk space issue on Azure Monitor Linux Agent
+
+### Symptom
 **Syslog data is not uploading**: When inspecting the error logs at `/var/opt/microsoft/azuremonitoragent/log/mdsd.err`, you'll see entries about *Error while inserting item to Local persistent store…No space left on device* similar to the following snippet:
 
 ```
 2021-11-23T18:15:10.9712760Z: Error while inserting item to Local persistent store syslog.error: IO error: No space left on device: While appending to file: /var/opt/microsoft/azuremonitoragent/events/syslog.error/000555.log: No space left on device
 ```
 
-## Cause
+### Cause
 Linux AMA buffers events to `/var/opt/microsoft/azuremonitoragent/events` prior to ingestion. On a default Linux AMA install, this directory will take ~650MB of disk space at idle. The size on disk will increase when under sustained logging load. It will get cleaned up about every 60 seconds and will reduce back to ~650 MB when the load returns to idle.
 
-### Confirming the issue of Full Disk
+### Confirming the issue of full disk
 The `df` command shows almost no space available on `/dev/sda1`, as shown below:
 
 ```bash
@@ -61,12 +73,12 @@ none      849   root  txt    REG    0,1       8632     0 16764 / (deleted)
 rsyslogd 1484 syslog   14w   REG    8,1 3601566564     0 35280 /var/log/syslog (deleted)
 ```
 
-### Issue: rsyslog default configuration logs all facilities to /var/log/syslog
+## Issue: rsyslog default configuration logs all facilities to /var/log/syslog
 On some popular distros (for example Ubuntu 18.04 LTS), rsyslog ships with a default configuration file (`/etc/rsyslog.d/50-default.conf`) which will log events from nearly all facilities to disk at `/var/log/syslog`.
 
 AMA doesn't rely on syslog events being logged to `/var/log/syslog`. Instead, it configures rsyslog to forward events over a socket directly to the azuremonitoragent service process (mdsd).
 
-#### Fix: Remove high-volume facilities from /etc/rsyslog.d/50-default.conf
+### Fix: Remove high-volume facilities from /etc/rsyslog.d/50-default.conf
 If you're sending a high log volume through rsyslog, consider modifying the default rsyslog config to avoid logging these events to this location `/var/log/syslog`. The events for this facility would still be forwarded to AMA because of the config in `/etc/rsyslog.d/10-azuremonitoragent.conf`.
 
 1. For example, to remove local4 events from being logged at `/var/log/syslog`, change this line in `/etc/rsyslog.d/50-default.conf` from this:
@@ -81,7 +93,7 @@ If you're sending a high log volume through rsyslog, consider modifying the defa
 	```
 2. `sudo systemctl restart rsyslog`
 
-### Issue: AMA Event Buffer is Filling Disk
+## Issue: Azure Monitor Linux Agent Event Buffer is Filling Disk
 If you observe the `/var/opt/microsoft/azuremonitor/events` directory growing unbounded (10 GB or higher) and not reducing in size, [file a ticket](#file-a-ticket) with **Summary** as 'AMA Event Buffer is filling disk' and **Problem type** as 'I need help configuring data collection from a VM'.
 
 [!INCLUDE [azure-monitor-agent-file-a-ticket](../../../includes/azure-monitor-agent/azure-monitor-agent-file-a-ticket.md)]

articles/azure-monitor/agents/azure-monitor-agent-troubleshoot-linux-vm.md

@@ -50,20 +50,9 @@ Follow the steps below to troubleshoot the latest version of the Azure Monitor a
 	2. If not, [file a ticket](#file-a-ticket) with **Summary** as 'AMA unable to download DCR config' and **Problem type** as 'I need help with Azure Monitor Linux Agent'.  
 
 
-## Issues collecting Performance counters
 
 ## Issues collecting Syslog
-Here's how AMA collects syslog events:  
-
-- AMA installs an output configuration for the system syslog daemon during the installation process. The configuration file specifies the way events flow between the syslog daemon and AMA.
-- For `rsyslog` (most Linux distributions), the configuration file is `/etc/rsyslog.d/10-azuremonitoragent.conf`. For `syslog-ng`, the configuration file is `/etc/syslog-ng/conf.d/azuremonitoragent.conf`.
-- AMA listens to a UNIX domain socket to receive events from `rsyslog` / `syslog-ng`. The socket path for this communication is `/run/azuremonitoragent/default_syslog.socket`
-- The syslog daemon will use queues when AMA ingestion is delayed, or when AMA isn't reachable.
-- AMA ingests syslog events via the aforementioned socket and filters them based on facility / severity combination from DCR configuration in `/etc/opt/microsoft/azuremonitoragent/config-cache/configchunks/`. Any `facility` / `severity` not present in the DCR will be dropped.
-- AMA attempts to parse events in accordance with **RFC3164** and **RFC5424**. Additionally, it knows how to parse the message formats listed [here](./azure-monitor-agent-overview.md#data-sources-and-destinations).
-- AMA identifies the destination endpoint for Syslog events from the DCR configuration and attempts to upload the events. 
-	> [!NOTE]
-	> AMA uses local persistency by default, all events received from `rsyslog` / `syslog-ng` are queued in `/var/opt/microsoft/azuremonitoragent/events` before being uploaded.  
+For more information on how to troubleshoot syslog issues with Azure Monitor Agent see [here](azure-monitor-agent-troubleshoot-linux-vm-rsyslog.md).  
 
 - The quality of service (QoS) file `/var/opt/microsoft/azuremonitoragent/log/mdsd.qos` provides CSV-format 15-minute aggregations of the processed events and contains the information on the amount of the processed syslog events in the given timeframe. **This file is useful in tracking Syslog event ingestion drops**.  
 

articles/azure-monitor/agents/data-collection-syslog.md

@@ -0,0 +1,194 @@
+---
+title: Collect syslog with Azure Monitor Agent 
+description: Configure collection of syslog logs using a data collection rule on virtual machines with the Azure Monitor Agent.
+ms.topic: conceptual
+ms.date: 05/10/2023
+author: narinem
+ms.author: narinem
+ms.reviewer: glinuxagent
+---
+
+# Collect syslog with Azure Monitor Agent overview
+
+Syslog is an event logging protocol that's common to Linux. You can use the Syslog daemon built into Linux devices and appliances to collect local events of the types you specify, and have it send those events to Log Analytics Workspace. Applications send messages that might be stored on the local machine or delivered to a Syslog collector. When the Azure Monitor agent for Linux is installed, it configures the local Syslog daemon to forward messages to the agent when syslog collection is enabled in [data collection rule (DCR)](../essentials/data-collection-rule-overview.md). The Azure Monitor Agent then sends the messages to Azure Monitor/Log Analytics workspace where a corresponding syslog record is created in [Syslog table](https://learn.microsoft.com/azure/azure-monitor/reference/tables/syslog).
+
+![Diagram that shows Syslog collection.](media/data-sources-syslog/overview.png)
+
+![Diagram that shows Syslog daemon and Azure Monitor Agent communication.](media/azure-monitor-agent/linux-agent-syslog-communication.png)
+
+The following facilities are supported with the Syslog collector:
+* auth
+* authpriv
+* cron
+* daemon
+* mark
+* kern
+* lpr
+* mail
+* news
+* syslog
+* user
+* uucp
+* local0-local7
+
+For some device types that don't allow local installation of the Azure Monitor agent, the agent can be installed instead on a dedicated Linux-based log forwarder. The originating device must be configured to send Syslog events to the Syslog daemon on this forwarder instead of the local daemon. Please see [Sentinel documents](https://learn.microsoft.com/azure/sentinel/connect-syslog#architecture) for more information.
+
+## Configure Syslog
+
+The Azure Monitor agent for Linux will only collect events with the facilities and severities that are specified in its configuration. You can configure Syslog through the Azure portal or by managing configuration files on your Linux agents. 
+
+### Configure Syslog in the Azure portal
+Configure Syslog from the Data Collection Rules menu of the Azure Monitor. This configuration is delivered to the configuration file on each Linux agent.
+* Select Add data source.
+* For Data source type, select Linux syslog
+
+You can collect syslog events with different log level for each facility. By default, all syslog facility types will be collected. If you do not want to collect for example events of `auth`  type, select `none` in the `Minimum log level` list box for `auth` facility and save the changes. If you need to change default log level for syslog events and collect only events with log level starting “NOTICE” or higher priority, select “LOG_NOTICE” in “Minimum log level” list box. 
+
+By default, all configuration changes are automatically pushed to all agents that are configured in the DCR.
+
+### Create a data collection rule
+
+Create a *data collection rule* in the same region as your Log Analytics workspace.
+A data collection rule is an Azure resource that allows you to define the way  data should be handled as it's ingested into the workspace.
+
+1. Sign in to the [Azure portal](https://portal.azure.com).
+1. Search for and open **Monitor**.
+1. Under **Settings**, select **Data Collection Rules**.
+1. Select **Create**.
+
+   :::image type="content" source="../../sentinel/media/forward-syslog-monitor-agent/create-data-collection-rule.png" alt-text="Screenshot of the data collections rules pane with the create option selected.":::
+
+
+#### Add resources
+1. Select **Add resources**.
+1. Use the filters to find the virtual machine that you'll use to collect logs.
+   :::image type="content" source="../../sentinel/media/forward-syslog-monitor-agent/create-rule-scope.png" alt-text="Screenshot of the page to select the scope for the data collection rule. ":::
+1. Select the virtual machine.
+1. Select **Apply**.
+1. Select **Next: Collect and deliver**.
+
+#### Add data source
+
+1. Select **Add data source**.
+1. For **Data source type**, select **Linux syslog**.
+   :::image type="content" source="../../sentinel/media/forward-syslog-monitor-agent/create-rule-data-source.png" alt-text="Screenshot of page to select data source type and minimum log level.":::
+1. For **Minimum log level**, leave the default values **LOG_DEBUG**.
+1. Select **Next: Destination**.
+
+#### Add destination
+
+1. Select **Add destination**.
+
+   :::image type="content" source="../../sentinel/media/forward-syslog-monitor-agent/create-rule-add-destination.png" alt-text="Screenshot of the destination tab with the add destination option selected.":::
+1. Enter the following values:
+
+   |Field   |Value |
+   |---------|---------|
+   |Destination type     | Azure Monitor Logs    |
+   |Subscription     | Select the appropriate subscription        |
+   |Account or namespace    |Select the appropriate Log Analytics workspace|
+
+1. Select **Add data source**.
+1. Select **Next: Review + create**.
+
+## Configure Syslog on Linux Agent 
+When the Azure Monitoring Agent is installed on Linux machine it installs a default Syslog configuration file that defines the facility and severity of the messages that are collected if syslog is enabled in DCR. The configuration file is different depending on the Syslog daemon that the client has installed. 
+
+### Rsyslog
+On many Linux distributions, the rsyslogd daemon is responsible for consuming, storing, and routing log messages sent using the Linux syslog API. Azure Monitor agent uses the unix domain socket output module (omuxsock) in rsyslog to forward log messages to the Azure Monitor Agent. The AMA installation includes default config files that get placed under the following directory:
+`/etc/opt/microsoft/azuremonitoragent/syslog/rsyslogconf/05-azuremonitoragent-loadomuxsock.conf`
+`/etc/opt/microsoft/azuremonitoragent/syslog/rsyslogconf/05-azuremonitoragent-loadomuxsock.conf`
+
+When syslog is added to data collection rule, these configuration files will be installed under `etc/rsyslog.d` system directory and rsyslog will be automatically restarted for the changes to take effect. These files are used by rsyslog to load the output module and forward the events to Azure Monitoring agent daemon using defined rules. The builtin omuxsock module cannot be loaded more than once. Therefore, the configurations for loading of the module and forwarding of the events with corresponding forwarding format template are split in two different files. Its default contents are shown in the following example. This example collects Syslog messages sent from the local agent for all facilities with all log levels.
+```
+$ cat /etc/rsyslog.d/10-azuremonitoragent.conf
+# Azure Monitor Agent configuration: forward logs to azuremonitoragent
+$OMUxSockSocket /run/azuremonitoragent/default_syslog.socket
+template(name="AMA_RSYSLOG_TraditionalForwardFormat" type="string" string="<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg%") 
+$OMUxSockDefaultTemplate AMA_RSYSLOG_TraditionalForwardFormat
+# Forwarding all events through Unix Domain Socket
+*.* :omuxsock: 
+```
+ 
+```
+$ cat /etc/rsyslog.d/05-azuremonitoragent-loadomuxsock.conf
+# Azure Monitor Agent configuration: load rsyslog forwarding module. 
+$ModLoad omuxsock
+```
+Note that on some legacy systems such as CentOS 7.3 we have seen rsyslog log formatting issues when using traditional forwarding format to send syslog events to Azure Monitor Agent and for these systems, Azure Monitor Agent is automatically placing legacy forwarder template instead: 
+`template(name="AMA_RSYSLOG_TraditionalForwardFormat" type="string" string="%TIMESTAMP% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg%\n")`
+
+
+### Syslog-ng 
+
+The configuration file for syslog-ng is installed at `/etc/opt/microsoft/azuremonitoragent/syslog/syslog-ngconf/azuremonitoragent.conf`. When Syslog collection is added to data collection rule, this configuration file will be placed under `/etc/syslog-ng/conf.d/azuremonitoragent.conf` system directory and syslog-ng will be automatically restarted for the changes to take effect. Its default contents are shown in this example. This example collects Syslog messages sent from the local agent for all facilities and all severities. 
+```
+$ cat /etc/syslog-ng/conf.d/azuremonitoragent.conf 
+# Azure MDSD configuration: syslog forwarding config for mdsd agent options {}; 
+
+# during install time, we detect if s_src exist, if it does then we 
+
+# replace it by appropriate source name like in redhat 's_sys' 
+
+# Forwrding using unix domain socket 
+
+destination d_azure_mdsd { 
+
+unix-dgram("/run/azuremonitoragent/default_syslog.socket" 
+
+flags(no_multi_line) 
+
+); 
+}; 
+
+log {	source(s_src); # will be automatically parsed from /etc/syslog-ng/syslog-ng.conf 
+destination(d_azure_mdsd); }; 
+```
+
+Note* Azure Monitor supports collection of messages sent by rsyslog or syslog-ng, where rsyslog is the default daemon. The default Syslog daemon on version 5 of Red Hat Enterprise Linux, CentOS, and Oracle Linux version (sysklog) isn't supported for Syslog event collection. To collect Syslog data from this version of these distributions, the rsyslog daemon should be installed and configured to replace sysklog.
+
+Note* 
+If you edit the Syslog configuration, you must restart the Syslog daemon for the changes to take effect. 
+
+
+
+## Prerequisites
+You will need: 
+
+- Log Analytics workspace where you have at least [contributor rights](../logs/manage-access.md#azure-rbac).
+- [Data collection endpoint](../essentials/data-collection-endpoint-overview.md#create-a-data-collection-endpoint).
+- [Permissions to create Data Collection Rule objects](../essentials/data-collection-rule-overview.md#permissions) in the workspace.
+
+## Syslog record properties
+
+Syslog records have a type of **Syslog** and have the properties shown in the following table.
+
+| Property | Description |
+|:--- |:--- |
+| Computer |Computer that the event was collected from. |
+| Facility |Defines the part of the system that generated the message. |
+| HostIP |IP address of the system sending the message. |
+| HostName |Name of the system sending the message. |
+| SeverityLevel |Severity level of the event. |
+| SyslogMessage |Text of the message. |
+| ProcessID |ID of the process that generated the message. |
+| EventTime |Date and time that the event was generated. |
+
+## Log queries with Syslog records
+
+The following table provides different examples of log queries that retrieve Syslog records.
+
+| Query | Description |
+|:--- |:--- |
+| Syslog |All Syslogs |
+| Syslog &#124; where SeverityLevel == "error" |All Syslog records with severity of error |
+| Syslog &#124; where Facility == "auth" |All Syslog records with auth facility type  |
+| Syslog &#124; summarize AggregatedValue = count() by Facility |Count of Syslog records by facility |
+
+## Next steps
+
+Learn more about: 
+
+- [Azure Monitor Agent](azure-monitor-agent-overview.md).
+- [Data collection rules](../essentials/data-collection-rule-overview.md).
+- [Best practices for cost management in Azure Monitor](../best-practices-cost.md).