Merge pull request #239525 from NarineM/main

Jill Grant · web-flow · commit 8678b04d6c7c · 2023-05-30T20:53:28.000-06:00
Update ama syslog and sentinel articles
diff --git a/articles/azure-monitor/agents/azure-monitor-agent-troubleshoot-linux-vm-rsyslog.md b/articles/azure-monitor/agents/azure-monitor-agent-troubleshoot-linux-vm-rsyslog.md
@@ -6,8 +6,9 @@ ms.date: 5/3/2022
 ms.custom: references_region
 ms.reviewer: shseth
 ---
-# Syslog issue troubleshooting guide for Azure Monitor Linux Agent
-Here's how AMA collects syslog events:  
+# Syslog troubleshooting guide for Azure Monitor Linux Agent
+
+Overview of Azure Monitor Linux Agent syslog collection and supported RFC standards:
 
 - AMA installs an output configuration for the system syslog daemon during the installation process. The configuration file specifies the way events flow between the syslog daemon and AMA.
 - For `rsyslog` (most Linux distributions), the configuration file is `/etc/rsyslog.d/10-azuremonitoragent.conf`. For `syslog-ng`, the configuration file is `/etc/syslog-ng/conf.d/azuremonitoragent.conf`.
@@ -19,19 +20,21 @@ Here's how AMA collects syslog events:
 	> [!NOTE]
 	> AMA uses local persistency by default, all events received from `rsyslog` / `syslog-ng` are queued in `/var/opt/microsoft/azuremonitoragent/events` if they fail to be uploaded.
 	
-## Rsyslog data not uploaded due to full disk space issue on Azure Monitor Linux Agent
+## Issues
+
+### Rsyslog data not uploaded due to full disk space issue on Azure Monitor Linux Agent
 
-### Symptom
+#### Symptom
 **Syslog data is not uploading**: When inspecting the error logs at `/var/opt/microsoft/azuremonitoragent/log/mdsd.err`, you'll see entries about *Error while inserting item to Local persistent store…No space left on device* similar to the following snippet:
 
 ```
 2021-11-23T18:15:10.9712760Z: Error while inserting item to Local persistent store syslog.error: IO error: No space left on device: While appending to file: /var/opt/microsoft/azuremonitoragent/events/syslog.error/000555.log: No space left on device
 ```
 
-### Cause
+#### Cause
 Linux AMA buffers events to `/var/opt/microsoft/azuremonitoragent/events` prior to ingestion. On a default Linux AMA install, this directory will take ~650MB of disk space at idle. The size on disk will increase when under sustained logging load. It will get cleaned up about every 60 seconds and will reduce back to ~650 MB when the load returns to idle.
 
-### Confirming the issue of full disk
+#### Confirming the issue of full disk
 The `df` command shows almost no space available on `/dev/sda1`, as shown below:
 
 ```bash
@@ -73,12 +76,12 @@ none      849   root  txt    REG    0,1       8632     0 16764 / (deleted)
 rsyslogd 1484 syslog   14w   REG    8,1 3601566564     0 35280 /var/log/syslog (deleted)
 ```
 
-## Issue: rsyslog default configuration logs all facilities to /var/log/syslog
+### Rsyslog default configuration logs all facilities to /var/log/syslog
 On some popular distros (for example Ubuntu 18.04 LTS), rsyslog ships with a default configuration file (`/etc/rsyslog.d/50-default.conf`) which will log events from nearly all facilities to disk at `/var/log/syslog`.
 
 AMA doesn't rely on syslog events being logged to `/var/log/syslog`. Instead, it configures rsyslog to forward events over a socket directly to the azuremonitoragent service process (mdsd).
 
-### Fix: Remove high-volume facilities from /etc/rsyslog.d/50-default.conf
+#### Fix: Remove high-volume facilities from /etc/rsyslog.d/50-default.conf
 If you're sending a high log volume through rsyslog, consider modifying the default rsyslog config to avoid logging these events to this location `/var/log/syslog`. The events for this facility would still be forwarded to AMA because of the config in `/etc/rsyslog.d/10-azuremonitoragent.conf`.
 
 1. For example, to remove local4 events from being logged at `/var/log/syslog`, change this line in `/etc/rsyslog.d/50-default.conf` from this:
@@ -93,7 +96,7 @@ If you're sending a high log volume through rsyslog, consider modifying the defa
 	```
 2. `sudo systemctl restart rsyslog`
 
-## Issue: Azure Monitor Linux Agent Event Buffer is Filling Disk
+### Azure Monitor Linux Agent Event Buffer is Filling Disk
 If you observe the `/var/opt/microsoft/azuremonitor/events` directory growing unbounded (10 GB or higher) and not reducing in size, [file a ticket](#file-a-ticket) with **Summary** as 'AMA Event Buffer is filling disk' and **Problem type** as 'I need help configuring data collection from a VM'.
 
 [!INCLUDE [azure-monitor-agent-file-a-ticket](../../../includes/azure-monitor-agent/azure-monitor-agent-file-a-ticket.md)]
diff --git a/articles/azure-monitor/agents/data-collection-syslog.md b/articles/azure-monitor/agents/data-collection-syslog.md
@@ -31,7 +31,7 @@ The following facilities are supported with the Syslog collector:
 * uucp
 * local0-local7
 
-For some device types that don't allow local installation of the Azure Monitor agent, the agent can be installed instead on a dedicated Linux-based log forwarder. The originating device must be configured to send Syslog events to the Syslog daemon on this forwarder instead of the local daemon. Please see [Sentinel documents](https://learn.microsoft.com/azure/sentinel/connect-syslog#architecture) for more information.
+For some device types that don't allow local installation of the Azure Monitor agent, the agent can be installed instead on a dedicated Linux-based log forwarder. The originating device must be configured to send Syslog events to the Syslog daemon on this forwarder instead of the local daemon. Please see [Sentinel tutorial](../../sentinel/forward-syslog-monitor-agent.md) for more information.
 
 ## Configure Syslog
 
@@ -91,6 +91,13 @@ A data collection rule is an Azure resource that allows you to define the way  d
 1. Select **Add data source**.
 1. Select **Next: Review + create**.
 
+### Create rule
+
+1. Select **Create**.
+1. Wait 20 minutes before moving on to the next section.
+
+If your VM doesn't have the Azure Monitor agent installed, the data collection rule deployment triggers the installation of the agent on the VM.
+
 ## Configure Syslog on Linux Agent 
 When the Azure Monitoring Agent is installed on Linux machine it installs a default Syslog configuration file that defines the facility and severity of the messages that are collected if syslog is enabled in DCR. The configuration file is different depending on the Syslog daemon that the client has installed. 
 
diff --git a/articles/sentinel/forward-syslog-monitor-agent.md b/articles/sentinel/forward-syslog-monitor-agent.md
@@ -10,7 +10,7 @@ ms.custom: template-tutorial
 #Customer intent: As a security-engineer, I want to get syslog data into Microsoft Sentinel so that I can use the data with other data to do attack detection, threat visibility, proactive hunting, and threat response. As an IT administrator, I want to get syslog data into my Log Analytics workspace to monitor my linux-based devices.
 ---
 
-# Tutorial: Forward syslog data to a Log Analytics workspace by using the Azure Monitor agent with Microsoft Sentinel
+# Tutorial: Forward syslog data to a Log Analytics workspace with Microsoft Sentinel by using the Azure Monitor agent
 
 In this tutorial, you'll configure a Linux virtual machine (VM) to forward syslog data to your workspace by using the Azure Monitor agent. These steps allow you to collect and monitor data from Linux-based devices where you can't install an agent like a firewall network device.
  
@@ -47,67 +47,7 @@ To complete the steps in this tutorial, you must have the following resources an
 
 ## Create a data collection rule
 
-Create a *data collection rule* in the same region as your Microsoft Sentinel workspace.
-A data collection rule is an Azure resource that allows you to define the way  data should be handled as it's ingested into Microsoft Sentinel.
-
-1. Sign in to the [Azure portal](https://portal.azure.com).
-1. Search for and open **Monitor**.
-1. Under **Settings**, select **Data Collection Rules**.
-1. Select **Create**.
-
-   :::image type="content" source="media/forward-syslog-monitor-agent/create-data-collection-rule.png" alt-text="Screenshot of the data collections rules pane with the create option selected.":::
-
-### Enter basic information
-
-1. On the **Basics** pane, enter the following information:
-
-   |Field   |Value |
-   |---------|---------|
-   |Rule Name     | Enter a name like   dcr-syslog     |
-   |Subscription     | Select the appropriate subscription        |
-   |Resource group     |    Select the appropriate resource group     |
-   |Region     |  Select the same region that your Microsoft Sentinel workspace is located      |
-   |Platform Type     |    Linux     |
-1. Select **Next: Resources**.
-
-### Add resources
-1. Select **Add resources**.
-1. Use the filters to find the virtual machine that you'll use to collect logs.
-   :::image type="content" source="media/forward-syslog-monitor-agent/create-rule-scope.png" alt-text="Screenshot of the page to select the scope for the data collection rule. ":::
-1. Select the virtual machine.
-1. Select **Apply**.
-1. Select **Next: Collect and deliver**.
-
-### Add data source
-
-1. Select **Add data source**.
-1. For **Data source type**, select **Linux syslog**.
-   :::image type="content" source="media/forward-syslog-monitor-agent/create-rule-data-source.png" alt-text="Screenshot of page to select data source type and minimum log level":::
-1. For **Minimum log level**, leave the default values **LOG_DEBUG**.
-1. Select **Next: Destination**.
-
-### Add destination
-
-1. Select **Add destination**.
-
-   :::image type="content" source="media/forward-syslog-monitor-agent/create-rule-add-destination.png" alt-text="Screenshot of the destination tab with the add destination option selected.":::
-1. Enter the following values:
-
-   |Field   |Value |
-   |---------|---------|
-   |Destination type     | Azure Monitor Logs    |
-   |Subscription     | Select the appropriate subscription        |
-   |Account or namespace    |Select the appropriate Log Analytics workspace|
-
-1. Select **Add data source**.
-1. Select **Next: Review + create**.
-
-### Create rule
-
-1. Select **Create**.
-1. Wait 20 minutes before moving on to the next section.
-
-If your VM doesn't have the Azure Monitor agent installed, the data collection rule deployment triggers the installation of the agent on the VM.
+See step by step guide [here](../azure-monitor/agents/data-collection-syslog.md#create-a-data-collection-rule).
 
 ## Verify the Azure Monitor agent is running
 
@@ -189,5 +129,8 @@ Evaluate whether you still need the resources you created like the virtual machi
 
 ## Next steps
 
+Learn more about: 
+
 > [!div class="nextstepaction"]
 > [Data collection rules in Azure Monitor](../azure-monitor/essentials/data-collection-rule-overview.md)
+> [Collect syslog with Azure Monitor Agent overview](../azure-monitor/agents/data-collection-syslog.md)
