Collect log data with the Azure Log Analytics agent

The Azure Log Analytics agent, previously referred to as the Microsoft Monitoring Agent (MMA) or OMS Linux agent, was developed for comprehensive management across on-premises machines, computers monitored by System Center Operations Manager, and virtual machines in any cloud. The Windows and Linux agents connect to Azure Monitor and store collected log data from different sources in your Log Analytics workspace, as well as any unique logs or metrics as defined in a monitoring solution.

This article provides a detailed overview of the agent, system and network requirements, and the different deployment methods.

Overview

Log Analytics agent communication diagram

Before analyzing and acting on collected data, you first need to install and connect agents for all of the machines that you want to send data to the Azure Monitor service. You can install agents on your Azure VMs using the Azure Log Analytics VM extension for Windows and Linux, and for machines in a hybrid environment using setup, command line, or with Desired State Configuration (DSC) in Azure Automation.

The agent for Linux and Windows communicates outbound to the Azure Monitor service over TCP port 443. If the machine connects through a firewall or proxy server to communicate over the Internet, review the requirements below to understand the network configuration required. If your IT security policies do not allow computers on the network to connect to the Internet, you can set up a Log Analytics gateway and then configure the agent to connect through the gateway to Azure Monitor logs. The agent can then receive configuration information and send the data it collects, depending on which data collection rules and monitoring solutions you have enabled in your workspace.

If you are monitoring a computer with System Center Operations Manager 2012 R2 or later, it can be multi-homed with the Azure Monitor service to collect data and forward it to the service while still being monitored by Operations Manager. With Linux computers, the agent doesn't include a health service component as the Windows agent does, and information is collected and processed by a management server on its behalf. Because Linux computers are monitored differently with Operations Manager, they do not receive configuration or collect data directly and forward it through the management group as a Windows agent-managed system does. As a result, this scenario isn't supported with Linux computers reporting to Operations Manager.

The Windows agent can report to up to four Log Analytics workspaces, while the Linux agent only supports reporting to a single workspace.

The agent for Linux and Windows isn't only for connecting to Azure Monitor. It also supports Azure Automation to host the Hybrid Runbook Worker role and other services such as Change Tracking and Update Management. For more information about the Hybrid Runbook Worker role, see Azure Automation Hybrid Runbook Worker.

Supported Windows operating systems

The following versions of the Windows operating system are officially supported for the Windows agent:

  • Windows Server 2019
  • Windows Server 2008 R2, 2012, 2012 R2, 2016, version 1709 and 1803
  • Windows 7 SP1 and later

Supported Linux operating systems

This section provides details about the supported Linux distributions.

Starting with versions released after August 2018, we are making the following changes to our support model:

  • Only the server versions are supported, not client.
  • New versions of Azure Linux Endorsed distros are always supported.
  • All minor releases are supported for each major version listed.
  • Versions that have passed their manufacturer's end-of-support date are not supported.
  • New versions of AMI are not supported.
  • Only versions that run SSL 1.x by default are supported.

If you are using a distro or version that is not currently supported and doesn't align to our support model, we recommend that you fork this repo, acknowledging that Microsoft support will not provide assistance with forked agent versions.

  • Amazon Linux 2017.09 (x64)
  • CentOS Linux 6 (x86/x64) and 7 (x64)
  • Oracle Linux 6 and 7 (x86/x64)
  • Red Hat Enterprise Linux Server 6 (x86/x64) and 7 (x64)
  • Debian GNU/Linux 8 and 9 (x86/x64)
  • Ubuntu 14.04 LTS (x86/x64), 16.04 LTS (x86/x64), and 18.04 LTS (x64)
  • SUSE Linux Enterprise Server 12 (x64)

Note

OpenSSL 1.1.0 is only supported on x86_x64 platforms (64-bit) and OpenSSL earlier than 1.x is not supported on any platform.

TLS 1.2 protocol

To ensure the security of data in transit to Azure Monitor logs, we strongly encourage you to configure the agent to use at least Transport Layer Security (TLS) 1.2. Older versions of TLS/Secure Sockets Layer (SSL) have been found to be vulnerable, and while they still currently work to allow backwards compatibility, they are not recommended. For additional information, review Sending data securely using TLS 1.2.

Network firewall requirements

The information below lists the proxy and firewall configuration required for the Linux and Windows agents to communicate with Azure Monitor logs.

Agent Resource | Ports | Direction | Bypass HTTPS inspection
*.ods.opinsights.azure.com | Port 443 | Outbound | Yes
*.oms.opinsights.azure.com | Port 443 | Outbound | Yes
*.blob.core.windows.net | Port 443 | Outbound | Yes
*.azure-automation.net | Port 443 | Outbound | Yes

For firewall information required for Azure Government, see Azure Government management.

If you plan to use the Azure Automation Hybrid Runbook Worker to connect to and register with the Automation service to use runbooks in your environment, it must have access to the port number and the URLs described in Configure your network for the Hybrid Runbook Worker.

The Windows and Linux agents support communicating either through a proxy server or Log Analytics gateway to Azure Monitor using the HTTPS protocol. Both anonymous and basic authentication (username/password) are supported. For the Windows agent connected directly to the service, the proxy configuration is specified during installation or after deployment from Control Panel or with PowerShell.

For the Linux agent, the proxy server is specified during installation or after installation by modifying the proxy.conf configuration file. The Linux agent proxy configuration value has the following syntax:

[protocol://][user:password@]proxyhost[:port]

Note

If your proxy server does not require you to authenticate, the Linux agent still requires providing a pseudo user/password. This can be any username or password.

Property | Description
Protocol | https
user | Optional username for proxy authentication
password | Optional password for proxy authentication
proxyhost | Address or FQDN of the proxy server/Log Analytics gateway
port | Optional port number for the proxy server/Log Analytics gateway

For example: https://user01:password@proxy01.contoso.com:30443

Note

If you use special characters such as “@” in your password, you receive a proxy connection error because the value is parsed incorrectly. To work around this issue, encode the password in the URL using a tool such as URLDecode.
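The following added example (not part of the original article, and not the agent's own parser) builds a proxy value in the syntax above with percent-encoded credentials and strictly parses it back, so a value with a raw "@" or ":" in the password is rejected before it reaches proxy.conf. The function names and the sample password are assumptions made for illustration.

```python
import re
from urllib.parse import quote, unquote

# Grammar from the page: [protocol://][user:password@]proxyhost[:port]
# Unencoded ':', '@' and '/' are delimiters only, so they are rejected inside fields.
PROXY_RE = re.compile(
    r"^(?:(?P<protocol>[A-Za-z][A-Za-z0-9+.-]*)://)?"
    r"(?:(?P<user>[^:@/]*):(?P<password>[^:@/]*)@)?"
    r"(?P<proxyhost>[^:@/]+)"
    r"(?::(?P<port>\d{1,5}))?$"
)


def build_proxy_value(proxyhost, port=None, user=None, password=None, protocol="https"):
    """Assemble the value, percent-encoding the credentials."""
    value = f"{protocol}://"
    if user is not None:
        # safe="" also encodes '/', which quote() leaves alone by default.
        value += f"{quote(user, safe='')}:{quote(password or '', safe='')}@"
    value += proxyhost
    if port is not None:
        value += f":{int(port)}"
    return value


def parse_proxy_value(value):
    """Strictly parse a value; raise ValueError if it is ambiguous."""
    match = PROXY_RE.match(value.strip())
    if match is None:
        raise ValueError("not [protocol://][user:password@]proxyhost[:port]")
    parts = match.groupdict()
    for field in ("user", "password"):
        if parts[field] is not None:
            parts[field] = unquote(parts[field])
    if parts["port"] is not None:
        parts["port"] = int(parts["port"])
        if not 1 <= parts["port"] <= 65535:
            raise ValueError("port out of range")
    return parts


if __name__ == "__main__":
    # Constructed sample credentials, not real ones.
    encoded = build_proxy_value("proxy01.contoso.com", 30443, "user01", "p@ss:w0rd")
    print(encoded)
    print(parse_proxy_value(encoded))
```

Running the strict parser over a value before deploying it catches the unencoded-password case on the administrator's side instead of as a proxy connection error on the agent.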

Install and configure agent

Connecting machines in your Azure subscription or hybrid environment directly with Azure Monitor logs can be accomplished using different methods depending on your requirements. The following table highlights each method to determine which works best in your organization.

Source | Method | Description
Azure VM | Log Analytics VM extension for Windows or Linux using Azure CLI or with an Azure Resource Manager template; manually from the Azure portal | The extension installs the Log Analytics agent on Azure virtual machines and enrolls them into an existing Azure Monitor workspace.
Hybrid Windows computer | Manual install; Azure Automation DSC; Resource Manager template with Azure Stack | Install the Microsoft Monitoring agent from the command line or using an automated method such as Azure Automation DSC, System Center Configuration Manager, or with an Azure Resource Manager template if you have deployed Microsoft Azure Stack in your datacenter.
Hybrid Linux computer | Manual install | Install the agent for Linux calling a wrapper-script hosted on GitHub.
System Center Operations Manager | Integrate Operations Manager with Log Analytics | Configure integration between Operations Manager and Azure Monitor logs to forward collected data from Windows computers reporting to a management group.

Next steps

  • Review data sources to understand the data sources available to collect data from your Windows or Linux system.

  • Learn about log queries to analyze the data collected from data sources and solutions.

  • Learn about monitoring solutions that add functionality to Azure Monitor and also collect data into the Log Analytics workspace.