Monitoring Syslog from OMS with non-oms agents

By | February 22, 2016

So this weekend I was tasked with trying to setup OMS syslog monitoring against Linux targets which was not supported as part of the OMS agents. Now the supported list of OMS Linux agents are the following:

Amazon Linux 2012.09 –> 2015.09 (x86/x64)
CentOS Linux 5,6, and 7 (x86/x64)
Oracle Linux 5,6, and 7 (x86/x64)
Red Hat Enterprise Linux Server 5,6 and 7 (x86/x64)
Debian GNU/Linux 6, 7, and 8 (x86/x64)
Ubuntu 12.04 LTS, 14.04 LTS, 15.04, 15.10 (x86/x64)
SUSE Linux Enteprise Server 11 and 12 (x86/x64)

Now since many have network devices which run non of these operating systems I needed to setup something which would allow me to forward the Syslog events from other devices and then forward it to OMS. So what I came up with was setting up a Syslog collector on a supported OMS agent operating system. So I setup a Ubuntu 14.04 virtual machine which was going to be used as a syslog collector

image  

The simplest way was to use the built-in service rsyslog on ubuntu to configure it for remote collection, by default it is only used for local syslogging it does not accept remote syslogs.

Now as mentioned this requires a simple machine running Ubuntu 14.04 or 15.04. From the terminal we need to configure rsyslog.conf which is located under /etc folder

From there you need to change file, which can be done using VIM or VI. In the Conf file you need to remove # in front of the ModLoad and UDPServerRun which will allow the syslog daemon to gather from remote sessions.

# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

Next you need to add this line before the GLOBAL DIRECTIVES part of the confing file.

$template RemoteLogs,”/var/log/%HOSTNAME%/%PROGRAMNAME%.log” *
*.*  ?RemoteLogs

This is used for the syslog daemon to create syslog files under /var/log where all the log files will be named after the remote host that forwards information.

After this is configured you need to restart the rsyslog feature,

sudo /etc/init.d/rsyslog restart

image

Now we should see that the syslog folder will be populated under the folder of the host name.

After this is done you need to install the OMS agent using the following commands

$> wget https://github.com/Microsoft/OMS-Agent-for-Linux/releases/download/v1.1.0-28/omsagent-1.1.0-28.universal.x64.sh

$> chmod +x ./omsagent-1.1.0-28.universal.x64.sh

$> md5sum ./omsagent-1.1.0-28.universal.x64.sh

$> ./omsagent-1.1.0-28.universal.x64.sh –upgrade -w <YOUR OMS WORKSPACE ID> -s <YOUR OMS WORKSPACE PRIMARY KEY>

After the OMS agent is configured. Then we need to configure the syslog collector from within OMS

image

Then we can go into Log Search, we can go into the Syslog viewer and drill into the different alerts.

image

So in this case I just configured regular Syslog setup from a Cisco ASA and a Citrix NetScaler to forward to the Ubuntu server.

Leave a Reply

Your email address will not be published. Required fields are marked *