SOLVED

Selective Logs per MMA (Log) Agent?


Hello everyone!

Am I correct to assume there's currently no way to either select a subset of stuff (say only DNS, only IIS, only Security) from each agent individually or by group? I don't see anything as an option anywhere... but I just want to double check.

Andreas

Best Response confirmed by AndreasSky (Occasional Contributor)
Solution

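@AndreasSky You are correct. However, there is a public preview of the new Azure Monitor Agent that will allow you to do that. For more information on the new agent go to these pages:

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/azure-monitor-agent-overview?tabs=CLI1%2CCLI2

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-collection-rule-azure-monitor-agent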

@Gary Bushey Thank you for the immediate answer. Am I correct (as I haven't used Arc before) that the machine needs to be Arc-enabled just on the free tier to deploy/manage this agent? Does the Linux AMA one support Syslog/CEF similarly to the MMA one or should we use MMA for Syslog/CEF forwarding?

@AndreasSky As of right now, any non-Azure virtual machines will need to be Arc-enabled in order to have the agent installed on them.

I am not 100% sure of the answer (as I have not played with Linux as much as Windows) to your second question but I am fairly certain it does handle Syslog/CEF.

@Gary Bushey Yes, I saw that on the pages you linked, but there are 2 tiers on Azure Arc: free and 6 bucks/server. Any idea if the free one is enough for the agent install/config or is the paid policy one needed?

@AndreasSky The free tier is enough.