Azure Monitor Agent extension versions

This article describes the version details for the Azure Monitor Agent virtual machine extension. This extension deploys the agent on virtual machines, scale sets, and Arc-enabled servers (on-premises servers with Azure Arc agent installed).

Note

The product group only supports Azure Monitoring Agent versions within the last 1 year. Customers should update to an agent version within this period.

We strongly recommend that you always update to the latest version.

Caution

This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the CentOS End Of Life guidance.

Version details

Release Date Release notes Windows Linux
November 2024 Windows Features
  • Update priorities for selection of ARC/AMA/System Proxy. Some customers have had difficulties with the default proxy selections
  • Populate SourceHostname column in Sentinel's Windows Firewall Logs (ASimNetworkSessionLogs table)
  • Resolve data latency issues for Sentinel's DNS activity logs (ASimDnsActivityLogs table)
  • Customize blob path for AMA storage blob for a partner
  • Update Troubleshooter to version 1.6.37
  • Update Metric Extension to version 2.2024.930.1245
1.31.0
October 2024 Windows Features
  • AMA: Updating AMA proxy settings to allow the Arc proxy to be bypassed
  • AMA: Custom Logs support Timestamp as delimiter (for MMA parity). You must deploy it using a DCR template or through the CLI. UI support is coming in the December release.
  • Enhance security for file operation when data folder contain redirection
  • Update MetricsExtension version to v2.2024.726.1005
1.30.0
September 2024 Linux Features
  • Support for Azure Linux 3, Ubuntu 24.04 LTS, and Amazon Linux 2023
  • Arm64 support for Azure Linux 3 and Ubuntu 24.04 LTS
  • Support timestamp-delimited Custom Text Logs for parity with OMS agent
Linux Fixes
  • Limit how frequently AMA writes its own log messages when the disk full; this fixes an error were logging that the disk is full makes the issue worse
  • Fix a crash that can occur when sending events to an unavailable Event Hub
  • Reduce resource utilization when sending events to an unavailable Event Hub
  • Fix for syslog-ng misconfiguration that caused syslog-ng service startup failure on rpm-based distros
  • Fix a crash that could occur when parsing syslog messages with a . character in the app/process name
  • Fix a unicode parsing issue that could cause install failures on certain system locales
1.33.1
August 2024 Windows
  • Added columns to the SecurityEvent table: Keywords, Opcode, Correlation, ProcessId, ThreadId, EventRecordId.
  • AMA: Support AMA Client Installer support for W365 Azure Virtual Desktop (AVD) tenants/partners.
  • Fix for missing logs in the 'RenderedDescription' column.
Linux Features
  • Enable Dynamic Linking of OpenSSL 1.1 in all regions
  • Add Computer field to Custom Logs
  • Add EventHub upload support for Custom Logs
  • Reliability improvement for upload task scheduling
  • Added support for SUSE15 SP5, and AWS 3 distributions
Linux Fixes
  • Fix Direct upload to storage for perf counters when no other destination is configured. You don't see perf counters If storage was the only configured destination for perf counters, they wouldn't see perf counters in their blob or table.
  • Fluent-Bit updated to version 3.0.7. This fixes the issue with Fluent-Bit creating junk files in the root directory on process shutdown.
  • Fix proxy for system-wide proxy using http(s)_proxy env var
  • Support for syslog hostnames that are up to 255characters
  • Stop sending rows longer than 1MB. This exceeds ingestion limits and destabilizes the agent. Now the row is gracefully dropped and a diagnostic message is written.
  • Set max disk space used for rsyslog spooling to 1GB. There was no limit before which could lead to high memory usage.
  • Use random available TCP port when there is a port conflict with AMA port 28230 and 28330 . This resolved issues where port 28230 and 28330 were already in uses by the customer which prevented data upload to Azure.
  • Fix to AMACoreAgent crash in certain architectures affecting custom log collection
1.29 1.32.6
June 2024 Windows
  • Fix encoding issues with Resource ID field.
  • AMA: Support new ingestion endpoint for GovSG environment.
  • Upgrade AzureSecurityPack version to 4.33.0.1.
  • Upgrade Metrics Extension version to 2.2024.517.533.
  • Upgrade Health Extension version to 2024.528.1.
1.28.2
May 2024 Windows
  • Upgraded Fluent-bit version to 3.0.5. This Fix resolves as security issue in fluent-bit (NVD - CVE-2024-4323 (nist.gov)
  • Disabled Fluent-bit logging that caused disk exhaustion issues for some customers. Example error is Fluentbit log with "[C:\projects\fluent-bit-2e87g\src\flb_scheduler.c:72 errno=0] No error" fills up the entire disk of the server.
  • Fixed AMA extension getting stuck in deletion state on some VMs that are using Arc. This fix improves reliability.
  • Fixed AMA not using system proxy, this issue is a bug introduced in 1.26.0. The issue was caused by a new feature that uses the Arc agent’s proxy settings. When the system proxy as set as None the proxy was broken in 1.26.
  • Fixed Windows Firewall Logs log file rollover issues
1.27.0
April 2024 Windows
  • In preparation for the May 17 public preview of Firewall Logs, the agent completed the addition of a profile filter for Domain, Public, and Private Logs.
  • AMA running on an Arc enabled server will default to using the Arc proxy settings if available.
  • The AMA VM extension proxy settings override the Arc defaults.
  • Bug fix in MSI installer: Symptom - If there are spaces in the fluent-bit config path, AMA wasn't recognizing the path properly. AMA now adds quotes to configuration path in fluent-bit.
  • Bug fix for Container Insights: Symptom - custom resource ID weren't being honored.
  • Security issue fix: skip the deletion of files and directory whose path contains a redirection (via Junction point, Hard links, Mount point, OB Symlinks etc.).
  • Updating MetricExtension package to 2.2024.328.1744.
Linux
  • AMA 1.30 now available in Arc.
  • New distribution support Debian 12, RHEL CIS L2.
  • Fix for mdsd version 1.30.3 in persistence mode, which converted positive integers to float/double values ("3.0", "4.0") to type ulong which broke Azure stream analytics.
1.26.0 1.31.1
March 2024 **Known Issues - ** a change in 1.25.0 to the encoding of resource IDs in the request headers to the ingestion end point has disrupted SQL ATP. This is causing failures in alert notifications to the Microsoft Detection Center (MDC) and potentially affecting billing events. Symptom is not seeing expected alerts related to SQL security threats. 1.25.0 didn't release to all data centers and it wasn't identified for auto update in any data center. Customers that did upgrade to 1.25.0 should roll back to 1.24.0

Windows
  • Breaking Change from Public Preview to GA Due to customer feedback, automatic parsing of JSON into column in your custom table in Log Analytic was added. You must take action to migrate your JSON DCR created before this release to prevent data loss. This fix is the last before the release of the JSON Log type in Public Preview.
  • Fix AMA when resource ID contains non-ascii chars, which is common when using some languages other than English. Errors would follow this pattern: … [HealthServiceCommon] [] [Error] … WinHttpAddRequestHeaders(x-ms-AzureResourceId: /subscriptions/{your subscription #} /resourceGroups/???????/providers/ … PostDataItems" failed with code 87(ERROR_INVALID_PARAMETER)
Linux
  • The AMA agent now supports Debian 12 and RHEL9 CIS L2 distribution.
1.25.0 1.31.0
February 2024 Known Issues
  • Occasional crash during startup in Arm64 VMs. The fix is in 1.30.3
Windows
  • Fix memory leak in Internet Information Service (IIS) log collection
  • Fix JSON parsing with Unicode characters for some ingestion endpoints
  • Allow Client installer to run on Azure Virtual Desktop (AVD) DevBox partner
  • Enable Transport Layer Security (TLS) 1.3 on supported Windows versions
  • Update MetricsExtension package to 2.2024.202.2043
Linux
  • Features
    • Add EventTime to syslog for parity with OMS agent
    • Add more Common Event Format (CEF) format support
    • Add CPU quotas for Azure Monitor Agent (AMA)
  • Fixes
    • Handle truncation of large messages in syslog due to Transmission Control Protocol (TCP) framing issue
    • Set NO_PROXY for Instance Metadata Service (IMDS) endpoint in AMA Python wrapper
    • Fix a crash in syslog parsing
    • Add reasonable limits for metadata retries from IMDS
    • No longer reset /var/log/azure folder permissions
1.24.0 1.30.3
1.30.2
January 2024 Known Issues
  • 1.29.5 doesn't install on Arc-enabled servers because the agent extension code size is beyond the deployment limit set by Arc. This issue was fixed in 1.29.6
Windows
  • Added support for Transport Layer Security (TLS) 1.3
  • Reverted a change to enable multiple IIS subscriptions to use same filter. Feature is redeployed once memory leak is fixed
  • Improved Event Trace for Windows (ETW) event throughput rate
Linux
  • Fix error messages logged, intended for mdsd.err, that instead went to mdsd.warn in 1.29.4 only. Likely error messages: "Exception while uploading to Gig-LA: ...", "Exception while uploading to ODS: ...", "Failed to upload to ODS: ..."
  • Reduced noise generated by AMAs' use of semanage when SELinux is enabled
  • Handle time parsing in syslog to handle Daylight Savings Time (DST) and leap day
1.23.0 1.29.5, 1.29.6
December 2023 Known Issues
  • 1.29.4 doesn't install on Arc-enabled servers because the agent extension code size is beyond the deployment limit set by Arc. Fix is coming in 1.29.6
  • Multiple IIS subscriptions cause a memory leak. feature reverted in 1.23.0
Windows
  • Prevent CPU spikes by not using bookmark when resetting an Event Log subscription
  • Added missing Fluent Bit executable to AMA client setup for Custom Log support
  • Updated to latest AzureCredentialsManagementService and DsmsCredentialsManagement package
  • Update ME to v2.2023.1027.1417
Linux
  • Support for TLS v1.3
  • Support for nopri in Syslog
  • Ability to set disk quota from Data Collection Rule (DCR) Agent Settings
  • Add Arm64 Ubuntu 22 support
  • Fixes
    • SysLog
      • Parse syslog Palo Alto CEF with multiple space characters following the hostname
      • Fix an issue with incorrectly parsing messages containing two '\n' chars in a row
      • Improved support for non-RFC compliant devices
      • Support Infoblox device messages containing both hostname and IP headers
    • Fix AMA crash in Read Hat Enterprise Linux (RHEL) 7.2
    • Remove dependency on "which" command
    • Fix port conflicts due to AMA using 13000
    • Reliability and Performance improvements
1.22.0 1.29.4
October 2023 Windows
  • Minimize CPU spikes when resetting an Event Log subscription
  • Enable multiple IIS subscriptions to use same filter
  • Clean up files and folders for inactive tenants in multitenant mode
  • AMA installer doesn't install unnecessary certs
  • AMA emits Telemetry table locally
  • Update Metric Extension to v2.2023.721.1630
  • Update AzureSecurityPack to v4.29.0.4
  • Update AzureWatson to v1.0.99
Linux
  • Add support for Process metrics counters for Log Analytics upload and Azure Monitor Metrics
  • Use rsyslog omfwd TCP for improved syslog reliability
  • Support Palo Alto CEF logs where hostname is followed by two spaces
  • Bug and reliability improvements
1.21.0 1.28.11
September 2023 Windows
  • Fix issue with high CPU usage due to excessive Windows Event Logs subscription reset
  • Reduce Fluent Bit resource usage by limiting tracked files older than three days and limiting logging to errors only
  • Fix race condition where resource_id is unavailable when agent is restarted
  • Fix race-condition when vm-extension provision agent (also known as GuestAgent) is issuing a disable-vm-extension command to AMA
  • Update MetricExtension version to 2.2023.721.1630
  • Update Troubleshooter to v1.5.14
1.20.0 None
August 2023 Windows
  • AMA: Allow prefixes in the tag names to handle regression
  • Updating package version for AzSecPack 4.28 release
1.19.0 None
July 2023 Windows
  • Fix crash when Event Log subscription callback throws errors.
  • MetricExtension updated to 2.2023.609.2051
1.18.0 None
June 2023 Windows
  • Add new FilePath column to custom logs table. You must manually add the column to your custom table
  • Config setting to disable custom IMDS endpoint in Tenant.json file
  • Fluent Bit binaries signed with Microsoft customer Code Sign cert
  • Minimize number of retries on calls to refresh tokens
  • Don't overwrite resource ID with empty string
  • AzSecPack updated to version 4.27
  • AzureProfiler and AzurePerfCollector updated to version 1.0.0.990
  • MetricsExtension updated to version 2.2023.513.10
  • Troubleshooter updated to version 1.5.0
Linux
  • To identify forwarder/collector machine, add new column CollectorHostName to syslog table
  • Link OpenSSL dynamically
  • Fixes
    • Allow uploads soon after AMA startup
    • To avoid thread pool scheduling issues, run LocalSink Garbage Collector on a dedicated thread
    • Fix upgrade restart of disabled services
    • Handle Linux Hardening where sudo on root is blocked
    • CEF processing fixes for noncompliant Request For Comment (RFC) 5424 logs
    • Adaptive Security Appliance (ASA) tenant can fail to start up due to config-cache directory permissions
    • Fix auth proxy in AMA
    • Fix to remove null characters in agentlauncher.log after log rotation
    • Fix for authenticated proxy(1.27.3)
    • Fix regression in Virtual Machine (VM) Insights(1.27.4)
1.17.0 1.27.4
May 2023 Windows
  • Enable Large Event support for all regions
  • Update to TroubleShooter 1.4.0
  • Fixed issue when Event Log subscription became invalid and wouldn't resubscribe
  • AMA: Fixed issue with Large Event sending too large data. Also affecting Custom Log
Linux
  • Support for CIS and SELinux hardening
  • Include Ubuntu 22.04 (Jammy Jellyfish) in azure-mdsd package publishing
  • Move storage SDK patch to build container
  • Add system Telegraf counters to AMA
  • Drop msgpack and syslog data if not configured in active configuration
  • Limit the events sent to Public ingestion pipeline
  • Fixes
    • Fix mdsd crash in init when in persistent mode
    • To avoid a race condition, remove FdClosers from ProtocolListeners
    • Fix sed regex special character escaping issue in rpm macro for CentOS 7.3 (Maipo)
    • Fix latency and future timestamp issue
    • Install AMA syslog configs only if customer is opted in for syslog in DCR
    • Fix heartbeat time check
    • Skip unnecessary cleanup in fatal signal handler
    • Fix case where fast-forwarding may cause intervals to be skipped
    • Fix comma separated custom log paths with fluent
    • Fix to prevent events folder growing too large and filling the disk
    • Hotfix (1.26.3) for Syslog
    1.16.0.0 1.26.2-1.26.5Hotfix
    Apr 2023 Windows
    • AMA: Enable Large Event support based on Region
    • AMA: Upgrade to Fluent Bit version 2.0.9
    • Update Troubleshooter to 1.3.1
    • Update ME version to 2.2023.331.1521
    • Updating package version for AzSecPack 4.26 release
    1.15.0 None
    Mar 2023 Windows
    • Text file collection improvements to handle high rate logging and continuous tailing of longer lines
    • VM Insights fixes for collecting metrics from non-English OS
    1.14.0.0 None
    Feb 2023
    • Linux (hotfix) Resolved potential data loss due to "Bad file descriptor" errors seen in the mdsd error log with previous version. Upgrade to hotfix version
    • Windows Reliability improvements in Fluent Bit buffering to handle larger text files
    1.13.1 1.25.2Hotfix
    Jan 2023 Linux
    • RHEL 9 and Amazon Linux 2 support
    • Update to OpenSSL 1.1.1s and require TLS 1.2 or higher
    • Performance improvements
    • Improvements in Garbage Collection for persisted disk cache and handling corrupted cache files better
    • Fixes
      • Set agent service memory limit for CentOS/RedHat 7 distros. Resolved MemoryMax parsing error
      • Fixed modifying rsyslog system-wide log format caused by installer on RedHat/CentOS 7.3
      • Fixed permissions to config directory
      • Installation reliability improvements
      • Fixed permissions on default file so rpm verification doesn't fail
      • Added traceFlags setting to enable trace logs for agent
    Windows
    • Fixed issue related to incorrect EventLevel and Task values for Log Analytics Event table, to match Windows Event Viewer values
    • Added missing columns for IIS logs - TimeGenerated, Time, Date, Computer, SourceSystem, AMA, W3SVC, SiteName
    • Reliability improvements for metrics collection
    • Fixed machine restart issues on for Arc-enabled servers related to repeated calls to HIMDS service
    1.12.0 1.25.1
    Nov-Dec 2022 1.11.0 None
    Oct 2022 Windows
    • Increased reliability of data uploads
    • Data quality improvements
    Linux
    • Support for http_proxy and https_proxy environment variables for network proxy configurations for the agent
    • Text logs
      • Network proxy support enabled
      • Fixed missing _ResourceId
      • Increased maximum line size support to 1 MB
    • Support ingestion of syslog events whose timestamp is in the future
    • Performance improvements
    • Fixed diskio metrics instance name dimension to use the disk mount paths instead of the device names
    • Fixed world writable file issue to lock down write access to certain agent logs and configuration files stored locally on the machine
    1.10.0.0 1.24.2
    Sep 2022 Reliability improvements 1.9.0 None
    August 2022 Common updates
    • Improved resiliency: Default lookback (retry) time updated to last three days (72 hours) up from 60 minutes, for agent to collect data post interruption. Look back time is subject to default offline cache size of 10 Gb
    • Fixes the preview custom text log feature that was incorrectly removing the TimeGenerated field from the raw data of each event. All events are now additionally stamped with agent (local) upload time
    • Reliability and supportability improvements
    Windows
    • Fixed datetime format to UTC
    • Fix to use default location for firewall log collection, if not provided
    • Reliability and supportability improvements
    Linux
    • Support for OpenSuse 15, Debian 11 Arm64
    • Support for coexistence of Azure Monitor agent with legacy Azure Diagnostic extension for Linux (LAD)
    • Increased max-size of User Datagram Protocol (UDP) payload for Telegraf output to prevent dimension truncation
    • Prevent unconfigured upload to Azure Monitor Metrics destination
    • Fix for disk metrics wherein instance name dimension uses the disk mount paths instead of the device names, to provide parity with legacy agent
    • Fixed disk free MB metric to report megabytes instead of bytes
    1.8.0 1.22.2
    July 2022 Fix for mismatch event timestamps for Sentinel Windows Event Forwarding 1.7.0 None
    June 2022 Bug fixes with user assigned identity support, and reliability improvements 1.6.0 None
    May 2022
    • Fixed issue where agent stops functioning due to faulty XPath query. With this version, only query related Windows events fail, other data types continue to be collected
    • Collection of Windows network troubleshooting logs added to 'CollectAMAlogs.ps1' tool
    • Linux support for Debian 11 distro
    • Fixed issue to list mount paths instead of device names for Linux disk metrics
    1.5.0.0 1.21.0
    April 2022
    • Private IP information added in Log Analytics Heartbeat table for Windows and Linux
    • Fixed bugs in Windows IIS log collection (preview)
      • Updated IIS site column name to match backend Kusto Query Language (KQL) transform
      • Added delay to IIS upload task to account for IIS buffering
    • Fixed Linux CEF syslog forwarding for Sentinel
    • Removed 'error' message for Azure MSI token retrieval failure on Arc to show as 'Info' instead
    • Support added for Ubuntu 22.04, RHEL 8.5, 8.6, AlmaLinux and RockyLinux distros
    1.4.1Hotfix 1.19.3
    March 2022
    • Fixed timestamp and XML format bugs in Windows Event logs
    • Full Windows OS information in Log Analytics Heartbeat table
    • Fixed Linux performance counters to collect instance values instead of 'total' only
    1.3.0 1.17.5.0
    February 2022
    • Bug fixes for the AMA Client installer
    • Versioning fix to reflect appropriate Windows major/minor/hotfix versions
    • Internal test improvement on Linux
    1.2.0 1.15.3
    January 2022
    • Syslog RFC compliance for Linux
    • Fixed issue for Linux perf counters not flowing on restart
    • Fixed installation failure on Windows Server 2008 R2 SP1
    1.1.5.1Hotfix 1.15.2.0Hotfix
    December 2021
    • Fixed issues impacting Linux Arc-enabled servers
    • 'Heartbeat' table > 'Category' column reports "Azure Monitor Agent" in Log Analytics for Windows
    1.1.4 1.14.7.02
    September 2021
    • Fixed issue causing data loss on restarting the agent
    • Fixed issue for Arc Windows servers
    1.1.3.2Hotfix 1.12.2.0 1
    August 2021 Fixed issue allowing Azure Monitor Metrics as the only destination 1.1.2.0 1.10.9.0Hotfix
    July 2021
    • Support for direct proxies
    • Support for Log Analytics gateway
    Learn more
    1.1.1 1.10.5.0
    June 2021 General availability announced.
    • All features except metrics destination now generally available
    • Production quality, security, and compliance
    • Availability in all public regions
    • Performance and scale improvements for higher EPS
    Learn more
    1.0.12 1.9.1.0

    Hotfix Don't use AMA Linux versions v1.10.7, v1.15.1, v1.25.2 and AMA Windows v1.1.3.1, v1.1.5.0. Use the hotfix versions.
    1 Known issue: No data collected from Linux Arc-enabled servers.
    2 Known issue: Linux performance counters data stops flowing on restarting or rebooting the machines.

    Next steps