Log Analytics virtual machine extension for Linux
Overview
Azure Monitor Logs provides monitoring, alerting, and alert remediation capabilities across cloud and on-premises assets. The Log Analytics virtual machine extension for Linux is published and supported by Azure. The extension installs the Log Analytics agent on Azure virtual machines, and enrolls virtual machines into an existing Log Analytics workspace. This document details the supported platforms, configurations, and deployment options for the Log Analytics virtual machine extension for Linux.
Note
Azure Arc-enabled servers enables you to deploy, remove, and update the Log Analytics agent VM extension to non-Azure Windows and Linux machines, simplifying the management of your hybrid machine through their lifecycle. For more information, see VM extension management with Azure Arc-enabled servers.
Prerequisites
Operating system
For details about the supported Linux distributions, refer to the Overview of Azure Monitor agents article.
Agent and VM Extension version
The following table provides a mapping of the version of the Log Analytics VM extension and Log Analytics agent bundle for each release. A link to the release notes for the Log Analytics agent bundle version is included. Release notes include details on bug fixes and new features available for a given agent release.
Log Analytics Linux VM extension version | Log Analytics Agent bundle version |
---|---|
1.19.0 | 1.19.0 |
1.18.1 | 1.18.1 |
1.17.2 | 1.17.2 |
1.17.1 | 1.17.1 |
1.16.0 | 1.16.0 |
1.14.23 | 1.14.23 |
1.14.20 | 1.14.20 |
1.14.19 | 1.14.19 |
1.14.16 | 1.14.16 |
1.14.13 | 1.14.13 |
1.14.11 | 1.14.11 |
1.14.9 | 1.14.9 |
1.13.40 | 1.13.40 |
1.13.35 | 1.13.35 |
1.13.33 | 1.13.33 |
1.13.27 | 1.13.27 |
1.13.15 | 1.13.9-0 |
1.12.25 | 1.12.15-0 |
1.11.15 | 1.11.0-9 |
1.10.0 | 1.10.0-1 |
1.9.1 | 1.9.0-0 |
1.8.11 | 1.8.1-256 |
1.8.0 | 1.8.0-256 |
1.7.9 | 1.6.1-3 |
1.6.42.0 | 1.6.0-42 |
1.4.60.2 | 1.4.4-210 |
1.4.59.1 | 1.4.3-174 |
1.4.58.7 | 14.2-125 |
1.4.56.5 | 1.4.2-124 |
1.4.55.4 | 1.4.1-123 |
1.4.45.3 | 1.4.1-45 |
1.4.45.2 | 1.4.0-45 |
1.3.127.5 | 1.3.5-127 |
1.3.127.7 | 1.3.5-127 |
1.3.18.7 | 1.3.4-15 |
Microsoft Defender for Cloud
Microsoft Defender for Cloud automatically provisions the Log Analytics agent and connects it to a default Log Analytics workspace created by Defender for Cloud in your Azure subscription. If you are using Microsoft Defender for Cloud, do not run through the steps in this document. Doing so overwrites the configured workspace and breaks the connection with Microsoft Defender for Cloud.
Internet connectivity
The Log Analytics agent extension for Linux requires that the target virtual machine is connected to the internet.
Extension schema
The following JSON shows the schema for the Log Analytics agent extension. The extension requires the workspace ID and workspace key from the target Log Analytics workspace; these values can be found in your Log Analytics workspace in the Azure portal. Because the workspace key should be treated as sensitive data, it should be stored in a protected setting configuration. Azure VM extension protected setting data is encrypted, and only decrypted on the target virtual machine. Note that workspaceId and workspaceKey are case-sensitive.
Note
Because the Container Monitoring solution is being retired, the following documentation uses the optional setting "skipDockerProviderInstall": true.
{
"type": "Microsoft.Compute/virtualMachines/extensions",
"name": "OMSExtension",
"apiVersion": "2018-06-01",
"location": "<location>",
"dependsOn": [
"[concat('Microsoft.Compute/virtualMachines/', <vm-name>)]"
],
"properties": {
"publisher": "Microsoft.EnterpriseCloud.Monitoring",
"type": "OmsAgentForLinux",
"typeHandlerVersion": "1.16",
"autoUpgradeMinorVersion": true,
"settings": {
"workspaceId": "myWorkspaceId",
"skipDockerProviderInstall": true
},
"protectedSettings": {
"workspaceKey": "myWorkSpaceKey"
}
}
}
Note
The schema above assumes that it will be placed at the root level of the template. If you put it inside the virtual machine resource in the template, the type
and name
properties should be changed, as described further down.
Property values
Name | Value / Example |
---|---|
apiVersion | 2018-06-01 |
publisher | Microsoft.EnterpriseCloud.Monitoring |
type | OmsAgentForLinux |
typeHandlerVersion | 1.16 |
workspaceId (e.g) | 6f680a37-00c6-41c7-a93f-1437e3462574 |
workspaceKey (e.g) | z4bU3p1/GrnWpQkky4gdabWXAhbWSTz70hm4m2Xt92XI+rSRgE8qVvRhsGo9TXffbrTahyrwv35W0pOqQAU7uQ== |
Template deployment
Note
Certain components of the Log Analytics VM extension are also shipped in the Diagnostics VM extension. Due to this architecture, conflicts can arise if both extensions are instantiated in the same ARM template. To avoid these install-time conflicts, use the dependsOn
directive to ensure the extensions are installed sequentially. The extensions can be installed in either order.
Azure VM extensions can be deployed with Azure Resource Manager templates. Templates are ideal when deploying one or more virtual machines that require post deployment configuration such as onboarding to Azure Monitor Logs. A sample Resource Manager template that includes the Log Analytics agent VM extension can be found on the Azure Quickstart Gallery.
The JSON configuration for a virtual machine extension can be nested inside the virtual machine resource, or placed at the root or top level of a Resource Manager JSON template. The placement of the JSON configuration affects the value of the resource name and type. For more information, see Set name and type for child resources.
The following example assumes the VM extension is nested inside the virtual machine resource. When nesting the extension resource, the JSON is placed in the "resources": []
object of the virtual machine.
{
"type": "extensions",
"name": "OMSExtension",
"apiVersion": "2018-06-01",
"location": "<location>",
"dependsOn": [
"[concat('Microsoft.Compute/virtualMachines/', <vm-name>)]"
],
"properties": {
"publisher": "Microsoft.EnterpriseCloud.Monitoring",
"type": "OmsAgentForLinux",
"typeHandlerVersion": "1.16",
"settings": {
"workspaceId": "myWorkspaceId",
"skipDockerProviderInstall": true
},
"protectedSettings": {
"workspaceKey": "myWorkSpaceKey"
}
}
}
When placing the extension JSON at the root of the template, the resource name includes a reference to the parent virtual machine, and the type reflects the nested configuration.
{
"type": "Microsoft.Compute/virtualMachines/extensions",
"name": "<parentVmResource>/OMSExtension",
"apiVersion": "2018-06-01",
"location": "<location>",
"dependsOn": [
"[concat('Microsoft.Compute/virtualMachines/', <vm-name>)]"
],
"properties": {
"publisher": "Microsoft.EnterpriseCloud.Monitoring",
"type": "OmsAgentForLinux",
"typeHandlerVersion": "1.16",
"settings": {
"workspaceId": "myWorkspaceId",
"skipDockerProviderInstall": true
},
"protectedSettings": {
"workspaceKey": "myWorkSpaceKey"
}
}
}
Azure CLI deployment
The Azure CLI can be used to deploy the Log Analytics agent VM extension to an existing virtual machine. Replace the myWorkspaceKey value below with your workspace key and the myWorkspaceId value with your workspace ID. These values can be found in your Log Analytics workspace in the Azure portal under Advanced Settings. Replace the latestVersion value with a version from Log Analytics Linux VM extension version.
az vm extension set \
--resource-group myResourceGroup \
--vm-name myVM \
--name OmsAgentForLinux \
--publisher Microsoft.EnterpriseCloud.Monitoring \
--protected-settings '{"workspaceKey":"myWorkspaceKey"}' \
--settings '{"workspaceId":"myWorkspaceId","skipDockerProviderInstall": true}' \
--version latestVersion
Azure PowerShell deployment
The Azure Powershell cmdlets can be used to deploy the Log Analytics agent VM extension to an existing virtual machine. Replace the myWorkspaceKey value below with your workspace key and the myWorkspaceId value with your workspace ID. These values can be found in your Log Analytics workspace in the Azure portal under Advanced Settings. Replace the latestVersion value with a version from Log Analytics Linux VM extension version.
Set-AzVMExtension \
-ResourceGroupName myResourceGroup \
-VMName myVM \
-ExtensionName OmsAgentForLinux \
-ExtensionType OmsAgentForLinux \
-Publisher Microsoft.EnterpriseCloud.Monitoring \
-TypeHandlerVersion latestVersion \
-ProtectedSettingString '{"workspaceKey":"myWorkspaceKey"}' \
-SettingString '{"workspaceId":"myWorkspaceId","skipDockerProviderInstall": true}'
Troubleshoot and support
Troubleshoot
Data about the state of extension deployments can be retrieved from the Azure portal, and by using the Azure CLI or Azure Powershell. To see the deployment state of extensions for a given VM, run the following command if you are using the Azure CLI.
az vm extension list --resource-group myResourceGroup --vm-name myVM -o table
Extension execution output is logged to the following file:
/var/log/azure/Microsoft.EnterpriseCloud.Monitoring.OmsAgentForLinux/extension.log
To retrieve the OMS extension version installed on a VM, run the following command if you are using Azure CLI.
az vm extension show --resource-group myResourceGroup --vm-name myVM --instance-view
To retrieve the OMS extension version installed on a VM, run the following command if you are using Azure PowerShell.
Get-AzVMExtension -ResourceGroupName my_resource_group -VMName my_vm_name -Name OmsAgentForLinux -Status
Error codes and their meanings
Error Code | Meaning | Possible Action |
---|---|---|
9 | Enable called prematurely | Update the Azure Linux Agent to the latest available version. |
10 | VM is already connected to a Log Analytics workspace | To connect the VM to the workspace specified in the extension schema, set stopOnMultipleConnections to false in public settings or remove this property. This VM gets billed once for each workspace it is connected to. |
11 | Invalid config provided to the extension | Follow the preceding examples to set all property values necessary for deployment. |
17 | Log Analytics package installation failure | |
18 | Installation of OMSConfig package failed. | Look through the command output for the root failure. |
19 | OMI package installation failure | |
20 | SCX package installation failure | |
33 | Error generating metaconfiguration for omsconfig. | File a GitHub Issue with details from the output. |
51 | This extension is not supported on the VM's operation system | |
52 | This extension failed due to a missing dependency or permission | Check the output and logs for more information about which dependency or permission is missing. |
53 | This extension failed due to missing or wrong configuration parameters | Check the output and logs for more information about what went wrong. Additionally, check the correctness of the workspace ID, and verify that the machine is connected to the internet. |
55 | Cannot connect to the Azure Monitor service or required packages missing or dpkg package manager is locked | Check that the system either has internet access, or that a valid HTTP proxy has been provided. Additionally, check the correctness of the workspace ID, and verify that curl and tar utilities are installed. |
Additional troubleshooting information can be found on the Log Analytics-Agent-for-Linux Troubleshooting Guide.
Support
If you need more help at any point in this article, you can contact the Azure experts on the Azure support. Alternatively, you can file an Azure support incident. Go to the Azure support site and submit your request. For information about using Azure Support, read the 21Vianet Azure support FAQ.