Azure Sentinel Agents

Azure offers a few different Azure Sentinel agents for ingesting data into Azure Log Analytics. The agents are built for Windows and Linux devices and can be installed in any cloud or on-premises environment.

Microsoft Monitoring Agent (MMA)

The MMA (also known as the Log Analytics agent) is installed on Windows devices and pulls Windows event logs and performance counters from the local device. It is an older agent and is soon to be replaced by the Azure Monitoring Agent (AMA) because of limitations such as the inability to specify event IDs. More details of this agent can be found here.

Configure Logging

The MMA configuration controlling which events are pulled into the Log Analytics workspace is managed in Azure Sentinel under the ‘Security Event’ data connector. This configuration applies to all machines with the MMA deployed and comes in 3 logging levels with pre-defined event IDs that cannot be modified. For more details on which event IDs are pulled, please see here.

OMS Agent

The OMS agent (also known as the Log Analytics agent) is installed on Linux devices and pulls syslog and CEF-formatted logs from the local device. It can be used to forward events from syslog-based devices such as firewalls, anti-virus products and DHCP services to Log Analytics. Details of the agent can be found here.

Configure Logging

The OMS configuration for which events are pulled into Log Analytics is managed through the agent configuration in the Log Analytics workspace, as shown below. From the configuration page you can specify the exact facility and logging level to be pushed to Log Analytics from all deployed OMS agents. This is not the only method, however: if you are looking to ingest CEF-formatted logs, the auto-sync from Log Analytics to the agent should be disabled. Configuration can then be applied on a per-agent basis, which is critical for creating a separate rsyslog filter that pushes CEF events to a specific IP and port on the local machine. Events arriving there are picked up by the agent, which knows they are CEF formatted and therefore processes them differently.
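The per-host setup described above, as an added example (this is not the original post's code and not Microsoft's own scripts): a POSIX shell snippet that disables the workspace auto-sync, writes a dedicated rsyslog rule that forwards only CEF-formatted messages to the agent's local listener, and reloads rsyslog. Assumed, not taken from the page: the listener address `127.0.0.1:25226` (the port the OMS agent's CEF listener uses in Microsoft's documented setup), the drop-in path `/etc/rsyslog.d/security-config-omsagent.conf`, and the path of the `OMS_MetaConfigHelper.py` auto-configuration helper; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the original post or from Microsoft.
# Forward CEF-formatted syslog events to the OMS agent's local CEF listener
# through a dedicated rsyslog rule, leaving ordinary syslog untouched.
# Assumptions: rsyslog reads drop-ins from /etc/rsyslog.d/, the agent's CEF
# listener is 127.0.0.1:25226 (Microsoft's documented default), and the
# auto-configuration helper is at the path used in apply_cef_forwarding.

CEF_LISTENER_IP="${CEF_LISTENER_IP:-127.0.0.1}"
CEF_LISTENER_PORT="${CEF_LISTENER_PORT:-25226}"
RSYSLOG_RULE_FILE="${RSYSLOG_RULE_FILE:-/etc/rsyslog.d/security-config-omsagent.conf}"

# Build the rsyslog rule text. Messages whose raw payload carries a "CEF:"
# header are sent over TCP ("@@") to IP $1, port $2; every other message
# keeps flowing through the normal facility/level rules.
cef_rsyslog_rule() {
    printf 'if $rawmsg contains "CEF:" then @@%s:%s\n' "$1" "$2"
}

# Write the rule for IP $1 / port $2 into the file named by $3.
write_cef_rsyslog_rule() {
    cef_rsyslog_rule "$1" "$2" > "$3"
}

# Sanity check a rule file ($1): does it target IP $2 / port $3 over TCP?
rule_targets_listener() {
    grep -q "@@$2:$3" "$1"
}

# Apply on a host (run as root). Auto-sync is disabled first so the
# workspace-level syslog configuration cannot overwrite the per-host rule.
apply_cef_forwarding() {
    # Microsoft's documented helper for turning off auto-configuration (assumed path;
    # on hosts without a "python" binary substitute python3).
    su omsagent -c 'python /opt/microsoft/omsconfig/Scripts/OMS_MetaConfigHelper.py --disable'
    write_cef_rsyslog_rule "$CEF_LISTENER_IP" "$CEF_LISTENER_PORT" "$RSYSLOG_RULE_FILE"
    rule_targets_listener "$RSYSLOG_RULE_FILE" "$CEF_LISTENER_IP" "$CEF_LISTENER_PORT" || return 1
    systemctl restart rsyslog
}
```

Only `apply_cef_forwarding` touches the host; the other functions just build and check the rule text, so the IP and port can be verified before anything is restarted. Because the match is on the raw message containing `CEF:`, a source that wraps CEF inside another syslog format still needs its own rule.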

Azure Monitoring Agent (AMA)

The AMA is a newer agent that aims to replace the older OMS and MMA agents and address their drawbacks. One improvement is the ability to specify exactly what is pulled from each machine, in particular filtering by event ID on Windows devices. The agent also allows separate configurations per device or group of devices. For on-premises devices the Azure Arc agent needs to be installed before the Azure Monitoring Agent is deployed. For further details about this agent, please see here.

Configure Logging

The configuration for the AMA is managed in Azure Monitor under ‘data collection rules’. A data collection rule is associated with resources, i.e. machines enrolled with the Azure Arc agent or Azure VMs. Once the resource has been associated, exactly what is pulled is configured under ‘data sources’. Data collection rules can be fully managed and deployed using ARM templates.

Azure Monitor data collection rule to support the Azure Sentinel AMA agent.
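To show the event-ID filtering and per-resource association the section describes, here is an added example (not the original post's code and not a Microsoft-published template) that generates an ARM template for a data collection rule and deploys it with the Azure CLI. The rule collects only the Security events whose IDs are passed in, and an association resource binds it to one Arc-enrolled machine. Assumed, not taken from the page: the resource names `dcr-sentinel-security-events` and `dcra-sentinel-security-events`, the parameter names, the `2021-09-01-preview` API version, and the sample event IDs; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the original post or from Microsoft.
# Generate an ARM template for an Azure Monitor data collection rule (DCR)
# that sends only selected Windows Security event IDs to Log Analytics via
# the AMA, associate it with an Arc machine, and deploy with the Azure CLI.
# Assumptions: API version 2021-09-01-preview, resource names below, and the
# Microsoft-SecurityEvent stream used by the Sentinel security events connector.

# Build the XPath filter for the Security log from the event IDs given as
# arguments, e.g. 4624 4625 -> Security!*[System[(EventID=4624 or EventID=4625)]]
event_id_xpath() {
    ids=""
    for id in "$@"; do
        if [ -z "$ids" ]; then ids="EventID=$id"; else ids="$ids or EventID=$id"; fi
    done
    printf 'Security!*[System[(%s)]]' "$ids"
}

# Write the template to file $1; the remaining arguments are the event IDs.
write_dcr_template() {
    out="$1"; shift
    xpath="$(event_id_xpath "$@")"
    cat > "$out" <<EOF
{
  "\$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceResourceId": { "type": "string" },
    "arcMachineName": { "type": "string" },
    "location": { "type": "string", "defaultValue": "[resourceGroup().location]" }
  },
  "resources": [
    {
      "type": "Microsoft.Insights/dataCollectionRules",
      "apiVersion": "2021-09-01-preview",
      "name": "dcr-sentinel-security-events",
      "location": "[parameters('location')]",
      "kind": "Windows",
      "properties": {
        "dataSources": {
          "windowsEventLogs": [
            {
              "name": "securityEventsFiltered",
              "streams": [ "Microsoft-SecurityEvent" ],
              "xPathQueries": [ "$xpath" ]
            }
          ]
        },
        "destinations": {
          "logAnalytics": [
            { "name": "sentinelWorkspace", "workspaceResourceId": "[parameters('workspaceResourceId')]" }
          ]
        },
        "dataFlows": [
          { "streams": [ "Microsoft-SecurityEvent" ], "destinations": [ "sentinelWorkspace" ] }
        ]
      }
    },
    {
      "type": "Microsoft.Insights/dataCollectionRuleAssociations",
      "apiVersion": "2021-09-01-preview",
      "name": "dcra-sentinel-security-events",
      "scope": "[concat('Microsoft.HybridCompute/machines/', parameters('arcMachineName'))]",
      "dependsOn": [ "[resourceId('Microsoft.Insights/dataCollectionRules', 'dcr-sentinel-security-events')]" ],
      "properties": {
        "dataCollectionRuleId": "[resourceId('Microsoft.Insights/dataCollectionRules', 'dcr-sentinel-security-events')]"
      }
    }
  ]
}
EOF
}

# Deploy: $1 resource group, $2 workspace resource ID, $3 Arc machine name, $4 template file.
deploy_dcr() {
    az deployment group create --resource-group "$1" --template-file "$4" \
        --parameters workspaceResourceId="$2" arcMachineName="$3"
}

# Typical use (logon success/failure and process creation):
#   write_dcr_template dcr.json 4624 4625 4688
#   deploy_dcr my-rg /subscriptions/<sub>/resourceGroups/my-rg/providers/Microsoft.OperationalInsights/workspaces/<ws> my-arc-host dcr.json
```

Because the filter lives in the rule rather than in a workspace-wide setting, a second rule with a different ID list can be associated with another group of machines, which is the per-device configuration the section contrasts with the MMA's fixed logging levels. The `Microsoft-SecurityEvent` stream lands the rows in the same `SecurityEvent` table the MMA connector populates.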