verify_ama_agent_service_is_running
command to run: sudo systemctl status azuremonitoragent
command output:
● azuremonitoragent.service - Azure Monitor Agent daemon (on systemd)
     Loaded: loaded (/etc/systemd/system/azuremonitoragent.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2023-11-30 00:54:39 UTC; 5h 51min ago
       Docs: man:azuremonitoragent(8)
   Main PID: 933 (mdsd)
      Tasks: 81 (limit: 4020)
     Memory: 86.6M (max: 10.0G)
     CGroup: /system.slice/azuremonitoragent.service
             └─933 /opt/microsoft/azuremonitoragent/bin/mdsd -A -c /etc/opt/microsoft/azuremonitoragent/mdsd.xml -r /run/azuremonitoragent/default -S /var/opt/microsoft/azuremonitoragent/eh -L /var/opt/microsoft/azuremonitoragent/events

Nov 30 00:54:36 cef-forwader systemd[1]: Starting Azure Monitor Agent daemon (on systemd)...
Nov 30 00:54:36 cef-forwader azuremonitoragent[680]: * Starting Azure Monitor Agent Daemon:
Nov 30 00:54:39 cef-forwader azuremonitoragent[680]: ...done.
Nov 30 00:54:39 cef-forwader systemd[1]: Started Azure Monitor Agent daemon (on systemd).
command error output: None
command array verification: ['azuremonitoragent.service', 'Azure', 'Monitor', 'Agent', 'active', 'running']
fault key word: None
--------------------
Is successful: True
--------------------

--------------------
verify_oms_agent_not_running
command to run: sudo netstat -lnpvt | grep ruby
command output:
command error output: None
command array verification: ['25226', 'LISTEN', 'tcp']
fault key word: None
--------------------
Is successful: True
--------------------

--------------------
verify_DCR_exists
command to run: sudo ls -l /etc/opt/microsoft/azuremonitoragent/config-cache/configchunks/
command output:
total 4
-rw-r----- 1 syslog syslog 968 Nov 29 07:31 18022982262112524183.json
command error output: None
command array verification: ['.json']
fault key word: None
--------------------
Is successful: True
--------------------

--------------------
verify_DCR_content_has_stream
command to run: sudo grep -ri "SECURITY_CEF_BLOB" /etc/opt/microsoft/azuremonitoragent/config-cache/configchunks/
command output:
/etc/opt/microsoft/azuremonitoragent/config-cache/configchunks/18022982262112524183.json:{"dataSources":[{"configuration":{"facilityNames":["syslog","user"],"logLevels":["Debug","Info","Notice","Warning","Error","Critical","Alert","Emergency"]},"id":"sysLogsDataSource-1249808082","kind":"syslog","streams":[{"stream":"SECURITY_CEF_BLOB","solution":"SecurityInsights"}],"sendToChannels":["ods-8ecdaeba-5667-4041-88d4-b0b899010bae"]}],"channels":[{"endpoint":"https://8ecdaeba-5667-4041-88d4-b0b899010bae.ods.opinsights.azure.com","tokenEndpointUri":"https://sentinel-cef-test-aler.koreacentral-1.handler.control.monitor.azure.com/subscriptions/7cf22deb-0e8f-4b8a-b67c-b0fd50587957/resourceGroups/Sentinel-Test-Suji/providers/Microsoft.Compute/virtualMachines/cef-forwader/agentConfigurations/dcr-29c5e6aa51f0457ca290e3322ade0d0b/channels/ods-8ecdaeba-5667-4041-88d4-b0b899010bae/issueIngestionToken?operatingLocation=KoreaCentral&platform=linux&includeMeConfig=true&api-version=2022-06-02","id":"ods-8ecdaeba-5667-4041-88d4-b0b899010bae","protocol":"ods"}]}
command error output: None
command array verification: ['SECURITY_CEF_BLOB']
fault key word: None
--------------------
Is successful: True
--------------------

--------------------
verify_dcr_has_valid_content
command to run: sudo grep -ri "SECURITY_CEF_BLOB" /etc/opt/microsoft/azuremonitoragent/config-cache/configchunks/
command output:
['/etc/opt/microsoft/azuremonitoragent/config-cache/configchunks/18022982262112524183.json:{"dataSources":[{"configuration":{"facilityNames":["syslog","user"],"logLevels":["Debug","Info","Notice","Warning","Error","Critical","Alert","Emergency"]},"id":"sysLogsDataSource-1249808082","kind":"syslog","streams":[{"stream":"SECURITY_CEF_BLOB","solution":"SecurityInsights"}],"sendToChannels":["ods-8ecdaeba-5667-4041-88d4-b0b899010bae"]}],"channels":[{"endpoint":"https://8ecdaeba-5667-4041-88d4-b0b899010bae.ods.opinsights.azure.com","tokenEndpointUri":"https://sentinel-cef-test-aler.koreacentral-1.handler.control.monitor.azure.com/subscriptions/7cf22deb-0e8f-4b8a-b67c-b0fd50587957/resourceGroups/Sentinel-Test-Suji/providers/Microsoft.Compute/virtualMachines/cef-forwader/agentConfigurations/dcr-29c5e6aa51f0457ca290e3322ade0d0b/channels/ods-8ecdaeba-5667-4041-88d4-b0b899010bae/issueIngestionToken?operatingLocation=KoreaCentral&platform=linux&includeMeConfig=true&api-version=2022-06-02","id":"ods-8ecdaeba-5667-4041-88d4-b0b899010bae","protocol":"ods"}]}']
command error output: None
command array verification: ['stream', 'kind', 'syslog', 'dataSources', 'configuration', 'facilityNames', 'logLevels', 'SecurityInsights', 'endpoint', 'channels', 'sendToChannels', 'ods-', 'opinsights.azure', 'id']
fault key word: None
--------------------
Is successful: True
--------------------

--------------------
check_multi_homing
command to run: sudo grep -ri "SECURITY_CEF_BLOB" /etc/opt/microsoft/azuremonitoragent/config-cache/configchunks/ | wc -l
command output:
1
command error output: None
command array verification: []
fault key word: None
--------------------
Is successful: True
--------------------

--------------------
verify_Syslog_daemon_listening
command to run: sudo netstat -lnpv | grep rsyslog
command output:
netstat: no support for `AF INET (sctp)' on this system.
netstat: no support for `AF INET (sctp)' on this system.
netstat: no support for `AF IPX' on this system.
netstat: no support for `AF AX25' on this system.
netstat: no support for `AF X25' on this system.
netstat: no support for `AF NETROM' on this system.
netstat: no support for `AF ROSE' on this system.
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      23396/rsyslogd
tcp6       0      0 :::514                  :::*                    LISTEN      23396/rsyslogd
udp        0      0 0.0.0.0:514             0.0.0.0:*                           23396/rsyslogd
udp6       0      0 :::514                  :::*                                23396/rsyslogd
command error output: None
command array verification: ['rsyslog', ':514 ']
fault key word: None
--------------------
Is successful: True
--------------------

--------------------
verify_Syslog_daemon_forwarding_configuration
command to run: sudo cat /etc/rsyslog.d/10-azuremonitoragent-omfwd.conf
command output:
# Azure Monitor Agent configuration: forward logs to azuremonitoragent
template(name="AMA_RSYSLOG_TraditionalForwardFormat" type="string" string="<%%%%PRI%%%%>%%%%TIMESTAMP%%%% %%%%HOSTNAME%%%% %%%%syslogtag%%%%%%%%msg:::sp-if-no-1st-sp%%%%%%%%msg%%%%")
# queue.workerThreads sets the maximum worker threads, it will scale back to 0 if there is no activity
# Forwarding all events through TCP port
*.* action(type="omfwd" template="AMA_RSYSLOG_TraditionalForwardFormat" queue.type="LinkedList" queue.filename="omfwd-azuremonitoragent" queue.maxFileSize="32m" action.resumeRetryCount="-1" action.resumeInterval="5" action.reportSuspension="on" action.reportSuspensionContinuation="on" queue.size="25000" queue.workerThreads="100" queue.dequeueBatchSize="2048" queue.saveonshutdown="on" target="127.0.0.1" Port="28330" Protocol="tcp")
command error output: None
command array verification: ['omfwd', 'azuremonitoragent', 'LinkedList', 'tcp']
fault key word: None
--------------------
Is successful: True
--------------------

--------------------
verify_iptables_policy_permissive
command to run: sudo iptables -S | grep \\-P | grep -E 'INPUT|OUTPUT'
command output:
-P INPUT ACCEPT
-P OUTPUT ACCEPT
command error output: None
command array verification: ['DROP', 'REJECT']
fault key word: None
--------------------
Is successful: True
--------------------

--------------------
verify_iptables_rules_permissive_514
command to run: sudo iptables -S | grep -E '514' | grep INPUT
command output:
command error output: None
command array verification: ['DROP', 'REJECT']
fault key word: None
--------------------
Is successful: True
--------------------

--------------------
verify_iptables_rules_permissive_28330
command to run: sudo iptables -S | grep -E '28330' | grep INPUT
command output:
command error output: None
command array verification: ['DROP', 'REJECT']
fault key word: None
--------------------
Is successful: True
--------------------

--------------------
verify_free_disk_space
command to run: sudo df --output=avail / | head -2 | tail -1
command output:
25585952
command error output: None
command array verification: []
fault key word: None
--------------------
Is successful: True
--------------------

--------------------
listen_to_incoming_events
command to run: sudo tcpdump -A -l -ni any port 514 -vv
command output:
Msg: Nov 30 06:45:43 log CEF: 0|DeviceVendorName-Test|DeviceProduct-Test|common=event-format-test|end|TRAFFIC|1|rt==event-formatted-receive_time
command error output: None
command array verification: ['CEF']
fault key word: None
--------------------
Is successful: True
--------------------