linux
Could we see more documenation around the Linux OMS log forwarding function, and how to troubleshoot when things start to go wrong. I think this would be an excellent resource.
I've been working with OMS, using a linux (CentOS7) based agent to forward syslogs events to my OMS linux agent, and having that host route the relevant log events into OMS.
Having had some experience with logstash, I spotted that the architecture was based around fluentd, so I had a good grasp of what I was working with. I also have a decent level of unix experience.
With that said it's proven to be quite challenging to move from the very basic setup of syslog forwarding, to taking multiple syslog sources (linux, vmware hosts.. even cisco syslog events) and have that event data structured for use in OMS - which really is the biggest challenge of all.
I have tested scenarios - where differing sources send the same 'local.info' events to the linux agent (each source has a differing formatting in the syslog event).. of course the syslog event is forwarded into OMS, but the complexity comes in trying to tweak the CustomFields to handle the differing event types (despite having the same 'facility' classification).
Whilst premier will support OMS, I have found that it's challenging to get access to someone with good detailled linux knowlege (this will change in time, I'm sure).
If MS can tackle this area, then IT departments will be in a position to see the real power of the OMS analytics. I think it'll win a lot of business from other vendors such as splunk.

We are continuing to invest in additional documentation that streamline forwarding and consuming syslog events
1 comment
-
Marcus Clayton commented
Any update on this request? Documentation, or a guide on deploying and managing a medium/large scale syslog collection farm using the OMS agent on one or more linux hosts (2-3 nodes) as the collection points would be helpful. There seem to be a number of approaches using the fluentd configs, but a "best practice" or reference architecture would be great. This would help speed up the adoption of Log Analytics for all non-windows endpoints.