Azure Monitor Agent
Overview
For SFTP Gateway v.3.3.3 and later, we are using Ubuntu 22 (instead of Ubuntu 20). The OMS agent, which is used to send custom logs to Azure Monitor, is no longer compatible. This is because Ubuntu 22 doesn't allow OpenSSLv1 (a dependency of the OMS agent) for security reasons.
This article shows you how to install the newer Azure Monitor Agent (AMA) for sending custom logs to your Azure Monitor Log Analytics Workspace (LAW).
The high-level steps are as follows:
- Create a Log Analytics Workspace
- Within the Log Analytics Workspace, create a Custom Log table
- Create a Data Collection Endpoint (DCE), a dependency you'll need later
- Create a Data Collection Rule (DCR). This will automatically create a couple of dependencies for you:
  - Installs the Azure Monitor Agent (AMA) on the VM
  - Enables the System Managed Identity on the VM
- Grant the System Managed Identity permissions to the Log Analytics Workspace
Many elements need to be wired together correctly for this to work, and some of them must be created in a specific order.
Create a Log Analytics Workspace
Azure Monitor is a service for aggregating logs and metrics. This information is organized into Log Analytics Workspaces.
- In the Azure Portal, go to the Log Analytics Workspace service 
- Click Create 
- Choose your Subscription 
- Create a new Resource Group 
- Give the Log Analytics Workspace a Name 
- Choose your Region. Keeping all your resources in the same Region will make troubleshooting easier.  
- Click Review + Create 
Create a Custom Log Table
The SFTP Gateway logs do not match a standard schema. So, you will need to create a new Table in the Log Analytics Workspace to store them.
SFTP Gateway has two main logs:
- Application Log: Events for troubleshooting the Java application
- SFTP Audit Log: SFTP actions and authentication attempts
In this section, you will first configure one log type. Then, you will repeat the process for the other log type.
- Open the Log Analytics Workspace you created in the previous section 
- Under Settings, go to Tables 
- On the Tables tab, click Create, then New custom log (MMA-based)
- This will open the Create a custom log wizard 
- Download this example application log file 
- On the Sample tab, click the Select a file button to upload the example application log file. 
- Click Next 
- On the Record delimiter tab, make sure it's set to New line.  
- Click Next 
- On the Collection paths tab, use the following settings:
  - Type: Linux
  - Path: /opt/sftpgw/log/application-*.log
- Click Next 
- On the Details tab, set the Custom log name to ApplicationLog
- Click Next 
- On the Review + Create tab, click Create 
Repeat the process for the SFTP Audit Log:
- Custom log name: SFTPAuditLog
- Sample log file: sftp-audit log file
- Collection path: /opt/sftpgw/log/sftp-audit-*.log
Create a Data Collection Endpoint (DCE)
A Data Collection Endpoint is a dependency that you will need to support Custom Text Logs. Without it, you are limited to collecting Linux Syslogs.
- In the Azure Portal, go to the Azure Monitor service 
- Under Settings, click Data Collection Endpoints 
- Click + Create  
- For Endpoint Name, use azure-monitor-agent-endpoint
- For the Resource Group, use the same one as your VM 
- For Region, use the same one as your VM
- Click Review + create 
- Click Create 
Create a Data Collection Rule (DCR)
The Data Collection Rule (DCR) ties everything together. It wires the VM to the Log Analytics Workspace and defines which logs are collected.
The DCR also creates a couple of dependencies for you automatically:
- Installs the Azure Monitor Agent (AMA) on the VM
- Enables the System Managed Identity on the VM
To create a DCR:
- In the Azure Portal, go to the Azure Monitor service 
- Under Settings, click Data Collection Rules 
- Click + Create  
- On the Basics tab, configure the following:
  - Rule Name: Use ApplicationLogDCR
  - Resource Group: Use the same one as your Log Analytics Workspace
  - Region: Important: make sure this matches your VM's region
  - Platform Type: Use Linux
  - Data collection endpoint: Set it to azure-monitor-agent-endpoint, which you just created
- Click Next: Resources 
- On the Resources tab, do the following:
  - Click + Add resources
  - Check the box next to your VM, and click Apply
  - Click the checkbox for Enable Data Collection Endpoints
  - In the table column for Data collection endpoint, choose azure-monitor-agent-endpoint in the drop-down menu
- Click Next: Collect and deliver 
- On the Collect and deliver tab, do the following:
  - Click + Add data source
  - For Data source type, choose Custom Text Logs from the drop-down menu. Note: you need to set the DCE on the Basics tab for this option to be available
- This opens an Add data source modal window.
- On the Data source tab, set the following options:
  - Data source type: Custom Text Logs
  - File pattern: /opt/sftpgw/log/application-*.log
  - Table name: ApplicationLog_CL
  - Transform: source
- At the bottom of the screen, click Add data source 
- Click Review + create 
- Click Create 
Repeat this process to create a DCR for the SFTP Audit logs.
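Because a single mismatched value in the rule stops logs from arriving, it helps to check the finished rule against the settings used above. The following Python check is an added example, not part of the original article: it takes the rule's exported JSON and verifies the endpoint, file pattern, transform and target table. The field names follow the DCR resource schema; the sample rule, its "Custom-Text-" input stream name and the placeholder IDs are constructed for illustration.

```python
def check_dcr(dcr, file_pattern, table):
    """Return a list of wiring problems for one custom text log (empty list = OK)."""
    props = dcr.get("properties", dcr)  # accept nested (REST) or flattened exports
    problems = []
    if not props.get("dataCollectionEndpointId"):
        problems.append("no data collection endpoint set on the rule")
    sources = [s for s in props.get("dataSources", {}).get("logFiles", [])
               if file_pattern in s.get("filePatterns", [])]
    if not sources:
        return problems + [f"no logFiles data source for {file_pattern}"]
    streams = {name for s in sources for name in s.get("streams", [])}
    flows = [f for f in props.get("dataFlows", []) if streams & set(f.get("streams", []))]
    if not flows:
        return problems + ["no data flow consumes the log file stream"]
    declared = {d.get("name") for d in props.get("destinations", {}).get("logAnalytics", [])}
    for flow in flows:
        # Assumption: without an explicit outputStream, a flow writes to its input stream.
        outs = {flow["outputStream"]} if flow.get("outputStream") else set(flow.get("streams", []))
        if f"Custom-{table}" not in outs:
            problems.append(f"data flow does not write to Custom-{table}")
        if (flow.get("transformKql") or "source").strip() != "source":
            problems.append("transform is not the pass-through 'source'")
        dests = set(flow.get("destinations", []))
        if not dests or not dests <= declared:
            problems.append("data flow targets an undeclared destination")
    return problems

PATTERN, TABLE = "/opt/sftpgw/log/application-*.log", "ApplicationLog_CL"

# Constructed sample shaped like a DCR export; IDs are placeholders.
GOOD = {
    "dataCollectionEndpointId": "<resource-id-of-azure-monitor-agent-endpoint>",
    "dataSources": {"logFiles": [{
        "name": "applicationLog", "format": "text",
        "streams": ["Custom-Text-ApplicationLog_CL"],
        "filePatterns": [PATTERN]}]},
    "destinations": {"logAnalytics": [
        {"name": "law", "workspaceResourceId": "<workspace-resource-id>"}]},
    "dataFlows": [{
        "streams": ["Custom-Text-ApplicationLog_CL"], "destinations": ["law"],
        "transformKql": "source", "outputStream": "Custom-ApplicationLog_CL"}],
}
# Same rule with the endpoint missing and a mistyped output table.
BAD = {**GOOD, "dataCollectionEndpointId": None,
       "dataFlows": [{**GOOD["dataFlows"][0], "outputStream": "Custom-AppLog_CL"}]}

if __name__ == "__main__":
    print(check_dcr(GOOD, PATTERN, TABLE))
    print(check_dcr(BAD, PATTERN, TABLE))
```

Run the same check with the sftp-audit file pattern and SFTPAuditLog_CL against the second rule.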
Verify the Azure Monitor Agent installation
When you created the DCR, Azure automatically installed the Azure Monitor Agent (AMA) on the VM. To verify this, do the following:
- Go to the VM detail page in the Azure Portal 
- Under Settings, go to Extensions + applications 
- You should see AzureMonitorLinuxAgent with a status of Provisioning succeeded
Grant the VM permissions to send logs
In this section, you will configure the VM permissions for writing logs.
- Go to the VM detail page in the Azure Portal 
- Under Settings, go to Identity 
- Check the Status. It should be On (the default is Off).  
- Under Permissions, click Azure role assignments 
- Click +Add role assignment 
- Under Scope, select Resource group 
- For Resource group, choose the one containing the Log Analytics Workspace 
- For Role, select Contributor  
- Toward the bottom, click Save 
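The assignment above gives the VM's managed identity the Contributor role on the whole resource group, which covers every resource in that group and not only the workspace. As an added example (not part of the original article), this Python review takes the JSON printed by az role assignment list --assignee <principal-id> --all and lists broad roles the identity holds above single-resource scope, so the grant can be tracked and revisited. The role set, principal IDs and sample records are constructed for illustration.

```python
# Roles treated as broad for this review (an assumption; adjust to your policy).
BROAD_ROLES = {"Owner", "Contributor", "User Access Administrator"}

def scope_level(scope):
    """Classify an Azure scope string by how much it covers."""
    parts = [p.lower() for p in scope.strip("/").split("/")]
    if len(parts) == 2 and parts[0] == "subscriptions":
        return "subscription"
    if len(parts) == 4 and parts[2] == "resourcegroups":
        return "resource group"
    if len(parts) > 4 and "providers" in parts:
        return "resource"
    return "other"

def broad_assignments(assignments, principal_id):
    """Return (role, level, scope) for broad roles held above single-resource scope."""
    findings = []
    for a in assignments:
        if a.get("principalId") != principal_id:
            continue  # someone else's assignment
        level = scope_level(a.get("scope", ""))
        if a.get("roleDefinitionName") in BROAD_ROLES and level != "resource":
            findings.append((a["roleDefinitionName"], level, a["scope"]))
    return findings

# Constructed sample shaped like `az role assignment list` output.
VM_ID = "11111111-1111-1111-1111-111111111111"     # the VM's managed identity
OTHER_ID = "22222222-2222-2222-2222-222222222222"  # an unrelated user
RG = "/subscriptions/<sub-id>/resourceGroups/<law-resource-group>"
SAMPLE = [
    {"principalId": VM_ID, "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": RG},
    {"principalId": VM_ID, "principalType": "ServicePrincipal",
     "roleDefinitionName": "Reader",
     "scope": RG + "/providers/Microsoft.OperationalInsights/workspaces/<workspace>"},
    {"principalId": OTHER_ID, "principalType": "User",
     "roleDefinitionName": "Owner", "scope": "/subscriptions/<sub-id>"},
]

if __name__ == "__main__":
    for role, level, scope in broad_assignments(SAMPLE, VM_ID):
        print(f"{role} at {level} scope: {scope}")
```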
Check for incoming logs
At this point, everything should be wired properly. In this section, you are going to check the Log Analytics Workspace for any incoming logs.
- In the Azure Portal, search for Log Analytics workspaces 
- Select the Log Analytics Workspace you created earlier 
- In the left menu, under General, click Logs 
- If you see a Queries modal, click the X on the top right to close it 
- Type the following query: 
ApplicationLog_CL
| project RawData
You should see rows of results in the table below.

Troubleshooting
There are a lot of moving pieces, and there are many things that can go wrong. This section has some troubleshooting steps you can try.
No logs are showing up in the Log Analytics workspace query
- Try waiting an hour to give the incoming logs from the VM a chance to arrive
- Try generating log activity on the VM. For example, restart the Java service: service sftpgw-admin-api restart
- Make sure the Time range covers the log entries on the VM (i.e. try selecting Last 7 days)
- Run the query Heartbeat. This will show the latest heartbeat from the VM.

The Azure Monitor Agent extension is not installing
Try manually installing the AMA software:
az vm extension set --name AzureMonitorLinuxAgent --publisher Microsoft.Azure.Monitor --ids /subscriptions/abc-123/resourceGroups/rob-vm/providers/Microsoft.Compute/virtualMachines/rob-vm  --enable-auto-upgrade true
You will need to supply the VM's Resource ID for the --ids parameter.
To get the VM's Resource ID:
- Go to the VM's detail page 
- Under Settings, click Properties 
- Scroll down, and look for Resource ID 
The option for Custom Text Logs does not show up on the DCR
The Custom Text Logs option only shows up if you have a DCE set on the Basics tab. Try creating the DCE first.
Note: The Custom radio button (next to Windows and Linux) does not give you custom text logs. Rather, this setting means "both" Windows and Linux.
