RedHat Linux - AMA agent Rsyslog issue

George OCAK 70 Reputation points
2025-05-08T15:32:20.78+00:00

Hi All,

We have the AMA agent installed on our host and confirmed that CEF events are being received. However, they are not being forwarded to port 28330 as expected. The firewall is disabled, SELinux is disabled, and the JSON configuration files for the DCR, rsyslog.conf, and the AMA agent config all exist and appear correct.

The Microsoft Sentinel troubleshooting script flagged only one issue: the root directory disk has less than 1GB of space remaining.

This disk is mounted to the host, but it is not partitioned or explicitly assigned to / or /var/log.

Could the insufficient disk space or the way the disk is mounted/partitioned be preventing log forwarding to port 28330, even though logs are being received?

If not, what else might block the AMA agent from forwarding CEF logs?

Note that the port is open and the host listens on port 28330, but not all the time; I have seen the error message below.

rsyslogd[61418]: cannot connect to 127.0.0.1:28330: Connection refused [v8.2102.0-15.el8_10.1 try https://www.rsyslog.com/e/2027 ]

But when I restarted rsyslog, the error was gone.

Thanks

Azure Monitor

1 answer

  1. Vinod Pittala 1,830 Reputation points Microsoft External Staff Moderator
    2025-05-09T00:13:31.9766667+00:00

    Hello George OCAK,

    Insufficient disk space can indeed prevent the Azure Monitor Agent (AMA) from forwarding logs. The AMA buffers events to /var/opt/microsoft/azuremonitoragent/events prior to ingestion, and if the disk is nearly full, it may prevent the agent from processing and forwarding logs effectively. The agent might also need to create temporary files during the forwarding process, and lack of space can hinder this.

    You mentioned that the JSON configuration files for the Data Collection Rule (DCR), rsyslog.conf, and the AMA agent config all exist and appear correct. However, it is essential to double-check the configurations for any potential issues.

    Additionally, even though the port 28330 is open and the host is listening on it, other factors could block the forwarding of CEF logs. These might include:

    1. Configuration Issues: Ensure that the DCR is correctly set up to forward CEF logs, that the rsyslog.conf file is correctly configured to forward logs to port 28330, and that the AMA agent configuration is correct and matches the intended setup.
    2. Rsyslog Daemon State: If the rsyslog daemon is not running properly or encounters errors, it may not forward logs as expected. Restarting the rsyslog service, as you noted, resolved the error temporarily, which suggests that there might be intermittent issues with the daemon.
    3. Network Issues: Although you mentioned that the firewall is disabled, ensure that there are no network-related issues affecting the communication between the rsyslog and the AMA agent.
    4. Resource Limits: Check for any resource limits (like file descriptors) that may be imposed on the rsyslog or AMA processes.

    The error message you mentioned could indicate that the connection to port 28330 is being refused. Restarting rsyslog resolves the issue temporarily, suggesting a potential configuration or resource issue, so investigate the rsyslog configuration and logs to identify any recurring issues. As said, ensure that rsyslog is correctly configured to forward logs to port 28330 and that there are no resource constraints affecting its operation.

    You can refer to the below useful documents.

    1. https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-troubleshoot-linux-vm-rsyslog
    2. https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-troubleshoot-linux-vm

    If the problem still persists post addressing these potential causes, you can enable debugging logs for the AMA agent to gather more insights into what might be going wrong during log forwarding.

    If you have any further questions, please do not hesitate to reach out. I am here to assist you.

    If you found the above comment helpful, kindly click "Upvote it".

    Thank you

