AMA agent installation vs Arc agent install?

David Broggy 5,716 Reputation points MVP
2024-08-27T20:03:16.6766667+00:00

Hi there,

There are 2 procedures for installing the Azure AMA agent for use with Sentinel as a syslog collector:

  1. install the AMA agent using the python script provided by Sentinel: https://video2.skills-academy.com/en-us/azure/sentinel/forward-syslog-monitor-agent
  2. install the Arc agent and then create a DCR to push out the AMA service and syslog configuration.

In which case would you use either?
I would think Arc provides more controls and is good for local syslog collection, while the AMA agent is more commonly used as a syslog forwarder (as well as local logs)?

Microsoft Sentinel

1 answer

  1. Givary-MSFT 32,311 Reputation points Microsoft Employee
    2024-08-29T05:19:49.5666667+00:00

    @David Broggy Both the Azure Monitor Agent (AMA) and the Azure Arc agent can be used to collect syslog data and forward it to Azure Sentinel. The choice between the two depends on your specific requirements and environment.

    The Azure Monitor Agent is a lightweight agent that can be installed on Linux and Windows machines to collect logs and metrics and forward them to Azure Monitor. It includes a syslog forwarder that can be used to collect syslog data from local sources and forward it to Azure Sentinel. The AMA agent is a good choice if you need a simple and lightweight solution for forwarding syslog data to Azure Sentinel.

    The Azure Arc agent is a more comprehensive agent that can be used to manage and monitor resources across on-premises, multi-cloud, and edge environments. It includes a syslog forwarder that can be used to collect syslog data from local sources and forward it to Azure Sentinel. The Arc agent is a good choice if you need a more comprehensive solution for managing and monitoring your resources, and if you want to use a single agent to collect and forward syslog data.

    In general, if you only need to forward syslog data from local sources to Azure Sentinel, the Azure Monitor Agent is a good choice. If you need a more comprehensive solution for managing and monitoring your resources, and if you want to use a single agent to collect and forward syslog data, the Azure Arc agent is a good choice.

    Let me know if you have any further questions, feel free to post back.

    Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.

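Added example, not code from the thread and not Microsoft's installer script. In both procedures the process that actually receives syslog is the Azure Monitor Agent: the Arc route only changes how AMA arrives on the box (as the AzureMonitorLinuxAgent extension pushed by the DCR association) rather than what collects. What the installer script in procedure 1 sets up on the collector is the local syslog daemon: accept syslog from the network devices on port 514 and hand every message to AMA's local TCP listener on 127.0.0.1:28330. The script below reproduces that rsyslog side in POSIX shell and adds the check a security engineer would want, refusing to forward to anything but loopback, because the 28330 hop is plain TCP. Assumptions: rsyslog rather than syslog-ng, rsyslog 8.37 or later for the `address` bind parameter, and the file name `20-sentinel-forwarder.conf`, the `LISTEN_ADDR` and `SENTINEL_FWD_APPLY` variables and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or Microsoft's Forwarder installer).
# Configures rsyslog on a Sentinel syslog collector:
#   1. listen for remote syslog on UDP/TCP 514 (bound to one address)
#   2. forward everything to the Azure Monitor Agent's local listener, 127.0.0.1:28330
# AMA itself must already be installed, either by the Sentinel python installer or by
# the Arc agent + DCR extension path; this script does not install AMA.

AMA_HOST="${AMA_HOST:-127.0.0.1}"       # AMA's documented local syslog listener
AMA_PORT="${AMA_PORT:-28330}"
LISTEN_PORT="${LISTEN_PORT:-514}"
LISTEN_ADDR="${LISTEN_ADDR:-0.0.0.0}"   # narrow to the collector's management IP in production
CONF_FILE="${CONF_FILE:-/etc/rsyslog.d/20-sentinel-forwarder.conf}"   # example's own file name

# Only accept a loopback target: the 28330 hop is unencrypted TCP, so AMA must be local.
ama_target_is_loopback() {
    case "$1" in
        127.*|::1|localhost) return 0 ;;
        *) return 1 ;;
    esac
}

# Render the rsyslog fragment to stdout so it can be inspected or tested before installing.
# 'address' on imudp/imtcp inputs needs rsyslog 8.37+ (assumption stated in the lead-in).
render_forwarder_conf() {
    cat <<EOF
# Generated by the added example script: remote syslog in, Azure Monitor Agent out.
module(load="imudp")
input(type="imudp" port="$LISTEN_PORT" address="$LISTEN_ADDR")
module(load="imtcp")
input(type="imtcp" port="$LISTEN_PORT" address="$LISTEN_ADDR")
# Forward every facility/severity to AMA over TCP; queue so a brief AMA restart drops nothing.
*.* action(type="omfwd" target="$AMA_HOST" port="$AMA_PORT" protocol="tcp"
           queue.type="LinkedList" queue.size="25000" action.resumeRetryCount="-1")
EOF
}

# Write the fragment, validate the whole rsyslog config, then restart the daemon.
install_forwarder_conf() {
    if ! ama_target_is_loopback "$AMA_HOST"; then
        echo "refusing to forward to non-loopback AMA target $AMA_HOST" >&2
        return 1
    fi
    render_forwarder_conf > "$CONF_FILE"
    # -N1 = config syntax check only; catches a bad bind address before rsyslog is restarted.
    if ! rsyslogd -N1 -f /etc/rsyslog.conf >/dev/null 2>&1; then
        echo "rsyslog rejected the configuration, removing $CONF_FILE" >&2
        rm -f "$CONF_FILE"
        return 1
    fi
    systemctl restart rsyslog
}

# Only touch the system when explicitly asked, so the functions can be sourced safely.
if [ "${SENTINEL_FWD_APPLY:-0}" = "1" ]; then
    install_forwarder_conf
fi
```

Run it as root with `SENTINEL_FWD_APPLY=1` on the collector, and restrict port 514 on the host firewall to the source ranges of the devices that should be sending. On the Arc route the same rsyslog configuration applies once AMA is present; there the DCR association to the Arc machine resource is what triggers the extension install, so the collector's syslog daemon is still the piece you configure yourself.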
