root@VRT-EDL-001-LAT:~ # wget https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py
--2020-03-26 17:28:13--  https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py
Resolving forcepoint.ntprod.pri (forcepoint.ntprod.pri)... 10.50.255.32
Connecting to forcepoint.ntprod.pri (forcepoint.ntprod.pri)|10.50.255.32|:80... connected.
Proxy request sent, awaiting response... 200 OK
Length: 21429 (21K) [text/plain]
Saving to: ‘cef_installer.py’

100%[=======================================================================================>] 21,429      --.-K/s   in 0s

2020-03-26 17:28:13 (50.4 MB/s) - ‘cef_installer.py’ saved [21429/21429]

Workspace ID: 
Primary key: 
Trying to download the omsagent.
wget https://raw.githubusercontent.com/Microsoft/OMS-Agent-for-Linux/master/installer/scripts/onboard_agent.sh
--2020-03-26 17:28:13--  https://raw.githubusercontent.com/Microsoft/OMS-Agent-for-Linux/master/installer/scripts/onboard_agent.sh
Resolving forcepoint.ntprod.pri (forcepoint.ntprod.pri)... 10.50.255.32
Connecting to forcepoint.ntprod.pri (forcepoint.ntprod.pri)|10.50.255.32|:80... connected.
Proxy request sent, awaiting response... 200 OK
Length: 3006 (2.9K) [text/plain]
Saving to: ‘onboard_agent.sh’

100%[=======================================================================================>] 3,006       --.-K/s   in 0s

2020-03-26 17:28:13 (34.7 MB/s) - ‘onboard_agent.sh’ saved [3006/3006]

Downloaded omsagent successfully.
Installing omsagent
sh onboard_agent.sh -w  -s  -d opinsights.azure.com
--2020-03-26 17:28:16--  https://github.com/microsoft/OMS-Agent-for-Linux/releases/download/OMSAgent_v1.12.15-0/omsagent-1.12.15-0.universal.x64.sh
Resolving forcepoint.ntprod.pri (forcepoint.ntprod.pri)... 10.50.255.32
Connecting to forcepoint.ntprod.pri (forcepoint.ntprod.pri)|10.50.255.32|:80... connected.
Proxy request sent, awaiting response... 302 Found
Location: https://github-production-release-asset-2e65be.s3.amazonaws.com/43709699/a2f92f00-06dd-11ea-8cfc-de877d104657?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20200326%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20200326T222626Z&X-Amz-Expires=300&X-Amz-Signature=00290a81be912f29ab0aea7b241b39bdd85f63abbd1e1bdb5d6481a3a209f5c8&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=attachment%3B%20filename%3Domsagent-1.12.15-0.universal.x64.sh&response-content-type=application%2Foctet-stream [following]
--2020-03-26 17:28:16--  https://github-production-release-asset-2e65be.s3.amazonaws.com/43709699/a2f92f00-06dd-11ea-8cfc-de877d104657?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20200326%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20200326T222626Z&X-Amz-Expires=300&X-Amz-Signature=00290a81be912f29ab0aea7b241b39bdd85f63abbd1e1bdb5d6481a3a209f5c8&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=attachment%3B%20filename%3Domsagent-1.12.15-0.universal.x64.sh&response-content-type=application%2Foctet-stream
Connecting to forcepoint.ntprod.pri (forcepoint.ntprod.pri)|10.50.255.32|:80... connected.
Proxy request sent, awaiting response... 200 OK
Length: 140668566 (134M) [application/octet-stream]
Saving to: ‘omsagent-1.12.15-0.universal.x64.sh’

100%[=======================================================================================>] 140,668,566 13.2MB/s   in 7.4s

2020-03-26 17:28:24 (18.2 MB/s) - ‘omsagent-1.12.15-0.universal.x64.sh’ saved [140668566/140668566]

Generating a 2048 bit RSA private key
.....................................+++
.....+++
writing new private key to '/etc/opt/omi/ssl/omikey.pem'
-----
Created symlink from /etc/systemd/system/multi-user.target.wants/omid.service to /usr/lib/systemd/system/omid.service.
ERROR: start_omsagent failed with result '1' on workspace .
chmod: cannot access ‘/opt/dsc’: No such file or directory
su: warning: cannot change directory to /var/opt/microsoft/omsagent/run: Permission denied
-bash: /var/opt/microsoft/omsagent/run/.bash_profile: Permission denied
su: warning: cannot change directory to /var/opt/microsoft/omsagent/run: Permission denied
-bash: /var/opt/microsoft/omsagent/run/.bash_profile: Permission denied
su: warning: cannot change directory to /var/opt/microsoft/omsagent/run: Permission denied
-bash: /var/opt/microsoft/omsagent/run/.bash_profile: Permission denied
su: warning: cannot change directory to /var/opt/microsoft/omsagent/run: Permission denied
-bash: /var/opt/microsoft/omsagent/run/.bash_profile: Permission denied
su: warning: cannot change directory to /var/opt/microsoft/omsagent/run: Permission denied
-bash: /var/opt/microsoft/omsagent/run/.bash_profile: Permission denied
su: warning: cannot change directory to /var/opt/microsoft/omsagent/run: Permission denied
-bash: /var/opt/microsoft/omsagent/run/.bash_profile: Permission denied
su: warning: cannot change directory to /var/opt/microsoft/omsagent/run: Permission denied
-bash: /var/opt/microsoft/omsagent/run/.bash_profile: Permission denied
gpg: directory `/etc/opt/omi/conf/omsconfig/.gnupg' created
gpg: new configuration file `/etc/opt/omi/conf/omsconfig/.gnupg/gpg.conf' created
gpg: WARNING: options in `/etc/opt/omi/conf/omsconfig/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/etc/opt/omi/conf/omsconfig/.gnupg/secring.gpg' created
gpg: keyring `/etc/opt/omi/conf/omsconfig/keymgmtring.gpg' created
gpg: /etc/opt/omi/conf/omsconfig/.gnupg/trustdb.gpg: trustdb created
gpg: key 44BC4178: public key "Microsoft (Release Signing) " imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
su: warning: cannot change directory to /var/opt/microsoft/omsagent/run: Permission denied
-bash: /var/opt/microsoft/omsagent/run/.bash_profile: Permission denied
gpg: keyring `/etc/opt/omi/conf/omsconfig/keyring.gpg' created
gpg: key DE321294: public key "Microsoft (Release Signing) " imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
su: warning: cannot change directory to /var/opt/microsoft/omsagent/run: Permission denied
-bash: /var/opt/microsoft/omsagent/run/.bash_profile: Permission denied
Checking if Docker is installed...
Docker not found. Docker agent will not be installed.
Installed omsagent successfully.
Creating omsagent configuration to listen to syslog daemon forwarding port - 25226
Configuration location is - /etc/opt/microsoft/omsagent//conf/omsagent.d/security_events.conf
Download configuration into the correct directory
sudo wget -O /etc/opt/microsoft/omsagent//conf/omsagent.d/security_events.conf https://raw.githubusercontent.com/microsoft/OMS-Agent-for-Linux/master/installer/conf/omsagent.d/security_events.conf
--2020-03-26 17:30:34--  https://raw.githubusercontent.com/microsoft/OMS-Agent-for-Linux/master/installer/conf/omsagent.d/security_events.conf
Resolving forcepoint.ntprod.pri (forcepoint.ntprod.pri)... 10.50.255.32
Connecting to forcepoint.ntprod.pri (forcepoint.ntprod.pri)|10.50.255.32|:80... connected.
Proxy request sent, awaiting response... 200 OK
Length: 417 [text/plain]
Saving to: ‘/etc/opt/microsoft/omsagent//conf/omsagent.d/security_events.conf’

100%[=======================================================================================>] 417         --.-K/s   in 0s

2020-03-26 17:30:34 (42.0 MB/s) - ‘/etc/opt/microsoft/omsagent//conf/omsagent.d/security_events.conf’ saved [417/417]

Configuration for omsagent downloaded successfully.
Trying to changed omsagent configuration
Omsagent configuration was changed to fit required protocol - /etc/opt/microsoft/omsagent//conf/omsagent.d/security_events.conf
Finished changing omsagent configuration
Located rsyslog daemon running on the machine
Creating rsyslog daemon configuration. Configuration is changed to forward daemon incoming syslog messages into the omsagent.
Every command containing 'CEF' string will be forwarded.
Path: /etc/rsyslog.d/security-config-omsagent.conf
Rsyslog daemon configuration content:
:rawmsg, regex, "CEF\|ASA" ~
*.* @@127.0.0.1:25226
Configuration for rsyslog daemon was changed successfully.
Rsyslog.conf configuration was changed to fit required protocol - /etc/rsyslog.conf
Restarting rsyslog daemon.
sudo service rsyslog restart
Redirecting to /bin/systemctl restart rsyslog.service
Rsyslog daemon restarted successfully
Trying to restart omsagent
sudo /opt/microsoft/omsagent/bin/service_control restart
Omsagent restarted successfully
Installation completed
root@VRT-EDL-001-LAT:~ # echo $?
0
root@VRT-EDL-001-LAT:~ # /opt/microsoft/omsagent/bin/service_control restart
root@VRT-EDL-001-LAT:~ # echo $?
1
root@VRT-EDL-001-LAT:~ # systemctl -l status omsagent-
omsagent-.service - Operations Management Suite agent
   Loaded: loaded (/usr/lib/systemd/system/omsagent-.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Thu 2020-04-02 10:14:23 CDT; 1h 48min ago
  Process: 7836 ExecStop=/bin/rm -f /var/opt/microsoft/omsagent//run/omsagent.pid (code=exited, status=1/FAILURE)
  Process: 7831 ExecStart=/opt/microsoft/omsagent/bin/omsagent -d /var/opt/microsoft/omsagent//run/omsagent.pid -o /var/opt/microsoft/omsagent//log/omsagent.log -c /etc/opt/microsoft/omsagent//conf/omsagent.conf --no-supervisor (code=exited, status=1/FAILURE)
 Main PID: 7831 (code=exited, status=1/FAILURE)

Apr 02 10:14:23 VRT-EDL-001-LAT omsagent[7831]: from /opt/microsoft/omsagent/ruby/lib/ruby/gems/2.6.0/gems/fluentd-0.12.40/lib/fluent/command/fluentd.rb:173:in `'
Apr 02 10:14:23 VRT-EDL-001-LAT omsagent[7831]: from /opt/microsoft/omsagent/ruby/lib/ruby/2.6.0/rubygems/core_ext/kernel_require.rb:54:in `require'
Apr 02 10:14:23 VRT-EDL-001-LAT omsagent[7831]: from /opt/microsoft/omsagent/ruby/lib/ruby/2.6.0/rubygems/core_ext/kernel_require.rb:54:in `require'
Apr 02 10:14:23 VRT-EDL-001-LAT omsagent[7831]: from /opt/microsoft/omsagent/ruby/lib/ruby/gems/2.6.0/gems/fluentd-0.12.40/bin/fluentd:5:in `'
Apr 02 10:14:23 VRT-EDL-001-LAT omsagent[7831]: from /opt/microsoft/omsagent/bin/omsagent:23:in `load'
Apr 02 10:14:23 VRT-EDL-001-LAT omsagent[7831]: from /opt/microsoft/omsagent/bin/omsagent:23:in `'
Apr 02 10:14:23 VRT-EDL-001-LAT systemd[1]: omsagent-.service: main process exited, code=exited, status=1/FAILURE
Apr 02 10:14:23 VRT-EDL-001-LAT systemd[1]: omsagent-.service: control process exited, code=exited status=1
Apr 02 10:14:23 VRT-EDL-001-LAT systemd[1]: Unit omsagent-.service entered failed state.
Apr 02 10:14:23 VRT-EDL-001-LAT systemd[1]: omsagent-.service failed.
root@VRT-EDL-001-LAT:~ #
root@VRT-EDL-001-LAT:~ # systemctl status omid
omid.service - OMI CIM Server
   Loaded: loaded (/usr/lib/systemd/system/omid.service; enabled; vendor preset: disabled)
   Active: activating (auto-restart) (Result: exit-code) since Thu 2020-04-02 12:02:41 CDT; 375ms ago
  Process: 30716 ExecStop=/opt/omi/bin/omiserver -s (code=exited, status=0/SUCCESS)
  Process: 30710 ExecStart=/opt/omi/bin/omiserver -d (code=exited, status=0/SUCCESS)
  Process: 30669 ExecStartPre=/opt/omi/bin/support/installssllinks (code=exited, status=0/SUCCESS)
 Main PID: 30713 (code=exited, status=1/FAILURE)

Apr 02 12:02:41 VRT-EDL-001-LAT systemd[1]: Unit omid.service entered failed state.
Apr 02 12:02:41 VRT-EDL-001-LAT systemd[1]: omid.service failed.
root@VRT-EDL-001-LAT:~ # ls -ld /opt/dsc
drwxr-xr-x 5 omsagent root 4096 Mar 26 17:29 /opt/dsc
root@VRT-EDL-001-LAT:~ #
root@VRT-EDL-001-LAT:~ # ls -ld /var/opt/microsoft/omsagent/run
lrwxrwxrwx 1 root root 68 Mar 26 17:29 /var/opt/microsoft/omsagent/run -> /var/opt/microsoft/omsagent//run
root@VRT-EDL-001-LAT:~ # ls -ld /var/opt/microsoft/omsagent//run
drwxr-x--- 2 omsagent omiusers 4096 Mar 26 17:29 /var/opt/microsoft/omsagent//run
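The log above shows cef_installer.py invoked with no arguments: `Workspace ID:` and `Primary key:` print empty, onboard_agent.sh is called as `-w  -s  -d opinsights.azure.com` with nothing after `-w` and `-s`, the failure reads `on workspace .`, and the unit that ends up failing is literally `omsagent-.service`. The script was also fetched through the proxy and handed straight to `sudo python` with no integrity check. The wrapper below is an added example, not code from the Azure-Sentinel repository or from cef_installer.py itself; it refuses to run the installer until both values look usable and the downloaded script matches a SHA-256 digest obtained out of band. The function names, the GUID/base64 shape checks and the idea of passing the digest as a third argument are assumptions of this example, not behaviour the installer documents.

```shell
#!/bin/sh
# cef_preflight.sh (added example; not part of the Azure-Sentinel repo)
# Usage: sh cef_preflight.sh <workspace-id> <primary-key> <sha256-of-installer>
# With no arguments it only defines functions, so it can be sourced and tested.
set -u

# Workspace ID must be a GUID. An empty value produces a unit named
# "omsagent-.service", which is what the systemctl output above shows.
is_guid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Primary key: non-empty, base64 character set (assumption: only the
# shape is checked; the exact key length is not asserted here).
is_base64_key() {
    [ -n "$1" ] && printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$'
}

# Name of the systemd unit onboard_agent.sh registers for a workspace.
omsagent_unit_name() {
    printf 'omsagent-%s.service\n' "$1"
}

# Returns 0 when both arguments look usable, 1 otherwise, explaining why.
preflight() {
    ws="$1"; key="$2"; rc=0
    if ! is_guid "$ws"; then
        echo "workspace ID '$ws' is not a GUID" >&2; rc=1
    fi
    if ! is_base64_key "$key"; then
        echo "primary key is empty or not base64" >&2; rc=1
    fi
    return "$rc"
}

# Compare a file against an expected SHA-256 (hex). The expected digest
# must come from a trusted channel; a hash fetched over the same proxy
# as the file proves nothing.
verify_sha256() {
    file="$1"; expected="$2"
    actual=$( (sha256sum "$file" 2>/dev/null || shasum -a 256 "$file") | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Full flow: validate, download, pin, and only then run with sudo.
install_cef_connector() {
    ws="$1"; key="$2"; expected="$3"
    url='https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py'
    preflight "$ws" "$key" || return 1
    wget -q -O cef_installer.py "$url" || return 1
    if ! verify_sha256 cef_installer.py "$expected"; then
        echo "cef_installer.py digest mismatch; not running it" >&2
        rm -f cef_installer.py
        return 1
    fi
    sudo python cef_installer.py "$ws" "$key"
}

# Only act when all three arguments are present; sourcing the file or
# running it bare does nothing on the network.
if [ "$#" -eq 3 ]; then
    install_cef_connector "$1" "$2" "$3"
fi
```

Under the conditions in the log (both values empty) `preflight` fails before anything is downloaded, and `omsagent_unit_name ""` reproduces the `omsagent-.service` name, which is a quick way to tell an empty-workspace install from a genuine agent crash when reading `systemctl status` output.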