OMS Log Analytics Forwarder


Summary: Collect and view data in OMS from your devices with no Internet connectivity.

Hi everyone, Nini here, and today I am going to talk about the new OMS Log Analytics Forwarder and how you can use it to allow your OMS-managed devices (Windows and Linux) to send data to a central server that has access to the Internet.

A problem some enterprises face today is the inability to collect data from servers and clients (including point of sale devices) when they have no Internet connectivity. This is where we come in! With the OMS Forwarder, which is now in public preview, you can transfer data from agents installed on these devices to OMS. This way, all agent data is sent through a single server that has the OMS Forwarder installed on it and access to the Internet. In this scenario, the Forwarder efficiently transfers data from the agents to OMS directly without analyzing any of the transferred data.

What is the OMS Log Analytics Forwarder?

Now that we understand the problem being solved, you’re probably wondering what it is and how it works. Simply put, the OMS Log Analytics Forwarder is an HTTP forward proxy that supports HTTP tunneling through the HTTP CONNECT command. It can handle up to 1,000 concurrently connected OMS devices when run on a 4-core, 8 GB Windows Server with a 1 Gbps network connection. Here’s a simple diagram to show how it is all connected:

Diagram of OMS Log Analytics Forwarder connections

 

In order for the OMS Log Analytics Forwarder to know the service end points that it needs to communicate with, we recommend that you install the OMS agent on the computer where the Forwarder is also installed. Additionally, when an OMS agent and the OMS Log Analytics Forwarder are on the same computer, you can monitor the health and performance of the Forwarder. Note that the Forwarder must have access to the Internet in order to upload data to OMS. This forwarder will also support OMS automation hybrid workers after proxy support is added. Please note that for this Public Preview release, we do not support SCOM Management Server using the OMS Forwarder.

Do not install the forwarder on a computer that is also a domain controller.

Got it! How can I install the OMS Log Analytics Forwarder?

You can do this in three easy steps!

Step 1: Install the OMS agent on the same server where you plan to install the Forwarder.

In order for the OMS Forwarder to know the endpoints that it needs to talk to, you need to install the OMS agent on the server on which you plan to install the Forwarder.

Follow the instructions in Connect Windows computers directly to OMS to install the agent. This link will show you how you can install the agent via the UI and via command line.

Note: Please wait for 2-3 minutes after you install the agent to install the OMS Forwarder.

Step 2: Install the OMS Log Analytics Forwarder

Prerequisites: .NET Framework 4.5, Windows Server 2012 R2 SP1 and above

  1. Download the MSI.
  2. On the Welcome page, click Next.

Welcome page dialog box for the OMS Log Analytics Forwarder Setup Wizard

  3. On the License Agreement page, select I accept the terms in the License Agreement to agree to the EULA and then click Next.

End-User License Agreement dialog box for OMS Log Analytics Forwarder

  4. On the Port and Proxy Address page, do the following:
    1. Type the TCP port number to be used for the forwarder. Setup opens this port in Windows Firewall. The default value is 8080. The valid range of the port number is 1 to 65,535. If the input does not fall within this range, an error message box will open.

      Dialog box that indicates a port number is out of range

    2. Input the proxy address where the Forwarder needs to connect, if the server on which the Forwarder resides needs to go through a proxy. For example, myorgname.corp.contoso.com:80. This is an optional value. If it’s blank, the Forwarder will try to connect to the Internet directly. Otherwise, the Forwarder will connect through your internal proxy. If your proxy requires authentication, you can provide a username (domain\user) and password.

      Note: If you do not provide a domain for the user, it will not work.

      Dialog box that shows where you add the port number for the gateway

      Dialog box that shows proxy server configuration

    3. Click Next.
  5. On the Destination Folder page, either leave the default folder, %ProgramFiles%\OMS Log Analytics Forwarder, or type the location where you want to install the Forwarder, and then click Next.

Dialog box that shows the folder where OMS Log Analytics Forwarder is installed

  6. On the Ready to install page, select Install. A User Account Control prompt might appear requesting permission to install. If so, click OK.

Dialog box where you click Install to start installation

  7. After Setup completes, click Finish. You can verify that the service is running by opening the services.msc snap-in and checking for Microsoft OMS Log Analytics Forwarder.

Services snap-in which shows status of the OMS Log Analytics Forwarder

Step 3: Configure OMS Agent to use the OMS Log Analytics Forwarder to send data

See Configure proxy and firewall settings for information about how to configure an OMS Windows agent to use a proxy server, which in this case is the OMS Forwarder. If you are using the OMS Linux agent, use the steps in Configuring the agent for use with an HTTP proxy server.

Troubleshooting the OMS Log Analytics Forwarder

We highly recommend that you install the OMS agent on computers where you install the Forwarder. You can then use the agent to collect the events that are logged by the Forwarder.

Screenshot of the OMS Log Analytics Forwarder Log in the Event Viewer

OMS Log Analytics Forwarder Event IDs and Descriptions

Event ID | Description
400 | Any application error that does not have a specific ID
401 | Wrong configuration. For example: listenPort = “haha” instead of an integer
402 | Exception in parsing TLS handshake messages
403 | Networking error. For example: cannot connect to target server
100 | General information
101 | Service has started
102 | Service has stopped
103 | Received an HTTP CONNECT command from client
104 | Not an HTTP CONNECT command
105 | Destination server is not in allowed list or the destination port is not secure port (443)
106 | The TLS session is suspicious for any reason and was rejected
107 | The TLS session has been verified
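
The event table above implies a gate on each client request: 103 for a CONNECT, 104 for anything else, and 105 when the destination is not on the allowed list or the port is not 443. The sketch below is an added example, not the Forwarder's own code; the allow-list pattern, the function names and the sample requests are assumptions constructed for illustration.

```python
import fnmatch
from collections import Counter

# Assumed allow-list for this sketch. The real Forwarder learns its service
# endpoints from the OMS agent installed on the same computer.
ALLOWED_HOSTS = ("*.ods.opinsights.azure.com",)
SECURE_PORT = 443


def classify_request(request_line, allowed=ALLOWED_HOSTS):
    """Map one proxy request line to event IDs from the table (103/104/105)."""
    parts = request_line.strip().split()
    if len(parts) != 3 or parts[0] != "CONNECT" or not parts[2].startswith("HTTP/"):
        return [104]                      # not an HTTP CONNECT command
    host, _, port = parts[1].rpartition(":")
    host = host.lower().rstrip(".")
    port_ok = port.isascii() and port.isdigit() and int(port) == SECURE_PORT
    host_ok = any(fnmatch.fnmatchcase(host, pat) for pat in allowed)
    if not (host_ok and port_ok):
        return [103, 105]                 # CONNECT seen, destination refused
    return [103]                          # tunnel allowed; TLS checks (106/107) follow


def rejected_destinations(request_lines, allowed=ALLOWED_HOSTS):
    """Count the CONNECT targets that would be logged as event 105."""
    counts = Counter()
    for line in request_lines:
        if 105 in classify_request(line, allowed):
            counts[line.split()[1]] += 1
    return counts


# Constructed sample requests, not captured from a real Forwarder.
SAMPLE = [
    "CONNECT workspace1.ods.opinsights.azure.com:443 HTTP/1.1",
    "CONNECT workspace1.ods.opinsights.azure.com:80 HTTP/1.1",
    "CONNECT updates.example.com:443 HTTP/1.1",
    "GET http://updates.example.com/ HTTP/1.1",
    "CONNECT updates.example.com:443 HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify_request(line), line)
    print(dict(rejected_destinations(SAMPLE)))
```

A run of 103 followed by 105 for the same destination therefore points at the agent's target host or port rather than at the Forwarder's own Internet access.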

Performance Counters to Collect

Name | Description
OMS Log Analytics Forwarder\Active Client Connection | Number of active client network (TCP) connections
OMS Log Analytics Forwarder\Connected Client | Number of connected clients
OMS Log Analytics Forwarder\Rejection Count | Number of rejections due to any TLS validation error

 

Add Counters dialog box

Uninstalling the OMS Log Analytics Forwarder from Add/Remove Programs

Image of "Uninstall or change a program" in the "Programs and Features" section of the Windows Control Panel

Supported number of Agent connections

Gateway | Approx. Number of Agents Supported
CPU: Intel Xeon CPU E5-2660 v3 @ 2.6GHz, 2 Cores; Memory: 4GB; Network Bandwidth: 1Gbps | 600
CPU: Intel Xeon CPU E5-2660 v3 @ 2.6GHz, 4 Cores; Memory: 8GB; Network Bandwidth: 1Gbps | 1000

This support is based on agents uploading ~200KB of data every 6 seconds. The data volume per agent tested is about 2.7GB per day.

Supported Operating System

  • Client SKU: Windows 7, Windows 8.1, Windows 10
  • Server SKU: W2K8 R2, W2012, W2012R2

What's next?

Moving forward, we plan on releasing a solution that allows you to view the health and performance of your Forwarders and Agents in OMS, as well as improving the functionality of the OMS Forwarder based on your feedback!

That is all I have for you today. If you have any feedback or questions, please comment below.

Priscilla Nini Ikhena

Microsoft Operations Management Team

Comments (19)

  1. rakesh upadhyay says:

    Hi, can this also be used for collecting performance counter data, i.e. processor, RAM and disk, from the devices? It seems now Perf data required an Internet connection even though it's connected via SCOM to OMS. If this works, great help.

    Also, will this help to get logs from the firewall devices too?

    1. Nini Ikhena says:

      Hi Rakesh, yes the Forwarder is able to collect performance counter data. It writes perf counters data into the system, and then the agent installed on the same server sends this data to OMS.
      You should be able to, as long as the devices have the OMS agent installed and configured to use the Forwarder.

  2. Thomas Førde says:

    Can this also be used to forward logs to Advanced Threat Analytics, so that you don't need a System Center solution as well to forward the same logs, or do you require SCOM for this?

    1. Nini Ikhena says:

      Hi Thomas, the Forwarder at the moment is not able to forward logs to Advanced Threat Analytics. However, we're working on an OMS solution that will give you insight into your logs, health and performance of the Forwarder and your agents.

      1. Thomas Førde says:

        So I would still require SCOM as SIEM to be able to send logs to ATA, or are you saying that ATA will (soon) be able to connect to OMS and get logs from there? 🙂

  3. Ian Smith says:

    Thank You Guys!!!!!!!!!!!!

    1. Nini Ikhena says:

      Please let us know if you have any feedback! 🙂

  4. Marco says:

    Hi, can this forwarder be used as a proxy for SCOM or MMAs not directly connected?
    Thanks,

    1. Nini Ikhena says:

      Hello, the proxy does not support SCOM at the moment; it only supports direct agents. However, we are working towards adding this functionality.

      1. Manish says:

        Hi Nini, good post! One quick question around the Alert forwarder: we're seeing issues with event 103 followed by 105. The Alert forwarder is an Azure VM and has access to the Internet. I couldn't find anything that could guide me around this, though I found a workaround for Linux for the same event. Can you please guide?

  5. Jason Aranha says:

    Any plan for when the OMS Forwarder will support communication for Linux Agent and SCOM MS?

    I noticed a problem recently. I had enabled the proxy setting on SCOM with minimal solutions onboarded [our SCOM MS doesn't have a direct Internet connection]. Namely, only the Alert Management solution was onboarded. I had approx. 500+ servers communicating to SCOM, and they all also reported to the proxy. I was not sure why they would report to the proxy when we didn't onboard the Security or IIS Log solution. Our proxy was licensed for 250 servers, which caused an impact to us. I had to remove all the servers from OMS. Is there any plan in the future to send traffic from SCOM and Linux Agent to the OMS Forwarder?

    Note that with some upcoming intelligence packs (i.e. ‘Security and Audit’), given the large volume of data sent for those scenarios (Windows Security Logs), the agents, even if reporting to OpsMgr and receiving configuration from the OpsMgr Management Group, will report data directly (=without queuing thru the management server) to the cloud. The destination needed for this communication is the following:

    URL | Ports
    *.ods.opinsights.azure.com | Port 443

    Note that the proxy setting specified in Step 2 below will be automatically propagated to OpsMgr agents. [This is a problem for us. We cannot have a global setting for all agents.]

  6. Sharon says:

    Can we enable HTTPS for the OMS Log Analytics Forwarder? Meaning:
    1. The OMS agent communication to the Forwarder.
    2. The Forwarder communication to OMS.
    Thanks

  7. Martin Berra says:

    Hi,

    Is this version suitable for production?
    Is there a newer version?

    Thks

  8. Jess says:

    Has anyone been able to get their agents with no Internet connectivity to communicate with the machine running the forwarder? The setup instructions just state to point the agent to the forwarder server via the proxy setting, but there are no details. On the agent side, I'm seeing: "the agent had an unknown failure 12019" when I have the workspace ID in the agent config tab Azure Log Analytics (OMS) tab. The forwarder event logs report event ID 105 "Destination server is not in allowed list or the destination port is not secure port (443)". What have I missed?

    1. OMSWorld says:

      Hey Jess,
      What did you mention for proxy settings on your direct agent installation? That field should be your OMS gateway followed by the port if you have customised any port number.
      Make sure you open the new customized port to listen for inbound traffic.
      Proxy server settings will only and only go on to your OMS gateway!
      Also, if your OMS gateway needs authentication to access, then you need to mention user credentials.
      I have used a service account in my case.
      Do not connect your direct agents to listen to the proxy server directly.
      Microsoft install documents did not mention this part correctly.

    2. Stefan says:

      My problem was that there is an updated version of the "forwarder" which is called "OMS Gateway" - and that worked like a charm.

  9. scott perry says:

    Do you need an OMS agent installed on all the servers, or can you just utilize the built-in Windows forwarding to forward event logs to the OMS Log Analytics Forwarder?
