You can add computers to Azure Monitor by installing the Microsoft Monitoring Agent. You need to create a Log Analytics workspace before adding computers. The following information covers setting up a workspace, configuring servers for Azure Monitor, and verifying they are connected.
Workspace setup
The first step is setting up the workspace. Log into Azure, go to Azure Monitor, and select Logs. This will start the Log Analytics workspace creation process. If selecting Logs displays a search window instead of the option below, a workspace already exists, and you can go to the next section.
Log Analytics workspace setup
Select the option to Create New and enter a workspace name. This name has to be globally unique and is limited to letters, numbers, and the "-" symbol without spaces. Next, select the subscription for the workspace and then create a new Resource group or add to an existing one.
When you select a location, keep in mind the price may vary based on the location you select. Check Microsoft's pricing page for current pricing. Workspaces set up after April 2018 will only have the Per GB option for pricing. Click OK to create the workspace.
That's all there is to it! However, at this point the workspace is not collecting much data, and its usefulness is limited. To start collecting data, there are two steps: add the virtual machines (VMs) and configure workspace logging.
Adding Azure VMs
Start by adding servers to the workspace. Go into the workspace created in the previous step, and select Virtual Machines. A list of available VMs displays their connection status. The connection status will show Not connected, Connected to another workspace, or This workspace. Click on a server you want to add, and you will see the option to connect. You also have the option to disconnect servers from that location. In the background, Azure uses an extension to add the Microsoft Monitoring Agent to the server.
You can also configure clients using the Azure Extension with PowerShell, the command-line interface, or with an Azure Resource Manager (ARM) template. Below is an example using PowerShell. You will need a workspace ID and workspace key for the installation, which you can find in the Advanced settings on the workspace.
    # Workspace ID and key come from the workspace's Advanced settings.
    $PublicSettings = @{"workspaceId" = "WORKSPACE_ID"}
    # The key goes in protected settings, which Azure encrypts for the target VM.
    $ProtectedSettings = @{"workspaceKey" = "WORKSPACE_KEY=="}
    $ResourceGroup = "RESOURCE_GROUP"
    $VMName = "SERVER_NAME"
    # Use the resource group's location for the extension.
    $Location = (Get-AzureRmResourceGroup $ResourceGroup).Location

    # Install the Microsoft Monitoring Agent extension on the VM.
    Set-AzureRmVMExtension -ExtensionName "Microsoft.EnterpriseCloud.Monitoring" `
        -ResourceGroupName $ResourceGroup `
        -VMName $VMName `
        -Publisher "Microsoft.EnterpriseCloud.Monitoring" `
        -ExtensionType "MicrosoftMonitoringAgent" `
        -TypeHandlerVersion 1.0 `
        -Settings $PublicSettings `
        -ProtectedSettings $ProtectedSettings `
        -Location $Location
Adding on-premises computers
There is an option to run the agent installation locally on the server. Start by downloading the Windows or Linux agent from the Advanced settings page of the workspace. This requires the workspace ID and key for installation, also located in Advanced settings. It is possible to configure a server outside of Azure with the agent installation, thus allowing for deployment to on-premises servers or to servers running in other cloud services (provided they have access to the internet).
You can run the agent from the server with the executable. You can also push the client to non-Azure servers using deployment solutions such as the System Center Configuration Manager (SCCM). Accomplish this by downloading and extracting the software with the command below, replacing the executable with the version you downloaded and the <path> with the location you want to extract it to:
MMASetup-AMD64.exe /c /t:<path>
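Next, create a batch file with the following line of code and place it in the folder where you extracted the software. Replace <your workspace id> and <your workspace key> with the settings for your workspace. This will run a silent install, connecting the agent to your workspace. The batch file holds the workspace key in clear text, so restrict access to the folder or deployment share that contains it.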
setup.exe /qn NOAPM=1 ADD_OPINSIGHTS_WORKSPACE=1 OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0 OPINSIGHTS_WORKSPACE_ID=<your workspace id> OPINSIGHTS_WORKSPACE_KEY=<your workspace key> AcceptEndUserLicenseAgreement=1
Workspace configuration
You need to configure the workspace to collect data after connecting the servers. Set this under Workspace, Advanced Settings, Data. Select the types of data to collect from this location. There are several options for data to collect, including Windows Event Logs, Windows and Linux Performance Counters, IIS Logs, Syslogs, Custom Logs, and Custom Fields.
To get started, add the Windows application and system event logs. Go to Windows Event Logs and enter Application to collect events from this log. Click on the "+" sign to add it to the list. Notice the options to set the level of event log collection: Error, Warning, Informational, or a combination of the three. Repeat the steps for the System log.
Next, select Windows Performance Counters. The next example shows the preselected performance counters.
Modify the sample interval and add or remove performance counters as needed in your environment. Keep in mind that the price for this service is based on data consumption, and these settings will affect the amount of data collected. I've changed the sample interval from 10 to 30 seconds in this example.
Click on Save after making the changes to update the workspace.
Verifying clients
It will take several minutes for the clients to collect and send the data to Log Analytics. Use the Heartbeat log to list all the servers connected to the Log Analytics workspace. You can do this by going into Logs and running the following command:
The command below shows how to query the % Processor Time metric and chart the results.
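Added example, not the article's original queries: two Log Analytics (KQL) queries for the checks described above, to be run one at a time in the Logs window. The first lists each computer's most recent heartbeat and marks agents that have gone silent; the 15-minute threshold and the 24-hour and 1-hour lookback windows are assumptions, as is filtering on the _Total processor instance.

```kusto
// Query 1: most recent heartbeat per connected computer over the last 24 hours.
// Assumption: an agent silent for more than 15 minutes is treated as stale.
Heartbeat
| where TimeGenerated > ago(24h)
| summarize LastHeartbeat = max(TimeGenerated) by Computer, OSType
| extend MinutesSilent = datetime_diff('minute', now(), LastHeartbeat)
| extend Status = iff(MinutesSilent > 15, "Stale", "Reporting")
| order by MinutesSilent desc

// Query 2 (run separately): average % Processor Time per computer
// in 5-minute bins over the last hour, rendered as a time chart.
Perf
| where TimeGenerated > ago(1h)
| where ObjectName == "Processor" and CounterName == "% Processor Time" and InstanceName == "_Total"
| summarize AvgCpu = avg(CounterValue) by Computer, bin(TimeGenerated, 5m)
| render timechart
```

A server that was connected but never appears in the first query, or that shows as Stale, is not delivering logs to the workspace and should be checked before relying on its event data.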
Summary
Azure Monitor uses Log Analytics for log collection and searching. The first step to using Azure Monitor is to set up a Log Analytics workspace. You can add Azure VMs using the Azure Extension and add non-Azure VMs by installing the agent. Just configure the workspace to collect data from the clients. You can find these settings under the workspace advanced settings. Verify the clients are communicating with the workspace by searching the Heartbeat log for distinct computer names.
Now, what processes are running on the monitored host? How can you see the AMA on the VM? Microsoft Monitoring Agent aka Log Analytics agent also has a GUI (open from Control panel) and you can see it replaces the SCOM agent (without impairing SCOM monitoring, the agent is just multihoming). Does AMA have all this too?
Hi,
Is it possible to monitor on premises Firewalls and switches in Azure?