As Azure services are growing day by day, it is becoming more important to monitor them in a fully automated way. When it comes to monitoring Azure virtual machines (VMs), it is useful to use Log Analytics, also known as OMS (Operations Management Suite). Its wide range of solutions can monitor various services in Azure.

Log Analytics lets us monitor many infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) offerings in Azure. It also allows us to respond to events using Azure Monitor alerts. With OMS dashboards, we can control events, visualize log searches, and share custom logs with others.

To start monitoring Azure VMs, you need to install the Microsoft Monitoring Agent (MMA) on the VMs through a VM extension. Although you can install the agent manually at the operating system level using the setup files available in the Azure portal, it is much easier to deploy the extension through the Azure portal or with PowerShell. Once the extension has installed the OMS agent on a VM, it registers the VM with an existing OMS workspace, and the VM is ready to report to OMS.

Later in this article, we will walk through the steps of installing extensions on multiple VMs and will start monitoring them using PowerShell.

The OMS service is available in the following Azure regions:

East US
West Europe
Japan East
West Central US
Southeast Asia
Australia Southeast
Central India
Canada Central
UK South

Create a new OMS workspace

To start monitoring a Windows VM through OMS, we first need to create an OMS workspace. We can use the commands below to do this:

# Create a new Log Analytics instance (OMS workspace)

$OMSresourcegroupname = "OMSTest"
$OMSWorkspaceName = "Omstest-000112"
$OMSLocation = "West Europe"
$OMSSku = "Free"

$OMSWorkspace = New-AzureRmOperationalInsightsWorkspace `
                         -ResourceGroupName $OMSresourcegroupname `
                         -Name $OMSWorkspaceName `
                         -Location $OMSLocation `
                         -Sku $OMSSku
Creating a new Log Analytics (OMS) workspace

Each Azure workspace has a workspace ID and a pair of workspace keys we will need later when we install extensions on VMs and enroll them to this workspace. We can get these details in advance using the code below:

# The workspace ID (CustomerId) is the public identifier of the workspace
$OMSWorkspaceId = $OMSWorkspace.CustomerId

# The shared keys authenticate agents to the workspace; treat them like credentials
$OMSWorkspaceKey = Get-AzureRmOperationalInsightsWorkspaceSharedKeys `
                         -ResourceGroupName $OMSWorkspace.ResourceGroupName `
                         -Name $OMSWorkspace.Name
Getting the workspace ID and workspace keys

Installing intelligence packs (solutions)

Solutions in OMS have different capabilities, and each one monitors a specific set of services in Azure. Most solutions are not installed by default, so you install the ones your organization needs separately.

To list all available intelligence packs in OMS, use the following cmdlet:

Get-AzureRmOperationalInsightsIntelligencePacks `
                         -ResourceGroupName $OMSresourcegroupname `
                         -WorkspaceName $OMSWorkspaceName
Listing all available intelligence packs (solutions) in OMS

To install a specific intelligence pack on an existing OMS workspace, use the cmdlet below. In this example, we are enabling the Update Management Solution.

Set-AzureRmOperationalInsightsIntelligencePack `
                         -ResourceGroupName $OMSresourcegroupname `
                         -WorkspaceName $OMSWorkspaceName `
                         -IntelligencePackName Updates `
                         -Enabled $true
Enabling an intelligence pack in OMS

Installing VM extensions

Now it is time to install OMS monitoring extensions on VMs using the workspace ID and the workspace key we noted earlier.

With the script below, we can install the OMS extension on all VMs in a resource group. You can modify the script to satisfy your needs.

# The workspace ID is public; the key goes into the protected settings,
# which Azure encrypts and does not return when the VM model is read.
$OMSpublicsettings = @{
    "workspaceId" = $OMSWorkspaceId
}

$OMSprotectedsettings = @{
    "workspaceKey" = $OMSWorkspaceKey.PrimarySharedKey
}

# Every VM in the resource group; filter this list to suit your environment
$vms = Get-AzureRmVM -ResourceGroupName $OMSresourcegroupname

foreach ($vm in $vms) {
    $VMname = $vm.Name

    Set-AzureRmVMExtension -ResourceGroupName $OMSresourcegroupname `
        -ExtensionName "MicrosoftMonitoringAgent" `
        -VMName $VMname `
        -Publisher "Microsoft.EnterpriseCloud.Monitoring" `
        -ExtensionType "MicrosoftMonitoringAgent" `
        -TypeHandlerVersion "1.0" `
        -Settings $OMSpublicsettings `
        -ProtectedSettings $OMSprotectedsettings `
        -Location $OMSLocation `
        -ForceRerun "true"
}
Installing OMS extensions on VMs
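The script above installs the extension unconditionally on every VM in the resource group. The following is an added example (not code from the original article) that installs the agent only on Windows VMs where it is missing, keeps the workspace key in the encrypted protected settings, uses each VM's own location rather than the workspace location, and reads back the provisioning state so that a failed install is visible. The resource group and workspace names are assumed placeholders that follow the article's variable names.

```powershell
# Added example, not from the original article: install the MMA extension only where
# it is missing, keep the workspace key in ProtectedSettings, and verify the result.
# Resource group and workspace names are assumed placeholders.
$OMSresourcegroupname = "OMSTest"
$OMSWorkspaceName     = "Omstest-000112"

$OMSWorkspace    = Get-AzureRmOperationalInsightsWorkspace `
                       -ResourceGroupName $OMSresourcegroupname -Name $OMSWorkspaceName
$OMSWorkspaceKey = Get-AzureRmOperationalInsightsWorkspaceSharedKeys `
                       -ResourceGroupName $OMSresourcegroupname -Name $OMSWorkspaceName

# Only the workspace ID is public. The key must never go into -Settings, which any
# principal with read access to the VM resource can see.
$publicSettings    = @{ "workspaceId"  = $OMSWorkspace.CustomerId }
$protectedSettings = @{ "workspaceKey" = $OMSWorkspaceKey.PrimarySharedKey }

$report = foreach ($vm in Get-AzureRmVM -ResourceGroupName $OMSresourcegroupname) {
    # The MicrosoftMonitoringAgent extension is Windows-only; Linux VMs use OmsAgentForLinux.
    if ($vm.StorageProfile.OsDisk.OsType -ne "Windows") {
        [pscustomobject]@{ VM = $vm.Name; Action = "skipped (not Windows)"; State = $null }
        continue
    }

    # Skip VMs that already carry the extension instead of re-running the install
    $installed = $vm.Extensions | Where-Object {
        $_.Publisher -eq "Microsoft.EnterpriseCloud.Monitoring" -and
        $_.VirtualMachineExtensionType -eq "MicrosoftMonitoringAgent"
    }

    if (-not $installed) {
        Set-AzureRmVMExtension -ResourceGroupName $OMSresourcegroupname `
            -VMName $vm.Name `
            -Location $vm.Location `
            -ExtensionName "MicrosoftMonitoringAgent" `
            -Publisher "Microsoft.EnterpriseCloud.Monitoring" `
            -ExtensionType "MicrosoftMonitoringAgent" `
            -TypeHandlerVersion "1.0" `
            -Settings $publicSettings `
            -ProtectedSettings $protectedSettings | Out-Null
        $action = "installed"
    }
    else {
        $action = "already present"
    }

    # Read back the provisioning state so failures are reported, not silently ignored
    $ext = Get-AzureRmVMExtension -ResourceGroupName $OMSresourcegroupname `
               -VMName $vm.Name -Name "MicrosoftMonitoringAgent"
    [pscustomobject]@{ VM = $vm.Name; Action = $action; State = $ext.ProvisioningState }
}

$report | Format-Table -AutoSize
```

A VM whose State is anything other than Succeeded has not been onboarded; the extension status from Get-AzureRmVMExtension -Status shows the agent's own error message in that case.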

Collecting logs from VMs

Once the extension is installed on the VMs, they can send the data we request to OMS. To have the VMs send particular logs, we create a new event data source in the workspace and specify the event log details, such as System, Application, Security, and so on.

System Event Logs

To collect System Event Logs from a VM, we can use the following command:

New-AzureRmOperationalInsightsWindowsEventDataSource `
                         -ResourceGroupName $OMSresourcegroupname `
                         -WorkspaceName $OMSWorkspaceName `
                         -EventLogName "System" `
                         -CollectErrors `
                         -CollectWarnings `
                         -CollectInformation `
                         -Name "System Event Logs"
Creating a new data source to collect system logs from a VM

Performance counters

To collect performance counters such as memory or disk details from a VM, we can use the following command:

New-AzureRmOperationalInsightsWindowsPerformanceCounterDataSource `
                         -ResourceGroupName $OMSresourcegroupname `
                         -WorkspaceName $OMSWorkspaceName `
                         -ObjectName "Memory" `
                         -InstanceName "*" `
                         -CounterName "Available MBytes" `
                         -IntervalSeconds 20 `
                         -Name "Windows Performance Counter"
Creating a new data source to collect performance counter logs from a VM

Queries

After the data sources are enabled, the VMs start sending the requested data to OMS at regular intervals. We can then write custom queries to retrieve the specific data that OMS has processed and filtered.

In the first example, we will get the first 10 results for system events from all VMs. In the second example, we will get the first 10 results for memory performance counters from all VMs.

Example 1

# Ten events from the Event table, collected in the last 24 hours
$OMSSearchQuery = 'Event | take 10'
$OMSSearchQueryResults = Invoke-AzureRmOperationalInsightsQuery `
                         -WorkspaceId $OMSWorkspaceId `
                         -Query $OMSSearchQuery `
                         -Timespan (New-TimeSpan -Hours 24)
$OMSSearchQueryResults.Results |
    Select-Object Computer, EventID, EventLog, SourceSystem, TimeGenerated, UserName, RenderedDescription |
    Format-Table
Collecting VM system events from OMS

Example 2

# Ten performance counter samples from the Perf table, collected in the last 24 hours
$OMSSearchQuery = 'Perf | take 10'
$OMSSearchQueryResults = Invoke-AzureRmOperationalInsightsQuery `
                         -WorkspaceId $OMSWorkspaceId `
                         -Query $OMSSearchQuery `
                         -Timespan (New-TimeSpan -Hours 24)
# The Perf table carries counter columns, not the event columns used in Example 1
$OMSSearchQueryResults.Results |
    Select-Object Computer, ObjectName, CounterName, InstanceName, CounterValue, TimeGenerated |
    Format-Table
Collecting VM performance counters from OMS
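Both examples above simply take the first ten rows. As an added example (not from the original article), the script below wraps the same cmdlet in a small helper and runs two queries a defender would want after onboarding: agents that have stopped sending heartbeats, which means their events and counters are no longer being collected, and the most frequent Error-level System events per computer. The workspace ID placeholder and the 15-minute silence threshold are assumptions.

```powershell
# Added example, not from the original article. The workspace ID below is a
# placeholder; in the article's session it is $OMSWorkspace.CustomerId.
$OMSWorkspaceId = "<workspace-id>"

# Run a KQL query against the workspace and return the result rows
function Invoke-OMSQuery {
    param(
        [Parameter(Mandatory = $true)] [string] $Query,
        [int] $Hours = 24
    )
    $response = Invoke-AzureRmOperationalInsightsQuery `
                    -WorkspaceId $OMSWorkspaceId `
                    -Query $Query `
                    -Timespan (New-TimeSpan -Hours $Hours)
    return $response.Results
}

# 1. Monitoring gap check: VMs whose agent has not sent a heartbeat in the last
#    15 minutes (assumed threshold). A silent agent means no logs are arriving.
$silentAgents = @"
Heartbeat
| summarize LastHeartbeat = max(TimeGenerated) by Computer
| where LastHeartbeat < ago(15m)
| project Computer, LastHeartbeat, MinutesSilent = datetime_diff('minute', now(), LastHeartbeat)
"@

# 2. Error-level System log events, grouped by computer, source and event ID,
#    most frequent first. These come from the System event data source created above.
$topErrors = @"
Event
| where EventLog == "System" and EventLevelName == "Error"
| summarize Count = count() by Computer, Source, EventID
| top 10 by Count desc
"@

Invoke-OMSQuery -Query $silentAgents | Format-Table -AutoSize
Invoke-OMSQuery -Query $topErrors    | Format-Table -AutoSize
```

The heartbeat query is the one to run first: if a VM appears there, an empty result from the Event or Perf queries for that VM says nothing about the VM's health, only that the agent is not reporting.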

Conclusion

OMS is a very useful end-to-end monitoring solution in Azure with a rich solution portfolio. You can monitor Azure services while having the ability to trigger dynamic actions based on alerts, create dashboards for an advanced visual view, and manage all of these using PowerShell.

3 Comments
  1. Gaurav Awasthi 5 years ago

    I am trying to find a way to modify/disable/enable any Log Analytics alert using PowerShell. Is there a way to do it?

  2. Author

    Hi Gaurav,

    You can indirectly use PowerShell along with the Alert API to manage alerts in Azure.

    Have you checked the following?

    https://docs.microsoft.com/en-us/azure/azure-monitor/platform/api-alerts

    You can use armclient (https://github.com/projectkudu/ARMClient) or PowerShell with the API to manage the alerts.

    Thanks,

    Onur

  3. dev reddy 4 years ago

    Hi Gaurav,

    Param
    (
        [Parameter(Mandatory = $true)] [string] $SubscriptionID,
        [Parameter(Mandatory = $true)] [string] $resourceGroupName,
        [Parameter(Mandatory = $true)] [string] $alertnamecontains,
        [Parameter(Mandatory = $true)] [ValidateSet('start', 'stop')] [string] $mode
    )

    # Log in to Azure with the Automation account's Run As service principal
    $runAsConnectionName = "AzureRunAsConnection"
    $servicePrincipalConnection = Get-AutomationConnection -Name $runAsConnectionName
    Connect-AzAccount `
        -ServicePrincipal `
        -TenantId $servicePrincipalConnection.TenantId `
        -ApplicationId $servicePrincipalConnection.ApplicationId `
        -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
    # Set the context to a specific subscription
    Set-AzContext -Subscription $SubscriptionID

    function ScheduledQueryAlertRules
    {
        if ($mode -eq 'start') {
            Write-Host "Enabling all alerts configured for the resource $alertnamecontains ..."
            $alertbody = $true
        }
        elseif ($mode -eq 'stop') {
            Write-Host "Disabling all alerts configured for the resource $alertnamecontains ..."
            $alertbody = $false
        }

        # Log search (scheduled query) alert rules whose name matches the filter
        $alerts = Get-AzScheduledQueryRule -ResourceGroupName $resourceGroupName
        $filteralerts = $alerts | Where-Object { $_.Name -Match $alertnamecontains }
        foreach ($finallist in $filteralerts.Name)
        {
            $finaloutput = Update-AzScheduledQueryRule -ResourceGroupName $resourceGroupName -Name $finallist -Enabled $alertbody
            Write-Output ($finaloutput).Name
        }
    }

    function metricAlertRules
    {
        # Metric alert rules whose name matches the filter
        $alerts = Get-AzMetricAlertRuleV2 -ResourceGroupName $resourceGroupName
        $filteralerts = $alerts | Where-Object { $_.Name -Match $alertnamecontains }
        foreach ($finallist in $filteralerts.Name)
        {
            if ($mode -eq 'start')
            {
                Write-Host "Enabling all alerts configured for the resource $alertnamecontains ..."
                $finaloutput = Get-AzMetricAlertRuleV2 -ResourceGroupName $resourceGroupName -Name $finallist | Add-AzMetricAlertRuleV2
                Write-Output ($finaloutput).Name
            }
            elseif ($mode -eq 'stop')
            {
                Write-Host "Disabling all alerts configured for the resource $alertnamecontains ..."
                $finaloutput = Get-AzMetricAlertRuleV2 -ResourceGroupName $resourceGroupName -Name $finallist | Add-AzMetricAlertRuleV2 -DisableRule
                Write-Output ($finaloutput).Name
            }
        }
    }

    metricAlertRules
    ScheduledQueryAlertRules

© 4sysops 2006 - 2023