Log Analytics lets us monitor many infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) offerings in Azure. It also allows us to respond to events using Azure Monitor alerts. With OMS dashboards, we can control events, visualize log searches, and share custom logs with others.
To start monitoring Azure VMs, you need to install Microsoft Monitoring Agent (MMA) provided by OMS on VMs through a VM extension. Although you can perform a manual installation at the operating system level using agent setup files available in Azure Portal, it is much easier to install the extensions on VMs through Azure Portal or using PowerShell. Once the extension installs the OMS agent on a VM, it registers the VM to an existing OMS workspace, and the VM is ready to report to OMS.
Later in this article, we will walk through the steps of installing extensions on multiple VMs and will start monitoring them using PowerShell.
The OMS service is available in the following Azure regions:
East US | West Europe | Japan East |
West Central US | Southeast Asia | Australia Southeast |
Central India | Canada Central | UK South |
Create a new OMS workspace
To start monitoring a Windows VM through OMS, we first need to create an OMS workspace. We can use the commands below to do this:
# Create a new Log Analytics instance (OMS workspace)
$OMSresourcegroupname = "OMSTest"
$OMSWorkspaceName = "Omstest-000112"
$OMSLocation = "West Europe"
$OMSSku = "Free"
$OMSWorkspace = New-AzureRmOperationalInsightsWorkspace `
    -ResourceGroupName $OMSresourcegroupname `
    -Name $OMSWorkspaceName `
    -Location $OMSLocation `
    -Sku $OMSSku
Each Azure workspace has a workspace ID and a pair of workspace keys we will need later when we install extensions on VMs and enroll them to this workspace. We can get these details in advance using the code below:
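# CustomerId is the workspace ID that agents use to register
$OMSWorkspaceId = $OMSWorkspace.CustomerId
# The shared keys are secrets: keep them out of logs and source control
$OMSWorkspaceKey = Get-AzureRmOperationalInsightsWorkspaceSharedKeys `
    -ResourceGroupName $OMSWorkspace.ResourceGroupName `
    -Name $OMSWorkspace.Name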
Installing intelligence packs (solutions)
Solutions in OMS have different capabilities. Each solution aims to monitor specific services in Azure. Several solutions are not installed by default, so you need to install them separately, based on your organization's requirements.
To list all available intelligence packs in OMS, use the following cmdlet:
Get-AzureRmOperationalInsightsIntelligencePacks `
    -ResourceGroupName $OMSresourcegroupname `
    -WorkspaceName $OMSWorkspaceName
To install a specific intelligence pack on an existing OMS workspace, use the cmdlet below. In this example, we are enabling the Update Management Solution.
Set-AzureRmOperationalInsightsIntelligencePack `
    -ResourceGroupName $OMSresourcegroupname `
    -WorkspaceName $OMSWorkspaceName `
    -IntelligencePackName Updates `
    -Enabled $true
Installing VM extensions
Now it is time to install OMS monitoring extensions on VMs using the workspace ID and the workspace key we noted earlier.
With the script below, we can install the OMS extension on all VMs in a resource group. You can modify the script to satisfy your needs.
# The workspace ID is a public setting; the workspace key goes into protected settings, which Azure encrypts
$OMSpublicsettings = @{ "workspaceId" = $OMSWorkspaceId }
$OMSprotectedsettings = @{ "workspaceKey" = $OMSWorkspaceKey.PrimarySharedKey }
$vms = Get-AzureRmVM -ResourceGroupName $OMSresourcegroupname
foreach ($vm in $vms) {
    $VMname = $vm.Name
    # -Location must be the VM's own region, which may differ from the workspace region
    Set-AzureRmVMExtension -ResourceGroupName $OMSresourcegroupname `
        -ExtensionName "MicrosoftMonitoringAgent" `
        -VMName $VMname `
        -Publisher "Microsoft.EnterpriseCloud.Monitoring" `
        -ExtensionType "MicrosoftMonitoringAgent" `
        -TypeHandlerVersion 1.0 `
        -Settings $OMSpublicsettings `
        -ProtectedSettings $OMSprotectedsettings `
        -Location $vm.Location `
        -ForceRerun true
}
Collecting logs from VMs
Once we've installed the extensions on the VMs, they are ready to send requested reports to OMS. To have VMs send certain logs to OMS, we need to create a new event data source on the workspace, specifying Event Log details such as System, Application, Security, and so on.
System Event Logs
To collect System Event Logs from a VM, we can use the following command:
New-AzureRmOperationalInsightsWindowsEventDataSource `
    -ResourceGroupName $OMSresourcegroupname `
    -WorkspaceName $OMSWorkspaceName `
    -EventLogName "System" `
    -CollectErrors `
    -CollectWarnings `
    -CollectInformation `
    -Name "System Event Logs"
Performance counters
To collect performance counters such as memory or disk details from a VM, we can use the following command:
New-AzureRmOperationalInsightsWindowsPerformanceCounterDataSource `
    -ResourceGroupName $OMSresourcegroupname `
    -WorkspaceName $OMSWorkspaceName `
    -ObjectName "Memory" `
    -InstanceName "*" `
    -CounterName "Available MBytes" `
    -IntervalSeconds 20 `
    -Name "Windows Performance Counter"
Queries
After we enable the data sources, the VMs start sending all requested details to OMS on a regular basis. This means we can now easily create custom queries to get specific data that OMS processes and filters.
In the first example, we will get the first 10 results for system events from all VMs. In the second example, we will get the first 10 results for memory performance counters from all VMs.
Example 1
$OMSSearchQuery = 'Event | take 10'
$OMSSearchQueryResults = Invoke-AzureRmOperationalInsightsQuery `
    -WorkspaceId $OMSWorkspaceId `
    -Query $OMSSearchQuery `
    -Timespan (New-TimeSpan -Hours 24)
$OMSSearchQueryResults.Results |
    select computer, eventid, eventlog, sourcesystem, Timegenerated, username, rendereddescription |
    ft
Example 2
$OMSSearchQuery = 'Perf | take 10'
$OMSSearchQueryResults = Invoke-AzureRmOperationalInsightsQuery `
    -WorkspaceId $OMSWorkspaceId `
    -Query $OMSSearchQuery `
    -Timespan (New-TimeSpan -Hours 24)
# Perf rows carry counter fields rather than event fields, so select those columns
$OMSSearchQueryResults.Results |
    select computer, objectname, countername, instancename, countervalue, Timegenerated, sourcesystem |
    ft
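A coverage check that ties the extension install and the query steps together, as an added example that is not part of the original article: it lists each VM in the resource group with its agent extension state and its last heartbeat in the workspace, so VMs that silently stopped reporting stand out. It assumes the variables defined earlier, an authenticated AzureRM session, and that each VM's Azure name matches its OS host name; `Get-ShortName` is a hypothetical helper.

```powershell
# Added example: find VMs that are not covered by monitoring.

function Get-ShortName {
    # Heartbeat may report an FQDN; compare on the host part only (assumption).
    param([string]$Name)
    ($Name -split '\.')[0].ToLowerInvariant()
}

# 1. Last heartbeat per computer over the past 24 hours.
$heartbeatQuery = 'Heartbeat | summarize LastSeen = max(TimeGenerated) by Computer'
$heartbeats = Invoke-AzureRmOperationalInsightsQuery `
    -WorkspaceId $OMSWorkspaceId `
    -Query $heartbeatQuery `
    -Timespan (New-TimeSpan -Hours 24)

$lastSeen = @{}
foreach ($row in $heartbeats.Results) {
    $lastSeen[(Get-ShortName $row.Computer)] = $row.LastSeen
}

# 2. Extension state per VM, joined with the heartbeat data.
$report = foreach ($vm in Get-AzureRmVM -ResourceGroupName $OMSresourcegroupname) {
    # Returns nothing (error suppressed) when the extension is absent.
    $ext = Get-AzureRmVMExtension `
        -ResourceGroupName $vm.ResourceGroupName `
        -VMName $vm.Name `
        -Name "MicrosoftMonitoringAgent" `
        -ErrorAction SilentlyContinue

    $key = Get-ShortName $vm.Name
    [pscustomobject]@{
        VM             = $vm.Name
        ExtensionState = if ($ext) { $ext.ProvisioningState } else { 'NotInstalled' }
        LastHeartbeat  = if ($lastSeen.ContainsKey($key)) { $lastSeen[$key] } else { 'None in 24h' }
    }
}

# 3. Show the full picture, then only the VMs that need attention.
$report | Format-Table -AutoSize
$report | Where-Object {
    $_.ExtensionState -ne 'Succeeded' -or $_.LastHeartbeat -eq 'None in 24h'
} | Format-Table -AutoSize
```

A VM whose extension shows `Succeeded` but has no heartbeat usually points to a connectivity or workspace key problem rather than a failed install.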
Conclusion
OMS is a very useful end-to-end monitoring solution in Azure with a rich solution portfolio. You can monitor Azure services while having the ability to trigger dynamic actions based on alerts, create dashboards for an advanced visual view, and manage all of these using PowerShell.
I am trying to find a way to modify/disable/enable any Log Analytics alert using PowerShell. Is there a way to do it?
Hi Gaurav,
You can indirectly use powershell along with Alert API to manage Alerts in Azure.
Have you checked the following?
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/api-alerts
You can use armclient (https://github.com/projectkudu/ARMClient) or Powershell with the API to manage the alerts.
thanks
Onur