Azure Monitor vs SCOM

Question

Azure Monitor vs SCOM

Bojan Zivkovic 641

Hi, currently I am evaluating Azure Monitor on several Azure Arc enabled on-premises servers. In first phase we are interested only in monitoring performance (collecting performance counters) but later more in depth monitoring definitely will be business request. Having created Data Collection Rule and deployed Azure Monitor Agent to on-premises servers I clearly see that number of performance counters is mere 46 whereas that number is much higher in agent configuration if Log Analytics Agent is deployed to servers. Coming from SCOM background I have several questions to ask here (AMA is recommended agent by MS and as I saw LAA is not even supported to install on Windows Server 2022):

What can I do to collect more performance counters other than these mere 46?
What can I do to collect event logs other than basic ones (can I specify any event log of interest using XPath query (it would be much better to see a list to select event log from)
Is Azure Monitor capable of doing product/role monitoring like SCOM does with all its Management Packs (AD, Group Policy, DNS, DHCP, IIS, SQL, ...)?

If answer is negative for any of these questions then I must say Azure Monitor is joke compared to SCOM or simply it is not designed for on-premises products/roles - in forests we want Azure Monitor as solution we do not have SCOM for various of reasons. Maybe I am expecting things Azure Monitor simply can not do so better to let managers know that as soon as possible than me to be blamed later.

0 comments

1 answer

Your answer

Answer 1

Andrew Blumhardt 10,071 Microsoft Employee

I am not certain about the performance counter options for the AMA. This is a consumption-prices service. I think most customers are likely only interested in a handful of common counters. It is likely not cost effective to collect a wide range of obscure counters. Maybe someone else can speak to that point.

I believe you are correct on the DCR rules. If you open the XML tab on EventViewer filters you can pull the XPATH directly.

Azure Monitor does not have anything comparable to management packs. The Insights are product or service specific but are dashboard-based. There are no rule packs. You create all of the rules on your own. There are built-in templates for Azure Activity (audit) alerts rules. The platform monitoring "Metrics" are also collected automatically and related alert rules are free. It does have some auto resolution and dynamic threshold options. Azure monitor has better alert response automation options.

Azure Monitor also lacks many of the other tooling features of SCOM like a good ticket management interface, service monitoring, alert suppression, health state, etc. Though workarounds to many of these potential limitations are possible. Azure Monitor simply requires a different approach.

SCOM relies heavily on scripts run on the agent and discovery (to limit where scripts run and to create the classes and relationships that support the health state framework). Azure Monitor does not run local scripts. Scoping is less important since there is no harm in broad targeting. DCR rules can be used to refine scoping if needed. Azure monitor does not rely on a framework or class relationships. It makes for a simpler approach. The workspace is also significantly more accessible than SCOM SQL. Many of the concepts that are central to SCOM just do not apply. You might look for some blogs or other resources to help speed to the rule creation work. It is really comparing apples and oranges.

I expect there could be cloud-native SCOM alternative option available in the future. SCOM remains the best Microsoft solution for monitoring on-premises servers. Azure Monitor can be a decent solution when SCOM is not an option. It just takes a bit of effort.

Bojan Zivkovic 641 Reputation points

2022-06-25T18:02:29.867+00:00

We have SCOM in one forest but not in other 2 and for security reasons they all are completely isolated to one another so SCOM Gateway is not an option. From what you said, to do something with Azure Monitor, which is very straightforward with SCOM, is either impossible or much harder. I could have expected this since Azure Monitor Agent is very lightweight extension deployed from Azure Arc compared to SCOM agent which does so much more in the background. Unfortunately other option under consideration is Prometheus which is nothing better than Azure Monitor regarding going deeper into AD, DNS, Group Policy, ... I mean if I have to spend hours just to somehow monitor AD replication (if that is doable - if yes I could not find any documentation how to do that) and fire alert if something went wrong then that is unjustified in my opinion knowing that is out of the box with SCOM AD management pack. Problem is I have to come up with a proposal very soon but since we have no monitoring solution in these 2 forests having anything is better than nothing although I can count only on getting alerts (I have to write KQL for) for some very basic counters such as low free disk space, high CPU usage ... SCOM is noisy but still it is better to know something has happened than missing that info altogether.
Andrew Blumhardt 10,071 Reputation points Microsoft Employee

2022-06-26T03:17:15.08+00:00

I believe AD replication monitoring is script based in SCOM. I agree this would be hard to replace with Azure Monitor. You can certainly do server availability, event-based, and performance-based monitoring. Service monitoring can be done using events or change tracking data from Azure Automation. That is sufficient for basic server monitoring and not too difficult or expensive to setup. Not nearly as deep as an MP though.

Connecting to a cloud service with outbound SSL ports seems like a comparable compromise to using a gateway. Opening a point-2-point rule for 5723 between the gateway and at least one management server is pretty secure. I believe you can use certificate-based authentication for cross-forest agents. Using SCOM gateways would be the simplest solution and is common scenario for DMZ monitoring.
Bojan Zivkovic 641 Reputation points

2022-06-26T14:32:45.153+00:00

Unfortunately InfoSec team would never allow cross-forest communication since they are under PCI compliance - Linux team is using Prometheus though but I find it not ideal solution for Windows Servers and Microsoft products in general. There is a chance they won't allow communication with cloud either and then I would be forced to use Prometheus - they like it just because it is free. Putting completely new SCOM management groups in remaining forests without them is also out of question - managing three SCOM MGs would be too much to handle.

Share via

Azure Monitor vs SCOM

1 answer

Your answer