Which monitoring agents do I really need?

JohnSebastian-3934 181 Reputation points
2023-01-25T18:41:48.8866667+00:00

The monitoring agent landscape in Azure seems to be a complete mess right now. I'm getting messages in the portal that Log Analytics agent is being deprecated in 2024 and that I should be replacing it with the Azure Monitoring Agent. I have other agents running that I don't understand what their purpose is nor whether or not I need them or if they are collecting duplicated information. Looking on my virtual machines I have a variety of agents deployed and I can't tell which agent name belongs to which service. It's a complete mess.

On my Windows machines I have agents with names like:

AzureMonitoringWindowsAgent (I deployed this agent today as part of the Monitoring service in Azure)

MDE.Windows

MicrosoftMonitoringAgent

MMAExtension

DependencyAgentWindows

On my Linux machines I have agents with names like:

AzureMonitorLinuxAgent (I deployed this agent today as part of the Monitoring service in Azure)

OMSAgentforLinux

MMAExtension

Here are my questions:

What is the actual Microsoft recommended Monitoring Solution for Azure VMs (Windows and Linux)? Is it the Azure Monitoring Agent?

From the above listed agent names, which ones are the Log Analytics agents? I suspect that these log analytics agents are collecting duplicated data that the Azure. I can't tell from the agent names which ones are actually Log Analytics Agents. I want to remove them.

What is the MDE.Windows agent and do I need it? Does it duplicate what is collected with the Azure Monitoring Agent or does it collect completely different information? It appears to be tied to Defender.

What is the MicrosoftMonitoringAgent and how is it different from the AzureMonitoringWindowsAgent? Is it also collecting duplicated data that the AzureMonitoringWindowsAgent is collecting?

What is the DependencyAgentWindows? Is this also collecting duplicated data?

My intent is to try and simplify my monitoring agent landscape.

It would be really helpful for someone at Microsoft with Technical Writing skills to write a single document describing the entire current monitoring landscape state for customers so that they can fully understand what the future direction is and what their current agents actually do and collect so that we can make decisions going forward on what to remove and what to keep.

Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.

Accepted answer
  1. AnuragSingh-MSFT 18,666 Reputation points
    2023-01-27T10:12:07.5566667+00:00

    John Sebastian, thank you for bringing this question here and I can understand the confusion that various agents available in Azure can cause. I am going to give a brief overview of the various agents mentioned above and will proceed with the answers to your questions later in this post. I hope that it would help you -

    Before I begin, I would like to clarify the difference between Agent and Extension

    Agent - It is a lightweight, always running application (mostly run as a service/daemon) which collects some information from the machine and delivers to somewhere or maintains the state of the machine itself conforming to some configuration.

    Extension - In Azure, extensions provide post-deployment configuration and automation tasks on Azure VMs. The extensions can be part of the VM definition itself, hence, can be used to deploy something as part of host resource deployment itself. In the case of Azure Monitor, there are extensions which deploy the monitoring agent as part of VM/VMSS deployment. This eases the overall post-deployment step required to enable monitoring on VMs as well as provides a centralized way to manage these agents installed on them.

    Thus, the agents available on VM are not always related to "Azure Monitor". There could be other agents installed on the VM to perform specific tasks.


    The overview of agents mentioned in the question is available below:

    AzureMonitoringWindowsAgent - This is the newer and recommended Azure Monitor Agent (AMA) extension for a VM. It is available for Windows VM with AzureMonitoringWindowsAgent name. Similarly, AzureMonitorLinuxAgent is the extension name for AMA on Linux VM. Based on the question, I see that you deployed them recently.

    MMAExtension - This is the name of the extension which installs the legacy agent on a Windows VM. The agent itself is called the Log Analytics Agent or LA Agent, also called the "Microsoft Monitoring Agent" or MMA. For a Linux VM, this extension installs an agent package called OMSAgentforLinux.

    DependencyAgentWindows - Collects discovered data about processes running on the virtual machine and external process dependencies, which are used by the Map feature in VM insights. The Dependency agent relies on the Azure Monitor agent or Log Analytics agent to deliver its data to Azure Monitor. The data collected by this agent is used for VM insights.

    The extensions and agents discussed above are all related to "Azure Monitor". Please see this link for other (legacy) agents available in Azure Monitor.


    There are other Extensions/Agents available which perform other specialized tasks

    MDE.Windows - This is an agent for "Microsoft Defender for Endpoint". This forms part of the security ecosystem (and not monitoring).

    In light of the information provided above, please find below the answers to your questions:

    • What is the actual Microsoft recommended Monitoring Solution for Azure VMs (Windows and Linux)? Is it the Azure Monitoring Agent?
      Yes, Azure Monitor agent is the latest agent which is recommended to be used for VMs.
    • From the above listed agent names, which ones are the Log Analytics agents? I suspect that these log analytics agents are collecting duplicated data that the Azure. I can't tell from the agent names which ones are actually Log Analytics Agents. I want to remove them.
      For Windows VMs, Log Analytics Agents are known by many names - Log Analytics Agent, Microsoft Monitoring Agent (MMA) - mainly because of the legacy from the on-prem SCOM world. For Linux VMs, it is named OMSAgentForLinux or available as MMA Extension.
    • What is the MDE.Windows agent and do I need it? Does it duplicate what is collected with the Azure Monitoring Agent or does it collect completely different information? It appears to be tied to Defender.
      You are right, it is related to Microsoft Defender and is for threat detection and prevention. It does not capture similar data as the Azure Monitor related agents (for LA and AMA).
    • What is the MicrosoftMonitoringAgent and how is it different from the AzureMonitoringWindowsAgent? Is it also collecting duplicated data that the AzureMonitoringWindowsAgent is collecting?
      MicrosoftMonitoringAgent is the legacy Log Analytics Agent, whereas the AzureMonitoringWindowsAgent is the new Azure Monitor Agent. For more details, see Virtual machine extension details for AMA. Yes, they collect similar data from the VM and send it to Log Analytics Workspace. You may remove MicrosoftMonitoringAgent from the VM in favor of AzureMonitoringWindowsAgent.
    • What is the DependencyAgentWindows? Is this also collecting duplicated data?
      It collects discovered data about processes running on the virtual machine and external process dependencies, which are used by the Map feature in VM insights. The Dependency agent relies on the Azure Monitor agent or Log Analytics agent to deliver its data to Azure Monitor. The data collected by this agent is used for VM insights. It does not collect similar data as AMA or MMA.

    I hope the explanation above would help clarify the understanding about these various components. Please let us know if you have any questions.

    8 people found this answer helpful.
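
The classification in the accepted answer, turned into a per-VM cleanup plan. This is an added example, not code from the thread or from Microsoft; the extension names are the ones quoted on this page, and the VM names and inventory are constructed.

```python
# Added example (not from the thread): plan agent cleanup per VM using the
# extension names and roles given in the accepted answer.
ROLES = {
    "azuremonitoringwindowsagent": "ama",    # Azure Monitor Agent, Windows
    "azuremonitorlinuxagent": "ama",         # Azure Monitor Agent, Linux
    "mmaextension": "legacy",                # installs the Log Analytics agent
    "microsoftmonitoringagent": "legacy",    # Log Analytics agent (MMA)
    "omsagentforlinux": "legacy",            # Log Analytics agent, Linux
    "dependencyagentwindows": "dependency",  # VM insights Map data
    "mde.windows": "defender",               # Defender for Endpoint
}

def plan_vm(extensions):
    """Map each extension name on one VM to an (action, reason) pair."""
    roles = {name: ROLES.get(name.lower(), "unknown") for name in extensions}
    has_ama = "ama" in roles.values()
    has_transport = has_ama or "legacy" in roles.values()
    plan = {}
    for name, role in roles.items():
        if role == "ama":
            plan[name] = ("keep", "recommended Azure Monitor Agent")
        elif role == "legacy" and has_ama:
            plan[name] = ("remove", "collects similar data to AMA")
        elif role == "legacy":
            plan[name] = ("keep-for-now", "deploy AMA before removing")
        elif role == "dependency" and has_transport:
            plan[name] = ("keep", "VM insights Map; delivered via AMA or LA agent")
        elif role == "dependency":
            plan[name] = ("review", "no AMA or LA agent to deliver its data")
        elif role == "defender":
            plan[name] = ("keep", "security agent, not Azure Monitor")
        else:
            plan[name] = ("review", "not covered in this thread")
    return plan

def removable(inventory):
    """Sorted (vm, extension) pairs flagged for removal by plan_vm."""
    return sorted((vm, ext) for vm, exts in inventory.items()
                  for ext, (action, _) in plan_vm(exts).items() if action == "remove")

# Constructed inventory: hypothetical VM names, extension names as in the question.
INVENTORY = {
    "win-vm-01": ["AzureMonitoringWindowsAgent", "MDE.Windows",
                  "MicrosoftMonitoringAgent", "MMAExtension", "DependencyAgentWindows"],
    "linux-vm-01": ["AzureMonitorLinuxAgent", "OMSAgentforLinux", "MMAExtension"],
    "win-vm-02": ["MicrosoftMonitoringAgent", "DependencyAgentWindows"],
    "win-vm-03": ["DependencyAgentWindows"],
}

if __name__ == "__main__":
    for vm, exts in INVENTORY.items():
        for ext, (action, reason) in plan_vm(exts).items():
            print(f"{vm:12} {ext:28} {action:13} {reason}")
```

The legacy agent is only flagged for removal on VMs where the Azure Monitor Agent is already present, so a VM like `win-vm-02` does not lose its only data path.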

2 additional answers

  1. David Broggy 5,581 Reputation points MVP
    2023-01-27T17:30:49.0533333+00:00

    Hi John,

    I'd like to add some practical examples of where I use some of the above agents:

    • Legacy Azure Monitor Agent (might also be called the OMS agent (Operations Management Suite)) - If you have on-prem Windows and Linux servers this is the agent most people use, but as you say it is being deprecated.
    • The replacement for the old agent for on-prem servers is the Azure Arc agent.
    • You may find that the AMA agent is not deployable on its own with on-prem servers. The Azure Arc agent is deployed and then you configure a Data Collection policy in Azure which will automatically deploy the AMA service via Arc.
    • Azure Arc agents are free, however there are additional services (or 'extensions' as mentioned above) you can enable for which there may be a fee.

    Within Azure you don't need the Azure Arc agent. You just create a data collection rule and you're done.

    If you need to forward syslog data to a log analytics workspace I still use the legacy agent.

    References

    Good example of deploying Azure Arc, Defender for Endpoint, and Defender for Cloud

    https://jeffreyappel.nl/onboard-microsoft-defender-for-endpoint-using-azure-arc-for-non-azure-devices/#:~:text=For%20enabling%20Defender%20for%20Cloud,for%20Cloud%20plan%20is%20enabled.

    What is Azure Arc

    https://learn.microsoft.com/en-us/azure/azure-arc/servers/overview

    Azure Arc for Linux

    https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/manage/hybrid/server/best-practices/onboard-server-linux

    Azure Arc Pricing

    https://azure.microsoft.com/en-ca/pricing/details/azure-arc/

    Syslog forwarding example

    https://www.youtube.com/watch?v=Clz9ryElrmw&ab_channel=InfoVerseTech

    1 person found this answer helpful.

  2. JohnSebastian-3934 181 Reputation points
    2023-01-27T15:57:49.91+00:00

    Thank you, this is very helpful.
