Azure Monitor Agent & Log Analytics Agent. I am confused

Khankishiyev Farhad 1 Reputation point
2023-05-24T10:24:24.36+00:00

Dear Community.

I have the following questions. Please help explain.

 

Questions:

 

  1. The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. If you use the Log Analytics agent to ingest data to Azure Monitor, migrate to the new Azure Monitor agent prior to that date. 
  • Does Microsoft recommend migrating to Azure Monitor Agent as soon as possible?
  • You might also see the Log Analytics agent referred to as Microsoft Monitoring Agent (MMA).
  • Does it mean Log Analytics agent = Microsoft Monitoring Agent (MMA)?

 

  2. Windows client installer of the Azure Monitor Agent supports latest Windows machines only that are Azure AD joined or hybrid Azure AD joined. So it cannot access Log Analytics Agent directly as Log Analytics agent if we have non-Azure Windows VMs or physical Windows clients. Because: The Data Collection rules can only target the Azure AD tenant scope, i.e. all DCRs associated to the tenant (via Monitored Object) will apply to all Windows client machines within that tenant with the agent installed using this client installer. Granular targeting using DCRs is not supported for Windows client devices yet.

 

  • Does it mean that Azure Monitor Object is still not a good idea for a non-Azure Windows Client environment? (ACR excluded)
  • Does it mean that the logs exported from Windows Client to Log Analytics Workspaces using DCRs don't use direct Internet access?
  • Will Azure Monitor Agent work if it runs on my Azure AD Hybrid Joined Windows PCs which don't have a direct Internet connection?

 

 

  3. The Log Analytics gateway supports:
    • Windows computers on which either the Azure Monitor Agent or the legacy Microsoft Monitoring Agent is directly connected to a Log Analytics workspace in Azure Monitor.
    • Both the source and the gateway server must be running the same agent. --- "You can't stream events from a server running Azure Monitor agent through a server running the gateway with the Log Analytics agent." --- I don't understand it.

 

  • Does it mean that Log Analytics Gateway can run only on ACR-enabled servers if there is no installed Log Analytics Agent?
  • Or can Log Analytics Gateway stream the logs only from Windows PCs with Log Analytics Agents installed?
  • If yes, why then is there a guide that explains "Configure the Azure Monitor agent to communicate using Log Analytics gateway"?

 

 

4.1. Configure the Azure Monitor agent to communicate using Log Analytics gateway

 

  • Add the configuration endpoint URL to fetch data collection rules to the allowlist for the gateway
  • Add-OMSGatewayAllowedHost -Host global.handler.control.monitor.azure.com
  • Add-OMSGatewayAllowedHost -Host

2 answers

  1. Andrew Blumhardt 10,051 Reputation points Microsoft Employee
    2023-05-24T11:39:07+00:00

    Agent terminology can be a bit confusing. Main thing is Azure Monitor Agent (AMA) is new. Log Analytics agent or Microsoft Monitoring Agent (MMA) is the legacy version.

    The new agent is the AMA. It is only available as an extension for servers (no stand-alone MSI/EXE installer). It can be deployed directly to Azure VMs and to servers using Azure Arc. Think of Arc like WSUS for admin software. It allows Azure to deploy and manage a limited set of admin software and audit policies.

    The MMA is the older/legacy agent. Very similar to the SCOM agent. It will be phased out as a cloud-facing agent, August 2024. Customers should start migrating away from MMA early if possible.

    There is a special AMA for workstations (Win10-11). It can be installed as an MSI but only works on AAD joined devices.

    The gateway is an optional service to redirect AMA\MMA traffic. Basically, an agent designated to act as a proxy. Both AMA/MMA support this concept/service.


  2. David Broggy 6,371 Reputation points MVP Volunteer Moderator
    2023-05-24T18:31:20.1866667+00:00

    Hi Farhad,

    I may also have something to contribute to this conversation, check out my blog:

    https://simple-security.ca/2023/05/05/configuring-the-new-ama-and-arc-agent-to-forward-syslog-to-sentinel/

    Basically:
    the old OMS agent is out

    use DCR (data collection rule) and AMA (azure monitor agent).

    If it's an on-prem server vs. Azure, you'll need the Arc agent and AMA will be automatically pushed out when you set up your DCR.

    (Additional note: if you need CEF for syslog, there's a Python script needed to push out and configure your syslog setup.)

    Hopefully Andrew's comment about the gateway helps since that's the one piece I haven't used.

