Does the Azure monitor agent collect logs with default settings?

Oleksandr Romaniuk 465 Reputation points
2024-03-14T11:40:26.8133333+00:00

Hello!
I have the scope of Azure Arc-enabled servers (on-premise, not Azure VM). There are Azure monitor agents (AMA) installed, so I think that when AMA was deployed, then logs started to be sent to our workspace. I see on the Data collection rules tab (Data sources) - Windows Event Logs, but when I create a query to this workspace, there are no logs. I didn't configure it, it was all configured by default.

  1. So, do I need to configure something else to have logs from these Arc-enabled servers?
  2. How then to connect this to the SIEM Sentinel (to create alerts)?
Azure Monitor
Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
2,788 questions
Azure Arc
Azure Arc
A Microsoft cloud service that enables deployment of Azure services across hybrid and multicloud environments.
318 questions
Microsoft Defender for Cloud
Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.
1,186 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Will 420 Reputation points
    2024-03-14T22:28:39.0966667+00:00

    Assuming that you have no networking issues here, agent must be able to connect to:

    • global.handler.control.monitor.azure.com
    • <virtual-machine-region-name>.handler.control.monitor.azure.com (example: westus.handler.control.azure.com)
    • <log-analytics-workspace-id>.ods.opinsights.azure.com (example: 12345a01-b1cd-1234-e1f2-1234567g8h99.ods.opinsights.azure.com)

    Nope, installation of an Azure Monitoring agent on an endpoint doesn't do anything by default. Microsoft loves this extra config crap. IMO ideally, you would just install, have a GUI to lead you through config on where to point the tenant and set ups these pieces for you but you'll need to:

    • Create a monitored object (MO) in Azure
    • Then associate the data collection rules (DCR) to the object

    Then there's all sorts of exceptions....

    • No standalone boxes
    • No laptops (or not ideal)