Migrate to Azure Monitor Agent from Log Analytics agent

Article
05/02/2023

Azure Monitor Agent (AMA) replaces the Log Analytics agent (also known as MMA and OMS) for Windows and Linux machines, in Azure and non-Azure environments, including on-premises and third-party clouds. The agent introduces a simplified, flexible method of configuring data collection using data collection rules (DCRs). This article provides guidance on how to implement a successful migration from the Log Analytics agent to Azure Monitor Agent.

Important

The Log Analytics agent will be retired on August 31, 2024. After this date, Microsoft will no longer provide any support for the Log Analytics agent. If you're currently using the Log Analytics agent with Azure Monitor or other supported features and services, start planning your migration to Azure Monitor Agent by using the information in this article.

Benefits

In addition to consolidating and improving on the legacy Log Analytics agents, Azure Monitor Agent provides a variety of immediate benefits, including cost savings, a simplified management experience, and enhanced security and performance.

Migration guidance

Before you begin migrating from the Log Analytics agent to Azure Monitor Agent, review the checklist below.

Before you begin

Check the prerequisites for installing Azure Monitor Agent.
To monitor non-Azure and on-premises servers, you must install the Azure Arc agent. You won't incur an additional cost for installing the Azure Arc agent and you don't necessarily need to use Azure Arc to manage your non-Azure virtual machines.
Understand your current needs.
Use the Workspace overview tab of the AMA Migration Helper to see connected agents and discover solutions enabled on your Log Analytics workspaces that use legacy agents, including per-solution migration recommendations.
Verify that Azure Monitor Agent can address all of your needs.
Azure Monitor Agent is generally available for data collection and is used for data collection by various Azure Monitor features and other Azure services. For details, see Supported services and features.
Consider installing Azure Monitor Agent together with a legacy agent for a transition period.
Run Azure Monitor Agent alongside the legacy Log Analytics agent on the same machine to continue using existing functionality during evaluation or migration. Keep in mind that running two agents on the same machine doubles resource consumption, including but not limited to CPU, memory, storage space, and network bandwidth.
- If you're setting up a new environment with resources, such as deployment scripts and onboarding templates, install Azure Monitor Agent together with a legacy agent in your new environment to decrease the migration effort later.
- If you have two agents on the same machine, avoid collecting duplicate data.
  Collecting duplicate data from the same machine can skew query results, affect downstream features like alerts, dashboards, and workbooks, and generate extra charges for data ingestion and retention.
  To avoid data duplication:
  - Configure the agents to send the data to different workspaces or different tables in the same workspace.
  - Disable duplicate data collection from legacy agents by removing the workspace configurations.
  - Defender for Cloud natively deduplicates data when you use both agents, and you'll be billed once per machine when you run the agents side by side.
  - For Sentinel, you can easily disable the legacy connector to stop ingestion of logs from legacy agents.

Migration steps

Flow diagram that shows the steps involved in agent migration and how the migration tools help in generating DCRs and tracking the entire migration process.

Use the DCR generator to convert your legacy agent configuration into data collection rules automatically.¹

Review the generated rules before you create them, to leverage benefits like filtering, granular targeting (per machine), and other optimizations. There are special steps needed to migrate MMA custom logs to AMA custom logs
Test the new agent and data collection rules on a few nonproduction machines:
1. Deploy the generated data collection rules and associate them with a few machines, as described in Installing and using DCR Config Generator.
  
  To avoid double ingestion, you can disable data collection from legacy agents during the testing phase without uninstalling the agents yet, by removing the workspace configurations for legacy agents.
2. Compare the data ingested by Azure Monitor Agent with legacy agent data to ensure there are no gaps. You can do this on any table by using the join operator to add the Category column from the Heartbeat table, which indicates Azure Monitor Agent for data collected by the Azure Monitor Agent.
  
  For example, this query adds the Category column from the Heartbeat table to data retrieved from the Event table:
```
Heartbeat
| distinct Computer, SourceComputerId, Category
| join kind=inner (
    Event
| extend d=parse_xml(EventData)
    | extend sourceHealthServiceId = tostring(d.DataItem.["@sourceHealthServiceId"])
    | project-reorder TimeGenerated, Computer, EventID, sourceHealthServiceId, ParameterXml, EventData
    ) on $left.SourceComputerId==$right.sourceHealthServiceId
| project TimeGenerated, Computer, Category, EventID, sourceHealthServiceId, ParameterXml, EventData
```
Use built-in policies to deploy extensions and DCR associations at scale. Using policy also ensures automatic deployment of extensions and DCR associations for new machines.³

Use the AMA Migration Helper to monitor the at-scale migration across your machines.
Validate that Azure Monitor Agent is collecting data as expected and all downstream dependencies, such as dashboards, alerts, and workbooks, function properly:
1. Look at the Overview and Usage tabs of Log Analytics Workspace Insights for spikes or dips in ingestion rates following the migration. Check both the overall workspace ingestion and the table-level ingestion rates.
2. Check your workbooks, dashboards, and alerts for variances from typical behavior following the migration.
Clean up: After you confirm that Azure Monitor Agent is collecting data properly, disable or uninstall the legacy Log Analytics agents.
- If you have need to continue using both agents, disable data collection with the Log Analytics agent.
- If you've migrated to Azure Monitor Agent for all your requirements, uninstall the Log Analytics agent from monitored resources. Clean up any configuration files, workspace keys, or certificates that were used previously by the Log Analytics agent. Continue using the legacy Log Analytics for features and solutions that Azure Monitor Agent doesn't support.
- Don't uninstall the legacy agent if you need to use it to upload data to System Center Operations Manager.

¹ The DCR generator only converts the configurations for Windows event logs, Linux syslog and performance counters. Support for more features and solutions will be available soon
² You might need to deploy extensions required for specific solutions in addition to the Azure Monitor Agent extension.

Migrate additional services and features

Azure Monitor Agent is generally available for data collection.

Most services that used Log Analytics agent for data collection are migrating to Azure Monitor Agent.

The following features and services now use Azure Monitor Agent in preview. This means you can already choose to use Azure Monitor Agent to collect data when you enable the feature or service; otherwise, the Log Analytics agent is still enabled by default.

Service or feature	Migration recommendation	Other extensions installed	More information
VM insights	Public preview with Azure Monitor Agent	Dependency Agent extension, if you’re using the Map Services feature	Enable VM Insights
Container insights	Public preview with Azure Monitor Agent	Containerized Azure Monitor agent	Enable Container Insights
Microsoft Defender for Cloud	Public preview with Azure Monitor Agent	Azure Security Agent extension SQL Advanced Threat Protection extension SQL Vulnerability Assessment extension	Auto-deployment of Azure Monitor Agent (Preview)
Microsoft Sentinel	Windows Security Events: Generally available Windows Forwarding Event (WEF): Public preview with Azure Monitor Agent Windows DNS logs: Public preview with Azure Monitor Agent Linux Syslog CEF: Public preview with Azure Monitor Agent	Sentinel DNS extension, if you’re collecting DNS logs. For all other data types, you just need the Azure Monitor Agent extension.	See Gap analysis for Microsoft Sentinel for a comparison of the extra data collected by Microsoft Sentinel.
Change Tracking and Inventory Management	Public preview with Azure Monitor Agent	Change Tracking extension	Change Tracking and Inventory using Azure Monitor Agent
Network Watcher	Connection Monitor: Public preview with Azure Monitor Agent	Azure NetworkWatcher extension	Monitor network connectivity by using Azure Monitor Agent
Azure Stack HCI Insights	Private preview	No other extension installed	Sign up here
Azure Virtual Desktop (AVD) Insights	Private preview	No other extension installed	Sign up here

Note

Features and services listed above in preview may not be available in Azure Government and China clouds. They will be available typically within a month after the features/services become generally available.

When you migrate the following services, which currently use Log Analytics agent, to their respective replacements (v2), you no longer need either of the monitoring agents:

Service	Migration recommendation	Other extensions installed	More information
Update Management	Update Management Center - Public preview (no dependency on Log Analytics agents or Azure Monitor Agent)	None	Update management center (Public preview with Azure Monitor Agent) documentation
Automation Hybrid Runbook Worker overview	Automation Hybrid Worker Extension - Generally available (no dependency on Log Analytics agents or Azure Monitor Agent)	None	Migrate an existing Agent based to Extension based Hybrid Workers

Next steps

For more information, see: