Editja

Ixxerja permezz ta’


Collect data with Azure Monitor Agent

Azure Monitor agent (AMA) is used to collect data from Azure virtual machines, Virtual Machine scale sets, and Arc-enabled servers. Data collection rules (DCR) define the data to collect from the agent and where that data should be sent. This article describes how to use the Azure portal to create a DCR to collect different types of data and install the agent on any machines that require it.

If you're new to Azure Monitor or have basic data collection requirements, then you may be able to meet all of your requirements using the Azure portal and the guidance in this article. If you want to take advantage of additional DCR features such as transformations, then you may need to create a DCR using other methods or edit it after creating it in the portal. You can also use different methods to manage DCRs and create associations if you want to deploy using CLI, PowerShell, ARM templates, or Azure Policy.

Note

To send data across tenants, you must first enable Azure Lighthouse.

Warning

The following cases may collect duplicate data which may result in additional charges.

  • Creating multiple DCRs with the same data source and associating them to the same agent. Ensure that you're filtering data in the DCRs such that each collects unique data.
  • Creating a DCR that collects security logs and enabling Sentinel for the same agents. In this case, you may collect the same events in the Event table and the SecurityEvent table.
  • Using both the Azure Monitor agent and the legacy Log Analytics agent on the same machine. Limit duplicate events to only the time when you transition from one agent to the other.

Data sources

The table below lists the types of data you can currently collect with the Azure Monitor Agent and where you can send that data. The link for each is to an article describing the details of how to configure that data source. Follow this article to create the DCR and assign it to resources, and then follow the linked article to configure the data source.

Data source Description Client OS Destinations
Windows events Information sent to the Windows event logging system, including sysmon events. Windows Log Analytics workspace
Performance counters Numerical values measuring performance of different aspects of operating system and workloads. Windows
Linux
Azure Monitor Metrics (Preview)
Log Analytics workspace
Syslog Information sent to the Linux event logging system. Linux Log Analytics workspace
Text log Information sent to a text log file on a local disk. Windows
Linux
Log Analytics workspace
JSON log Information sent to a JSON log file on a local disk. Windows
Linux
Log Analytics workspace
IIS logs Internet Information Service (IIS) logs from the local disk of Windows machines Windows Log Analytics workspace

Note

Azure Monitor Agent also supports Azure service SQL Best Practices Assessment which is currently Generally available. For more information, refer Configure best practices assessment using Azure Monitor Agent.

Prerequisites

Overview

When you create a DCR in the Azure portal, you're walked through a series of pages to provide the information needed to collect data from the machines you specify. The following table describes the information you need to provide on each page.

Section Description
Resources Machines that will use the DCR. When you add a machine to the DCR, it creates a data collection rule association (DCRA) between the machine and the DCR. You can edit the DCR to add or remove machines after it's created.
Data source The type of data to collect from the machine. The list of available data sources are listed above in Data sources. Each data source has its own configuration settings and potentially prerequisites, so see the individual article for each for details.
Destination Destination where the data collected from the data source should be sent. If you have multiple data sources in the DCR, they can be sent to separate destinations, and data from a single data source may be sent to multiple destinations. See the article for each data source for more details about their destination such as the table in the Log Analytics workspace.

For detailed steps on how to create a DCR using the Azure portal, see Create data collection rules.

Verify operation

Once you've created a DCR and associated it with a machine, you can verify that the agent is operational and that data is being collected by running queries in the Log Analytics workspace.

Verify agent operation

Verify that the agent is operational and communicating properly by running the following query in Log Analytics to check if there are any records in the Heartbeat table. A record should be sent to this table from each agent every minute.

Heartbeat
| where TimeGenerated > ago(24h)
| where Computer has "<computer name>"
| project TimeGenerated, Category, Version
| order by TimeGenerated desc

Verify that records are being received

It will take a few minutes for the agent to be installed and start running any new or modified DCRs. You can then verify that records are being received from each of your data sources by checking the table that each writes to in the Log Analytics workspace. For example, the following query checks for Windows events in the Event table.

Event
| where TimeGenerated > ago(48h)
| order by TimeGenerated desc

Troubleshooting

Go through the following steps if you aren't collecting data that you're expecting.

  • Verify that the agent is installed and running on the machine.
  • See the Troubleshooting section of the article for the data source you're having trouble with.
  • See Monitor and troubleshoot DCR data collection in Azure Monitor to enable monitoring for the DCR.
    • View metrics to determine if data is being collected and whether any rows are being dropped.
    • View logs to identify errors in the data collection.

Next steps