Configure the new Azure Monitor agent and Data Collection Rules. Optionally integrate with Azure Security Center and Azure Sentinel.



Azure Monitoring agent (AMA) is the next version of the monitoring agent deployed to guest operating systems and is now generally available.

In time it will replace the older monitoring agents known as the Log Analytics Agent (MMA), Diagnostics and Telegraf agent, but there are currently some gaps so it is common to install multiple agents to achieve the required functionality. The Azure Monitor agents overview details the current situation and is updated regularly as functionality is migrated over.

In this challenge, we will deploy the new agent. After the onboarding process, we will then utilise the new functionality of this agent.

Azure Monitor Agent (AMA)

  • Deploy the Azure Monitoring Agent to our virtual machines via your preferred CLI

  • Confirm the virtual machine’s AMA agents are communicating to an Azure Monitor workspace

    Hint: query for the heartbeat

Note that you will be using CLI commands to install the agent rather than the portal or by using Azure Policy. There are Azure Policy and Initiative definitions to install the Azure Monitor Agent, but they do not currently cover Azure Arc VMs. Expect that to change soon.

Data Collection Rules (DCRs)

DCR Overview

One of the benefits of the AMA agent is the flexibility in data collection rules, which allow you to define which metrics or logs you want to send to which target, and then associate with different groups of servers including hybrid servers. Some of the policy initiatives will assign an identity, install the extension and associate with a DCR.

Here is an overview of the metric and log collection designed for the pilot.


Security Operations Centers (SOC) team

You are part of the Security Operations Centers (SOC) team. You have access to the arc-pilot-soc

  • Set up a Data Collection Rule for all your Azure arc virtual machines to send their security logs to

  • (Optional) Validate the security logs are visible in the Log Analytics Workspace

    Hint: The linux security logs are:


Cost Management team

You are part of the Cost Management team and performing an exercise on reducing costs.

  • Deploy a Data Collection Rule to collate the RAM usage data and % of free disk space for all VMs
  • (Optional) Produce a workbook showing the % utilisation of CPU, RAM and free disk space for all VMs

Linux Application Team

You are part of a Linux application team.

  • (Optional) Deploy a Data Collection Rule to collate any system errors and send to a Log Analytics Workspace
  • (Optional) Create an Azure Monitor Alert to notify the application team on an error

Integrate with Azure Security Center

  • Enable Azure Security Center on your Azure Arc connected machines

Integrate with Azure Sentinel

  • Enable Azure Sentinel on your Azure Arc connected machines by configuring the Log Analytics agent to forward events to Azure Sentinel such as Common Event Format (CEF) or Syslog

Success criteria

Screen share with your proctor to show that you achieved:

  1. Azure Monitor Agent (AMA) is reporting heartbeat to your Log Analytics workspace
  2. Data Collection Rules are defined and associated correctly with the resources
  3. Data is being gathered from the Azure Arc-enabled machines
  4. Open Azure Security Center and view the Secure Score for your Azure arc connected machine
  5. From Azure Sentinel, view collected events from your Azure Arc connected machine


Help us improve

Azure Citadel is a community site built on GitHub, please contribute and send a pull request

Make a change