Azure Citadel

Table of Contents

  • Introduction
  • Azure Monitor Agent (AMA)
  • Data Collection Rules (DCRs)
    • DCR Overview
    • Security Operations Centers (SOC) team
    • Cost Management team
    • Linux Application Team
  • Dashboarding
    • Log Management
    • Update Management
    • Arc Management
    • Azure Monitor Workbook
  • Integrate with Microsoft Defender for Cloud (optional)
  • Integrate with Azure Sentinel (optional)
  • Success criteria
  • Resources

Monitoring

Configure the new Azure Monitor agent and Data Collection Rules. Optionally integrate with 'Microsoft Defender for Cloud' and Azure Sentinel.

Introduction

Azure Monitor agent (AMA) is the next generation of the monitoring agent deployed to guest operating systems and is now generally available.

In time it will replace the older agents (the Log Analytics agent, also known as MMA, the Diagnostics extension and the Telegraf agent), but there are still feature gaps, so it is common to install more than one agent to get the required functionality. The Azure Monitor agents overview describes the current state and is updated regularly as functionality migrates over.

In this challenge, we will deploy the new agent. After the onboarding process, we will then utilise the new functionality of this agent.

Azure Monitor Agent (AMA)

  • Confirm the Azure Monitor Agent is installed on our virtual machines via the Extensions pane

  • Confirm the virtual machines' AMA agents are communicating with the Log Analytics workspace

    Hint: query the Heartbeat table

Note that you will be using CLI commands to install the agent rather than the portal or by using Azure Policy. There are Azure Policy and Initiative definitions to install the Azure Monitor Agent, but they do not currently cover Azure Arc VMs. Expect that to change soon.

Data Collection Rules (DCRs)

DCR Overview

One of the benefits of the AMA agent is the flexibility of data collection rules (DCRs), which let you define which metrics or logs to collect and which destination to send them to, and then associate the rule with different groups of servers, including hybrid servers. Some of the policy initiatives will assign an identity, install the extension and associate the machine with a DCR.

Here is an overview of the metric and log collection designed for the pilot.

DCRs

Security Operations Centers (SOC) team

You are part of the Security Operations Centers (SOC) team. You have access to the arc-pilot-soc

  • Set up a Data Collection Rule for all your Azure Arc virtual machines to send their security logs to

  • (Optional) Validate the security logs are visible in the Log Analytics Workspace

    Hint: The Linux security logs are:

    DCR

Cost Management team

You are part of the Cost Management team and performing an exercise on reducing costs.

  • Deploy a Data Collection Rule to collate the RAM usage data and % of free disk space for all VMs
  • (Optional) Produce a workbook showing the % utilisation of CPU, RAM and free disk space for all VMs
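The two DCRs asked for by the SOC and Cost Management teams above, as an added example that is not part of the hack's own material: each rule is written as JSON, created with the az CLI (monitor-control-service extension) and associated with the Arc-enabled machines of the matching OS. Workspace resource IDs, the resource group, the syslog facilities and the (Windows) counter names are all assumptions.

```shell
#!/usr/bin/env sh
# Added example, not from the Azure Citadel hack: build the SOC and Cost Management DCRs
# as JSON, create them with the az CLI and associate each with the Arc machines of the
# matching OS. Workspace IDs, resource group, facilities and counters are assumptions.
set -eu
LOCATION="${LOCATION:-uksouth}"
ARC_RG="${ARC_RG:-arc_pilot}"        # resource group that holds the Arc machines
SOC_WS_ID="${SOC_WS_ID:-/subscriptions/<sub-id>/resourceGroups/arc-pilot-soc/providers/Microsoft.OperationalInsights/workspaces/arc-pilot-soc}"
COST_WS_ID="${COST_WS_ID:-/subscriptions/<sub-id>/resourceGroups/arc-pilot-cost/providers/Microsoft.OperationalInsights/workspaces/arc-pilot-cost}"

# SOC team: Linux authentication syslog (auth/authpriv facilities) -> SOC workspace.
soc_dcr_json() {
  cat <<EOF
{"location":"$LOCATION","kind":"Linux","properties":{
 "dataSources":{"syslog":[{"name":"authLogs","streams":["Microsoft-Syslog"],
   "facilityNames":["auth","authpriv"],
   "logLevels":["Info","Notice","Warning","Error","Critical","Alert","Emergency"]}]},
 "destinations":{"logAnalytics":[{"name":"soc","workspaceResourceId":"$SOC_WS_ID"}]},
 "dataFlows":[{"streams":["Microsoft-Syslog"],"destinations":["soc"]}]}}
EOF
}

# Cost team: memory and free-disk counters every 60 s -> cost workspace. Windows counter
# paths; the unquoted heredoc halves each "\\\\" to the "\\" JSON needs for a single "\".
cost_dcr_json() {
  cat <<EOF
{"location":"$LOCATION","kind":"Windows","properties":{
 "dataSources":{"performanceCounters":[{"name":"capacity","streams":["Microsoft-Perf"],
   "samplingFrequencyInSeconds":60,"counterSpecifiers":["\\\\Memory\\\\Available Bytes",
   "\\\\Memory\\\\% Committed Bytes In Use","\\\\LogicalDisk(*)\\\\% Free Space"]}]},
 "destinations":{"logAnalytics":[{"name":"cost","workspaceResourceId":"$COST_WS_ID"}]},
 "dataFlows":[{"streams":["Microsoft-Perf"],"destinations":["cost"]}]}}
EOF
}

# Create a DCR from a JSON file, then associate it with every Arc machine whose osName
# ("linux" or "windows") matches, so a Linux-kind rule never lands on a Windows host.
deploy_dcr() {     # usage: deploy_dcr <dcr-name> <json-file> <linux|windows>
  rule_id=$(az monitor data-collection rule create -g "$ARC_RG" -n "$1" -l "$LOCATION" \
              --rule-file "$2" --query id -o tsv)
  for machine_id in $(az connectedmachine list -g "$ARC_RG" --query "[?osName=='$3'].id" -o tsv); do
    az monitor data-collection rule association create -n "$1-assoc" \
      --rule-id "$rule_id" --resource "$machine_id" -o none
  done
}

if [ "${1:-}" = "deploy" ]; then   # run as: sh dcr.sh deploy
  soc_dcr_json  > soc-dcr.json  && deploy_dcr dcr-soc-auth-logs soc-dcr.json  linux
  cost_dcr_json > cost-dcr.json && deploy_dcr dcr-cost-capacity cost-dcr.json windows
fi
```

Swap the placeholder workspace IDs for the real resource IDs before deploying; the association name must be unique per machine and rule, which the `<dcr-name>-assoc` convention gives you.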

Linux Application Team

You are part of a Linux application team.

  • (Optional) Deploy a Data Collection Rule to collate any system errors and send to a Log Analytics Workspace
  • (Optional) Create an Azure Monitor Alert to notify the application team on an error

Dashboarding

As you go through this section, note the queries you use.

Log Management

Produce a query to highlight which machines are reporting to the Log Analytics Workspace.

Update Management

Produce a query to highlight which machines require updates. (N.B. you will need to use summarize and arg_max to keep only the latest assessment per update)

Arc Management

Produce a query highlighting if our estate is compliant with the Virtual Machine extensions. (N.B. you will need to use Azure Resource Graph)

Azure Monitor Workbook

Create an Azure Monitor Workbook showcasing your KQL queries. Feel free to use graphs or charts.

Azure Monitor Workbook
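One set of answers to the three dashboard tasks above, as an added example rather than the hack's own solution: each KQL query is wrapped in a shell function so it can be pasted into a workbook cell or run with the az CLI (log-analytics and resource-graph extensions). The workspace ID placeholder and the assumption that update data comes from the Update Management solution's Update table are mine.

```shell
#!/usr/bin/env sh
# Added example, not from the Azure Citadel hack: the three dashboard queries as shell
# functions, runnable via the az CLI. WORKSPACE_ID and the Update table are assumptions.
set -eu
WORKSPACE_ID="${WORKSPACE_ID:-<log-analytics-workspace-id>}"   # placeholder: workspace (customer) ID

# Log Management: newest heartbeat per machine; Category shows which agent sent it.
heartbeat_query() {
  cat <<'EOF'
Heartbeat
| summarize arg_max(TimeGenerated, Category, OSType, Version) by Computer
| extend Status = iff(TimeGenerated < ago(15m), "stale", "reporting")
| project Computer, OSType, Category, Version, LastHeartbeat = TimeGenerated, Status
EOF
}

# Update Management: keep the latest assessment state per (machine, update), then count
# what is still needed. Assumes the Update table populated by the Update Management solution.
update_query() {
  cat <<'EOF'
Update
| where TimeGenerated > ago(1d)
| summarize arg_max(TimeGenerated, UpdateState, Classification) by Computer, Title
| where UpdateState =~ "Needed"
| summarize MissingUpdates = count(), Classifications = make_set(Classification) by Computer
EOF
}

# Arc Management (Azure Resource Graph): every Arc machine with its AMA extension state;
# the leftouter join keeps machines that have no extension at all, so they show as non-compliant.
arc_extension_query() {
  cat <<'EOF'
Resources
| where type =~ "microsoft.hybridcompute/machines"
| project machineId = tolower(id), machine = name, os = tostring(properties.osName)
| join kind=leftouter (
    Resources
    | where type =~ "microsoft.hybridcompute/machines/extensions"
    | where tostring(properties.type) in~ ("AzureMonitorLinuxAgent", "AzureMonitorWindowsAgent")
    | project machineId = tolower(substring(id, 0, indexof(id, "/extensions/"))),
              amaState = tostring(properties.provisioningState)
  ) on machineId
| project machine, os, amaState, compliant = (amaState =~ "Succeeded")
EOF
}

if [ "${1:-}" = "run" ]; then     # run as: sh dashboard.sh run
  az monitor log-analytics query -w "$WORKSPACE_ID" --analytics-query "$(heartbeat_query)" -o table
  az monitor log-analytics query -w "$WORKSPACE_ID" --analytics-query "$(update_query)" -o table
  az graph query -q "$(arc_extension_query)" --query data -o table
fi
```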

Integrate with Microsoft Defender for Cloud (optional)

  • Enable ‘Microsoft Defender for Cloud’ on your Azure Arc connected machines

Integrate with Azure Sentinel (optional)

  • Enable Azure Sentinel on your Azure Arc connected machines by configuring the Log Analytics agent to forward events, such as Common Event Format (CEF) or Syslog, to Azure Sentinel

Success criteria

Screen share with your proctor to show that you achieved:

  1. Azure Monitor Agent (AMA) is reporting heartbeat to your Log Analytics workspace
  2. Data Collection Rules are defined and associated correctly with the resources
  3. Data is being gathered from the Azure Arc-enabled machines

Optional:

  1. Open ‘Microsoft Defender for Cloud’ and view the Secure Score for your Azure Arc connected machine
  2. From Azure Sentinel, view collected events from your Azure Arc connected machine

Resources

  • Azure Monitoring Agent
  • Data Collection Rule
  • Azure Monitor Workbook Visualizations
  • Create, view, and manage log alerts using Azure Monitor
  • Connect your non-Azure machines to Security Center