This post will show you how to deploy an Azure Log Analytics workspace so that you can prepare the foundation of monitoring machines and services both on-premises, in (any) the cloud, and in Azure.

Create a Workspace

All management and monitoring is done within an OMS workspace, which you will need to create. Open the Azure Portal, click More Services, enter Log Analytics (OMS), and click Add. In the new OMS Workspace blade you will need to do the following:

Sponsored Content

Maximize Value from Microsoft Defender

In this ebook, you’ll learn why Red Canary’s platform and expertise bring you the highest possible value from your Microsoft Defender for Endpoint investment, deployment, or migration.

Learn More

• Enter the desired name of the new workspace
• Select the Azure subscription
• Add the workspace to an existing resource group or create a new one (which is what I would do)
• Select the region in Azure that you want to create the workspace in
• Choose a pricing tier

• Free: Limited to 500MB of monitoring data being gathered per day and retaining up to 7 days of data
• Standard: Retaining up to 1 month of data
• Premium: Retaining up to 12 months of data

Your search for “OMS pricing” might also turn up a page that describes the pricing of the OMS add-on for System Center, which is a bundle of discounted Azure pricing.

For testing, proof of concept, and training, start with the Free tier. As your monitoring needs grow, you will start to gather more than 500MB of data per day. At that point, monitoring will stop until the next day starts and your monitoring resets to 0MB for that day. You can monitor the implementation to determine when you will need to upgrade to the Standard tier.

Exploring OMS

Once your workspace is created, browse into the object in the Portal. In this blade, you can see how many Azure storage account logs and virtual machines are being monitored by OMS. You can also see details for your tier, such as how much of the Free tier 500MB per day is available for the current day.

If you want to start monitoring, click Settings > Quick Create. Here you will find shortcuts to:

• Monitor Azure virtual machines or storage account logs
• Download an agent for machines outside of Azure — on-premises, in AWS, or anywhere with Internet connectivity
• Integrate System Center Operations Manager (SCOM) monitoring with OMS

The operational work of OMS is done in another portal called the OMS portal. You can find a link to your OMS portal by clicking the button in the workspace blade.

This is where you can do the following:

• Perform deep searches of gathered and retained data
• Create your own custom dashboard with your own insights into the environment
• Add solutions, the packs that add monitoring capabilities
• Track the usage of OMS to determine how much data is being gathered
• Configure the settings of OMS, including adding items to be monitored and enabling preview features