Deploy OMS Monitoring to Azure Virtual Machines

In this post I will show you two ways to deploy Azure Log Analytics (OMS) monitoring to Azure virtual machines, and to some of the services running in those machines.

Monitor Virtual Machine Logs

The first method that I am showing you is possible, but not optimal. You can configure Azure virtual machines to write the logs of some services to a storage account. OMS can then gather the following virtual machine logs from that storage account:

  • Linux Syslog: Logs from a Linux guest OS.
  • Windows Event: Classic logs from a Windows guest OS.
  • IIS Log: Logs generated by IIS in a Windows guest OS.
  • Windows ETWEvent: Logging that a developer can enable.

This capability means that instead of trying to troubleshoot applications, such as a website that is load balanced across many machines, on one machine at a time, you have a central repository of log data that you can query or create alerts from.
I will need a storage account to store my log data. You could reuse the storage account that the virtual machines are stored in, but I prefer to create a dedicated storage account in a systems management resource group. I have created a general purpose storage account on standard storage in a resource group called rg-sysmgmt-01. This storage account will store all log data from virtual machines in the same region.
The virtual machines must be configured to write their logs to this storage account. Open the settings of your virtual machines and browse to Diagnostics. Make sure the status is set to On. Click Storage Account and select the storage account that you have created for the purpose of storing diagnostics data. Then select the logs from the guest OS that you want to write to this storage account. The screenshot below shows an example of a Windows Server virtual machine. Save the settings and repeat this process with every other machine that you want to gather logs from.

 Configure the Azure virtual machines to write logs to the storage account [Image Credit: Aidan Finn]

The next step is to configure Log Analytics (OMS) to gather logs from those storage accounts. Open the settings of your OMS instance and browse to Storage Account Logs. Here you can create an entry for each type of log that you can gather. Note that many elements of Azure can write logs to a storage account, not just virtual machines. This post is focusing on virtual machines, so I am going to gather IIS Logs and Events. Therefore, I will create two entries under Storage Account Logs.

Click Add and select the storage account that your logs are being written to. Under Data Type, select IIS Logs and click OK. Click Add again, select the storage account again, and select Events under Data Type. OMS is now configured to gather those two types of logs from the diagnostics-enabled virtual machines.
Note that Microsoft recommends using the Log Analytics VM extension for deeper insight into Windows and Linux logs. That’s what we’ll look at next.

Monitor Virtual Machines by Extension

You can monitor Azure virtual machines using the Log Analytics VM extension; this is an agent that is deployed to the virtual machine from your OMS instance or workspace.
To deploy the extension, browse to Virtual Machines in the settings of the Log Analytics (OMS) instance. Here you can see each of the virtual machines that your OMS workspace can monitor. You can filter this list if you have a lot of virtual machines.
Select a virtual machine; this opens a new blade where you can click Connect to enable monitoring for this virtual machine. You don’t need to stay on this blade to wait for the connection process to complete. Repeat this for every virtual machine.

Azure virtual machines being monitored by Log Analytics (OMS) [Image Credit: Aidan Finn]

A few minutes later, the virtual machines will switch to a Connected state in your workspace, meaning that the machines are now monitored by OMS.
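
The "repeat this for every virtual machine" step can be scripted with the Az PowerShell module. The following is an added example, not part of the original post: the workspace name and the virtual machine resource group are placeholders, and placing the workspace in rg-sysmgmt-01 and the handler versions shown are assumptions. The workspace key is passed in the protected settings so that it is stored encrypted rather than readable in the extension's public settings.

```powershell
# Added example. Placeholders and assumptions are marked; adjust before use.
$workspaceRg   = 'rg-sysmgmt-01'          # assumption: workspace is in the management resource group
$workspaceName = '<workspace-name>'       # placeholder
$vmRg          = '<vm-resource-group>'    # placeholder

# The workspace ID is plain configuration; the shared key is a secret.
$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $workspaceRg -Name $workspaceName
$keys      = Get-AzOperationalInsightsWorkspaceSharedKey -ResourceGroupName $workspaceRg -Name $workspaceName

$publisher = 'Microsoft.EnterpriseCloud.Monitoring'

foreach ($vm in Get-AzVM -ResourceGroupName $vmRg) {
    # Choose the agent extension that matches the guest OS.
    if ($vm.StorageProfile.OsDisk.OsType -eq 'Windows') {
        $type = 'MicrosoftMonitoringAgent'; $version = '1.0'
    } else {
        $type = 'OmsAgentForLinux'; $version = '1.13'   # assumption: handler version
    }

    # Skip machines where the extension is already provisioned.
    $existing = Get-AzVMExtension -ResourceGroupName $vmRg -VMName $vm.Name `
                                  -Name $type -ErrorAction SilentlyContinue
    if ($existing -and $existing.ProvisioningState -eq 'Succeeded') {
        Write-Output "$($vm.Name): $type already installed, skipping"
        continue
    }

    try {
        # -Settings is visible to anyone who can read the VM resource;
        # -ProtectedSettings is encrypted, so the key belongs there.
        Set-AzVMExtension -ResourceGroupName $vmRg -VMName $vm.Name -Location $vm.Location `
            -Name $type -ExtensionType $type -Publisher $publisher `
            -TypeHandlerVersion $version `
            -Settings @{ workspaceId = $workspace.CustomerId.ToString() } `
            -ProtectedSettings @{ workspaceKey = $keys.PrimarySharedKey } `
            -ErrorAction Stop | Out-Null
        Write-Output "$($vm.Name): $type deployed"
    } catch {
        # A stopped or deallocated VM cannot install extensions; report and move on.
        Write-Warning "$($vm.Name): deployment failed: $($_.Exception.Message)"
    }
}
```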