By Bala Murugesan, Microsoft Cloud Specialist, Data#3
In my previous blog post, I covered Azure Operations Management Suite (OMS) Log Analytics, including the OMS overview, its architecture, and the list of solution packs and their functionalities. In this blog post, I will cover how to set up OMS and how to analyse and report on events through the Azure OMS Portal.
OMS is incredibly easy to configure if there is an existing Azure tenancy. However, be careful to select the right settings in the new Portal (ARM) and not the classic items from the old ASM portal.
Create an OMS Workspace
1. Log in to the Azure Management Portal and search for “Log Analytics (OMS)”.
2. Provide the appropriate details, including subscription and pay level, and then create a workspace.
Connect Azure Storage to OMS Log Analytics
Before on-boarding an Azure storage account to OMS, diagnostic logs need to be enabled on the VM so that the logs are stored in the allocated blob storage. Follow this article for more information on how to configure this, but the general settings are below:
1. Browse to the OMS workspace in the Azure portal. Click on the workspace – Settings – Storage and logs to point OMS to the storage locations where the VM diagnostics logs are stored.
2. Choose a previously created Azure storage account.
3. Choose the logs that you want to analyse. The source table will be selected based on the type of data that you wish to analyse.
4. Click OK to save the settings.
Connect Azure Virtual Machine to OMS Log Analytics
To perform additional analysis against VMs, including configuration change tracking, SQL assessment and update assessment, head to the OMS dashboard and click on the Virtual machines blade.
1. This will query the list of virtual machines present in the tenancy where the OMS workspace was created.
2. Click on the virtual machine that you want to connect to.
3. Click the Connect button to connect the VM to OMS. This installs an agent on the VM, and analytics data will start to flow to OMS.
4. It may take a couple of minutes to connect, but once it is connected you are good to go.
Now browse to the OMS Portal and start searching and analysing the logs to your heart’s content.
Lastly, it is worth mentioning the following dashboard, which is part of the free OMS and shows the number of failed logins. Personally, I have configured an alert for this event every 15 minutes, which works well and will let me know if anyone is trying to get into my tenant. This is not an instant alert, though: OMS needs to read the information from the storage logs, report it to the dashboard and then notify me via email. It’s not instantaneous, but for a free package it has plenty of potential, and I would recommend setting this up wherever it is appropriate to give Azure administrators more visibility of their tenant.
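The delay described above matters when choosing the alert's time window. The following is an added example, not part of the original post and not how OMS is implemented: a simple model of a 15-minute scheduled failed-login check, showing how a burst of failures can fall between two runs when ingestion lags. The threshold, the 12-minute ingestion delay, the sample events and the function names are all assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

THRESHOLD = 5  # assumed: failed logons per account that should raise an alert


def t(hhmm):
    """Parse a constructed HH:MM timestamp."""
    return datetime.strptime(hhmm, "%H:%M")


# Constructed sample data: (event_time, ingested_time, account).
# Six failed logons for "admin" at 10:01-10:06, each searchable 12 minutes later.
EVENTS = [(t(f"10:0{m}"), t(f"10:{m + 12}"), "admin") for m in range(1, 7)]
EVENTS.append((t("10:20"), t("10:25"), "bob"))  # a single mistyped password


def evaluate(events, run_at, lookback_minutes):
    """Return {account: count} over threshold, as seen by a check running at run_at.

    Only events already ingested at run_at are visible, and only those whose
    event time falls inside the lookback window are counted.
    """
    start = run_at - timedelta(minutes=lookback_minutes)
    counts = Counter(
        account
        for event_time, ingested, account in events
        if ingested <= run_at and start <= event_time < run_at
    )
    return {acct: n for acct, n in counts.items() if n >= THRESHOLD}


if __name__ == "__main__":
    # 15-minute window: the 10:15 run sees only 3 of the 6 events (the rest are
    # not ingested yet) and the 10:30 run no longer looks back far enough.
    # 30-minute window at 10:30: the whole burst is visible and counted.
    for run, lookback in [("10:15", 15), ("10:30", 15), ("10:30", 30)]:
        print(run, f"lookback={lookback}m", evaluate(EVENTS, t(run), lookback))
```

A lookback longer than the run interval means consecutive runs can report the same burst twice, so duplicate notifications should be expected or suppressed.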
That’s all for now. I hope you found my blog series useful. Feel free to reach out to me on LinkedIn if you would like to discuss any points mentioned.