MicrosoftGregorySuvalian Yes it's https://azure.microsoft.com/en-us/updates/general-availability-azure-monitor-agent-and-data-collection-rules-now-support-direct-proxies-and-log-analytics-gateway/, and they've even announced that the old agent is getting https://azure.microsoft.com/en-us/updates/were-retiring-the-log-analytics-agent-in-azure-monitor-on-31-august-2024/, but I'm holding off for now; The old agent is used for the Azure Updates solution in the automation account, and if you have AMA, then you don't have updating (yet, new solution is coming). Next, if you have both old and new agent, you'll end up with ingesting logs twice. Also Security Center afaik is still in private preview. Then there's an annoyance in the Linux version of the new agent that if you monitor disks, you can't monitor "*", because it then just monitors total disk space of all disks combined (_Total), instead of each disk individually.
I'm sure all of this will be ironed out in the future, and the potential is enormous. Azure Policy based setting of monitoring (which can make it granular), and possibility to send metric data to the Azure Metrics instead of Log Analytics and granular filtering of what you want to ingest in Eventlogs are awesome!
Pierre_Roman I would still try to keep all my logs on the same workspace, even if I have VMs in multiple regions. Azure Security Center just handles a single workspace that you can select. You *can* have multiple workspaces, but then you get ugly automatic naming, or you can get something with your own naming convention via an API call to set the workspace, but then the gui in ASC just tells you with a nice warning that you can only manage the continuous export using API now (I set ASC to continous export so I can have the protectionstatus table, which is where the Antimalware agent writes its data to, so I can get info on whether the VM is updating its antimalware definitions).
