Forum Discussion
Find Virtual Machines Not Connected to Log Analytics Agent?
Nevermind! Actually found this out myself doing some more research.
AzureActivity | where TimeGenerated > ago(24h)
| where SubscriptionId contains "SUB ID HERE ")
| where ResourceId contains "virtualmachines"
| distinct Resource |
join kind= leftanti
(Heartbeat * | distinct Computer) on $left.Resource == $right.Computer
Nevermind! Actually found this out myself doing some more research.
AzureActivity | where TimeGenerated > ago(24h)
| where SubscriptionId contains "SUB ID HERE ")
| where ResourceId contains "virtualmachines"
| distinct Resource |
join kind= leftanti
Not sure if I understand the logic of the solution or may be I do not understand the request. The Azure activity log is generated only when there is some action on the VMs. So if you have a VMs that did not have any action they will not appear in you azure activity log thus not in the query as well no matter if they are connected to Log Analytics or not. Best way to achieve this is probably using Azure Resource Graph. Resource graph uses the same query language as Log Analytics - Kusto. From there you can get all VMs and compare the results to Log Analytics data. The downside is that you cannot do this with single query you will have to extract the results from those services and do comparison in another language like PowerShell or Python. You can also extract the results from Resource Graph and feed them to the query in Log Analytics as well.
We use computer groups in the query so you should see also computer in the output if never connected in general or in special time frame..
- Noa Kuperberg
Microsoft
Great solution, thanks for sharing!
