Forum Discussion

FahadAhmed
Brass Contributor
Nov 05, 2021

AMA vs MMA: which one should we go ahead with?

Hello there,

We have an issue with one of the Azure Sentinel clients, where the cost has increased considerably due to a particular Event ID generating a lot of traffic.

Event ID 4663 "Attempt to access an object" has the highest count of "8263330" within 24 hours.

We don't want to just filter out this event altogether, since this Event ID is important, especially for monitoring of OS-level executables which at times attackers exploit/misuse.

 

Going through the documentation, I see that AMA has the capability to filter Event IDs using XPath queries. I went through one blog post which says that when using AMA instead of MMA, we need to consider the below:

  1. AMA can co-exist with MMA; however, we will receive two heartbeats from one endpoint, one for each agent.
  2. AMA will also collect logs, and MMA as well, so rather than reducing logs, we will have more logs coming in.
  3. I have a customer who already has MMA installed and I cannot just ask him to uninstall all the MMA agents and install AMA agents from scratch. Is there any easy resolution for this problem?

 

We have new customers coming in and I don't want to end up in the same situation, so shall we start using the AMA agent? Is it stable enough as compared to MMA, or recommended by Microsoft to move ahead with instead of MMA?

I don't see the AMA agent installed within the Sentinel portal, only MMA is there. So from where can I download this?

I need answers on the above queries; any help will be much appreciated.

Thanks

Fahad.

  • Syede320
    Copper Contributor

    In case you haven't heard, there's a new agent in town. It's called the Azure Monitor Agent (AMA). This agent is brand new, re-written from the ground up, and is going to replace the Microsoft Monitoring Agent (MMA) currently used by Log Analytics. This post will serve as both information and opinion about the new agent. The new AMA is Generally Available, which means it is supported by Microsoft. Does that mean you should migrate to it? The first thing we need to talk about before getting into migration is Data Collection Rules.


    Data Collection Rules

    DCRs for short represent a wholesale change in how our agents do data collection. Where Performance and Event logs were Log Analytics workspace-wide with MMA, DCRs are super granular with the new Azure Monitor Agent. Have a single special Event Log on a specific server you want to collect? We can do that now without collecting it from any other servers. Want to collect Event Logs for all production Hyper-V hosts? We can do that with a DCR now. Want to only collect CPU performance metrics for 5 servers? Again, relatively easy with a DCR. This will help save on some costs in your data collection, if done correctly, as you will no longer be collecting Performance Metrics and Event Logs workspace-wide. You can of course do that if you want, as well. However, this does represent a change, and you will have to spend some time investigating how to incorporate it into your monitoring scenario.

  • gregoval
    Copper Contributor
    Hello,

    Regarding Windows Events Collection, AMA is considered stable. You can take advantage of its filtering capabilities by using custom XPath queries in order to filter out specific Event IDs. In Microsoft Sentinel, the Data Connector for Security Events with MMA has been renamed to "Security Events via Legacy Agent". So, as you understand, in the near future MMA will be replaced with AMA.
    However, if we are talking about custom log collection and other capabilities like AMA listening on a specific port, the support is limited:

    Cannot use the Log Analytics solutions in production (only available in preview, see what's supported).
    No support yet for networking scenarios involving private links.
    No support yet collecting custom logs (files) or IIS log files.
    No support yet for Event Hubs and Storage accounts as destinations.
    No support for Hybrid Runbook workers.

    Finally, the AMA is automatically installed as an extension to Azure VMs (or Azure Arc-enabled servers) after you deploy a new Data Collection Rule (DCR) in Azure Monitor (or through the Sentinel Data Connector). There is no installation package for AMA.

    Regards,
    Greg
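As an added example (not from this thread, and not Microsoft's own code), the PowerShell below tests the kind of XPath filter an AMA Data Collection Rule would use for Event ID 4663 against the local Security log before it is put into the DCR, so the volume reduction can be measured first. It assumes that DCR `xPathQueries` take the form `<Channel>!<xpath>` and are limited to 256 characters, that AccessMask `0x20` (Execute/Traverse) is an acceptable stand-in for "access to an executable", and that `Microsoft-SecurityEvent` is the stream used by the Sentinel Security Events (AMA) connector; the data source name is hypothetical.

```powershell
# Added example, not from this thread: test the XPath filters that an AMA Data Collection
# Rule (DCR) would use against the local Security log before deploying them.
# Assumptions: DCR xPathQueries take the form "<Channel>!<xpath>" (max 256 characters);
# AccessMask '0x20' (Execute/Traverse) is used as a stand-in for "access to an executable";
# 'Microsoft-SecurityEvent' is the stream the Sentinel Security Events (AMA) connector uses.
# Reading the Security log requires an elevated PowerShell session.

$filters = [ordered]@{
    # Everything in Security except the noisy 4663.
    AllButObjectAccess = "*[System[(EventID!=4663)]]"
    # Keep 4663 only for files opened with Execute/Traverse access.
    ExecObjectAccess   = "*[System[(EventID=4663)]] and *[EventData[Data[@Name='ObjectType']='File' and Data[@Name='AccessMask']='0x20']]"
}

# Restrict each test to the last 24 hours (timediff is in milliseconds) so the numbers
# are comparable to the 24-hour count quoted in the thread.
$last24h = "*[System[TimeCreated[timediff(@SystemTime) <= 86400000]]]"

$report = foreach ($name in $filters.Keys) {
    $xpath    = $filters[$name]
    $events   = @(Get-WinEvent -LogName Security -FilterXPath "$xpath and $last24h" -ErrorAction SilentlyContinue)
    $dcrQuery = "Security!$xpath"
    [pscustomobject]@{
        Filter        = $name
        EventsLast24h = $events.Count
        DcrQuery      = $dcrQuery
        FitsDcrLimit  = $dcrQuery.Length -le 256   # assumed DCR limit per XPath string
    }
}
$report | Format-Table -AutoSize -Wrap

# windowsEventLogs data source block to paste into the DCR once the counts look right.
$dataSource = [ordered]@{
    name         = 'securityEventsFiltered'      # hypothetical data source name
    streams      = @('Microsoft-SecurityEvent')
    xPathQueries = @($report.DcrQuery)
}
$dataSource | ConvertTo-Json -Depth 3
```

Comparing `EventsLast24h` for the two filters against the raw 4663 count shows how much of the volume a given XPath predicate actually removes before anything is changed in the workspace.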
    • FahadAhmed
      Brass Contributor

      gregoval

      Thank you for the quick and detailed response. I would specifically like to know the following:

      1. AMA can co-exist with MMA; however, we will receive two heartbeats from one endpoint, one for each agent.
      2. AMA will also collect logs, and MMA as well, so rather than reducing logs, we will have more logs coming in. So do we need to uninstall MMA to ensure the above two concerns are addressed (two heartbeats and duplicate logs)?
      3. I have a customer who already has MMA installed and I cannot just ask him to uninstall all the MMA agents and install AMA agents from scratch. Is there any easy resolution for this problem?

      If you can shed some light on these, it would be great.

      Thanks

      Fahad


      • gregoval
        Copper Contributor
        You don't care about Heartbeat. You have 2 agents installed, so you receive 2 different "heartbeats". You can separate them by the "Version" column. The customer doesn't need to uninstall the MMAs. Just go to Log Analytics Workspace --> Agents configuration and disable the Windows event logs collection. So your collection will now be based only on AMA-DCR.
