Forum Discussion
FahadAhmed
Nov 05, 2021Brass Contributor
AMA vs MMA: which one should we go ahead with?
Hello there,
We have an issue with one of the Azure Sentinel clients, where the cost has considerably increased due to a particular Event ID generating a lot of traffic.
Event ID 4663: At...
gregoval
Nov 08, 2021Copper Contributor
Hello,
Regarding Windows Events collection, AMA is considered stable. You can take advantage of its filtering capabilities by using custom XPath queries to filter out specific Event IDs. In Microsoft Sentinel, the Data Connector for Security Events with MMA has been renamed to "Security Events via Legacy Agent". So, as you understand, in the near future MMA will be replaced with AMA.
However, if we are talking about custom log collection and other capabilities, like AMA listening on a specific port, the support is limited:
- Cannot use the Log Analytics solutions in production (only available in preview, see what's supported).
- No support yet for networking scenarios involving private links.
- No support yet for collecting custom logs (files) or IIS log files.
- No support yet for Event Hubs and Storage accounts as destinations.
- No support for Hybrid Runbook workers.
Finally, the AMA is automatically installed as an extension on Azure VMs (or Azure Arc-enabled servers) after you deploy a new Data Collection Rule (DCR) to Azure Monitor (or through a Sentinel Data Connector). There is no installation package for AMA.
Regards,
Greg
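The XPath filtering Greg describes, as an added example that is not part of the thread: the script below dry-runs a DCR XPath query against the local Security log with Get-WinEvent (which takes the same query syntax, minus the channel prefix), so you can see that Event ID 4663 really is excluded before anything is deployed, then writes the DCR body that carries that query. The resource group, location, workspace resource ID, DCR name and the Azure CLI commands in the trailing comments are placeholders and assumptions for illustration; the Security log needs an elevated session.

```powershell
# Added example (not from the thread): validate a DCR XPath filter locally,
# then emit the Data Collection Rule JSON that applies it.
# Placeholders below: location, workspace resource ID, resource group, DCR name.

# 1. XPath in the form a DCR expects: "<channel>!<query>".
#    This keeps every Security event except Event ID 4663.
$xpath = 'Security!*[System[(EventID!=4663)]]'

# Get-WinEvent wants only the query part, so split off the channel.
$channel, $query = $xpath -split '!', 2

# 2. Dry run on this machine: any 4663 in the result means the query is wrong.
$sample = @(Get-WinEvent -LogName $channel -FilterXPath $query -MaxEvents 500 -ErrorAction SilentlyContinue)
$leaked = @($sample | Where-Object Id -eq 4663).Count
"Sampled $($sample.Count) Security events, $leaked with ID 4663 (expect 0)"

# 3. DCR body: Windows event log data source -> Microsoft-SecurityEvent stream
#    -> Log Analytics workspace. Assumed layout is the ARM resource shape;
#    check whether your CLI version expects only the "properties" object.
$dcr = @{
  location   = 'westeurope'          # placeholder
  kind       = 'Windows'
  properties = @{
    dataSources = @{
      windowsEventLogs = @(@{
        name         = 'securityEventsNo4663'
        streams      = @('Microsoft-SecurityEvent')
        xPathQueries = @($xpath)
      })
    }
    destinations = @{
      logAnalytics = @(@{
        name                = 'sentinelWorkspace'
        # placeholder workspace resource ID
        workspaceResourceId = '/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<workspace>'
      })
    }
    dataFlows = @(@{
      streams      = @('Microsoft-SecurityEvent')
      destinations = @('sentinelWorkspace')
    })
  }
}
$dcr | ConvertTo-Json -Depth 10 | Set-Content -Path .\dcr-security-no4663.json

# 4. Deploy and associate (assumed CLI invocation). Associating the DCR with a
#    VM or Arc server is what triggers the AMA extension install.
# az monitor data-collection rule create --resource-group <rg> --name dcr-security-no4663 --location westeurope --rule-file .\dcr-security-no4663.json
# az monitor data-collection rule association create --name sec-no4663 --resource <vm-resource-id> --rule-id <dcr-resource-id>
```

Two caveats worth keeping in mind: the agent-side filter only saves ingestion cost, the events are still written to the local Security log, so if nobody consumes 4663 at all, trimming the object-access SACLs (or the Object Access audit subcategory) that generate it removes the noise at the source; and if some 4663 events are wanted (for example on a specific file server), put that host in a second DCR with its own XPath rather than relaxing the filter for everyone.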
FahadAhmed
Nov 08, 2021Brass Contributor
Thank you for the quick and detailed response. I would specifically like to know the following:
- AMA can co-exist with MMA; however, we will receive two heartbeats from one endpoint, one for each agent.
- AMA will also collect logs, and MMA as well, so rather than reducing logs, we will have more logs coming in. So do we need to uninstall MMA to ensure the above two concerns are addressed (two heartbeats and duplicate logs)?
- I have a customer who already has MMA installed, and I cannot just ask him to uninstall all the MMA agents and install AMA agents from scratch. Is there any easy resolution for this problem?
If you can shed some light on these, it would be great.
Thanks
Fahad
gregoval
Nov 08, 2021Copper Contributor
You don't care about Heartbeat. You have two agents installed, so you receive two different "heartbeats". You can separate them by the "Version" column. The customer doesn't need to uninstall the MMAs. Just go to Log Analytics Workspace --> Agents configuration and disable the Windows event logs collection. So your collection will now be based only on the AMA DCR.
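A way to verify the outcome Greg describes, as an added example that is not part of the thread: after disabling Windows event log collection under Agents configuration, both agents keep heartbeating (which is harmless), but Security events should arrive once per host and no 4663 rows should appear once the DCR filter is in place. The two KQL queries below, run through Invoke-AzOperationalInsightsQuery, check exactly that. The workspace ID is a placeholder; a signed-in Az session with the Az.OperationalInsights module is assumed.

```powershell
# Added example (not from the thread): confirm from the workspace that both
# agents heartbeat but Security events are no longer collected twice.
# Assumes a signed-in Az session and Az.OperationalInsights; workspace ID is a placeholder.
$workspaceId = '<workspace-customer-id>'   # placeholder: the workspace GUID

# Heartbeat: one row per agent per computer. Category separates the agents
# ("Azure Monitor Agent" vs "Direct Agent" for MMA), and Version does too.
$heartbeatKql = @'
Heartbeat
| where TimeGenerated > ago(1h)
| summarize LastSeen = max(TimeGenerated) by Computer, Category, Version
| order by Computer asc
'@

# SecurityEvent: with MMA event collection off and the DCR excluding 4663,
# Count4663 should be 0 and Total should drop back to single-agent volume
# (compare against the same query run before the change).
$securityKql = @'
SecurityEvent
| where TimeGenerated > ago(1h)
| summarize Total = count(), Count4663 = countif(EventID == 4663) by Computer
| order by Total desc
'@

$hb = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $heartbeatKql
$hb.Results | Format-Table Computer, Category, Version, LastSeen

$sec = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $securityKql
$sec.Results | Format-Table Computer, Total, Count4663
```

Run the second query once before disabling collection on the MMA side and once after; a host whose Total roughly halves was being collected by both agents, and a host that still shows Count4663 above zero is not yet associated with the filtering DCR.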