SOLVED
Find Virtual Machines Not Connected to Log Analytics Agent?

envyforme
New Contributor

Hello!

I've run into another issue in regards to Log Analytics. I'd like to query all the virtual machines inside a certain subscription and determine whether or not they are joined to Log Analytics. Anything not joined will then be placed into a list. After doing some research and digging, I cannot find a way to query Azure machine names unless they are connected to Log Analytics. I'd believe there would be some kind of way to do this, correct?

Here was what I was thinking in regards to the query that should work:

Heartbeat
| where (SubscriptionId contains "SubscriptionID" or SubscriptionId contains "SubscriptionID")
| distinct Computer
| join kind=leftouter (
    Code Here that grabs all virtual machines that have been made in Azure | distinct Computer
) on $left.Computer == $right.Computer

Can someone provide assistance to me on this? I was here a couple of weeks ago and someone provided me with some great help.

4 Replies
Solution

Nevermind! Actually found this out myself doing some more research.

AzureActivity
| where TimeGenerated > ago(24h)
| where SubscriptionId contains "SUB ID HERE"
| where ResourceId contains "virtualmachines"
| distinct Resource
| join kind=leftanti (
    Heartbeat | distinct Computer
) on $left.Resource == $right.Computer

Great solution, thanks for sharing!

Not sure if I understand the logic of the solution, or maybe I do not understand the request. The Azure activity log is generated only when there is some action on the VMs. So if you have VMs that did not have any action, they will not appear in your Azure activity log, and thus not in the query either, no matter if they are connected to Log Analytics or not. The best way to achieve this is probably using Azure Resource Graph. Resource Graph uses the same query language as Log Analytics - Kusto. From there you can get all VMs and compare the results to Log Analytics data. The downside is that you cannot do this with a single query; you will have to extract the results from those services and do the comparison in another language like PowerShell or Python. You can also extract the results from Resource Graph and feed them to the query in Log Analytics as well.

We use computer groups in the query, so you should also see the computer in the output if it has never connected, in general or in a special time frame.
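The reply above recommends taking the VM inventory from Azure Resource Graph and doing the comparison against Log Analytics Heartbeat data outside the portal, or feeding the inventory back into a Log Analytics query. The script below is an added example written for this thread, not code from any participant: it works on constructed sample data standing in for the two query results (a Resource Graph `resources | where type =~ 'microsoft.compute/virtualmachines' | project name, resourceGroup` result and a `Heartbeat | summarize LastHeartbeat=max(TimeGenerated) by Computer` result), normalises the names (Heartbeat's Computer column is often an FQDN and may differ in case from the VM resource name), and separates VMs that have never reported from VMs whose last heartbeat is older than the window. It also generates the KQL for the second route, embedding the inventory as a `datatable` so the anti-join runs inside Log Analytics. The function and column names are the example's own assumptions.

```python
"""Added example (not from the thread): compare an Azure VM inventory from
Resource Graph against Log Analytics Heartbeat data and list the VMs with
no agent reporting. All data below is constructed sample data; in practice
the two lists would come from a Resource Graph query and a Heartbeat query."""

from datetime import datetime, timedelta, timezone
import json

# Constructed sample of Resource Graph output for
#   resources | where type =~ 'microsoft.compute/virtualmachines' | project name, resourceGroup
RESOURCE_GRAPH_VMS = [
    {"name": "web-01", "resourceGroup": "rg-prod"},
    {"name": "WEB-02", "resourceGroup": "rg-prod"},
    {"name": "db-01", "resourceGroup": "rg-prod"},
    {"name": "jump-01", "resourceGroup": "rg-mgmt"},
]

# Fixed "now" so the sample is reproducible (constructed).
NOW = datetime(2019, 6, 1, 12, 0, tzinfo=timezone.utc)

# Constructed sample of Log Analytics output for
#   Heartbeat | summarize LastHeartbeat=max(TimeGenerated) by Computer
HEARTBEAT_ROWS = [
    {"Computer": "web-01.corp.example.com", "LastHeartbeat": NOW - timedelta(minutes=2)},
    {"Computer": "web-02", "LastHeartbeat": NOW - timedelta(days=3)},
    {"Computer": "db-01", "LastHeartbeat": NOW - timedelta(minutes=5)},
]


def normalize(name: str) -> str:
    """Heartbeat.Computer may be an FQDN and differ in case from the VM
    resource name, so compare on the lower-cased short host name."""
    return name.split(".")[0].lower()


def find_unreported_vms(vms, heartbeats, now=NOW, max_age=timedelta(hours=24)):
    """Return (never_reported, stale) lists of VM resource names.

    never_reported: VM exists in Resource Graph but has no Heartbeat row at all,
                    i.e. the agent was never connected to this workspace.
    stale:          VM has heartbeats, but the latest is older than max_age,
                    i.e. the agent stopped reporting (or the VM is off)."""
    last_seen = {normalize(r["Computer"]): r["LastHeartbeat"] for r in heartbeats}
    never_reported, stale = [], []
    for vm in vms:
        key = normalize(vm["name"])
        if key not in last_seen:
            never_reported.append(vm["name"])
        elif now - last_seen[key] > max_age:
            stale.append(vm["name"])
    return never_reported, stale


def build_kql_from_inventory(vms, window="24h") -> str:
    """Second route from the reply: embed the Resource Graph inventory in a
    Log Analytics query as a datatable so the comparison runs in KQL.
    Returns the query text; the result set is every inventory VM whose
    short name sent no Heartbeat inside the window."""
    names = json.dumps(sorted(normalize(vm["name"]) for vm in vms))
    return (
        f"let azureVms = datatable(ShortName:string) {names};\n"
        "let reporting = Heartbeat\n"
        f"| where TimeGenerated > ago({window})\n"
        '| extend ShortName = tolower(tostring(split(Computer, ".")[0]))\n'
        "| distinct ShortName;\n"
        "azureVms\n"
        "| where ShortName !in (reporting)\n"
    )


if __name__ == "__main__":
    never, stale = find_unreported_vms(RESOURCE_GRAPH_VMS, HEARTBEAT_ROWS)
    print("Never reported:", never)   # ['jump-01']
    print("Stale (>24h):  ", stale)   # ['WEB-02']
    print("\nKQL to run in Log Analytics:\n" + build_kql_from_inventory(RESOURCE_GRAPH_VMS))
```

Splitting "never reported" from "stale" matters for the original question: a VM that has no Heartbeat row at all is the one that was never onboarded, while a VM whose last heartbeat is days old is onboarded but has a broken or deallocated agent, and the two are usually handled by different teams. The generated KQL keeps the same lower-case short-name normalisation on both sides so that case or domain-suffix differences do not produce false "not connected" hits.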
