With the deprecation of the Log Analytics agent (also called MMA or OMS), it's a great opportunity to discuss its successor, the Azure Monitor Agent (AMA), and why it is so much better and keeps improving!
AMA is a lightweight log collection agent, designed to consume as few resources as possible when collecting metrics and logs from your server. It can be installed on various flavors and OS versions of both Linux and Windows machines hosted in Azure, on-premises or in any other cloud environment. When installed on non-Azure machines, AMA requires the Azure Arc agent, which provides the Azure resource representation and centralized cloud management capabilities for your machine.
When associated with a Microsoft Sentinel workspace, all logs collected from AMA-installed machines are sent to the various Microsoft Sentinel tables, depending on the source type from which they were collected (Windows DNS, Windows security events, firewall, IIS, Syslog, CEF, etc.).
AMA is controlled using Data Collection Rules (DCRs), which let you define where to collect the logs from, what data manipulations to perform with KQL transformations (filtering, parsing, enrichment and more) and where to send the logs, whether that is a workspace, Event Hubs (for Azure VMs only), the Auxiliary tier and so on. You can group machines by assigning them different DCRs.
DCRs for AMA can be created in multiple ways:
So why do we like AMA better?
Ah! Easy:
The greatest thing is that AMA keeps evolving through multiple enhancements and improvements we’re constantly working on!
Next, we’ll cover a few noticeable changes to connectors.
Windows Security Events:
We've enhanced the schema of the SecurityEvent table, which hosts Windows Security Events, and have added new columns that AMA version 1.28.2 and up will populate. These enhancements are designed to provide better coverage and visibility of the events collected.
New columns added are:
Common Event Format (CEF) and Syslog:
We all know how important it is to collect and analyze data from various sources, such as firewalls, routers, switches, servers, DNS and applications. Two of the most common protocols used by many devices to emit their logs are CEF and Syslog.
With the legacy agent you had to configure a connector for each source separately, which could be tedious and time-consuming. That's why we are excited to announce the updates to the Syslog and CEF data connectors via AMA, which will improve your overall experience with Microsoft Sentinel data connectors. All devices will now depend on either the generic CEF or the generic Syslog connector, based on the protocol the log source uses. The relevant generic connector will be deployed as part of the device solution (don't forget to check the box to select it for installation after you click the 'Install with dependencies' button!).
To monitor the ingestion of your logs from the separate device types in graphs, we've added a dedicated workbook, installed with the solution, where device types are aggregated in a single location. You can further filter the view by device type or connectivity status.
To help you configure the source device to stream its logs, we've included instructions or references to the relevant vendor documentation for many common CEF and Syslog appliances in our documentation.
Windows Events:
What happens if you wish to collect other Windows audit events? You cannot send them to the SecurityEvent table, as those events are not from the Security channel and do not match that table's schema. Instead, the non-security events can be directed to the WindowsEvent table using the Windows Forwarded Events data connector, which can be used to stream both forwarded events collected from a WEC/WEF server and the local events of the Windows server itself, by setting the DCR wizard to the Custom option and specifying the XPath expression that points to the desired events.
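To show how the DCR pieces described above fit together, here is an added example of a DCR resource definition (not taken from the post or from Microsoft's documentation) that collects non-security Windows events with XPath queries, drops a noisy event with a KQL transformation, and sends the result to a Sentinel workspace. The subscription, resource group and workspace names are placeholders; the `Microsoft-WindowsEvent` stream and the `Channel!XPath` query form are the standard AMA conventions, and the `transformKql` column `EventID` is assumed to be present in that stream.

```json
{
  "location": "<REGION>",
  "properties": {
    "description": "Constructed example: PowerShell script-block and System channel events to the WindowsEvent table",
    "dataSources": {
      "windowsEventLogs": [
        {
          "name": "nonSecurityAuditEvents",
          "streams": [ "Microsoft-WindowsEvent" ],
          "xPathQueries": [
            "Microsoft-Windows-PowerShell/Operational!*[System[(EventID=4104)]]",
            "System!*[System[(Level=1 or Level=2 or Level=3)]]"
          ]
        }
      ]
    },
    "destinations": {
      "logAnalytics": [
        {
          "name": "sentinelWorkspace",
          "workspaceResourceId": "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.OperationalInsights/workspaces/<WORKSPACE_NAME>"
        }
      ]
    },
    "dataFlows": [
      {
        "streams": [ "Microsoft-WindowsEvent" ],
        "destinations": [ "sentinelWorkspace" ],
        "transformKql": "source | where EventID != 7036"
      }
    ]
  }
}
```

The XPath selector is evaluated by the agent on the machine, so events that do not match are never sent, while the `transformKql` filter runs in the ingestion pipeline and still counts against collection on the host; push as much filtering as you can into the XPath to keep agent and ingestion costs down.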
Windows Firewall Logs:
This connector enables the collection of the machine's Windows Firewall logs. We've added a granular selection of the firewall profile from which to collect and stream logs to the ASimNetworkSessionLogs table.
Custom Logs:
Some appliances packaged in Content Hub solutions stream their data to _CL tables. For those 15 specific devices, and to make setting up file-based collection quick, we've added the Custom Logs connector.
We hope this post was informative and that you have already upgraded your agents to AMA, or plan to do so shortly. For more information on other connectors, agent-based or otherwise, refer to our Data connectors documentation or browse the Content Hub to locate your source of interest. If you would like more content about using AMA, please let us know in the comments below!
Lastly, to stay current with the latest updates and announcements, stay tuned to our What's new page.