Setting up Azure Monitoring Agent for log and metric collection - brian-anderson01/Capstone GitHub Wiki

  • To start collecting logs, we first need a Log Analytics workspace; both the Intune diagnostic logs and the agent data set up below are sent to it. The agent installed later on this page is the Log Analytics agent (Microsoft Monitoring Agent, MMA), which Microsoft retired on 31 August 2024 in favour of the Azure Monitor Agent (AMA); the steps below describe the MMA workflow.
  • Open the Azure portal and search for Log Analytics workspaces
    • In the top left, click Create
    • Choose your subscription and resource group
    • Name the log workspace and choose your region
    • Click Review + Create, then Create
  • Once the deployment finishes, continue to the next steps
  • Navigate to the Microsoft Intune admin center (formerly the Microsoft Endpoint Manager admin center)
  • Click Reports on the left -> Diagnostic settings -> Add diagnostic setting
    • Name the setting and choose the log categories you want to collect on the left. These are Intune's own audit and operational logs about your tenant and enrolled devices, not the Windows event logs from the machines themselves; those come from the agent installed later.
    • You choose what to collect by checking the boxes. I checked all of the boxes.
    • Now select a Destination, check the box next to Send to Log Analytics workspace, choose your subscription and the Log Analytics workspace you created earlier.
    • Click Save in the top left
  • Return to the Azure portal and search for Log Analytics workspaces again. Select the workspace you set in the diagnostic settings
  • Go to Agents configuration (labelled Legacy agents management in the current portal) and click Add windows event log
    • Type the name of each event log you would like to monitor (for example System and Application), tick the severities to collect (Error, Warning, Information) and click Apply once you are done. The Security log is the exception: it cannot be added here and is collected through the Security Events data connector in Microsoft Sentinel or Microsoft Defender for Cloud.
  • Next go to Agents management
    • Click the link to download Windows agent (64 bit)
    • Stay on this page, as you will need the workspace ID and one of the keys. The key is a long-lived shared secret that lets anything holding it send data to your workspace, so treat it like a password: do not paste it into scripts or wiki pages, and regenerate it from this page if it is ever exposed.
    • Run the installer on the machine that you would like to monitor
    • Agree to the conditions and then check the box next to Connect the agent to Azure Log Analytics. Then click next
    • Input the Workspace ID and key in the respective fields and click next. The ID and key can be found on the page where you got the installer.
    • Choose I don't want to use Microsoft update and click next.
    • Finally, click install
  • Once the install finishes, you can confirm it is installed properly by opening Control Panel
    • In Control Panel, search for Microsoft Monitoring Agent. If it shows up, continue; if nothing appears in the search, the installation may have failed.
    • Click Microsoft Monitoring Agent and a window should pop up
    • Choose the Azure Log Analytics tab at the top. The workspace status should look like the one below.
  • After about 5 to 10 minutes, the Agents management window in Azure should show 1 windows computer connected.
  • To view the logs, search for Monitor in the Azure portal and click on it when it shows in the search
  • On the left, click Logs, then expand the resource group your Log Analytics workspace is in. Check the box next to the workspace and click Apply to set the query scope.
  • Now to view some event logs from your machine, type Event (the table the agent writes Windows event logs to) in the query box and click Run at the top
  • This should result in a list of Windows event logs similar to the screenshot below
  • If you were able to retrieve logs from the machine, then Azure log collection is working and you can now use Azure to monitor logs on your system.
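The steps above as a script: an unattended install of the same agent with the same workspace ID and key, followed by the local and workspace-side checks the wiki does by hand. This is an added example and not code from the Capstone wiki. It assumes the installer downloaded from Agents management is at the path given below, that the machine used for the final check has the Az.OperationalInsights module installed and has run Connect-AzAccount, and that the resource group, workspace and computer names are placeholders you replace with your own.

```powershell
# Added example (not from the original wiki). Names, paths and the placeholder
# workspace ID/key are assumptions; take the real values from Agents management.

# --- Run from an admin workstation with the Az module: ask the workspace for the
# same event logs as "Add windows event log" (Security is not accepted here).
function Add-WindowsEventSources {
    param(
        [string]$ResourceGroup = 'rg-capstone',          # assumed
        [string]$WorkspaceName = 'law-capstone',         # assumed
        [string[]]$EventLogs   = @('System', 'Application')
    )
    foreach ($log in $EventLogs) {
        New-AzOperationalInsightsWindowsEventDataSource -ResourceGroupName $ResourceGroup `
            -WorkspaceName $WorkspaceName -Name "WinEvent-$log" -EventLogName $log `
            -CollectErrors -CollectWarnings -CollectInformation -Force | Out-Null
    }
}

# --- Run elevated on the machine to be monitored. Same result as clicking through
# the installer, but the key is passed as a parameter instead of typed into a dialog.
function Install-LogAnalyticsAgent {
    param(
        [Parameter(Mandatory)][string]$WorkspaceId,      # from Agents management
        [Parameter(Mandatory)][string]$WorkspaceKey,     # primary key: a shared secret, keep it out of source control
        [string]$InstallerPath = 'C:\Temp\MMASetup-AMD64.exe',   # assumed download location of "Windows agent (64 bit)"
        [string]$ExtractDir    = 'C:\Temp\MMA'
    )
    # MMASetup-AMD64.exe is a self-extractor; /c /t: unpacks setup.exe without installing.
    Start-Process -FilePath $InstallerPath -ArgumentList "/c /t:$ExtractDir" -Wait -NoNewWindow
    # Documented unattended switches: cloud type 0 = Azure commercial, NOAPM=1 skips the APM component.
    $setupArgs = @(
        '/qn', 'NOAPM=1', 'ADD_OPINSIGHTS_WORKSPACE=1', 'OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0',
        "OPINSIGHTS_WORKSPACE_ID=`"$WorkspaceId`"", "OPINSIGHTS_WORKSPACE_KEY=`"$WorkspaceKey`"",
        'AcceptEndUserLicenseAgreement=1'
    )
    $p = Start-Process -FilePath (Join-Path $ExtractDir 'setup.exe') -ArgumentList $setupArgs `
        -Wait -PassThru -NoNewWindow
    if ($p.ExitCode -ne 0) { throw "Agent setup failed with exit code $($p.ExitCode)" }
}

# --- Local check, equivalent to Control Panel > Microsoft Monitoring Agent > Azure Log Analytics tab.
function Test-LogAnalyticsAgent {
    param([Parameter(Mandatory)][string]$WorkspaceId)
    $svc = Get-Service -Name HealthService -ErrorAction SilentlyContinue   # the agent's Windows service
    $cfg = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'          # the agent's configuration object
    $ws  = $cfg.GetCloudWorkspaces() | Where-Object { $_.workspaceId -eq $WorkspaceId }
    [pscustomobject]@{
        ServiceRunning = ($null -ne $svc -and $svc.Status -eq 'Running')
        WorkspaceFound = ($null -ne $ws)
        Status         = if ($ws) { $ws.ConnectionStatusText } else { 'workspace not configured' }
    }
}

# --- Run from the admin workstation 5 to 10 minutes after the install: confirm the workspace
# is receiving data from the new computer (what "1 windows computer connected" reflects), then
# run the wiki's "Event" query narrowed to that computer and grouped by log and severity.
function Confirm-WorkspaceHeartbeat {
    param(
        [Parameter(Mandatory)][string]$WorkspaceId,
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$WithinMinutes = 15
    )
    $heartbeat = @"
Heartbeat
| where Computer =~ '$ComputerName' and TimeGenerated > ago(${WithinMinutes}m)
| summarize arg_max(TimeGenerated, Version, OSType) by Computer
"@
    $r = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $heartbeat
    if (-not $r.Results) {
        Write-Warning "No heartbeat from $ComputerName in the last $WithinMinutes minutes"
        return $false
    }
    $r.Results | Format-Table -AutoSize
    $events = @"
Event
| where Computer =~ '$ComputerName' and TimeGenerated > ago(1h)
| summarize Count = count() by EventLog, EventLevelName
| order by Count desc
"@
    (Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $events).Results | Format-Table -AutoSize
    return $true
}

# Usage (placeholder values):
#   Add-WindowsEventSources                                        # admin workstation
#   Install-LogAnalyticsAgent -WorkspaceId '<workspace id>' -WorkspaceKey '<primary key>'   # target machine
#   Test-LogAnalyticsAgent -WorkspaceId '<workspace id>'          # target machine
#   Confirm-WorkspaceHeartbeat -WorkspaceId '<workspace id>' -ComputerName 'LAB-WIN10'      # admin workstation
```

The Heartbeat query is the more useful health check of the two: a computer can show as connected in the portal while the Event table stays empty because no event log was added under Agents configuration, so check Heartbeat first and only then look for events.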

Collecting metrics from your system

  • By default, metric collection is already integrated into the monitoring agent so there is nothing else to install
  • Start by going to the Azure portal and going to your existing Log Analytics workspace
    • Next click Agents configuration and choose Windows performance counters at the top
    • Click Add performance counter to add a metric you would like to measure
    • Set the sample interval (in seconds) to control how often each counter is sampled and sent to Azure; shorter intervals give finer data but more ingested data and therefore more cost. Then click Apply in the bottom left
    • I've added a screenshot below of my selections, this will collect the disk activity, available RAM, and CPU usage
  • Your device should now be sending metrics once per interval, depending on what you set the sample rate to. They land in the Perf table of the workspace, one row per counter instance per sample.
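The same performance counter setup done from PowerShell, plus a query that reads the collected samples back from the Perf table. This is an added example, not code from the Capstone wiki. It assumes the Az.OperationalInsights module is installed and Connect-AzAccount has been run, and that the resource group, workspace and computer names are placeholders; the counter set mirrors the wiki's choice of disk activity, available RAM and CPU usage.

```powershell
# Added example (not from the original wiki). Resource group, workspace and computer
# names are assumptions; replace them with your own.
$ResourceGroup = 'rg-capstone'    # assumed
$WorkspaceName = 'law-capstone'   # assumed
$Interval      = 60               # sample interval in seconds; lower = finer data, more ingestion

# Windows counter paths are Object(Instance)\Counter; '*' means every instance, '_Total' the aggregate.
$counters = @(
    @{ Object = 'Processor';   Counter = '% Processor Time'; Instance = '_Total' },
    @{ Object = 'Memory';      Counter = 'Available MBytes'; Instance = '*' },
    @{ Object = 'LogicalDisk'; Counter = '% Disk Time';      Instance = '*' },
    @{ Object = 'LogicalDisk'; Counter = 'Disk Reads/sec';   Instance = '*' },
    @{ Object = 'LogicalDisk'; Counter = 'Disk Writes/sec';  Instance = '*' },
    @{ Object = 'LogicalDisk'; Counter = '% Free Space';     Instance = '*' }
)

function Add-PerfCounterSources {
    foreach ($c in $counters) {
        # Each data source needs a unique name in the workspace; derive it from the counter.
        $name = ('perf-{0}-{1}' -f $c.Object, $c.Counter) -replace '[^A-Za-z0-9-]', ''
        New-AzOperationalInsightsWindowsPerformanceCounterDataSource -ResourceGroupName $ResourceGroup `
            -WorkspaceName $WorkspaceName -Name $name -ObjectName $c.Object -InstanceName $c.Instance `
            -CounterName $c.Counter -IntervalSeconds $Interval -Force | Out-Null
    }
}

# Read back: average CPU and free RAM per 5-minute bin for one computer over the last hour.
# An empty result after the agent has had a few minutes to pick up the new configuration
# usually means the counter name is wrong; Get-Counter on the machine shows the exact names.
function Get-RecentPerf {
    param([Parameter(Mandatory)][string]$ComputerName)
    $workspaceId = (Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $WorkspaceName).CustomerId
    $kql = @"
Perf
| where Computer =~ '$ComputerName' and TimeGenerated > ago(1h)
| where (ObjectName == 'Processor' and CounterName == '% Processor Time' and InstanceName == '_Total')
     or (ObjectName == 'Memory' and CounterName == 'Available MBytes')
| summarize avg(CounterValue) by bin(TimeGenerated, 5m), ObjectName, CounterName
| order by TimeGenerated desc
"@
    (Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $kql).Results
}

# Local sanity check on the monitored machine: confirm the counters exist before blaming the agent.
function Test-LocalCounters {
    foreach ($c in $counters) {
        $path = '\{0}({1})\{2}' -f $c.Object, $c.Instance, $c.Counter
        try   { Get-Counter -Counter $path -ErrorAction Stop | Out-Null; "OK      $path" }
        catch { "MISSING $path" }
    }
}

# Usage (placeholder values):
#   Add-PerfCounterSources                       # admin workstation
#   Test-LocalCounters                           # monitored machine
#   Get-RecentPerf -ComputerName 'LAB-WIN10' | Format-Table -AutoSize   # admin workstation, a few minutes later
```

Keep the interval in step with what you will actually look at: a 10-second CPU sample on a lab box is cheap, but the same setting across a fleet multiplies ingestion, and Perf rows count against the workspace's daily cap just like events do.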