Microsoft recently introduced a new model for purchasing Azure Log Analytics. To use this new model you will basically have to enable it on per subscription bases. In short you can either continue to use the old models or flip a switch on your subscription to use the new model. You cannot use both models for different workspaces in your subscription and you cannot move between the old models and the new ones without flipping that switch. Of course flipping that switch is easy as going into the Azure Portal -> Azure Monitor -> Usage and estimated costs blade but what about if you want to do this programmatically? Apparently there is a way to do it that way and in this blog post I will show you how.
I’ve recently stumbled on forum question asking for chart that list only the top 10 resources or computers. Such chart is of course used a lot in performance metrics where for example you want to get the top 10 computers with CPU usage and list them in time chart.
In Azure Monitor we can create two type of alerts for Log Analytics:
Near real-time metric alerts are scoped to specific performance counter and heartbeat events but with Custom Log Search Alerts you can alert on any log in Log Analytics. With Custom Log Search Alerts the alert logic have two types:
- Number of results
- Metric Measurement
In a typical scenario you will use Number of results for logs and events and metric measurement for performance/metric logs. That wouldn’t be a problem if the way the alerts are fired distinguish quite a lot between those. For example in metric measurement you aggregate/summarize results and you alert based on the value from the aggregation/summarization. On top of that different alert instance is fired on each summarized record. In number of results you do not summarize/aggregate and alerts are fired based on the count of the records. For example on 10 records you will get only one alert instead of 10. If you are like me this is a problem as you want to get separate alert instance for your events just like metric measurement alerts.
In this blog post I will show you how to overcome this problem with workaround from the powerful Log Analytics query language.
As you know both OMS Linux and Windows agent send heartbeat events and they are free of charge. The problem is that the interval of these heartbeat events is different for both operating systems. For Windows it is every 1 minute and for Linux is every 5 minutes. I do not know exactly the reason for this decision but I prefer that all my servers report at the same interval. The beautiful thing with the OMS Linux agent that is extendable and configurable. So this blog post will focus on how you can easily change the heartbeat interval on OMS Linux agent to 1 minute.
Azure Stack is extension of Azure and as such I am dealing with it as well. You may end up in a situation where you’ve created User Subscriptions in Azure Stack and after some time you want to delete them. Before deleting them you will need first to delete all the resources inside those subscriptions but the accounts of the owners of these subscriptions are no longer available or the do not want to cooperate. In such cases you can actually change the owners by using PowerShell. For example you can assign your Azure Stack Operator account as owner, login to the subscriptions with it via the User Portal and delete the resources before deleting the subscriptions.
Continue reading “Change Owner of Azure Stack User Subscription”
Monitoring Windows Services States is one of the most common requests that I’ve seen on forums, groups and blog posts. My fellow MVP and OMS expert Stefan Roth wrote a similar blog post titled OMS – Monitor Windows Services / Processes. I would suggest to check it out as well. The approach I will show is somehow already cover in official article that demonstrates custom fields in Log Analytics. The difference is that we now have the new rich Log Analytics search syntax so we do not need custom fields anymore. This approach also is different from Stefan’s as his one covers wider topic with monitoring processes by using performance counters. In this approach we will use windows events which Stefan mentions that is not reliable but he was referring to specific Event Id which I also agree it is not reliable. In the next steps I will use another Event Id that is reliable 100%. The advantage of using windows events for monitoring windows services states are:
- Only windows events are gathered which results in less data uploaded compared to performance data
You do not have to add performance counter for each process, you just need to add only one event log to monitor all services
The services are shown with their actual name that is used in services.msc or Get-Service cmdlet.
We have the actual state of the service when it happened
Some of the disadvantages of this method are:
- Until the service is started or stopped it will take at least 5 minutes until the data appears in Log Analytics
Since Ignite 2017 Security & Compliance offering is now part of Azure Service Center service. Because of that some of the controls of that offering are moved to ASC but still the integration is not complete at least to me. With this blog post I will focus on two of the ASC settings that you should set up when you start with ASC – Changing to another Log Analytics workspace and Security Events level (filtering). Continue reading “Tips and Tricks of Setting up Azure Security Center”