Overview of Azure Monitor agents
Virtual machines and other compute resources require an agent to collect monitoring data required to measure the performance and availability of their guest operating system and workloads. There are many legacy agents that exist today for this purpose, that will all be eventually replaced by the new consolidated Azure Monitor agent. This article describes both the legacy agents as well as the new Azure Monitor agent.
The general recommendation is to use the Azure Monitor agent if you are not bound by these limitations, as it consolidates the features of all the legacy agents listed below and provides these additional benefits.
If you do require the limitations today, you may continue using the other legacy agents listed below until August 2024. Learn more
Summary of agents
The following tables provide a quick comparison of the telemetry agents for Windows and Linux. Further detail on each is provided in the section below.
Windows agents
| Azure Monitor agent | Diagnostics extension (WAD) |
Log Analytics agent |
Dependency agent |
|
|---|---|---|---|---|
| Environments supported | Azure Other cloud (Azure Arc) On-premises (Azure Arc) Windows Client OS (preview) |
Azure | Azure Other cloud On-premises |
Azure Other cloud On-premises |
| Agent requirements | None | None | None | Requires Log Analytics agent |
| Data collected | Event Logs Performance File based logs (preview) |
Event Logs ETW events Performance File based logs IIS logs .NET app logs Crash dumps Agent diagnostics logs |
Event Logs Performance File based logs IIS logs Insights and solutions Other services |
Process dependencies Network connection metrics |
| Data sent to | Azure Monitor Logs Azure Monitor Metrics1 |
Azure Storage Azure Monitor Metrics Event Hub |
Azure Monitor Logs | Azure Monitor Logs (through Log Analytics agent) |
| Services and features supported |
Log Analytics Metrics explorer Microsoft Sentinel (view scope) |
Metrics explorer | VM insights Log Analytics Azure Automation Microsoft Defender for Cloud Microsoft Sentinel |
VM insights Service Map |
Linux agents
| Azure Monitor agent | Diagnostics extension (LAD) |
Telegraf agent |
Log Analytics agent |
Dependency agent |
|
|---|---|---|---|---|---|
| Environments supported | Azure Other cloud (Azure Arc) On-premises (Azure Arc) |
Azure | Azure Other cloud On-premises |
Azure Other cloud On-premises |
Azure Other cloud On-premises |
| Agent requirements | None | None | None | None | Requires Log Analytics agent |
| Data collected | Syslog Performance File based logs (preview) |
Syslog Performance |
Performance | Syslog Performance |
Process dependencies Network connection metrics |
| Data sent to | Azure Monitor Logs Azure Monitor Metrics1 |
Azure Storage Event Hub |
Azure Monitor Metrics | Azure Monitor Logs | Azure Monitor Logs (through Log Analytics agent) |
| Services and features supported |
Log Analytics Metrics explorer Microsoft Sentinel (view scope) |
Metrics explorer | VM insights Log Analytics Azure Automation Microsoft Defender for Cloud Microsoft Sentinel |
VM insights Service Map |
1 Click here to review other limitations of using Azure Monitor Metrics. On Linux, using Azure Monitor Metrics as the only destination is supported in v.1.10.9.0 or higher.
Azure Monitor agent
The Azure Monitor agent is meant to replace the Log Analytics agent, Azure Diagnostic extension and Telegraf agent for both Windows and Linux machines. It can send data to both Azure Monitor Logs and Azure Monitor Metrics and uses Data Collection Rules (DCR) which provide a more scalable method of configuring data collection and destinations for each agent.
Use the Azure Monitor agent to gain these benefits:
- Collect guest logs and metrics from any machine in Azure, in other clouds, or on-premises. (Azure Arc-enabled servers required for machines outside of Azure.)
- Cost savings:
- Granular targeting via Data Collection Rules to collect specific data types from specific machines, as compared to the "all or nothing" mode that Log Analytics agent supports
- Use XPath queries to filter Windows events that get collected. This helps further reduce ingestion and storage costs.
- Centrally configure collection for different sets of data from different sets of VMs.
- Simplified management of data collection: Send data from Windows and Linux VMs to multiple Log Analytics workspaces (i.e. "multi-homing") and/or other supported destinations. Additionally, every action across the data collection lifecycle, from onboarding to deployment to updates, is significantly easier, scalable, and centralized (in Azure) using data collection rules
- Management of dependent solutions or services: The Azure Monitor agent uses a new method of handling extensibility that's more transparent and controllable than management packs and Linux plug-ins in the legacy Log Analytics agents. Moreover this management experience is identical for machines in Azure or on-premises/other clouds via Azure Arc, at no added cost.
- Security and performance - For authentication and security, it uses Managed Identity (for virtual machines) and AAD device tokens (for clients) which are both much more secure and ‘hack proof’ than certificates or workspace keys that legacy agents use. This agent performs better at higher EPS (events per second upload rate) compared to legacy agents.
- Manage data collection configuration centrally, using data collection rules and use Azure Resource Manager (ARM) templates or policies for management overall.
- Send data to Azure Monitor Logs and Azure Monitor Metrics (preview) for analysis with Azure Monitor.
- Use Windows event filtering or multi-homing for logs on Windows and Linux.
When compared with the legacy agents, the Azure Monitor Agent has these limitations currently.
Log Analytics agent
Warning
The Log Analytics agents are on a deprecation path and will no longer be supported after August 31, 2024.
The legacy Log Analytics agent collects monitoring data from the guest operating system and workloads of virtual machines in Azure, other cloud providers, and on-premises machines. It sends data to a Log Analytics workspace. The Log Analytics agent is the same agent used by System Center Operations Manager, and you can multihome agent computers to communicate with your management group and Azure Monitor simultaneously. This agent is also required by certain insights in Azure Monitor and other services in Azure.
Note
The Log Analytics agent for Windows is often referred to as Microsoft Monitoring Agent (MMA). The Log Analytics agent for Linux is often referred to as OMS agent.
Use the Log Analytics agent if you need to:
- Collect logs and performance data from Azure virtual machines or hybrid machines hosted outside of Azure.
- Send data to a Log Analytics workspace to take advantage of features supported by Azure Monitor Logs such as log queries.
- Use VM insights which allows you to monitor your machines at scale and monitors their processes and dependencies on other resources and external processes..
- Manage the security of your machines using Microsoft Defender for Cloud or Microsoft Sentinel.
- Use Azure Automation Update Management, Azure Automation State Configuration, or Azure Automation Change Tracking and Inventory to deliver comprehensive management of your Azure and non-Azure machines.
- Use different solutions to monitor a particular service or application.
Limitations of the Log Analytics agent include:
- Cannot send data to Azure Monitor Metrics, Azure Storage, or Azure Event Hubs.
- Difficult to configure unique monitoring definitions for individual agents.
- Difficult to manage at scale since each virtual machine has a unique configuration.
Azure diagnostics extension
The Azure Diagnostics extension collects monitoring data from the guest operating system and workloads of Azure virtual machines and other compute resources. It primarily collects data into Azure Storage but also allows you to define data sinks to also send data to other destinations such as Azure Monitor Metrics and Azure Event Hubs.
Use Azure diagnostic extension if you need to:
- Send data to Azure Storage for archiving or to analyze it with tools such as Azure Storage Explorer.
- Send data to Azure Monitor Metrics to analyze it with metrics explorer and to take advantage of features such as near real-time metric alerts and autoscale (Windows only).
- Send data to third-party tools using Azure Event Hubs.
- Collect Boot Diagnostics to investigate VM boot issues.
Limitations of Azure diagnostics extension include:
- Can only be used with Azure resources.
- Limited ability to send data to Azure Monitor Logs.
Telegraf agent
The InfluxData Telegraf agent is used to collect performance data from Linux computers to Azure Monitor Metrics.
Use Telegraf agent if you need to:
- Send data to Azure Monitor Metrics to analyze it with metrics explorer and to take advantage of features such as near real-time metric alerts and autoscale (Linux only).
Dependency agent
The Dependency agent collects discovered data about processes running on the machine and external process dependencies.
Use the Dependency agent if you need to:
- Use the Map feature VM insights or the Service Map solution.
Consider the following when using the Dependency agent:
- The Dependency agent requires the Log Analytics agent to be installed on the same machine.
- On Linux computers, the Log Analytics agent must be installed before the Azure Diagnostic Extension.
- On both the Windows and Linux versions of the Dependency Agent, data collection is done using a user-space service and a kernel driver.
Virtual machine extensions
The Azure Monitor agent is only available as a virtual machine extension. The Log Analytics extension for Windows and Linux install the Log Analytics agent on Azure virtual machines. The Azure Monitor Dependency extension for Windows and Linux install the Dependency agent on Azure virtual machines. These are the same agents described above but allow you to manage them through virtual machine extensions. You should use extensions to install and manage the agents whenever possible.
On hybrid machines, use Azure Arc-enabled servers to deploy the Azure Monitor agent, Log Analytics and Azure Monitor Dependency VM extensions.
Supported operating systems
The following tables list the operating systems that are supported by the Azure Monitor agents. See the documentation for each agent for unique considerations and for the installation process. See Telegraf documentation for its supported operating systems. All operating systems are assumed to be x64. x86 is not supported for any operating system.
Windows
| Operating system | Azure Monitor agent | Log Analytics agent | Dependency agent | Diagnostics extension |
|---|---|---|---|---|
| Windows Server 2022 | X | |||
| Windows Server 2022 Core | X | |||
| Windows Server 2019 | X | X | X | X |
| Windows Server 2019 Core | X | |||
| Windows Server 2016 | X | X | X | X |
| Windows Server 2016 Core | X | X | ||
| Windows Server 2012 R2 | X | X | X | X |
| Windows Server 2012 | X | X | X | X |
| Windows Server 2008 R2 SP1 | X | X | X | X |
| Windows Server 2008 R2 | X | |||
| Windows Server 2008 SP2 | X | |||
| Windows 11 client OS | X2 | |||
| Windows 10 1803 (RS4) and higher | X2 | |||
| Windows 10 Enterprise (including multi-session) and Pro (Server scenarios only1) |
X | X | X | X |
| Windows 8 Enterprise and Pro (Server scenarios only1) |
X | X | ||
| Windows 7 SP1 (Server scenarios only1) |
X | X | ||
| Azure Stack HCI | X |
1 Running the OS on server hardware, i.e. machines that are always connected, always turned on, and not running other workloads (PC, office, browser, etc.) 2 Using the Azure Monitor agent client installer (preview)
Linux
Note
For Dependency Agent, please additionally check for supported kernel versions. See "Dependency agent Linux kernel support" table below for details
| Operating system | Azure Monitor agent 1 | Log Analytics agent 1 | Dependency agent | Diagnostics extension 2 |
|---|---|---|---|---|
| AlmaLinux | X | X | ||
| Amazon Linux 2017.09 | X | |||
| Amazon Linux 2 | X | |||
| CentOS Linux 8 | X 3 | X | X | |
| CentOS Linux 7 | X | X | X | X |
| CentOS Linux 6 | X | |||
| CentOS Linux 6.5+ | X | X | X | |
| Debian 10 1 | X | |||
| Debian 9 | X | X | x | X |
| Debian 8 | X | X | ||
| Debian 7 | X | |||
| OpenSUSE 13.1+ | X | |||
| Oracle Linux 8 | X 3 | X | ||
| Oracle Linux 7 | X | X | X | |
| Oracle Linux 6 | X | |||
| Oracle Linux 6.4+ | X | X | ||
| Red Hat Enterprise Linux Server 8.1, 8.2, 8.3, 8.4 | X 3 | X | X | |
| Red Hat Enterprise Linux Server 8 | X 3 | X | X | |
| Red Hat Enterprise Linux Server 7 | X | X | X | X |
| Red Hat Enterprise Linux Server 6 | X | X | ||
| Red Hat Enterprise Linux Server 6.7+ | X | X | X | |
| Rocky Linux | X | X | ||
| SUSE Linux Enterprise Server 15.2 | X 3 | |||
| SUSE Linux Enterprise Server 15.1 | X 3 | X | ||
| SUSE Linux Enterprise Server 15 SP1 | X | X | X | |
| SUSE Linux Enterprise Server 15 | X | X | X | |
| SUSE Linux Enterprise Server 12 SP5 | X | X | X | X |
| SUSE Linux Enterprise Server 12 | X | X | X | X |
| Ubuntu 22.04 LTS | X | |||
| Ubuntu 20.04 LTS | X | X | X | X 4 |
| Ubuntu 18.04 LTS | X | X | X | X |
| Ubuntu 16.04 LTS | X | X | X | X |
| Ubuntu 14.04 LTS | X | X |
1 Requires Python (2 or 3) to be installed on the machine.
3 Known issue collecting Syslog events in versions prior to 1.9.0.
4 Not all kernel versions are supported, check supported kernel versions below.
Dependency agent Linux kernel support
Since the Dependency agent works at the kernel level, support is also dependent on the kernel version. As of Dependency agent version 9.10.* the agent supports * kernels. The following table lists the major and minor Linux OS release and supported kernel versions for the Dependency agent.
| Distribution | OS version | Kernel version |
|---|---|---|
| Red Hat Linux 8 | 8.5 | 4.18.0-348.*el8_5.x86_644.18.0-348.*el8.x86_64 |
| 8.4 | 4.18.0-305.*el8.x86_64, 4.18.0-305.*el8_4.x86_64 | |
| 8.3 | 4.18.0-240.*el8_3.x86_64 | |
| 8.2 | 4.18.0-193.*el8_2.x86_64 | |
| 8.1 | 4.18.0-147.*el8_1.x86_64 | |
| 8.0 | 4.18.0-80.*el8.x86_64 4.18.0-80.*el8_0.x86_64 |
|
| Red Hat Linux 7 | 7.9 | 3.10.0-1160 |
| 7.8 | 3.10.0-1136 | |
| 7.7 | 3.10.0-1062 | |
| 7.6 | 3.10.0-957 | |
| 7.5 | 3.10.0-862 | |
| 7.4 | 3.10.0-693 | |
| Red Hat Linux 6 | 6.10 | 2.6.32-754 |
| 6.9 | 2.6.32-696 | |
| CentOS Linux 8 | 8.5 | 4.18.0-348.*el8_5.x86_644.18.0-348.*el8.x86_64 |
| 8.4 | 4.18.0-305.*el8.x86_64, 4.18.0-305.*el8_4.x86_64 | |
| 8.3 | 4.18.0-240.*el8_3.x86_64 | |
| 8.2 | 4.18.0-193.*el8_2.x86_64 | |
| 8.1 | 4.18.0-147.*el8_1.x86_64 | |
| 8.0 | 4.18.0-80.*el8.x86_64 4.18.0-80.*el8_0.x86_64 |
|
| CentOS Linux 7 | 7.9 | 3.10.0-1160 |
| 7.8 | 3.10.0-1136 | |
| 7.7 | 3.10.0-1062 | |
| CentOS Linux 6 | 6.10 | 2.6.32-754.3.5 2.6.32-696.30.1 |
| 6.9 | 2.6.32-696.30.1 2.6.32-696.18.7 |
|
| Ubuntu Server | 20.04 | 5.8 5.4* |
| 18.04 | 5.3.0-1020 5.0 (includes Azure-tuned kernel) 4.18* 4.15* |
|
| 16.04.3 | 4.15.* | |
| 16.04 | 4.13.* 4.11.* 4.10.* 4.8.* 4.4.* |
|
| SUSE Linux 12 Enterprise Server | 12 SP5 | 4.12.14-122.*-default, 4.12.14-16.*-azure |
| 12 SP4 | 4.12.* (includes Azure-tuned kernel) | |
| 12 SP3 | 4.4.* | |
| 12 SP2 | 4.4.* | |
| SUSE Linux 15 Enterprise Server | 15 SP1 | 4.12.14-197.*-default, 4.12.14-8.*-azure |
| 15 | 4.12.14-150.*-default | |
| Debian | 9 | 4.9 |
Next steps
Get more details on each of the agents at the following:
Feedback
Submit and view feedback for