Migrate to Azure Monitor Agent from Log Analytics agent
Azure Monitor Agent (AMA) replaces the Log Analytics agent (also known as Microsoft Monitor Agent (MMA) and OMS) for Windows and Linux machines, in Azure and non-Azure environments, including on-premises and third-party clouds. The agent introduces a simplified, flexible method of configuring data collection using Data Collection Rules (DCRs). This article provides guidance on how to implement a successful migration from the Log Analytics agent to Azure Monitor Agent.
If you're currently using the Log Analytics agent with Azure Monitor or other supported features and services, start planning your migration to Azure Monitor Agent by using the information in this article. If you are using the Log Analytics Agent for SCOM, you need to migrate to the SCOM Agent.
The Log Analytics agent will be retired on August 31, 2024. You can expect the following when you use the MMA or OMS agent after this date.
- Data upload: Cloud ingestion services will gradually reduce support for MMA agents, which may result in decreased support and potential compatibility issues for MMA agents over time.
- Installation: The ability to install the legacy agents will be removed from the Azure Portal and installation policies for legacy agents will be removed.
- Customer Support: You will not be able to get support for legacy agent issues.
- OS Support: Support for new Linux or Windows distros (incl. service packs) will not be added after the deprecation of the legacy agents.
Benefits
In addition to consolidating and improving on the legacy Log Analytics agents, Azure Monitor Agent provides various immediate benefits, including cost savings, a simplified management experience, and enhanced security and performance.
Migration guidance
Before you begin migrating from the Log Analytics agent to Azure Monitor Agent, review the checklist.
Before you begin
- Check the prerequisites for installing Azure Monitor Agent.
To monitor non-Azure and on-premises servers, you must install the Azure Arc agent. The Arc agent makes your on-premises servers visible to Azure as a resource it can target. You won't incur any additional cost for installing the Azure Arc agent. - Understand your current needs.
Use the Workspace overview tab of the AMA Migration Helper to see connected agents and discover solutions enabled on your Log Analytics workspaces that use legacy agents, including per-solution migration recommendations. - Verify that Azure Monitor Agent can address all of your needs.
Azure Monitor Agent is General Availablity (GA) for data collection and is used for data collection by various Azure Monitor features and other Azure services. For details, see Supported services and features. - Consider installing Azure Monitor Agent together with a legacy agent for a transition period.
Run Azure Monitor Agent alongside the legacy Log Analytics agent on the same machine to continue using existing functionality during evaluation or migration. Keep in mind that running two agents on the same machine doubles resource consumption, including but not limited to CPU, memory, storage space, and network bandwidth.
- If you're setting up a new environment with resources, such as deployment scripts and onboarding templates, install Azure Monitor Agent together with a legacy agent in your new environment to decrease the migration effort later.
- If you have two agents on the same machine, avoid collecting duplicate data.
Collecting duplicate data from the same machine can skew query results, affect downstream features like alerts, dashboards, and workbooks, and generate extra charges for data ingestion and retention.
To avoid data duplication:- Configure the agents to send the data to different workspaces or different tables in the same workspace.
- Disable duplicate data collection from legacy agents by removing the workspace configurations.
- Defender for Cloud natively deduplicates data when you use both agents, and you'll be billed once per machine when you run the agents side by side.
- For Sentinel, you can easily disable the legacy connector to stop ingestion of logs from legacy agents.
Migration services and features
Use the DCR generator to convert your legacy agent configuration into data collection rules automatically.1
Review the generated rules before you create them and take advantage of advanced options, such as filtering, granular targeting (per machine), and other optimizations. There are special steps needed to migrate MMA custom logs to AMA custom logs
Test the new agent and data collection rules on a few nonproduction machines:
Deploy the generated data collection rules and associate them with a few machines, as described in Installing and using DCR Config Generator.
To avoid double ingestion, you can disable data collection from legacy agents during the testing phase without uninstalling the agents yet, by removing the workspace configurations for legacy agents.
Ensure there are no gaps, compare the data ingested by legacy agent data to Azure Monitor Agent. You can do the comparison on any table by using the join operator to add the
Category
column from the Heartbeat table, which indicatesAzure Monitor Agent
for data collected by the Azure Monitor Agent.For example, this query adds the
Category
column from theHeartbeat
table to data retrieved from theEvent
table:Heartbeat | distinct Computer, SourceComputerId, Category | join kind=inner ( Event | extend d=parse_xml(EventData) | extend sourceHealthServiceId = tostring(d.DataItem.["@sourceHealthServiceId"]) | project-reorder TimeGenerated, Computer, EventID, sourceHealthServiceId, ParameterXml, EventData ) on $left.SourceComputerId==$right.sourceHealthServiceId | project TimeGenerated, Computer, Category, EventID, sourceHealthServiceId, ParameterXml, EventData
Use built-in policies to deploy extensions and DCR associations at scale. Using policy also ensures automatic deployment of extensions and DCR associations for new machines.3
Use the AMA Migration Helper to monitor the at-scale migration across your machines.
Validate that Azure Monitor Agent is collecting data as expected and all downstream dependencies, such as dashboards, alerts, and workbooks, function properly:
- Look at the Overview and Usage tabs of Log Analytics Workspace Insights for spikes or dips in ingestion rates following the migration. Check both the overall workspace ingestion and the table-level ingestion rates.
- Check your workbooks, dashboards, and alerts for variances from typical behavior following the migration.
Clean up: After you confirm that Azure Monitor Agent is collecting data properly, disable or uninstall the legacy Log Analytics agents.
Once Azure Monitor Agent is installed for all your requirements, uninstall the Log Analytics agent from monitored resources. Clean up any configuration files, workspace keys, or certificates that were used previously by the Log Analytics agent. Continue using the legacy Log Analytics for features and solutions that Azure Monitor Agent doesn't support.
Use the MMA removal tool to discovery and remove the Log Analytics agent extension from all machines within your tenant.
Don't uninstall the legacy agent if you need to use it to upload data to System Center Operations Manager.
1 The DCR generator only converts the configurations for Windows event logs, Linux syslog and performance counters. Support for more features and solutions will be available soon.
2 You might need to deploy extensions required for specific solutions in addition to the Azure Monitor Agent extension.
Migrate additional services and features
Azure Monitor Agent is GA for data collection. Most services that used Log Analytics agent for data collection have migrated to Azure Monitor Agent.
The following features and services now have an Azure Monitor Agent version (some are still in Public Preview). This means you can already choose to use Azure Monitor Agent to collect data when you enable the feature or service.
Service or feature | Migration recommendation | Current state | More information |
---|---|---|---|
VM insights, Service Map, and Dependency agent | Migrate to Azure Monitor Agent | GA | Enable VM Insights |
Microsoft Sentinel | Migrate to Azure Monitor Agent | Public Preview | AMA migration for Microsoft Sentinel. |
Change Tracking and Inventory | Migrate to Azure Monitor Agent | GA | Migration for Change Tracking and inventory |
Network Watcher | Migrate to new service called Connection Monitor with Azure Monitor Agent | GA | Monitor network connectivity using connection monitor |
Azure Stack HCI Insights | Migrate to Azure Monitor Agent | GA | Monitor Azure Stack HCI with Insights |
Azure Virtual Desktop (AVD) Insights | Migrate to Azure Monitor Agent | GA | Azure Virtual Desktop Insights |
Container Monitoring Solution | Migrate to new service called Container Insights with Azure Monitor Agent | GA | Enable Container Insights |
DNS Collector | Use new Sentinel Connector | GA | Enable DNS Connector |
When you migrate the following services, which currently use Log Analytics agent, to their respective replacements (v2), you no longer need either of the monitoring agents:
Service | Migration recommendation | Current state | More information |
---|---|---|---|
Microsoft Defender for Cloud, Servers, SQL, and Endpoint | Migrate to Microsoft Defender for Cloud (No dependency on Log Analytics agents or Azure Monitor Agent) | GA | Defender for Cloud plan for Log Analytics agent deprecation |
Update Management | Migrate to Azure Update Manager (No dependency on Log Analytics agents or Azure Monitor Agent) | GA | Update Manager documentation |
Automation Hybrid Runbook Worker overview | Automation Hybrid Worker Extension (no dependency on Log Analytics agents or Azure Monitor Agent) | GA | Migrate to Extension based Hybrid Workers |
Known parity gaps for solutions that may impact your migration
- IIS Logs: When IIS log collection is enabled, AMA might not populate the
sSiteName
column of theW3CIISLog
table. This field gets collected by default when IIS log collection is enabled for the legacy agent. If you need to collect thesSiteName
field using AMA, enable theService Name (s-sitename)
field in W3C logging of IIS. For steps to enable this field, see Select W3C Fields to Log. - Sentinel: Windows firewall logs are not yet GA
- SQL Assessment Solution: This is now part of SQL best practice assessment. The deployment policies require one Log Analytics Workspace per subscription, which is not the best practice recommended by the AMA team.
- Microsoft Defender for cloud: Some features for the new agentless solution are in development. Your migration maybe impacted if you use File Integraty Monitoring (FIM), Endpoint protection discovery recommendations, OS Misconfigurations (Azure Security Benchmark (ASB) recommendations) and Adaptive Application controls.
- Container Insights: The Windows version is in public preview.
Frequently asked questions
This section provides answers to common questions.
Can Azure Monitor Agent and the Log Analytics agent coexist side by side?
Yes. If you're migrating to Azure Monitor Agent, you might consider installing Azure Monitor Agent together with a legacy agent for a transition period, but you must be mindful of certain considerations. Read more about agent coexistence considerations in the Azure Monitor Agent migration guidance.
Next steps
For more information, see:
Atsauksmes
https://aka.ms/ContentUserFeedback.
Drīzumā: 2024. gada laikā mēs pakāpeniski pārtrauksim izmantot “GitHub problēmas” kā atsauksmju par saturu mehānismu un aizstāsim to ar jaunu atsauksmju sistēmu. Papildinformāciju skatiet:Iesniegt un skatīt atsauksmes par