Azure Monitor Data Collection for VMs

Questions and Answers

What is the primary purpose of Data Collection Rules (DCRs) in Azure Monitor?

To set user permissions for Azure resources

To monitor network traffic between Azure regions

To define which data to collect from virtual machines (correct)

To configure the Azure Monitor Agent

How are Data Collection Rules (DCRs) associated with virtual machines?

DCRs are automatically created for all VMs

DCRs are stored in Azure subscriptions and linked to VMs (correct)

DCRs can only be assigned to on-premises machines

By manually entering IP addresses for each VM

Which of the following can Data Collection Rules (DCRs) utilize for data management?

Encryption of collected data

Transformation to filter unwanted data (correct)

Static data collection

Only performance counters

Where can you view Data Collection Rules (DCRs) in Azure Monitor?

Under Data Collection Rules on the Monitor menu in the Azure portal

What types of telemetry can be collected from virtual machines using Azure Monitor?

Both events and performance counters

Which method can be used to create Data Collection Rules (DCRs)?

Through the Azure portal configuration walkthrough

Can a single DCR be associated with multiple virtual machines?

Yes, a single DCR can be linked to multiple machines

What type of environment does this monitoring scenario primarily address?

Azure and hybrid virtual machine environments

What is the purpose of enabling the collection of processes and dependencies in VM Insights?

To utilize the Map feature and deploy the dependency agent

Which table contains traffic data for open server ports on the machine?

VMBoundPort

Which event types should at least be collected from Windows event logs to support alerting?

Critical, Error, and Warning

When filtering Syslog events for alerting, which events are recommended to collect?

At least LOG_WARNING events for each facility

Which of the following filters is rarely useful to collect from Windows event logs?

Verbose events

What can be used for more tailored filtering when collecting Windows and Syslog events?

XPath queries

What is a typical use case for collecting events from Windows and Syslog?

To analyze trends and perform troubleshooting

What should be the minimum event level collected from Windows logs to analyze trends?

Information events in addition to critical and error

What is one of the main reasons to edit a Data Collection Rule (DCR)?

To add functionality by filtering out unwanted data

What should be considered to manage costs effectively in Azure Monitor?

Only collect data that meets monitoring requirements

What is the typical data generated by a virtual machine per month?

1 GB to 3 GB

What strategy should be implemented regarding DCRs as the environment grows in complexity?

Organize DCRs for easier management

What data should be filtered out to reduce costs in Azure Monitor?

Data not used in dashboards or workbooks

What should you utilize to better predict expected costs across your virtual machine environment?

Review insights from representative machines

What is the purpose of using transformations in DCRs?

To implement more granular filtering of data

Which of the following data attributes could be considered excessive in Windows event logs?

Redundant or excessive data columns

What condition must be met for a service to be included in the Kusto query regarding Windows services?

The service must be from the predefined list.

Which of the following Kusto queries would you use to find the count of open ports on your VMs?

VMBoundPort | summarize OpenPorts=count() by Computer, Machine

What is one of the potential strategies mentioned for monitoring ports on a machine?

Investigating VM Connection and VMBoundPort tables.

What type of information does the VMBoundPort table provide?

It tracks processes and the ports they're listening on.

What is the purpose of summarizing data by 'TimeGenerated' in the Kusto query for Windows services?

To find trends over specific time intervals.

In the context of VM insights, what does the term 'missing heartbeat alert' refer to?

An alert for machines that are not listening on a specific port.

How does counting distinct ports help assess security vulnerabilities in VMs?

It shows which VMs have unnecessary ports open that could be exploited.

What action should be taken if a service on a VM is found to be in a 'Stopped' state?

Investigate why it has stopped and restart it if necessary.

What is the purpose of the first query that summarizes CPU usage?

To calculate the average CPU usage for each process

What is required to collect logs from an application written to a text file on a virtual machine?

A custom table and DCR with the log’s location and schema

What does the query 'MyApp_CL | where status == "Error" | summarize AggregatedValue = count() by Computer, bin(TimeGenerated, 15m)' do?

Counts error events by computer every 15 minutes

Which statement is correct regarding IIS log collection?

IIS logs are stored in a table called W3CIISLog

What does the 'arg_max' function do in the context of the performance query?

Returns the latest entry for a process based on its ID

Which of the following is a valid reason for collecting IIS logs with Azure Monitor Agent?

To monitor web traffic and gather insights into web requests

Which component of the query 'Perf | where TimeGenerated >ago(5m) | where ObjectName == "Process"' indicates the time frame for the data being analyzed?

TimeGenerated

What is the consequence of not configuring the ingestion of text logs properly?

Logs will not be collected or stored in the workspace

Study Notes

Azure Monitor Virtual Machines: Data Collection

• Data collection from Azure Monitor Agent is defined by one or more data collection rules (DCRs) that are stored in your Azure subscription and associated with virtual machines.
• A single machine can be associated with multiple DCRs, and a single DCR can be associated with multiple machines.
• Azure Monitor cost is dependent on the amount of data you collect.
• A typical virtual machine generates between 1 GB and 3 GB of data per month.
• Data size depends on machine configuration, workloads running on it, and DCR configuration.
• Before configuring data collection across all virtual machines, start with representative machines to predict costs.
• Use Log Analytics workspace insights or log queries in Data volume by computer to determine the amount of billable data collected for each machine.
• Consider filtering out data not used for alerting, forensic or diagnostic value, regulatory requirements, or dashboards/workbooks.
• Transformations can implement more granular filtering and filter data from columns with little value.
• VM insights won't enable collection of processes and dependencies by default, to save data ingestion costs.
• Processes and dependencies collection are required for the Map feature and deploy the dependency agent to the machine.
• Enable this collection if you want to use the Map feature.

Windows and Syslog Events

• Collect at least Critical, Error, and Warning events for the System and Application logs to support alerting.
• Add Information events to analyze trends and support troubleshooting.
• Verbose events are rarely useful and typically shouldn't be collected.
• Collect at least LOG_WARNING events for each Syslog facility to support alerting.
• Add Information events to analyze trends and support troubleshooting.
• LOG_DEBUG events are rarely useful and typically shouldn't be collected.

Text Logs

• Create a custom table and DCR to collect text logs from applications.
• Define the location of the text log, detailed configuration, and custom table schema.
• There is a cost for ingestion and retention of this data in the workspace.

IIS Logs

• Configure IIS log collection by using Collect IIS logs with Azure Monitor Agent.
• There's a cost for the ingestion and retention of this data in the workspace.
• Records from the IIS log are stored in the W3CIISLog table in the Log Analytics workspace.

Port Monitoring

• Verify that a machine is listening on a particular port using Dependency agent tables.
• Analyze connections and ports using VMConnection and VMBoundPort tables.
• The VMBoundPort table is updated every minute with each process running on the computer and the port it's listening on.
• Create a log search alert to find processes that have stopped or alert when the machine isn't listening on a particular port.

Analyze Network Activity

• Review the count of ports open on your VMs to assess which VMs have configuration and security vulnerabilities.
• List the bound ports on your VMs to assess which VMs have configuration and security vulnerabilities.
• Analyze network activity by port to determine how your application or service is configured.

Description

This quiz explores the principles and practices of data collection from Azure Monitor for virtual machines. Understand how data collection rules (DCRs) function, how they impact costs, and the importance of analyzing data volume for effective configuration. Learn strategies for optimizing data collection while managing expenses.