Monitor Virtual Machines with Azure Monitor: Collect Data PDF

Summary

This document provides guidance on collecting data from virtual machines using Azure Monitor. It details data collection rules, cost considerations, and best practices. It's helpful for monitoring and managing Azure virtual machine environments.

Full Transcript

Monitor virtual machines with Azure Monitor: Collect
data
learn.microsoft.com/en-us/azure/azure-monitor/vm/monitor-virtual-machine-data-collection

In this article
This article is part of the guide Monitor virtual machines and their workloads in Azure
Monitor. It describes how to configure collection of data after you deploy Azure Monitor
Agent to your Azure and hybrid virtual machines in Azure Monitor.

This article provides guidance on collecting the most common types of telemetry from
virtual machines. The exact configuration that you choose depends on the workloads that
you run on your machines. Included in each section are sample log search alerts that you
can use with that data.

For more information about analyzing telemetry collected from your virtual
machines, see Monitor virtual machines with Azure Monitor: Analyze monitoring
data.
For more information about using telemetry collected from your virtual machines to
create alerts in Azure Monitor, see Monitor virtual machines with Azure Monitor:
Alerts.

Note

This scenario describes how to implement complete monitoring of your Azure and hybrid
virtual machine environment. To get started monitoring your first Azure virtual machine,
see Monitor Azure virtual machines.

Data collection rules
Data collection from Azure Monitor Agent is defined by one or more data collection rules
(DCRs) that are stored in your Azure subscription and associated with your virtual
machines.

For virtual machines, DCRs define data such as events and performance counters to
collect and specify the Log Analytics workspaces where data should be sent. The DCR
can also use transformations to filter out unwanted data and to add calculated columns. A
single machine can be associated with multiple DCRs, and a single DCR can be
associated with multiple machines. DCRs are delivered to any machines they're
associated with where Azure Monitor Agent processes them.

View data collection rules

1/14
You can view the DCRs in your Azure subscription from Data Collection Rules on the
Monitor menu in the Azure portal. DCRs support other data collection scenarios in Azure
Monitor, so all of your DCRs aren't necessarily for virtual machines.

Create data collection rules

There are multiple methods to create DCRs depending on the data collection scenario. In
some cases, the Azure portal walks you through the configuration. Other scenarios
require you to edit a DCR directly. When you configure VM insights, it creates a
preconfigured DCR for you automatically. The following sections identify common data to
collect and how to configure data collection.

In some cases, you might need to edit an existing DCR to add functionality. For example,
you might use the Azure portal to create a DCR that collects Windows or Syslog events.
You then want to add a transformation to that DCR to filter out columns in the events that
you don't want to collect.

As your environment matures and grows in complexity, you should implement a strategy
for organizing your DCRs to help their management. For guidance on different strategies,
see Best practices for data collection rule creation and management in Azure Monitor.

Control costs
Because your Azure Monitor cost is dependent on how much data you collect, ensure
that you're not collecting more than you need to meet your monitoring requirements. Your
configuration is a balance between your budget and how much insight you want into the
operation of your virtual machines.

Tip

For strategies to reduce your Azure Monitor costs, see Cost optimization and Azure
Monitor.

2/14
A typical virtual machine generates between 1 GB and 3 GB of data per month. This data
size depends on the configuration of the machine, the workloads running on it, and the
configuration of your DCRs. Before you configure data collection across your entire virtual
machine environment, begin collection on some representative machines to better predict
your expected costs when deployed across your environment. Use Log Analytics
workspace insights or log queries in Data volume by computer to determine the amount
of billable data collected for each machine and adjust accordingly.

Evaluate collected data and filter out any that meets the following criteria to reduce your
costs. Each data source that you collect may have a different method for filtering out
unwanted data. See the sections below for the details each of the common data sources.

Not used for alerting.
No known forensic or diagnostic value.
Not required by regulators.
Not used in any dashboards or workbooks.

You can also use transformations to implement more granular filtering and also to filter
data from columns that provide little value. For example, you might have a Windows
event that's valuable for alerting, but it includes columns with redundant or excessive
data. You can create a transformation that allows the event to be collected but removes
this excessive data.

Filter data as much as possible before it's sent to Azure Monitor to avoid a potential
charge for filtering too much data using transformations. Use transformations for record
filtering using complex logic and for filtering columns with data that you don't require.

Default data collection
Azure Monitor automatically performs the following data collection without requiring any
other configuration.

Platform metrics

Platform metrics for Azure virtual machines include important host metrics such as CPU,
network, and disk utilization. They can be:

Viewed on the Overview page.
Analyzed with metrics explorer for the machine in the Azure portal.
Used for metric alerts.

Activity log
The activity log is collected automatically. It includes the recent activity of the machine,
such as any configuration changes and when it was stopped and started. You can view
the platform metrics and activity log collected for each virtual machine host in the Azure
portal.

3/14
You can view the activity log for an individual machine or for all resources in a
subscription. Create a diagnostic setting to send this data into the same Log Analytics
workspace used by Azure Monitor Agent to analyze it with the other monitoring data
collected for the virtual machine. There's no cost for ingestion or retention of activity log
data.

VM availability information in Azure Resource Graph

With Azure Resource Graph, you can use the same Kusto Query Language used in log
queries to query your Azure resources at scale with complex filtering, grouping, and
sorting by resource properties. You can use VM health annotations to Resource Graph for
detailed failure attribution and downtime analysis.

For information on what data is collected and how to view it, see Monitor virtual machines
with Azure Monitor: Analyze monitoring data.

VM insights
When you enable VM insights, it creates a DCR with the MSVMI- prefix that collects the
following information. You can use this same DCR with other machines as opposed to
creating a new one for each VM.

Common performance counters for the client operating system are sent to the
InsightsMetrics table in the Log Analytics workspace. Counter names are
normalized to use the same common name regardless of the operating system
type.

If you specified processes and dependencies to be collected, the following tables
are populated:

VMBoundPort: Traffic for open server ports on the machine
VMComputer: Inventory data for the machine
VMConnection: Traffic for inbound and outbound connections to and from the
machine
VMProcess: Processes running on the machine

By default, VM insights won't enable collection of processes and dependencies to save
data ingestion costs. This data is required for the Map feature and also deploys the
dependency agent to the machine. Enable this collection if you want to use this feature.

Collect Windows and Syslog events
The operating system and applications in virtual machines often write to the Windows
event log or Syslog. You might create an alert as soon as a single event is found or wait
for a series of matching events within a particular time window. You might also collect
events for later analysis, such as identifying particular trends over time, or for performing
troubleshooting after a problem occurs.

4/14
For guidance on how to create a DCR to collect Windows and Syslog events, see Collect
data with Azure Monitor Agent. You can quickly create a DCR by using the most common
Windows event logs and Syslog facilities filtering by event level.

For more granular filtering by criteria such as event ID, you can create a custom filter by
using XPath queries. You can further filter the collected data by editing the DCR to add a
transformation.

Use the following guidance as a recommended starting point for event collection. Modify
the DCR settings to filter unneeded events and add other events depending on your
requirements.

Source Strategy

Windows Collect at least Critical, Error, and Warning events for the System and
events Application logs to support alerting. Add Information events to analyze
trends and support troubleshooting. Verbose events are rarely useful and
typically shouldn't be collected.

Syslog Collect at least LOG_WARNING events for each facility to support alerting.
events Add Information events to analyze trends and support troubleshooting.
LOG_DEBUG events are rarely useful and typically shouldn't be collected.

Sample log queries: Windows events

Query Description

Event All Windows events

Event | where EventLevelName == "Error" All Windows events with
severity of error

Event | summarize count() by Source Count of Windows events
by source

Event | where EventLevelName == "Error" | Count of Windows error
summarize count() by Source events by source

Sample log queries: Syslog events

Query Description

Syslog All Syslogs

Syslog | where SeverityLevel == "error" All Syslog records with severity
of error

Syslog | summarize AggregatedValue = count() Count of Syslog records by
by Computer computer

5/14
 Query Description

Syslog | summarize AggregatedValue = count() Count of Syslog records by
by Facility facility

Collect performance counters
Performance data from the client can be sent to either Azure Monitor Metrics or Azure
Monitor Logs, and you typically send them to both destinations. If you enabled VM
insights, a common set of performance counters is collected in Logs to support its
performance charts. You can't modify this set of counters, but you can create other DCRs
to collect more counters and send them to different destinations.

There are multiple reasons why you would want to create a DCR to collect guest
performance:

You aren't using VM insights, so client performance data isn't already being
collected.
Collect other performance counters that VM insights isn't collecting.
Collect performance counters from other workloads running on your client.
Send performance data to Azure Monitor Metrics where you can use them with
metrics explorer and metrics alerts.

For guidance on creating a DCR to collect performance counters, see Collect events and
performance counters from virtual machines with Azure Monitor Agent. You can quickly
create a DCR by using the most common counters. For more granular filtering by criteria
such as event ID, you can create a custom filter by using XPath queries.

Note

You might choose to combine performance and event collection in the same DCR.

Destination Description

Metrics Host metrics are automatically sent to Azure Monitor Metrics. You can
use a DCR to collect client metrics so that they can be analyzed together
with metrics explorer or used with metrics alerts. This data is stored for
93 days.

Logs
Performance data stored in Azure Monitor Logs can be stored for
extended periods. The data can be analyzed along with your event data
by using log queries with Log Analytics or log search alerts. You can
also correlate data by using complex logic across multiple machines,
regions, and subscriptions.

Performance data is sent to the following tables:
- VM insights: InsightsMetrics
- Other performance data: Perf

6/14
Sample log queries

The following samples use the Perf table with custom performance data.

Query Description

Perf All
Performance
data

Perf | where Computer == "MyComputer" All
Performance
data from a
particular
computer

Perf | where CounterName == "Current Disk Queue Length" All
Performance
data for a
particular
counter

Perf | where ObjectName == "Processor" and CounterName == Average CPU
"% Processor Time" and InstanceName == "_Total" | summarize Utilization
AVGCPU = avg(CounterValue) by Computer across all
computers

Perf | where CounterName == "% Processor Time" | summarize Maximum
AggregatedValue = max(CounterValue) by Computer CPU
Utilization
across all
computers

Perf | where ObjectName == "LogicalDisk" and CounterName == Average
"Current Disk Queue Length" and Computer == Current Disk
"MyComputerName" | summarize AggregatedValue = Queue length
avg(CounterValue) by InstanceName
across all the
instances of a
given
computer

Perf | where CounterName == "Disk Transfers/sec" | 95th
summarize AggregatedValue = percentile(CounterValue, 95) by Percentile of
Computer Disk
Transfers/Sec
across all
computers

Perf | where CounterName == "% Processor Time" and Hourly
InstanceName == "_Total" | summarize AggregatedValue = average of
avg(CounterValue) by bin(TimeGenerated, 1h), Computer CPU usage
across all
computers

7/14
 Query Description

Perf | where Computer == "MyComputer" and CounterName Hourly 70
startswith_cs "%" and InstanceName == "_Total" | summarize percentile of
AggregatedValue = percentile(CounterValue, 70) by every %
bin(TimeGenerated, 1h), CounterName
percent
counter for a
particular
computer

Perf | where CounterName == "% Processor Time" and Hourly
InstanceName == "_Total" and Computer == "MyComputer" | average,
summarize ["min(CounterValue)"] = min(CounterValue), minimum,
["avg(CounterValue)"] = avg(CounterValue),
["percentile75(CounterValue)"] = percentile(CounterValue,
maximum,
75), ["max(CounterValue)"] = max(CounterValue) by and 75-
bin(TimeGenerated, 1h), Computer percentile
CPU usage
for a specific
computer

Perf | where ObjectName == "MSSQL$INST2:Databases" and All
InstanceName == "master" Performance
data from the
Database
performance
object for the
master
database
from the
named SQL
Server
instance
INST2.

Perf | where TimeGenerated >ago(5m) | where ObjectName == Average of
"Process" and InstanceName != "_Total" and InstanceName != CPU over last
"Idle" | where CounterName == "% Processor Time" | 5 min for
summarize cpuVal=avg(CounterValue) by Computer,InstanceName
| join (Perf| where TimeGenerated >ago(5m)| where
each Process
ObjectName == "Process" and CounterName == "ID Process" | ID.
summarize arg_max(TimeGenerated,*) by ProcID=CounterValue )
on Computer,InstanceName | sort by TimeGenerated desc |
summarize AvgCPU = avg(cpuVal) by InstanceName,ProcID

Collect text logs
Some applications write events written to a text log stored on the virtual machine. Create
a custom table and DCR to collect this data. You define the location of the text log, its
detailed configuration, and the schema of the custom table. There's a cost for the
ingestion and retention of this data in the workspace.

Sample log queries

8/14
The column names used here are examples only. The column names for your log will
most likely be different.

Query Description

MyApp_CL | summarize count() by code Count the number
of events by code.

MyApp_CL | where status == "Error" | summarize Create an alert
AggregatedValue = count() by Computer, rule on any error
bin(TimeGenerated, 15m) event.

Collect IIS logs
IIS running on Windows machines writes logs to a text file. Configure IIS log collection by
using Collect IIS logs with Azure Monitor Agent. There's a cost for the ingestion and
retention of this data in the workspace.

Records from the IIS log are stored in the W3CIISLog table in the Log Analytics
workspace. There's a cost for the ingestion and retention of this data in the workspace.

Sample log queries

Query Description

W3CIISLog | where Count the IIS log entries by URL
csHost=="www.contoso.com" | summarize for the host www.contoso.com.
count() by csUriStem

W3CIISLog | summarize sum(csBytes) by Review the total bytes received by
Computer each IIS machine.

Monitor a service or daemon
To monitor the status of a Windows service or Linux daemon, enable the Change
Tracking and Inventory solution in Azure Automation.

Azure Monitor has no ability on its own to monitor the status of a service or daemon.
There are some possible methods to use, such as looking for events in the Windows
event log, but this method is unreliable. You can also look for the process associated with
the service running on the machine from the VMProcess table populated by VM insights.
This table only updates every hour, which isn't typically sufficient if you want to use this
data for alerting.

Note

The Change Tracking and Analysis solution is different from the Change Analysis feature
in VM insights. This feature is in public preview and not yet included in this scenario.

9/14
For different options to enable the Change Tracking solution on your virtual machines,
see Enable Change Tracking and Inventory. This solution includes methods to configure
virtual machines at scale. You have to create an Azure Automation account to support the
solution.

When you enable Change Tracking and Inventory, two new tables are created in your Log
Analytics workspace. Use these tables for logs queries and log search alert rules.

Table Description

ConfigurationChange Changes to in-guest configuration data

ConfigurationData Last reported state for in-guest configuration data

Sample log queries

List all services and daemons that have recently started.

Kusto

ConfigurationChange
| where ConfigChangeType == "Daemons" or ConfigChangeType ==
"WindowsServices"
| where SvcState == "Running"
| sort by Computer, SvcName

Alert when a specific service stops. Use this query in a log search alert rule.

Kusto

ConfigurationData
| where SvcName == "W3SVC"
| where SvcState == "Stopped"
| where ConfigDataType == "WindowsServices"
| where SvcStartupType == "Auto"
| summarize AggregatedValue = count() by Computer, SvcName, SvcDisplayName,
SvcState, bin(TimeGenerated, 15m)

10/14
 Alert when one of a set of services stops. Use this query in a log search alert
rule.

Kusto

let services =
dynamic(["omskd","cshost","schedule","wuauserv","heathservice","efs","wsusser
vice","SrmSvc","CertSvc","wmsvc","vpxd","winmgmt","netman","smsexec","w3svc",
"sms_site_vss_writer","ccmexe","spooler","eventsystem","netlogon","kdc","ntds
","lsmserv","gpsvc","dns","dfsr","dfs","dhcp","DNSCache","dmserver","messenge
r","w32time","plugplay","rpcss","lanmanserver","lmhosts","eventlog","lanmanwo
rkstation","wnirm","mpssvc","dhcpserver","VSS","ClusSvc","MSExchangeTransport
","MSExchangeIS"]);
ConfigurationData
| where ConfigDataType == "WindowsServices"
| where SvcStartupType == "Auto"
| where SvcName in (services)
| where SvcState == "Stopped"
| project TimeGenerated, Computer, SvcName, SvcDisplayName, SvcState
| summarize AggregatedValue = count() by Computer, SvcName, SvcDisplayName,
SvcState, bin(TimeGenerated, 15m)

Monitor a port
Port monitoring verifies that a machine is listening on a particular port. Two potential
strategies for port monitoring are described here.

Dependency agent tables
If you're using VM insights with Processes and dependencies collection enabled, you
can use VMConnection and VMBoundPort to analyze connections and ports on the
machine. The VMBoundPort table is updated every minute with each process running on
the computer and the port it's listening on. You can create a log search alert similar to the
missing heartbeat alert to find processes that have stopped or to alert when the machine
isn't listening on a particular port.

Review the count of ports open on your VMs to assess which VMs have
configuration and security vulnerabilities.

Kusto

VMBoundPort
| where Ip != "127.0.0.1"
| summarize by Computer, Machine, Port, Protocol
| summarize OpenPorts=count() by Computer, Machine
| order by OpenPorts desc

11/14
List the bound ports on your VMs to assess which VMs have configuration
and security vulnerabilities.

Kusto

VMBoundPort
| distinct Computer, Port, ProcessName

Analyze network activity by port to determine how your application or service
is configured.

Kusto

VMBoundPort
| where Ip != "127.0.0.1"
| summarize BytesSent=sum(BytesSent), BytesReceived=sum(BytesReceived),
LinksEstablished=sum(LinksEstablished), LinksTerminated=sum(LinksTerminated),
arg_max(TimeGenerated, LinksLive) by Machine, Computer, ProcessName, Ip,
Port, IsWildcardBind
| project-away TimeGenerated
| order by Machine, Computer, Port, Ip, ProcessName

Review bytes sent and received trends for your VMs.

Kusto

VMConnection
| summarize sum(BytesSent), sum(BytesReceived) by bin(TimeGenerated,1hr),
Computer
| order by Computer desc
| render timechart

Use connection failures over time to determine if the failure rate is stable or
changing.

Kusto

VMConnection
| where Computer ==
| extend bythehour = datetime_part("hour", TimeGenerated)
| project bythehour, LinksFailed
| summarize failCount = count() by bythehour
| sort by bythehour asc
| render timechart

12/14
 Link status trends to analyze the behavior and connection status of a
machine.

Kusto

VMConnection
| where Computer ==
| summarize dcount(LinksEstablished), dcount(LinksLive),
dcount(LinksFailed), dcount(LinksTerminated) by bin(TimeGenerated, 1h)
| render timechart

Connection Manager

The Connection Monitor feature of Network Watcher is used to test connections to a port
on a virtual machine. A test verifies that the machine is listening on the port and that it's
accessible on the network.

Connection Manager requires the Network Watcher extension on the client machine
initiating the test. It doesn't need to be installed on the machine being tested. For more
information, see Tutorial: Monitor network communication using the Azure portal.

There's an extra cost for Connection Manager. For more information, see Network
Watcher pricing.

Run a process on a local machine
Monitoring of some workloads requires a local process. An example is a PowerShell
script that runs on the local machine to connect to an application and collect or process
data. You can use Hybrid Runbook Worker, which is part of Azure Automation, to run a
local PowerShell script. There's no direct charge for Hybrid Runbook Worker, but there's a
cost for each runbook that it uses.

The runbook can access any resources on the local machine to gather required data. It
can't send data directly to Azure Monitor or create an alert. To create an alert, have the
runbook write an entry to a custom log. Then configure that log to be collected by Azure
Monitor. Create a log search alert rule that fires on that log entry.

Next steps

Additional resources
Documentation

Monitor virtual machines with Azure Monitor - Azure Monitor

Learn how to use Azure Monitor to monitor the health and performance of virtual
machines and their workloads.

13/14
 Best practices for monitoring virtual machines in Azure Monitor - Azure Monitor

Best practices organized by the pillars of the Well-Architected Framework (WAF) for
monitoring virtual machines in Azure Monitor.

Monitor virtual machines with Azure Monitor: Deploy agent - Azure Monitor

Learn how to deploy the Azure Monitor agent to your virtual machines for monitoring
in Azure Monitor. Monitor virtual machines and their workloads with an Azure
Monitor guide.

Training

Module

Collect guest operating system monitoring data from Azure and hybrid virtual machines
using Azure Monitor Agent - Training

Discover how to set up and integrate a Log Analytics agent with a workspace in Defender
for Cloud using the Azure portal, enhancing security data analysis capabilities.

14/14