Microsoft Operations Management Suite Cookbook

By Chiyo Odika
About this book

Microsoft Operations Management Suite Cookbook begins with an overview of how to hit the ground running with OMS insights and analytics. Next, you will learn to search and analyze data to retrieve actionable insights, review alert generation from the analyzed data, and use basic and advanced Log search queries in Azure Log Analytics. Following this, you will explore some other management solutions that provide functionality related to workload assessment, application dependency mapping, automation and configuration management, and security and compliance. You will also become well versed with the data protection and recovery functionalities of OMS Protection and Recovery, and learn how to use Azure Automation components and features in OMS.

Finally, you will learn how to evaluate key considerations for using the Security and Audit solution, and how to work with Security and Compliance in OMS.

By the end of the book, you will be able to configure and utilize solution offerings in OMS, understand OMS workflows, how to unlock insights, integrate capabilities into new or existing workflows, manage configurations, and automate tasks and processes.

Publication date:
April 2018


Getting Started with Microsoft Operations Management Suite

This introductory chapter will provide an overview of how to get started with the management capabilities in Operations Management Suite (OMS). It will cover the various methods for signing up to Log Analytics, creating and administering a workspace, provisioning and managing access to workspaces, on-boarding agents to OMS, and viewing the initial data. This chapter will also review architectural considerations for OMS, including proxy and firewall configurations, OMS gateway considerations, and placement. This chapter will include the following topics:

  • Understanding OMS architecture and data flow
  • Connecting sources without internet access to OMS
  • Getting started with OMS
  • Reviewing the collected data


Microsoft OMS is a cloud-based collection of management services that is designed with hybrid management in mind. OMS simplifies IT management within your environment by providing you with solutions for managing and protecting your on-premises and cloud environments. OMS is designed to provide you with a single pane-of-glass view into the operation of your IT environment, and is built to work across heterogeneous environments.

It provides you with the ability to manage your Windows and cross-platform devices across such clouds as Amazon Web Services (AWS) and Microsoft Azure, and because it is implemented as a cloud-based service, you can onboard to the service quickly, and with minimal investment in infrastructure services. Additionally, the cloud-based nature of the service means that new features and capabilities are automatically delivered, saving you upgrade and maintenance-related costs.

At the heart of OMS lies a set of Azure-based services that provide the core functionality of OMS. These services enable the key solutions that provide you with flexible access to the management capabilities that you need:

  • Automation provides you with consistent control and compliance capabilities across your environments, both on-premises and in the cloud, including third-party clouds
  • Log Analytics enables you to gain rich insight into your environment, from collected data and provides you with analytics capabilities across your workloads
  • Backup provides you with reliable backup and restore capabilities to protect critical data both on-premises and in the cloud
  • Site Recovery helps with availability and disaster recovery through seamless replication, failover, and failback capabilities for your workloads

These services are the foundation of the manifold benefits of OMS, which include the ability to do the following:

  • Enable a unified view of all of your IT assets, both on-premises and across the various clouds
  • Gain instant insights across a variety of Windows, Linux, and other workloads
  • Improve your security posture with the ability to identify and respond quickly to security threats
  • Deliver continuous IT services through consistent control and compliance
  • Ensure the availability of your data through automated cloud data protection and disaster recovery

OMS provides you with true hybrid management capabilities, so that while OMS services run in the cloud and effectively provide you with comprehensive management of your cloud workloads, you can also seamlessly and effectively manage on-premises workloads. If you already have investments in System Center, you can seamlessly integrate System Center components with OMS in a hybrid scenario.


Understanding OMS architecture and data flow

This section will explore important architectural concepts and considerations for the various OMS services, and provide you with an understanding of how OMS receives and processes data. A good grasp of how data flows to OMS for the various management functions will enable you to better follow the subsequent recipes.

Getting ready

OMS is a collection of cloud-based services that provide you with hybrid cloud management capabilities, and through four key solution offerings, OMS provides you with flexible access to the management capabilities that you need. Each of the four solution offerings requires specific cloud services to be enabled in Azure in order to access the underlying management capabilities that it provides.

How to do it...

To get started, you should determine which of the key solutions and underlying capabilities you need, and understand how the various OMS cloud services facilitate their respective capabilities. For instance, if you are primarily concerned with insight and analytics capabilities for log collection and searches, and for network health monitoring, you would make use of the Log Analytics service in Azure. If, however, you are interested in protection and recovery capabilities and would like to ensure the availability of your applications and data, you would make use of the Backup and Site Recovery services in Azure. When evaluating the key solutions, note the following capabilities included with each offering:

Insight and Analytics

  • Log collection and search
  • Network health monitoring and application insights
  • Application and server dependency mapping (Service Map)

Automation and Control

  • Azure Automation Desired State Configuration (DSC)
  • Update management and automated remediation
  • Change tracking

Protection and Recovery

  • Back up to Azure and restore from Azure
  • Site recovery to Azure and the customer's secondary datacenters
  • Replicate and failover to Azure, and failback from Azure

Security and Compliance

  • Security and audit capabilities with threat intelligence
  • Malware threat analysis
  • Integration with Azure Security Center for in-depth Azure services security management

Table 1.1 Solutions

How it works...

To understand how OMS works, you need to know about the various services that enable the various management functions in OMS.

Log Analytics

As mentioned earlier, Log Analytics is an OMS service that enables you to monitor your environments' availability and performance. Log Analytics does this by collecting data from sources that you connect to the service. The following are some examples of such sources:

  • Windows and Linux agents
  • Azure VMs and resources
  • System Center

For Windows and Linux operating systems, Log Analytics collects data through agents that must be installed on the host computers. These agents collect data from the server and relay it directly to OMS endpoints. If, however, the computer(s) are part of a System Center Operations Manager (SCOM) management group, no additional agent is required: through SCOM-to-OMS integration, and depending on the management solution enabled in OMS, the SCOM agents collect data from the servers they are deployed to and send it to OMS either via the SCOM management group or directly.

In addition to collecting data from Windows and Linux computers and System Center, Log Analytics can also collect data from Azure resources such as Azure Diagnostics and Azure Monitor. Azure Diagnostics data can be written directly into Log Analytics, or sent to Azure storage, where Log Analytics is then able to read the storage logs. Log Analytics can also collect data from other Azure resources using connectors, which enable data to be sent from services such as Application Insights to Log Analytics. In addition, Log Analytics provides a REST API that enables data collection from other Azure services, third-party applications, and custom management solutions that can't send data through any of the aforementioned means.

Once sources are connected to Log Analytics, data is collected from them based on data source configurations that are delivered to agents either directly (for directly connected computers) or through SCOM management packs (for agents that report to a SCOM management group that is integrated with OMS). Some examples of data sources include Windows Event logs, custom logs, Windows and Linux performance counters, and Syslog, among others.

Once the agent receives the data source configurations, it collects the specified data and, depending on how it is connected (directly or via SCOM), sends the data to Log Analytics. Once the collected data reaches OMS, it is stored as records in the OMS repository. You will then be able to use the log search feature in Log Analytics to query and analyze the indexed data to glean insights about your cloud and on-premises environment and consume the data in various ways (visualize, alert, automate, integrate into workflows, and so on), which we will take a look at later in this book.

The following diagram depicts the flow of data from various connected sources to OMS and to the OMS repository for storage:

Figure 1.1 Log Analytics data collection


Azure Automation

As mentioned earlier, the Azure Automation service lies at the heart of configuration management, process automation, and other automation-related capabilities in OMS. The Automation service uses Azure technologies and Windows PowerShell to provide you with process-automation capabilities using runbooks, and configuration-management capabilities using desired state configuration (DSC) for your Windows and Linux resources that may reside on-premises, in Azure, or in other cloud services.

To automate processes such as long-running and repetitive tasks, you will make use of a set of tasks called runbooks. These enable you to perform automated processes in Azure Automation. You can perform automation tasks with runbooks just like you can with PowerShell, because runbooks in Azure Automation are based on Windows PowerShell or PowerShell workflows. Azure Automation runbooks execute in Azure and can be run against any cloud resources and any other resources that you can access. To execute runbooks against your on-premises resources, you can make use of the Hybrid Runbook Worker feature, which enables you to designate one or more computers on premises as resources, on which Azure Automation can execute runbooks to manage resources on premises.

Each worker will require the Microsoft Management Agent (MMA) and will connect to both the Automation account in Azure Automation and OMS Log Analytics. Azure Automation delivers the runbooks to the workers, and all other automation processes are executed in Azure Automation. You can then monitor the behavior of the management agent using Log Analytics. There are other considerations for making the Hybrid Runbook Worker feature highly available using groups, and we'll explore these later in this book.

Azure Automation also provides you with configuration management capabilities, using Azure Automation DSC. Azure Automation DSC is based on PowerShell DSC fundamentals, and is, in fact, a cloud-based solution for PowerShell DSC; it uses a declarative PowerShell syntax to enable you to manage, deploy, enforce, and monitor configuration for your computers. Because it is cloud based, you manage your DSC resources in Azure Automation and apply your desired configurations to any computers on premises or in the cloud. Your computers then retrieve the configurations from a DSC pull server in Azure. You can then use the reporting capabilities in Azure Automation DSC to monitor how configurations are applied according to your criteria, and to identify and manage drift.

The following diagram depicts the Azure Automation data flow, process automation using runbooks in Azure and Hybrid Runbook Workers on premises, and configuration management using Azure Automation DSC:

Figure 1.2 Azure Automation workflow
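As an added illustration of the declarative syntax described above (example code, not from the book or from Microsoft), the following configuration declares a small hardening baseline, compiles it to a MOF, applies it locally and then checks for drift. The last two commands show the same file being published to Azure Automation DSC and compiled on the pull server in Azure. The output path, the resource group and Automation account names, and the two baseline settings themselves are placeholders chosen for the example.

```powershell
# Added example, not from the book. Save the Configuration block on its own as
# C:\dsc\BaselineHardening.ps1 (Azure Automation requires the file name to match the
# configuration name); the commands after it are run from an elevated session.
# Placeholders: C:\dsc, rg-oms-demo, aa-oms-demo, and the baseline settings.

Configuration BaselineHardening {
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node 'localhost' {
        # Declarative: state the end result; the Local Configuration Manager (LCM)
        # works out whether anything on the node needs to change.
        WindowsFeature TelnetClientAbsent {
            Name   = 'Telnet-Client'
            Ensure = 'Absent'
        }

        Service RemoteRegistryDisabled {
            Name        = 'RemoteRegistry'
            State       = 'Stopped'
            StartupType = 'Disabled'
        }
    }
}

# Compile the configuration; this writes C:\dsc\BaselineHardening\localhost.mof.
BaselineHardening -OutputPath 'C:\dsc\BaselineHardening'

# Apply it to this computer and wait for the LCM to finish.
Start-DscConfiguration -Path 'C:\dsc\BaselineHardening' -Wait -Verbose -Force

# Drift check: InDesiredState is $true only if every declared resource still matches.
$drift = Test-DscConfiguration -Detailed
if (-not $drift.InDesiredState) {
    Write-Warning 'Configuration drift detected:'
    $drift.ResourcesNotInDesiredState | Select-Object ResourceId, InDesiredState
}

# Azure Automation DSC: publish the same configuration and compile it on the DSC pull
# server in Azure, after which registered nodes retrieve it (the data flow shown above).
Import-AzureRmAutomationDscConfiguration -SourcePath 'C:\dsc\BaselineHardening.ps1' `
    -ResourceGroupName 'rg-oms-demo' -AutomationAccountName 'aa-oms-demo' -Published -Force
Start-AzureRmAutomationDscCompilationJob -ConfigurationName 'BaselineHardening' `
    -ResourceGroupName 'rg-oms-demo' -AutomationAccountName 'aa-oms-demo'
```

Running Test-DscConfiguration on a schedule (or reading the node reports in Azure Automation DSC) is what turns the configuration into a drift detector: a resource that reappears in ResourcesNotInDesiredState is a change that somebody or something made outside the declared baseline.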

Azure Backup

Azure Backup is one of the services that enables the protection and recovery management functionality in OMS. It is a service based in Azure that enables you to protect and restore your data from the Microsoft cloud, and includes support for the protection and recovery of files, folders, application workloads, and Azure virtual machines. Azure Backup provides various components to meet your protection and recovery needs, and depending on your protection goals, you can use one of the following components to protect your data in a Recovery Services vault in Azure:

  • Azure Backup (MARS) agent
  • System Center Data Protection Manager (DPM)
  • Azure Backup Server
  • Azure IaaS VM Backup

Note that while all Azure Backup components enable you to protect your data using a Recovery Services vault in Azure, the Azure Backup Server also enables the storage of backup data to a locally attached disk, and the System Center DPM component enables the protection of backed-up data to a locally attached disk and on-premises tape libraries. Azure Backup also provides some support for protecting Linux computers.

When storing backups in Azure, depending on the backup component you utilize, once the data is backed up at the protection point, it is compressed and stored in an Azure-based online storage entity called a Recovery Services vault, and, based on your storage needs, you can enable high availability through locally redundant or geographically redundant storage replication. You can monitor backup metrics and connect to the OMS Monitoring solution for Azure Backup.

The following figure depicts an Azure Backup data flow, a backed-up data relay to an Azure Recovery Services vault, storage replication of protected data, the monitoring of backup statistics, and the viewing of backup reports with Power BI, as well as the monitoring of backup parameters with the OMS monitoring solution:

Figure 1.3 Azure Backup workflow

Azure Site Recovery

Azure Site Recovery (ASR) enables the recovery management capabilities for OMS. ASR is a service in Microsoft Azure that facilitates your disaster recovery and business continuity strategy by enabling you to replicate, fail over, and recover your workloads in the event of a failure. With ASR, you can replicate on-premises VMware and Hyper-V VMs and Windows and Linux physical servers to either Azure storage or a secondary datacenter. You can also use ASR to replicate Azure VMs to another Azure region.

ASR supports the replication of VMs in the following scenarios:

  • Replication and recovery to and from Azure of on-premises Hyper-V VMs on Hyper-V standalone hosts and clusters that are managed with or without System Center Virtual Machine Manager (VMM)
  • Replication and recovery to and from Azure of on-premises VMware VMs
  • Replication and recovery to and from Azure of on-premises physical servers
  • Replication and recovery to and from secondary datacenters of on-premises Hyper-V VMs on Hyper-V standalone hosts and clusters that are managed in VMM clouds
  • Replication and recovery to and from secondary datacenters of on-premises VMware VMs
  • Replication and recovery to and from secondary datacenters of on-premises Windows and Linux physical servers
  • Replication and recovery of Azure VMs from one Azure region to another

The ASR replication process varies according to the scenario you implement, and will be explored in greater detail in Chapter 4, Protecting and Recovering Data with OMS, of this book. In general, if replicating workloads to Azure from an on-premises location, you will need to set up the Azure components, including an Azure account, a storage account, and an Azure network.

For VMware VM and physical server replication to Azure, you will also need ASR component servers (configuration and process servers) and a master target server for failback. You will need to set up a Recovery Services vault in Azure, which is the storage entity that houses the data in Azure. In the vault, you can specify the replication target and source, set up the configuration server, add sources, define your replication policy, and perform other recovery tasks, such as test failovers and failbacks.

Similarly, for replicating Hyper-V VMs to Azure, if the hosts are configured in VMM clouds, you can register the VMM server(s) in the Recovery Services vault and install the Site Recovery Provider to orchestrate replication with Azure. If hosts are not located in VMM clouds, then you will install the Site Recovery Provider directly on the hosts.

Once the infrastructure is set up and the replication configured, protected on-premises machines will replicate an initial copy of the data, after which delta changes will be replicated. Traffic is replicated over a secure internet connection or Azure ExpressRoute to Azure storage endpoints. For VMware VMs and Windows/Linux physical servers, this traffic can also be replicated over a site-to-site VPN connection.

For Azure VM replication, you will need to enable Azure VM replication in the Azure portal, after which resources are created automatically in the target region that you designate. Once replication is enabled, the Site Recovery Extension Mobility Service will be installed automatically on the Azure VM and will then be registered with Site Recovery, and then the VM will be configured for continuous replication. At this point, any data written to the Azure VM disks will continuously get transferred to the cache storage account in the source environment. Site Recovery will then process the data and send it to the target storage account in the target environment.

ASR also provides you with failover testing and the failover of protected resources to a target protection environment (Azure or a secondary site), as well as the ability to fail back to the source site. The following figure depicts the ASR data flow for the replicated data of protected resources from the source location to the target location in Azure or a secondary site:

Figure 1.4 Azure Site Recovery

There's more...

While some configuration is needed to enable some of the key OMS service offerings, such as the protection and recovery capabilities, as shown previously, the deployment requirements for onboarding to OMS are minimal because the underlying functionality is provided by services in Azure.


Connecting sources without internet access to OMS

If you implement security policies that restrict computers in your corporate network (corpnet) from connecting to the internet, OMS has an HTTP forward proxy feature called the OMS Gateway that will enable you to still connect computers in your corpnet to OMS.

While the computers in your corpnet will have no connectivity to the internet, the OMS Gateway must have access to the internet, or be connected to a proxy server that does, so that it can forward data to the OMS service endpoints. The OMS Gateway supports HTTP tunneling using the HTTP CONNECT command. It collects data on behalf of the OMS agents deployed to the computers in your corpnet, and sends the data to OMS.

The following information will help you understand how to connect sources to OMS that have no connectivity to the internet.

Getting ready

At this time, the OMS Gateway supports the following connected sources scenarios:

  • Windows computers directly connected to an OMS workspace with the MMA
  • Linux computers directly connected to an OMS workspace with the OMS agent for Linux
  • SCOM agent-managed computers reporting to a management group that is integrated with OMS. The following SCOM versions are supported:
    • SCOM 2016
    • SCOM 2012 R2 with update rollup 3
    • SCOM 2012 SP1 with update rollup 7
  • Azure Automation Hybrid Runbook Workers

The OMS Gateway feature can also be made highly available using your existing enterprise hardware-based load balancers. To begin, you will need to download and install the OMS Gateway.

How to do it...

You will need to download the OMS Gateway setup file and use the file to install and configure the OMS Gateway. You can also configure high availability for the OMS Gateway using load balancing, if you wish.

Downloading the OMS Gateway setup file

You can download the latest version of the OMS Gateway setup file in one of three ways:

  1. Navigate to the following URI ( to obtain the setup file from the Microsoft Download Center
  2. Obtain the setup file from the OMS Portal:
    1. Sign into your OMS workspace
    2. Navigate to Settings | Connected Sources | Windows Servers
    3. In the resulting blade, click Download OMS Gateway:
Figure 1.5 Downloading OMS Gateway from the OMS portal
  3. Download the OMS Gateway setup file from the Azure portal:
    1. Sign in to the Azure portal
    2. Select Log Analytics from the list of services
    3. Select a workspace
    4. Under the General section in your workspace blade, click Quick Start
    5. Under Choose a data source to Connect to the Workspace, click Computers
    6. In the Direct Agent blade, click Download OMS Gateway
    7. Save the OMS Gateway.msi file:
Figure 1.6 Downloading OMS Gateway from the Azure portal

Installing the OMS Gateway

Use the following steps to install the OMS Gateway:

  1. Locate the OMS Gateway.msi file downloaded in the previous section
  2. Right-click the file and select Install
  3. Click Run on the security warning prompt, if any appear
  4. Click Next on the Welcome page:
Figure 1.7 OMS Gateway setup
  5. Select I accept the terms in the License Agreement on the End-User License Agreement page and click Next
  6. On the OMS Gateway Configurations page, do the following:
    1. Enter the port to be used for the server. The default port is 8080. You can enter any value in the range 1 through 65535.
    2. Optionally, if the OMS Gateway server needs to communicate through a proxy to reach the internet, select Use a proxy server and enter the proxy server information. If the proxy requires authentication, select My proxy requires authentication and enter the username and password as well.
    3. Click Next to proceed:
Figure 1.8 OMS Gateway setup
  7. On the Destination Folder page, leave the default folder setting of C:\Program Files\OMS Gateway, or choose another folder to install the OMS Gateway to, and click Next.
  8. Click Install on the Ready to Install OMS Gateway page and select Yes if you receive a User Account Control (UAC) prompt.
  9. Click Finish after the setup has completed.

Check the list of services or use PowerShell to verify that the OMS Gateway service is installed and running:

Get-Service OMSGatewayService 
Figure 1.9 Verifying that the OMS Gateway service is running

How it works...

The OMS Gateway is simply an HTTP forward proxy that makes connections on behalf of clients through HTTP CONNECT tunneling. In this case, the OMS agent computer forwards its TCP connection to the OMS Gateway, which tunnels the TCP connection to the OMS service endpoints. This tunneling mechanism means that the data is sent directly from the OMS Gateway to the OMS endpoints without being analyzed.

The OMS Gateway can be used with both OMS agents that are configured to directly connect to an OMS workspace, and an Operations Manager (SCOM) management group that is integrated with OMS. With directly connected OMS agents, the data is sent to the OMS Gateway, which then transfers the data directly to OMS in the manner previously described. When configured for use with an SCOM management group, the proxy information defined for the management group is distributed automatically to every agent-managed computer that is configured as an OMS-managed computer, even if that setting isn't defined.

Depending on the solution(s) configured in OMS, the agent will then collect the relevant data and either send it to the management server or, in the case of high-volume data, such as performance metrics and security events, directly to the OMS endpoints via the OMS Gateway.

There's more...

You can configure the OMS Gateway for high availability through network load balancing (NLB). This will enable you to use the TCP/IP networking protocol to distribute traffic across two or more OMS Gateway servers. Using an NLB configuration will provide you with some measure of high availability and scalability for your OMS Gateway configuration. You can make use of any existing hardware-based load balancers that you use within your infrastructure, and the OMS Gateways configured as NLB hosts should support common NLB configurations, such as your preferred load-balancing algorithms (least sessions, round robin, fastest, and so on), persistence methods, and so on.

Ensure that your target server listening port adheres to the port configuration used during the installation of the OMS Gateway server(s).

You can also install the OMS agent on the computer configured as the OMS Gateway. This configuration will enable the following:

  • The OMS Gateway can identify the service endpoints that it needs to communicate with
  • The OMS agent can monitor and collect event and performance data from the OMS Gateway

Additionally, Operations Manager Gateway servers deployed in untrusted networks cannot communicate with the OMS Gateway. They can only report to an Operations Manager management server, and would therefore be subject to the proxy server settings (if any) configured for the management group to which the SCOM management server belongs.

For directly connected computers to send data to the OMS Gateway, they must have network connectivity to the OMS Gateway, and the agents' proxy configuration must point to the OMS Gateway and the port on which it listens.
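The agent-side part of that configuration can be scripted on each directly connected Windows computer. The following is an added example (not code from the book or from Microsoft) that checks the network path to the gateway first and then uses the management agent's AgentConfigManager.MgmtSvcCfg COM object to point the agent at the gateway. The gateway host name and port are placeholders; the port must equal the ListenPort configured on the gateway.

```powershell
# Added example, not from the book. Points a directly connected Windows MMA at an
# OMS Gateway after verifying the prerequisite network path. Placeholders: the gateway
# name omsgw01.corp.example (a single gateway or the NLB virtual IP) and port 8080.

$GatewayHost = 'omsgw01.corp.example'
$GatewayPort = 8080

# 1. Prove the TCP path exists before touching the agent; a failed CONNECT tunnel later
#    would otherwise look like an agent problem rather than a missing firewall rule.
$probe = Test-NetConnection -ComputerName $GatewayHost -Port $GatewayPort -WarningAction SilentlyContinue
if (-not $probe.TcpTestSucceeded) {
    throw "No TCP path from $env:COMPUTERNAME to ${GatewayHost}:$GatewayPort; fix the corpnet-to-gateway rule first."
}

# 2. The agent is configured through the COM object installed with the MMA.
$mma = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'
if (-not ($mma | Get-Member -Name 'SetProxyInfo')) {
    throw 'This agent version does not expose SetProxyInfo; update the Microsoft Monitoring Agent.'
}

# 3. The proxy URL uses the http:// prefix (as the text notes for SCOM as well). The agent
#    opens an HTTP CONNECT tunnel to the gateway and TLS to the OMS endpoints runs inside
#    that tunnel, so the gateway itself needs no credentials.
$mma.SetProxyInfo("http://${GatewayHost}:$GatewayPort", '', '')
$mma.ReloadConfiguration()

# 4. List the workspaces this agent reports to, then look at the agent's own log for the
#    reconnection result; connection failures through the gateway are recorded there.
$mma.GetCloudWorkspaces() | Format-List
Get-WinEvent -LogName 'Operations Manager' -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message
```

Because the gateway only relays, a wrong port in step 3 fails at the TCP layer rather than at the gateway, which is why the example probes the port with the same value it later writes into the agent.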

Using a proxy server to access OMS from SCOM

Perform the following steps:

  1. Open the SCOM console and navigate to the Administration workspace
  2. Navigate to Operations Management Suite, click Connection, and then click Configure Proxy Server:
Figure 1.10 - Configuring proxy server options in SCOM
  3. Select the option to Use a proxy server to access the Operations Management Suite and type either the IP address of the standalone OMS Gateway server or the virtual IP address of the array of load-balanced OMS Gateway servers
Figure 1.11 - Configuring the proxy server in SCOM
Ensure that you start with the http:// prefix. Additionally, ensure that you bypass the HTTPS inspection if you need to permit access to OMS service endpoints through your firewalls.

Use PowerShell cmdlets with OMS Gateway

You can use PowerShell to review and modify the OMS Gateway configuration settings. The OMS Gateway PowerShell module is imported on the OMS Gateway server(s) when the OMS Gateway feature is installed. You can verify this at any time by importing the module:

Import-Module OMSGateway

Once you confirm that the OMS Gateway module has been imported, you can also verify your OMS Gateway configuration for the listening port, log level, and other settings:

Figure 1.12 - Reviewing the OMS Gateway configuration

To make changes to the OMS Gateway configuration using PowerShell, you can make use of the Set-OMSGatewayConfig cmdlet. For instance, to change the port on which the OMS Gateway is listening, you can execute the following command:

Set-OMSGatewayConfig -Name ListenPort -Value [port]

In the preceding command, [port] is the integer value of your desired port on which the OMS Gateway listens.

At this time, the Set-OMSGatewayConfig cmdlet supports the following configuration names:

  • ListenPort
  • LogLevel
  • IncorporatedOMSSolution
  • UseIpv6
  • IncorporatedScomSupport
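Putting the cmdlets above together, the following added example (not code from the book or from Microsoft) reviews the gateway settings, moves the listener to another port, and verifies that the service really listens there before opening the firewall for corpnet sources only. It assumes that Get-OMSGatewayConfig is the read counterpart of Set-OMSGatewayConfig in the OMSGateway module and that the service must be restarted for a ListenPort change to take effect; the port 8443 and the address range 10.0.0.0/8 are placeholders.

```powershell
# Added example, not from the book. Reviews and changes the OMS Gateway listener and
# verifies the result. Assumptions: Get-OMSGatewayConfig exists alongside
# Set-OMSGatewayConfig; a restart applies the new ListenPort; 8443 and 10.0.0.0/8
# are placeholders for your chosen port and corpnet range.

Import-Module OMSGateway

$NewPort     = 8443
$CorpnetCidr = '10.0.0.0/8'   # the only networks that should reach the listener

# Review the current settings (the same information Figure 1.12 shows).
Get-OMSGatewayConfig | Format-List

# Guard the input the same way the installer does, and refuse a port already bound.
if ($NewPort -lt 1 -or $NewPort -gt 65535) { throw "ListenPort must be 1-65535, got $NewPort" }
if (Get-NetTCPConnection -LocalPort $NewPort -State Listen -ErrorAction SilentlyContinue) {
    throw "TCP port $NewPort is already bound by another process"
}

Set-OMSGatewayConfig -Name ListenPort -Value $NewPort
Restart-Service -Name OMSGatewayService

# Verify: the service is running and its own process owns a listener on the new port.
$svc = Get-Service -Name OMSGatewayService
if ($svc.Status -ne 'Running') { throw "OMSGatewayService is $($svc.Status)" }

$svcPid   = (Get-CimInstance Win32_Service -Filter "Name='OMSGatewayService'").ProcessId
$listener = Get-NetTCPConnection -State Listen -OwningProcess $svcPid -ErrorAction SilentlyContinue |
            Where-Object LocalPort -eq $NewPort
if (-not $listener) { throw "Gateway is not listening on $NewPort; check the OMS Gateway log" }

# Allow only corpnet sources to reach the listener. This is also the port the agents'
# proxy settings and the NLB target port must use when the gateway is load balanced.
New-NetFirewallRule -DisplayName "OMS Gateway listener $NewPort" -Direction Inbound -Protocol TCP `
    -LocalPort $NewPort -RemoteAddress $CorpnetCidr -Action Allow | Out-Null
```

Checking the listener by the service's own process ID, rather than by port alone, distinguishes "the gateway is listening" from "something else happens to be on that port".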


Getting started with OMS

The following information will show you how to get started with OMS by setting up a Log Analytics workspace. There are several ways to create a Log Analytics workspace:

  • Create a workspace through the Microsoft OMS Overview page
  • Create a Log Analytics workspace in the Azure portal
  • Create and configure a Log Analytics workspace using Azure Resource Manager templates
  • Create and configure a Log Analytics workspace using Log Analytics PowerShell cmdlets

This section will focus on creating a Log Analytics workspace and onboarding through the Azure portal.

Getting ready

To get started with OMS Log Analytics, you will need to make use of an Azure account. If you don't have an Azure account, you can create a free account, which will give you access to the Azure service. This free account will be available for 30 days.

How to do it...

We can start the on-boarding process using the following steps:

Creating an Azure account

To create a free account, go through the following steps:

  1. Navigate to and follow the instructions to create your account. You will be able to make use of a work, school, or personal email account. You can also create a new Microsoft account that you can authenticate with Azure.
  2. Sign in and follow the instructions to create an account.

Creating an OMS Log Analytics workspace

Once you have access to the Azure service, you are ready to create your OMS Log Analytics workspace:

  1. Navigate to the Azure Portal ( and sign in.
  2. In the Azure Portal, click the New button and type Log Analytics in the marketplace search field. Select Log Analytics:
Figure 1.13 Log Analytics workspace
  3. Click the Create button and enter or select information for the following fields:
    • OMS Workspace: Enter a name for your workspace
    • Azure subscription: Select the Azure subscription that you would like to assign to your OMS Log Analytics workspace. You can change your OMS workspace Azure subscription at any time.
    • Resource group: Use the radio button to create a new resource group or to use an existing one; if you use an existing one, select it from the dropdown.
    • Location: Select the Azure region.
    • Pricing tier: Select a pricing tier that will govern the cost of your OMS Log Analytics workspace and the solutions you use. You can choose from the following options:
      • Free
      • Per Node (OMS)
      • Per GB (Standalone)
      • Standard
      • Premium
A resource group is a container that holds related resources for an Azure solution.
Figure 1.14 - Creating Log Analytics workspace
  4. Click OK to finish creating your workspace.
  5. You can now filter for Log Analytics in the Azure portal to see your new OMS Log Analytics workspace.
  6. Click on your Log Analytics workspace. You can now review the settings and features for your workspace:
Figure 1.15 - Log Analytics workspace

Adding solution offerings and solutions

After creating the Log Analytics workspace, you can add solution offerings and management solutions to your workspace. Management solutions are collections of logic, data collection, and visualization rules that provide you with information that is pertinent to a particular problem area. Solution offerings are bundles of management solutions.

To add solution offerings and solutions through the Azure portal, go through the following steps:

  1. Navigate to the Azure portal and click the New button. Type the name of the solution you would like to add, such as Activity Log Analytics, into the marketplace search field and press Enter.
  2. Select Activity Log Analytics in the Everything blade, and click Create:
Figure 1.16 - Log Analytics solution offerings
  3. In the Activity Log Analytics blade, select the workspace you would like to associate with the management solution and click Create:
Figure 1.17 - Adding solution offerings to Log Analytics
  4. Repeat the preceding steps to add additional service offerings and solutions to your workspace.

From the marketplace, follow steps 1-3 to add the Security & Compliance service offering to your workspace to get the Antimalware Assessment and Security and Audit solutions. Additionally, you can add the Automation & Control service to get the System Update Assessment, Change Tracking, and Automation Hybrid Worker solutions:

Figure 1.18 - Adding Security and Compliance solutions
  5. After adding solutions to your workspace, you can view the management solutions by navigating to Log Analytics, clicking on your workspace name, and, in the Workspace blade, selecting Overview under Management:
Figure 1.19 - Viewing Log Analytics solutions

Once on the Overview page, you can see the solution tiles for the solutions that you have added to the workspace:

Figure 1.20 - Log Analytics solution tiles in Azure Portal
Alternatively, while in the workspace blade, you can click on OMS Portal to take you to the portal on the OMS website. We'll look at some operations that can be performed in the OMS portal in the following sections of this chapter and in subsequent chapters of this book.
Figure 1.21 - Log Analytics workspace in the OMS portal

Connecting Azure VMs to OMS Log Analytics in Azure portal

After adding solution offerings and solutions to your OMS workspace, you are now ready to connect sources to the workspace to start collecting some data. You can enable the VM extension to connect your Azure VMs to OMS Log Analytics:

  1. Navigate to and sign in to the Azure portal.
  2. Search for and navigate to Log Analytics and select your Log Analytics workspace.
  3. In the Log Analytics blade, select Virtual machines under Workspace Data Sources.
  4. Review the list of virtual machines and the OMS connection status for each virtual machine on which you would like to install the agent:
Figure 1.22 - Azure VMs connection to OMS
  5. Select the virtual machine that you would like to install the agent on, and in the details blade for the VM, select Connect. This will automatically install and configure the agent for your Log Analytics workspace:
Figure 1.23 - Connecting Azure VMs to OMS Log Analytics

After the agent is installed and connected, the OMS connection status for your workspace will reflect this:

Figure 1.24 - Azure VMs connected to OMS
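The Connect button in the portal installs the Microsoft Monitoring Agent VM extension. The following script, an added example rather than code from the book, does the same from AzureRM PowerShell (the module current when the book was written; the Az module has equivalents with the Az prefix). The resource group, workspace and VM names are placeholders, and the workspace key is passed only through the extension's protected settings so it is not stored in clear text in the extension configuration.

```powershell
# Added example (not from the book): onboard an existing Azure VM to a Log Analytics
# workspace with the monitoring agent VM extension, as the portal's Connect button does.
# Resource group, workspace and VM names are placeholders.
$rg        = "rg-oms-demo"          # assumed resource group name
$workspace = "oms-demo-workspace"   # assumed workspace name
$vmName    = "vm-web-01"            # assumed VM name

Login-AzureRmAccount | Out-Null

# The workspace ID is the workspace's customer ID; the primary key is a secret.
$ws   = Get-AzureRmOperationalInsightsWorkspace -ResourceGroupName $rg -Name $workspace
$keys = Get-AzureRmOperationalInsightsWorkspaceSharedKeys -ResourceGroupName $rg -Name $workspace

$vm = Get-AzureRmVM -ResourceGroupName $rg -Name $vmName

# Windows VMs use the MicrosoftMonitoringAgent extension; Linux VMs use OmsAgentForLinux.
$extType = if ($vm.StorageProfile.OsDisk.OsType -eq "Windows") { "MicrosoftMonitoringAgent" } else { "OmsAgentForLinux" }

# Pick the newest published version of the extension and use its major.minor for the handler.
$latest = Get-AzureRmVMExtensionImage -Location $vm.Location `
            -PublisherName "Microsoft.EnterpriseCloud.Monitoring" -Type $extType |
          Sort-Object { [version]$_.Version } | Select-Object -Last 1
$handlerVersion = ([version]$latest.Version).ToString(2)

Set-AzureRmVMExtension -ResourceGroupName $rg -VMName $vmName `
    -Name "OMSExtension" `
    -Publisher "Microsoft.EnterpriseCloud.Monitoring" `
    -ExtensionType $extType `
    -TypeHandlerVersion $handlerVersion `
    -Location $vm.Location `
    -Settings @{ workspaceId = $ws.CustomerId.ToString() } `
    -ProtectedSettings @{ workspaceKey = $keys.PrimarySharedKey }

# Verify: the extension should report ProvisioningState "Succeeded", after which the VM
# appears as connected in the workspace's Virtual machines list.
Get-AzureRmVMExtension -ResourceGroupName $rg -VMName $vmName -Name "OMSExtension" |
    Select-Object Name, ExtensionType, TypeHandlerVersion, ProvisioningState
```

Run it from a session that already has Contributor rights on the VM and at least read access to the workspace; the `Get-...SharedKeys` call is the only place the key is retrieved, so scoping that permission tightly keeps the key out of general-purpose automation accounts.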

Connecting Windows computers to OMS Log Analytics

As mentioned earlier, you can directly connect Windows computers to your OMS Log Analytics workspace. To do this, you will need to download the agent setup file from the OMS portal or the Azure portal, install the agent, and configure it for your workspace:

  1. Navigate to the Azure portal, select Log Analytics, and select your Log Analytics workspace.
  2. In the Log Analytics workspace blade, select Quick Start, and under Choose a data source to connect to the workspace, select Computers:
Figure 1.25 - Onboarding Windows computers to Log Analytics
  3. In the Direct Agent blade, click the Download Windows Agent link that applies to your computer's processor type to download the setup file.
  4. Save the setup file to your preferred directory.
  5. In the Workspace ID and Keys fields, copy the Workspace ID and Primary Key values to Notepad for use during the direct agent installation:
Figure 1.26 - Log Analytics Windows agents
  6. On the computer that you want to manage with OMS Log Analytics, run the setup file, and click Next on the Welcome page.
  7. On the License Terms page, read the terms and click I Agree.
  8. On the Destination Folder page, change or keep the default folder and click Next.
  9. On the Agent Setup Options page, select Connect the agent to Azure Log Analytics (OMS) and click Next.
  10. Paste the Workspace ID and Primary Key into the respective Workspace ID and Workspace Key fields, select your preferred Azure Cloud option (Azure Commercial is the default) and click Next:
Figure 1.27 - Connecting the Windows Agent to the Log Analytics workspace
  11. On the Ready to Install page, review your choices and click Install.
  12. Click Finish once the configuration completes successfully.
  13. You will now see the Microsoft Monitoring Agent in the Control Panel of the agent computer. Open the properties of the agent, and under the Azure Log Analytics (OMS) tab you will see a confirming status: The Microsoft Monitoring Agent has successfully connected to the Microsoft Operations Management Suite Service:
Figure 1.28 - OMS Log Analytics Windows Agent properties
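For more than a handful of computers, the wizard steps above are better driven unattended. The script below is an added example, not code from the book: it extracts the downloaded MMASetup-AMD64.exe, runs setup.exe with the same values the wizard asks for (workspace ID, key and cloud type), and then reads the agent's own configuration through the AgentConfigManager COM object to confirm the connection status shown on the Azure Log Analytics (OMS) tab. The installer path is an assumed location; the workspace ID and key are supplied as parameters.

```powershell
# Added example (not from the book): unattended Microsoft Monitoring Agent install on
# Windows, followed by a connection check. Installer path is a placeholder.
param(
    [Parameter(Mandatory)] [string] $WorkspaceId,   # Workspace ID from the Direct Agent blade
    [Parameter(Mandatory)] [string] $WorkspaceKey,  # Primary Key from the Direct Agent blade
    [string] $Installer = "C:\Temp\MMASetup-AMD64.exe",  # assumed download location
    [int]    $CloudType = 0                         # 0 = Azure Commercial, 1 = Azure Government
)

$extractDir = Join-Path $env:TEMP "MMAExtract"
# /c extracts the package without installing; /t: sets the extraction directory.
Start-Process -FilePath $Installer -ArgumentList "/c", "/t:$extractDir" -Wait

# setup.exe takes the wizard's choices as MSI-style properties; /qn runs it silently.
$setupArgs = @(
    "/qn",
    "NOAPM=1",
    "ADD_OPINSIGHTS_WORKSPACE=1",
    "OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=$CloudType",
    "OPINSIGHTS_WORKSPACE_ID=`"$WorkspaceId`"",
    "OPINSIGHTS_WORKSPACE_KEY=`"$WorkspaceKey`"",
    "AcceptEndUserLicenseAgreement=1"
)
$proc = Start-Process -FilePath (Join-Path $extractDir "setup.exe") `
            -ArgumentList $setupArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw "Agent setup failed with exit code $($proc.ExitCode)"
}

# The installed agent exposes its workspace configuration via COM; ConnectionStatusText
# reads "Success" once the agent has registered with the service.
$cfg = New-Object -ComObject AgentConfigManager.MgmtSvcCfg
$cfg.GetCloudWorkspaces() | ForEach-Object {
    [pscustomobject]@{
        WorkspaceId      = $_.workspaceId
        ConnectionStatus = $_.ConnectionStatusText
    }
}
```

Pass the key from a secured variable or a secrets store rather than hard-coding it in the script; it is the same credential that authorises any machine to send data into the workspace.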

Adding data sources in OMS

As mentioned previously, Log Analytics collects data from the connected sources that you define in your workspace and stores that data in the OMS data stores. The data sources you configure will define the data that is then collected from each connected source. Two data sources that you can start with are Windows events and performance data.

To add a Windows event log data source to OMS, go through the following steps:

  1. In the OMS console, click the Settings tile.
  2. On the Settings page, click on Data and select Windows Event Logs.
  3. In the Log Name field, type the name of an event log you would like to collect. Log Analytics will suggest common event log names based on your entry.
  4. Type your log name, or select from the suggestions, and click the + button to add the event log for collection:
Figure 1.29 - Log Analytics event log collection

Configuring performance data sources in OMS

OMS supports the collection of Windows and Linux performance counters.

Collecting Windows performance counters:

Perform the following steps:

  1. In the OMS console, click the Settings tile.
  2. On the Settings page, click on Data and click Windows Performance Counters.
  3. Click the Add the selected performance counters button to start collecting a list of suggested performance counters. You can uncheck any of the counters before adding the other selections:
Figure 1.30 - Log Analytics Windows performance counters
  4. Once the counters are added, review the counters and the sample collection intervals:
Figure 1.31 - Log Analytics Windows performance counters and collection intervals
  5. Search for additional counters in the entry field, or use the Remove button next to the counter sample interval to remove any counters.

Collecting Linux performance counters:

Perform the following steps:

  1. In the OMS console, click the Settings tile.
  2. On the Settings page, click on Data and click Linux Performance Counters.
  3. Click the Add the selected performance counters button to start collecting a list of suggested performance counters. You can uncheck any of the counters before adding the other selections:
Figure 1.32 - OMS Log Analytics Linux performance counters

How it works...

To get started with OMS, set up a Log Analytics workspace. A workspace is a container and Azure resource in which data is collected, analyzed, and presented in a portal. It includes account information and simple configuration information for a given account. You can have multiple workspaces to manage different datasets. In order to create a workspace, you will need the following:

  • An Azure subscription
  • A name for your workspace
  • An Azure geographical region

You will also need to associate your workspace with an Azure subscription. A workspace can be used as a granular unit of management for specific workloads, functional teams, or other bases. A Log Analytics workspace provides you with the following:

  • Granularity for billing
  • Data isolation
  • Custom workload configuration
  • Geographic location flexibility for data storage

You can get started with OMS by creating a workspace using any of the following methods:

  • Create a workspace through the Microsoft OMS overview page
  • Create a Log Analytics workspace in the Azure portal
  • Create and configure a Log Analytics workspace using Azure Resource Manager templates
  • Create and configure a Log Analytics workspace using Log Analytics PowerShell cmdlets

You can subsequently view, administer, and configure your workspace through the user interface portals in either Azure or the OMS website.

Once you add solutions to your workspace and connect sources to the workspace, you can then define the data that gets collected from your connected sources by defining and configuring data sources for your workspace. The configured data sources determine the nature of the collected data. The following are some examples of data sources:

  • Windows event logs
  • Windows and Linux performance counters
  • Syslog
  • IIS and custom logs
For Windows event logs, Log Analytics will only collect events from the Windows event logs that you specify in your workspace. You will not, however, be able to manually add security events to your workspace. To collect security events, you will need to install the Security and Audit solution or the Security & Compliance solution, which includes the security solution.
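The workspace, the Security solution and the Windows event log and performance counter data sources from the Adding data sources and Configuring performance data sources recipes can all be created with the Log Analytics PowerShell cmdlets mentioned above. The script below is an added example, not code from the book, using AzureRM cmdlets; the resource group, workspace name, region and counter list are placeholders chosen for illustration.

```powershell
# Added example (not from the book): create a workspace, enable the Security solution and
# define event log and performance counter data sources with AzureRM PowerShell.
# Names, region and the counter selection are placeholders.
$rg        = "rg-oms-demo"
$workspace = "oms-demo-workspace"
$location  = "East US"

Login-AzureRmAccount | Out-Null
New-AzureRmResourceGroup -Name $rg -Location $location -Force | Out-Null

# -Sku values map to the portal's pricing tiers; "PerNode" is the Per Node (OMS) tier.
$ws = New-AzureRmOperationalInsightsWorkspace -ResourceGroupName $rg -Name $workspace `
        -Location $location -Sku "PerNode"

# Security events cannot be added as an ordinary Windows event log data source; enabling
# the Security solution (intelligence pack "Security") is what collects them.
Enable-AzureRmOperationalInsightsIntelligencePack -ResourceGroupName $rg `
    -WorkspaceName $workspace -IntelligencePackName "Security" | Out-Null

# Windows event logs: collect Error and Warning entries from System and Application.
foreach ($log in "System", "Application") {
    New-AzureRmOperationalInsightsWindowsEventDataSource -ResourceGroupName $rg `
        -WorkspaceName $workspace -Name "EventLog-$log" -EventLogName $log `
        -CollectErrors -CollectWarnings | Out-Null
}

# Windows performance counters (object / counter / instance) sampled every 60 seconds.
$counters = @(
    @{ Object = "Processor";   Counter = "% Processor Time"; Instance = "_Total" },
    @{ Object = "Memory";      Counter = "Available MBytes"; Instance = "*" },
    @{ Object = "LogicalDisk"; Counter = "% Free Space";     Instance = "*" }
)
foreach ($c in $counters) {
    # Data source names must be unique within the workspace; derive one from the counter.
    $name = ("Perf-{0}-{1}" -f $c.Object, $c.Counter) -replace '[^\w-]', ''
    New-AzureRmOperationalInsightsWindowsPerformanceCounterDataSource -ResourceGroupName $rg `
        -WorkspaceName $workspace -Name $name -ObjectName $c.Object -CounterName $c.Counter `
        -InstanceName $c.Instance -IntervalSeconds 60 | Out-Null
}

# Read back the configured data sources and enabled solutions for review.
Get-AzureRmOperationalInsightsDataSource -ResourceGroupName $rg -WorkspaceName $workspace `
    -Kind WindowsEvent | Select-Object Name, Kind
Get-AzureRmOperationalInsightsDataSource -ResourceGroupName $rg -WorkspaceName $workspace `
    -Kind WindowsPerformanceCounter | Select-Object Name, Kind
Get-AzureRmOperationalInsightsIntelligencePacks -ResourceGroupName $rg -WorkspaceName $workspace |
    Where-Object Enabled | Select-Object Name
```

Keeping the data source definitions in a script like this makes the collection configuration reviewable and repeatable across workspaces, which matters when the workspace is the evidence store for security events.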

The collected data is then stored in the OMS repository as a set of records, with each record type having a set of properties.

This collected data can then be queried using the log search feature to combine and correlate the data, and with the emphasis on particular workloads or problem areas using solutions, you can glean insights and take action on the information derived from the data. You can then further analyze the data using the various visualization capabilities in OMS.

Furthermore, you can manage accounts, users, and groups to have some measure of role-based access to your Log Analytics workspace. This can be done using Azure permissions, and in the OMS portal.

The Microsoft or organizational account that creates a workspace becomes an administrator of the workspace by default.

There's more...

In addition to the Insights & Analytics and Security & Compliance solutions described in the previous section, you can also add solutions for Automation & Control (Update Management, Change Tracking, Azure Automation Hybrid Worker), and Protection & Recovery (Azure Backup and Azure Site Recovery) to your OMS Log Analytics workspace.

Managing users in the OMS portal

Perform the following steps:

  1. Navigate to the OMS portal and sign in.
  2. On the Overview page, click the Settings tile.
  3. Click the Accounts tab and click Manage Users.

While in the Manage Users section, you can perform tasks such as adding and removing users and groups.

Adding a user or group to a workspace

Perform the following steps:

  1. In the Manage Users section, choose the account type to add. You can choose between an Organizational Account, Microsoft Account, or Microsoft Support.
  2. Choose the user type: Administrator, Contributor, or ReadOnly User.
  3. Choose whether the account is a User or Group.
  4. Enter the name of the account and click Add:
Figure 1.33 - Managing users in the OMS Log Analytics workspace
If you choose the Organizational Account type, when you enter part of the name of a user or group in the account field, a list of matching users and groups will appear in a drop-down box.

Editing or removing a user or group from a workspace

Perform the following steps:

  1. While still in the Manage Users section of the Overview | Settings page, locate the user or group you would like to edit or remove from the list of users/groups.
  2. Toggle to the relevant user or group type radio button to edit the user type, or click REMOVE next to the username you would like to remove:
Figure 1.34 - Editing users in the Log Analytics workspace
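The How it works section notes that access can also be managed through Azure permissions. The following added example (not code from the book) grants an Azure AD group one of Azure's built-in Log Analytics roles scoped to a single workspace and then lists every assignment on that workspace, using AzureRM cmdlets. The group and resource names are placeholders.

```powershell
# Added example (not from the book): workspace-scoped role assignment with AzureRM RBAC.
# Group, resource group and workspace names are placeholders.
param(
    [string] $ResourceGroup = "rg-oms-demo",
    [string] $Workspace     = "oms-demo-workspace",
    [string] $GroupName     = "SecOps-Analysts",   # assumed Azure AD group display name
    [ValidateSet("Log Analytics Reader", "Log Analytics Contributor")]
    [string] $Role          = "Log Analytics Reader"
)

$ws    = Get-AzureRmOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $Workspace
$group = Get-AzureRmADGroup -SearchString $GroupName | Select-Object -First 1
if (-not $group) { throw "Azure AD group '$GroupName' not found." }

# Scope the assignment to the workspace resource rather than the subscription so the
# group can read this workspace's data and nothing else (least privilege).
$existing = Get-AzureRmRoleAssignment -ObjectId $group.Id -Scope $ws.ResourceId |
    Where-Object { $_.RoleDefinitionName -eq $Role -and $_.Scope -eq $ws.ResourceId }

if ($existing) {
    "Assignment already present: $($group.DisplayName) -> $Role on $($ws.Name)"
} else {
    New-AzureRmRoleAssignment -ObjectId $group.Id -RoleDefinitionName $Role -Scope $ws.ResourceId | Out-Null
    "Granted $Role to $($group.DisplayName) on $($ws.Name)"
}

# Everyone with rights on the workspace, including assignments inherited from the
# resource group or subscription; this is the list to review periodically.
Get-AzureRmRoleAssignment -Scope $ws.ResourceId |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope
```

Reader is sufficient for analysts who only run searches; Contributor is needed to change data sources and solutions, so hand it out to the people who own the workspace configuration rather than to everyone who queries it.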

Considerations for other solution offerings

There are additional configurations required for adding the Automation & Control and the Protection & Recovery solutions respectively to your workspace, and for use with OMS.

Add Automation & Control Solution Offering to OMS

To add the Automation & Control solution, you must create an Automation account or select an existing Automation account. An Automation account is an Azure resource through which you can manage all of your Azure, cloud, and on-premises resources:

  1. Navigate to the Azure portal and click the New button. Type Automation & Control into the marketplace search field and press Enter.
  2. Select Automation & Control in the Everything blade and click Create.
  3. In the Create New Solution blade, click the OMS Workspace button and select your OMS workspace, check the recommended solutions you would like to install, and click the OMS Workspace Settings tab.
  4. In the resulting blade, confirm your workspace, Azure Subscription, Location, Resource group, and Pricing tier information, and click Automation account.
  5. In the Automation account blade, select an existing Automation account or click Create an Automation account:
Figure 1.35 - The Automation & Control solution
Creating the Automation account when you add the Automation & Control solution to your workspace establishes the integration with your OMS workspace, and enables you to install related management solutions into your workspace.
  6. In the Add Automation Account blade, enter the name of your Azure Automation account in the Name field, review the Subscription, Resource group, Location, and Azure Run As account creation options, and click OK:
Figure 1.36 - Adding Azure Automation Account
  7. After the deployments are complete, click OK in the OMS Workspace blade, and upon completion of the deployment, click Create in the Automation & Control blade to finish adding the Automation & Control solution to your workspace.

OMS data retention

When performing analytics against datasets, how long that data is kept, and therefore how far back you can search, is an important consideration. OMS offers a variety of pricing tiers to suit your budget and needs, and the retention periods for the various OMS pricing tiers are well defined. Remember that there are five pricing tiers that you can choose from for your workspace:

  • Free: On the free tier, data is retained for seven days
  • Per Node (OMS): Log Analytics makes the last 31 days of data available on this tier
  • Per GB (Standalone): Log Analytics makes the last 31 days of data on this tier available
  • Standard: On the standard tier, data is retained for 30 days
  • Premium: Data on the premium tier is retained for 365 days
When you use the OMS and Standalone pricing tiers, you can keep up to 2 years' worth of data (730 days). This is configurable from the Log Analytics Workspace settings in the Azure Portal. There is, however, a retention charge for data stored for more than the default 30 days.

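The same retention setting can be changed and verified from PowerShell. The script below is an added example, not code from the book: it refuses to run on tiers whose retention is fixed, enforces the 730-day ceiling stated above, warns about the retention charge beyond the default 30 days, and reads the setting back after applying it. The resource names are placeholders, and the Sku and RetentionInDays properties on the workspace object are assumed from the AzureRM module.

```powershell
# Added example (not from the book): set and verify Log Analytics retention with AzureRM.
# Resource names are placeholders; tier/retention rules follow the text above.
param(
    [string] $ResourceGroup = "rg-oms-demo",
    [string] $Workspace     = "oms-demo-workspace",
    [int]    $RetentionDays = 90
)

$ws = Get-AzureRmOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $Workspace

# Only the Per Node (OMS) and Per GB (Standalone) tiers allow a configurable retention;
# Free, Standard and Premium have fixed periods (7, 30 and 365 days respectively).
$adjustable = @("PerNode", "Standalone", "PerGB2018")
if ($ws.Sku -notin $adjustable) {
    throw "Retention on the '$($ws.Sku)' tier is fixed; change the pricing tier first."
}
if ($RetentionDays -lt 1 -or $RetentionDays -gt 730) {
    throw "RetentionInDays must be between 1 and 730 (2 years) on the $($ws.Sku) tier."
}
if ($RetentionDays -gt 30) {
    Write-Warning "Retention beyond the default 30 days incurs a per-GB retention charge."
}

Set-AzureRmOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $Workspace `
    -RetentionInDays $RetentionDays | Out-Null

# Read the workspace back so the change is confirmed from the service, not assumed.
$ws = Get-AzureRmOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $Workspace
[pscustomobject]@{
    Workspace       = $ws.Name
    Sku             = $ws.Sku
    RetentionInDays = $ws.RetentionInDays
}
```

For a workspace that feeds the Security and Audit solution, choose the retention to match how long investigations need to look back, since data older than the retention period is gone and cannot be recovered from the workspace.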
The cost of your workspace depends on the pricing tier and the solutions you use. To use OMS entitlements and access all solutions, you can choose between the Per Node (OMS) and Free tiers. Various solutions are also offered in some of the other pricing tiers.

For instance, to use the Network Performance monitoring or Service Map solutions, which are part of the Insights and Analytics solutions, you can choose the Per Node (OMS) or Free tiers. Additionally, to use such solutions as Security and Antimalware (from the Security & Compliance solution) and Update Management and Change Tracking (from the Automation & Control solution) you can choose the Per Node (OMS) or Free pricing tier. Microsoft offers detailed Log Analytics pricing information and a calculator at

See also


Reviewing the collected data

After you connect sources to your workspace and define the type of data that will be collected from your connected sources through the data sources, Log Analytics will start to collect data based on these criteria and the solutions that you have installed in your workspace, and you will start to see the relevant data in your workspace.

How to do it...

You can start by reviewing the solution-specific data in your workspace:

  1. In the OMS console, review the solution tiles in your workspace that correspond to the solutions you have installed in your workspace.
  2. Click the Security And Audit solution tile to enter the Solution View page.
  3. Once on the page, Log Analytics will present you with a list of recommended alerts that relate to the solution. Click Enable alerts to enable the recommended alerts for the solution, and click Ok to close the Recommended alerts panel:
Figure 1.37 - Security & Audit solution dashboard
You can view and manage all of your alerting rules by navigating to Settings | Alerts.
Figure 1.38 - Log Analytics workspace overview page
  4. On the Security and Audit page, review the visualization elements that comprise the view of the solution. Also, note the common security queries tile that suggests queries for specific security and audit scenarios.
  5. Repeat steps 1-4 for any additional solutions in your workspace.
  6. From the OMS overview page, click Log Search.
  7. In the Log Search page, enter the * character as the search query in the search field and click Search:
Figure 1.39 - OMS Log Analytics log search

The query returns results that are displayed in the Query Results field. You will also see various data types and field values on the left side of the Log Search page:

  8. Click on the Perf data type on the left side of your screen to return performance data. Note that when you make this selection, the log search modifies the query to reflect your selection.
  9. Click on the Table perspective to see a different view of the resulting dataset:
Figure 1.40 - Log Analytics performance data records

How it works...

Once data is collected in OMS, it is stored in the OMS data store as records. Records that are collected by the various data sources configured for a workspace will have unique properties, and will get tagged with a Type property that identifies that record as coming from a particular data source. For instance, Windows event log data, once collected in the OMS repository, will be assigned the type Event. This means that in Log Analytics, you can search for non-security Windows event logs by using the query Event, which filters on that type value. Similarly, performance counter data will get tagged as data of type Perf, and you can use the query Perf to filter for this sort of data.

All of the data collected in the OMS repository is tagged as such, and you can filter for any type of data once you know what the tag value, or type, of data it is. The OMS log search can enable you to further shape, filter, aggregate, and glean insights from your data. In the next chapter, you will learn how to use the OMS log search to glean insights from your data. You will also learn how to analyze and visualize your data using OMS and complementary tools.

See also

About the Author
  • Chiyo Odika

    Chiyo Odika is an author, consultant, strategist and thought leader who is passionate about data-driven management and architecture. Chiyo excels at helping clients think strategically about how to use technology to optimize the service delivery to the business, and to create fundamental business change and value. His current technology focus is cloud computing. He enjoys talking about hybrid cloud flexibility, exploring business technology trends, optimizing cloud infrastructures, and leading solution delivery teams.

    He has extensive experience in leading full lifecycle technology implementations of cutting-edge business solutions for a wide range of global clients and has championed initiatives from ideation to execution and delivery.

    His current technology focus is the Microsoft Cloud. He enjoys talking about hybrid cloud flexibility, and optimizing cloud infrastructures with Microsoft Azure, Windows Server, and Microsoft System Center, and about IT Service Management and process optimization.
