Azure Monitor Agent (AMA) vs Log Analytics Agent (part 3) – How to ingest logs

The initiative "[Preview]: Configure machines to create the user-defined Microsoft Defender for Cloud pipeline using Azure Monitor Agent", mentioned in part 1, consists of the following policies:
  • [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines
  • Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication
  • Configure Windows virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication
  • [Preview]: Configure supported Linux virtual machines to automatically install the Azure Security agent
  • [Preview]: Configure supported Windows machines to automatically install the Azure Security agent
  • [Preview]: Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent
  • [Preview]: Configure Association to link virtual machines to user-defined Microsoft Defender for Cloud Data Collection Rule
  • Configure Linux Arc-enabled machines to run Azure Monitor Agent
  • Configure Windows Arc-enabled machines to run Azure Monitor Agent
  • [Preview]: Configure supported Linux Arc machines to automatically install the Azure Security agent
  • [Preview]: Configure supported Windows Arc machines to automatically install the Azure Security agent
  • [Preview]: Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent
  • [Preview]: Configure Association to link Arc machines to user-defined Microsoft Defender for Cloud Data Collection Rule

So you can see at least two policies about creating a Data Collection Rule:

  • [Preview]: Configure Association to link virtual machines to user-defined Microsoft Defender for Cloud Data Collection Rule
  • [Preview]: Configure Association to link Arc machines to user-defined Microsoft Defender for Cloud Data Collection Rule

In Monitor | Data Collection Rules you will notice that the Data Collection Rule has been created for Windows, and only for Windows. But what does it look like?

So no logs are gathered. Select what you would like to ingest by checking the appropriate check boxes:

Finally, check the Event table in the Log Analytics workspace:

You can also add Data Collection Rules for Linux; they are just not added automatically as they are for Windows.
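
The "rule exists but no logs are gathered" state described above can be checked from a rule's JSON definition instead of the portal. This is an added example, not code from the original post: the function name `audit_dcr`, both sample rules and the placeholder workspace ID are constructed, and it assumes the standard DCR layout of `dataSources`, `destinations` and `dataFlows`, where the `Microsoft-Event` stream is the one that lands in the Event table.

```python
# Added example: audit a Data Collection Rule (DCR) JSON document for the
# "rule exists but gathers nothing" case. Both sample rules are constructed.

def audit_dcr(rule):
    """Return what a DCR collects and any gaps that stop data reaching a workspace."""
    props = rule.get("properties", rule)          # ARM shape or flattened shape
    sources = props.get("dataSources") or {}
    flows = props.get("dataFlows") or []

    # Destination names; a destination kind is either a list or a single object.
    dest_names = set()
    for kind in (props.get("destinations") or {}).values():
        for dest in kind if isinstance(kind, list) else [kind]:
            dest_names.add(dest.get("name"))

    # Streams produced by every configured data source, and streams that are routed.
    collected = {s for kind in sources.values() for src in kind
                 for s in src.get("streams", [])}
    routed = {s for flow in flows for s in flow.get("streams", [])}

    # Windows event channels: the part before "!" in each XPath query.
    channels = sorted({q.split("!", 1)[0]
                       for src in sources.get("windowsEventLogs", [])
                       for q in src.get("xPathQueries", [])})

    problems = []
    if not collected:
        problems.append("no data sources: nothing is collected")
    problems += [f"stream {s} is collected but has no data flow"
                 for s in sorted(collected - routed)]
    problems += [f"data flow references unknown destination {d}"
                 for flow in flows for d in flow.get("destinations", [])
                 if d not in dest_names]
    return {"collects": bool(collected), "channels": channels, "problems": problems}

# Constructed samples; the workspace resource ID is a placeholder.
DEST = {"logAnalytics": [{"name": "la", "workspaceResourceId": "<workspace-resource-id>"}]}
EMPTY_DCR = {"properties": {"dataSources": {}, "destinations": DEST, "dataFlows": []}}
CONFIGURED_DCR = {"properties": {
    "dataSources": {"windowsEventLogs": [{
        "name": "eventLogs", "streams": ["Microsoft-Event"],
        "xPathQueries": ["Application!*[System[(Level=1 or Level=2 or Level=3)]]",
                         "System!*[System[(Level=1 or Level=2)]]"]}]},
    "destinations": DEST,
    "dataFlows": [{"streams": ["Microsoft-Event"], "destinations": ["la"]}]}}

if __name__ == "__main__":
    for name, rule in (("empty", EMPTY_DCR), ("configured", CONFIGURED_DCR)):
        print(name, audit_dcr(rule))
```

A rule that reports `collects: False` or a non-empty `problems` list is a monitoring gap: the agent is installed and associated, but the workspace receives nothing from it.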