Azure Monitor Agent (AMA) vs Log Analytics Agent (part 1)

One security recommendation, also covered by Defender for Cloud, is to install the Log Analytics (LA) agent on all workloads that use Virtual Machines (e.g. everything from Cloud Services down to plain VMs). This was straightforward as long as there was a single agent, but currently we have two choices:

  • Azure Monitor Agent (AMA) – some features are in preview
  • Log Analytics Agent (Legacy Agent)

The legacy Log Analytics agent will be deprecated by August 2024. Migrate to Azure Monitor agent before August 2024 to continue ingesting data.

So there is not much time left to move to the Azure Monitor Agent, but always get confirmation (from Microsoft) that what you intend to rely on does not depend on PREVIEW functionality, and remember:

“Remember that you SHALL NEVER use non-GA services and features for production workloads. Private and Public Preview are for evaluation purposes only. Besides the lack of an SLA and formal support, there might be other issues that were not yet discovered or fixed. Think about the #ChaosDB vulnerability, which was caused by a CosmosDB feature that was in Public Preview.” More info.

To install the old Log Analytics Agent (Legacy Agent), we can use the following:

We can also use the built-in Azure Policies, such as:

  • Deploy Log Analytics extension for Linux VMs. See deprecation notice below
  • Deploy – Configure Log Analytics extension to be enabled on Windows virtual machines
  • Windows machines should have Log Analytics agent installed on Azure Arc
  • Configure Log Analytics extension on Azure Arc enabled Windows servers

Let’s move to the new Azure Monitor Agent (AMA). To install it, use the following extensions:

  • AzureMonitorLinuxAgent (version 1.15)
  • AzureSecurityLinuxAgent (version 2.0)
  • AzureMonitorWindowsAgent (version 1.2)
  • AzureSecurityWindowsAgent (version 1.0)

Alternatively, there is a single Policy Initiative you can use, named:

  • [Preview]: Configure machines to create the user-defined Microsoft Defender for Cloud pipeline using Azure Monitor Agent

If you previously used the legacy Log Analytics Agent, there is an official migration path. You can also install the new agent using policies. The installation on a Windows VM looks like this (first the Log Analytics Agent, then the Azure Monitor Agent):
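The two installations above (the legacy agent from the earlier section and the AMA extensions listed for the new agent), scripted with the Az PowerShell modules as an added example. This is not code from the original post; the resource group, VM name, location, workspace ID/key and Data Collection Rule ID are placeholders to replace, and the AMA side assumes a Data Collection Rule already exists that points at the second workspace.

```powershell
# Added example (not from the original post): installs the legacy Log Analytics Agent and the
# Azure Monitor Agent side by side on one Windows VM.
# Assumptions (placeholders, replace with your own): $rg, $vmName, $location,
# $laWorkspaceId / $laWorkspaceKey for the legacy agent, and $dcrId for a Data Collection Rule
# that already targets the second workspace. Requires Az.Accounts, Az.Compute and Az.Monitor
# and an active Connect-AzAccount session.

$rg             = 'rg-monitoring-demo'                      # placeholder
$vmName         = 'vm-win-01'                               # placeholder
$location       = 'westeurope'                              # placeholder
$laWorkspaceId  = '00000000-0000-0000-0000-000000000000'    # placeholder: workspace ID for the legacy agent
$laWorkspaceKey = '<workspace-primary-key>'                 # placeholder: keep in Key Vault, not in scripts
$dcrId = '/subscriptions/<sub-id>/resourceGroups/rg-monitoring-demo/providers/Microsoft.Insights/dataCollectionRules/dcr-win-events'  # placeholder

# 1. Legacy Log Analytics Agent (MicrosoftMonitoringAgent). The workspace key belongs in
#    ProtectedSettings, which the platform encrypts and never returns when the extension is read.
Set-AzVMExtension -ResourceGroupName $rg -VMName $vmName -Location $location `
    -Name 'MicrosoftMonitoringAgent' `
    -Publisher 'Microsoft.EnterpriseCloud.Monitoring' `
    -ExtensionType 'MicrosoftMonitoringAgent' `
    -TypeHandlerVersion '1.0' `
    -Settings @{ workspaceId = $laWorkspaceId } `
    -ProtectedSettings @{ workspaceKey = $laWorkspaceKey }

# 2. Azure Monitor Agent. It authenticates with the VM's managed identity instead of a shared
#    workspace key, so make sure a system-assigned identity is enabled first.
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
if (-not $vm.Identity -or "$($vm.Identity.Type)" -notmatch 'SystemAssigned') {
    Update-AzVM -ResourceGroupName $rg -VM $vm -IdentityType SystemAssigned | Out-Null
    $vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
}

Set-AzVMExtension -ResourceGroupName $rg -VMName $vmName -Location $location `
    -Name 'AzureMonitorWindowsAgent' `
    -Publisher 'Microsoft.Azure.Monitor' `
    -ExtensionType 'AzureMonitorWindowsAgent' `
    -TypeHandlerVersion '1.2' `
    -EnableAutomaticUpgrade $true

# 3. AMA sends nothing until a Data Collection Rule is associated; the DCR decides which
#    workspace receives the data (the second workspace in the scenario above).
#    Parameter names shown are those of Az.Monitor 3.x/4.x; Az.Monitor 5+ renamed them to
#    -ResourceUri and -DataCollectionRuleId.
New-AzDataCollectionRuleAssociation -TargetResourceId $vm.Id `
    -AssociationName 'dcra-win-events' `
    -RuleId $dcrId

# Show both extensions with their provisioning state.
Get-AzVMExtension -ResourceGroupName $rg -VMName $vmName |
    Select-Object Name, Publisher, TypeHandlerVersion, ProvisioningState
```

The order matters in one respect: the Data Collection Rule association is what routes AMA data to a workspace, so until step 3 completes the agent is installed but sends nothing, which is easy to mistake for a broken install.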

What happens then is that both agents run side by side and send data to two Log Analytics Workspaces, provided that a different workspace has been configured for the Azure Monitor Agent and for the Log Analytics Agent.

Finally, you can query against them (the first is the Log Analytics Agent, the second the Azure Monitor Agent; observe the Version column):


To check whether the Azure Monitor Agent is working, just look for MonAgentCore.exe:
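Both checks, the workspace query from the previous paragraph and the MonAgentCore.exe check from this one, as an added PowerShell example that is not code from the original post. Resource group, VM name and the two workspace IDs are placeholders; the query uses the Heartbeat table, where the Category column names the agent type and Version carries the agent build.

```powershell
# Added example (not from the original post): confirms that both agents are reporting in.
# Assumptions (placeholders): $rg, $vmName and the two workspace IDs. Requires Az.Accounts,
# Az.Compute and Az.OperationalInsights and an active Connect-AzAccount session.

$rg           = 'rg-monitoring-demo'   # placeholder
$vmName       = 'vm-win-01'            # placeholder
$workspaceIds = @(
    '00000000-0000-0000-0000-000000000000',   # placeholder: workspace used by the legacy agent
    '11111111-1111-1111-1111-111111111111'    # placeholder: workspace targeted by the AMA data collection rule
)

# Heartbeat rows carry the agent type in Category ("Direct Agent" for the legacy agent,
# "Azure Monitor Agent" for AMA) and the agent build in Version, so one query tells them apart.
# Computer is the guest hostname, which may differ from the Azure VM name; adjust the filter if so.
$kql = @"
Heartbeat
| where TimeGenerated > ago(1h)
| where Computer =~ '$vmName'
| summarize arg_max(TimeGenerated, Version, OSType) by Computer, Category
| project Computer, Category, Version, OSType, LastHeartbeat = TimeGenerated
"@

foreach ($id in $workspaceIds) {
    $result = Invoke-AzOperationalInsightsQuery -WorkspaceId $id -Query $kql
    Write-Host "Workspace $id"
    if (-not $result.Results) {
        Write-Warning "No heartbeat from $vmName in the last hour in workspace $id"
        continue
    }
    $result.Results | Format-Table Computer, Category, Version, OSType, LastHeartbeat -AutoSize
}

# Inside the guest, AMA runs as MonAgentCore.exe. Run Command executes the check through the
# Azure control plane, so no RDP session or inbound port is needed on the VM.
$check = Invoke-AzVMRunCommand -ResourceGroupName $rg -VMName $vmName `
    -CommandId 'RunPowerShellScript' `
    -ScriptString 'Get-Process -Name MonAgentCore -ErrorAction SilentlyContinue | Select-Object Name, Id, StartTime | Format-Table -AutoSize'

# Value[0] is stdout, Value[1] is stderr. An empty stdout means the process is not running.
if ([string]::IsNullOrWhiteSpace($check.Value[0].Message)) {
    Write-Warning "MonAgentCore.exe is not running on $vmName"
} else {
    $check.Value[0].Message
}
```

A heartbeat row for one agent but not the other points at configuration (no Data Collection Rule association, wrong workspace ID) rather than at the extension install itself, which is the first thing to rule out when the two agents are meant to write to different workspaces.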


If you work with Azure Policies and would like to trigger a policy evaluation, you can call the following API (even via the GUI, since there is an API Explorer):

https://docs.microsoft.com/en-us/rest/api/policy/policy-states/trigger-resource-group-evaluation
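The same evaluation triggered from PowerShell and followed by a compliance check, as an added example that is not from the original post. The resource group name is a placeholder; the cmdlet used wraps the trigger-resource-group-evaluation REST call linked above.

```powershell
# Added example (not from the original post): triggers policy evaluation for a resource group
# and then lists the VMs that are still non-compliant, so the agent policies from this post can
# be verified after deployment. Assumption (placeholder): $rg. Requires Az.Accounts and
# Az.PolicyInsights and an active Connect-AzAccount session.

$rg = 'rg-monitoring-demo'   # placeholder

# Equivalent to POST .../resourceGroups/{rg}/providers/Microsoft.PolicyInsights/policyStates/latest/triggerEvaluation
# The cmdlet blocks until the scan finishes; add -AsJob to run it in the background.
Start-AzPolicyComplianceScan -ResourceGroupName $rg

# After the scan, the latest compliance records are current. Restrict to non-compliant
# virtual machines, which is where a missing or misconfigured agent extension shows up.
$nonCompliant = Get-AzPolicyState -ResourceGroupName $rg `
    -Filter "ComplianceState eq 'NonCompliant' and ResourceType eq 'Microsoft.Compute/virtualMachines'"

if (-not $nonCompliant) {
    Write-Host "All virtual machines in $rg are compliant with the assigned policies."
} else {
    # PolicyDefinitionName is the definition GUID for built-in policies; the assignment name is
    # usually the more readable column.
    $nonCompliant |
        Select-Object ResourceId, PolicyAssignmentName, PolicyDefinitionName, ComplianceState |
        Format-Table -AutoSize
}
```

Triggering the scan right after deploying the agent extensions avoids waiting for the next scheduled evaluation cycle, which is the usual reason a freshly installed agent still shows as non-compliant in Defender for Cloud.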

Azure Monitor Agent docs:

https://learn.microsoft.com/en-us/azure/azure-monitor/agents/agents-overview