This blog post will start off a series of blog posts about Operations Management Suite (OMS or Log Analytics), which, as the latter name suggests, is a log analytics engine that ingests events from the data sources you provide and offers a very nice searchable interface where you can audit your infrastructure wherever it is.
OMS/Log Analytics is an Azure service that provides out-of-the-box data source analytics without any hassle or software configuration. Plainly said, it just works as long as you enroll your servers and configure what it should collect / monitor. Think of this service as a System Center Operations Manager add-on (NOT a replacement) that gives you the capability of security auditing, change tracking, AD configuration / monitoring, network flow and so on. This service existed a long time ago in another form, and some of you may remember System Center Advisor, which was a configurable option in your SCOM instance that provided a type of baseline best-practice analysis for your Windows Servers, SQL instances and Active Directory servers.
After some time and a less than ideal adoption rate of the service, Microsoft decided that it was not on par with market demand and would re-launch the product. From my point of view, the cause of the less than ideal adoption was that this was happening in an “era” where people were not on the best of terms with the “cloud”. After some time of re-thinking the solution, Microsoft re-launched the service under a new name, with a new engine and new capabilities that targeted something System Center Operations Manager couldn’t do with ease (some of you may know that creating event-based monitoring in SCOM is a pain in the backside), and Log Analytics/OMS was re-born.
At this moment Log Analytics doesn’t replace System Center Operations Manager, and from my point of view it will not be able to replace it any time soon. This SaaS offering is basically a supplemental type of monitoring solution that can be used to monitor your cloud instances (Azure, AWS, Google, on-premise services), Office 365 tenant, Azure Automation, Azure Backup and more; a lot more is coming while other solutions are in preview.
In order to start using OMS, you first need to go to your Azure subscription and provision a Log Analytics service. After that, log in to your freshly deployed instance and go to data sources, where you will be able to download 32-bit and 64-bit versions of the on-premise agent for Windows and Linux. There you will also find the workspace ID and key, which you will need when you’re enrolling your on-premise servers.
Once provisioned, you will be able to log in from the Azure Portal and you will be greeted with a general overview dashboard. From there you will be able to enroll your on-premise servers or Azure/AWS compute instances for data ingestion, set up alerts, create specific dashboards, monitor your usage and see your estimated cost (if applicable), or add solutions from the solution gallery.
In the screenshot down below, you can see how many solutions are available for use in the Solutions Gallery.
You may think that the solutions gallery doesn’t contain many things that may be of interest to you, but do remember that this is not a replacement for your traditional monitoring solution. It will get there some time, but not right now.
The more solutions you deploy, the more data OMS will be receiving and aggregating from your systems, and that data may be of use to you for security audits, change tracking or your regular event log searching for RCAs. For that, Log Analytics gives you the power of querying that data using a query language that’s documented here: https://azure.microsoft.com/en-us/documentation/articles/log-analytics-log-searches/
In OMS you can set up alerts based on specific queries. This is something you can also do in System Center Operations Manager, but there you need to create either a monitor or a rule, whereas here you just need to set up a specific query and then create the alert on it, which is by far the simplest way to get an alert.
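As an added illustration (not a query from the original post), here is the kind of security-audit search an alert can be built on, written in the legacy OMS search syntax that was current when this post was written (today the same workspace uses Kusto/KQL instead). It assumes the Security and Audit solution is collecting Windows security events; 4625 is the Windows “failed logon” event ID.

```text
Type=SecurityEvent EventID=4625 TimeGenerated>NOW-24HOURS | measure count() by Account
```

Saving this search and creating an alert on it with a threshold on the per-account count turns a simple query into a brute-force/spray detection without writing a SCOM rule or monitor.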
Now that we know a little about OMS, how do we start using it, and how much does it cost?
Cost wise, Log Analytics has three plans:
1. Free Plan – This plan is good for starting small and playing with OMS without adding any cost. It can work with small deployments in the long term, but it has some limitations. You have a daily limit of 500MB of data that can be ingested, and the retention period is 7 days. Once you reach the 500MB daily limit, OMS stops ingesting data and resumes after the day has passed.
2. Standard Plan – This plan doesn’t limit your data ingestion, but it will charge you for each gigabyte of data you send to OMS. The retention period of this plan is 30 days.
3. Premium Plan – This is the most expensive plan in the offering, and the only difference is that it retains your data for 12 months, which can be very good for doing audits and monitoring baselines.
Azure/AWS compute instances (Windows or Linux) can also be enrolled in Log Analytics, and the fun part is that Azure VMs can also be enrolled during the provisioning process by using an ARM template (I will write a short blog post at a later date about how you can do that).
Well I hope this small introduction was of use 🙂
Have a good one!