13 Apr

Microsoft Operations Management Suite – powerful log analyzer in Azure (in 10 minutes for free)

Collecting and processing logs from all systems and network devices can be a nightmare for any systems admin. Searching through them and performing security audits can be a nightmare for security team if collector engine is not powerful enough to process queries in efficient time. Microsoft Operations Management Suite is interesting solution to answer both those problems and add much more analysis giving administrators visibility and control across on-premise and cloud installations.

Microsoft Operations Management Suite runs in Azure which means it’s extremely fast in processing the data. Millions of records are not problem for OMS so we can get Insights and Analytics of what is happening on our servers or workstations, detect and respond to threads or apply proper protection or even put in place some automation in controlling. It’s quick to setup and for many users it can be for free!

What is Microsoft Operations Management Suite?

Microsoft OMS is complex product so I won’t get into much details. Here are some key facts that everyone should know:

  • Microsoft OMS is fully hosted in Microsoft Azure. That means all collected data is stored on Azure but also computing power comes from Azure.
  • Agents run on endpoints like Windows and Linux operating systems and sends logs to central collector in Azure. It doesn’t matter if endpoint is in Azure, AWS, Google Cloud or on-premise installation.
  • But it also integrates with Azure services like Azure Automation or Azure Site Recovery
  • OMS do not accept “raw” syslog from devices, it always must go via agent.
  • It automatically scales with number of devices connected and logs processed
  • There is no need for an administrator to manually install latest features or security updates

The core OMS service is Log Analytics.

Microsoft Operations Management Suite Log Analytics Architecture

The diagram is from Microsoft OSM documentation

All collected data is stored in Azure in OMS Repository. This is internal storage not connected to your other Azure account. To send logs to OSM we need to install Agents on Windows and Linux systems. If we user SCOM solution in on-premise installation then we need no extra agents – SCOM Management Server will communicate to Log Analytics directly.

Management Solutions are adding more features to OMS providing us tools for better monitoring and auditing.

Microsoft Operations Management Suite Solutions

Microsoft Operations Management Suite Solutions

There are many services available now and Microsoft promise more to come.

Can such complex and powerful tool be available for free?

The more you look into OMS documentation you will start asking yourself such question. The answer is: yes, but of course with some limitations.

The Free tier let us upload 500MB of logs daily and OSM will keep them for 7 days. That may be lot of data or not depending on your network and number of connected sources. But often that might be enough for SMB companies. If you need more that Standalone tier is for you – you pay then only for data uploaded over Free tier limit daily and you get longer data retention window.

In OSM Tier pricing is per connected node and per feature used by nodes. Please refer to documentation for details

Microsoft Operations Management Suite Solutions Pricing model

Microsoft OMS Pricing model

How to start your journey with Microsoft OSM?

Setting up Microsoft OSM service and connecting at least one source takes about 10 minutes.

  1. Go to https://microsoft.com/oms
  2. Log into your Microsoft account
  3. Click “OK” to create Microsoft Operations Management Suite workspace
  4. Pick a name for the workspace – your workspace will be accessible via URL https://<workspace_name>.portal.mms.microsoft.com
  5. Select region where you want it to run, fill personal data, accept agreement and click “CREATE”
  6. You can connect OMS to your existing Azure subscription (or create new one). By selecting “Not Now” option you will process to free trial.

When we finish creating the portal we need to configure sources to send logs to OMS. If we use Windows or Linux servers or workstations we need to add OMS Agents that will collect and send logs to OMS Log Analytics. On dashboard select “Settings” blade and then select “Connected Sources”. By selecting either “Windows” or “Linux” option we get redirected to blade where we can download agent binaries. Those are right now available on x86 or x64_86 platforms which means it cannot be run on ARM processors used by many IoT devices like RaspberryPi.

It’s easy to install agents on both operating systems (don’t forget to install all dependent packages first on Linux, you can find list in agent documentation). Only input required from us is WORKSPACE ID and PRIMARY KEY which are easy to copy from text boxes. Agents are using port tcp/25226 to connect to Log Analytics so don’t forget to whitelist it on firewall if required.

Browsing through the logs

After few minutes, we will see our devices registered and logs collected. Volume of logs depends on logging level and how we use those servers. When agents send first logs, we can select “Log Search” blade and start running queries. You can start from predefined “All Collected Data” and then move to other, more specific ones.

Sample logs collected by Microsoft Operations Management Suite Solutions

Sample logs collected by Microsoft OSM

When you collect some more data from agents, you can start playing with other Solutions

Usage monitoring

One last thing you should control is usage of your plan, especially if you are Free Tier customer. On Dashboard, you will find “Usage” blade that contain all required information. Most important in Free Tier is data volume we are using over the time.


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.