1
00:00:01,040 --> 00:00:02,390
Alright, let's do this.

2
00:00:02,390 --> 00:00:03,530
In this demonstration,

3
00:00:03,530 --> 00:00:07,270
we'll work with configuring off‑cloud and on‑cloud

4
00:00:07,270 --> 00:00:09,650
machines for monitoring within Azure.

5
00:00:09,650 --> 00:00:12,210
I'm going to focus specifically on Log Analytics.

6
00:00:12,210 --> 00:00:15,590
Alright, so let's open up the portal, jump in here,

7
00:00:15,590 --> 00:00:18,930
and I'm going to start by going to my Log Analytics workspace.

8
00:00:18,930 --> 00:00:21,900
Now how many workspaces do you need in your organization?

9
00:00:21,900 --> 00:00:23,750
I would say start with one.

10
00:00:23,750 --> 00:00:26,310
Start with two if you're going to use Azure Sentinel.

11
00:00:26,310 --> 00:00:28,540
Sentinel needs its own workspace.

12
00:00:28,540 --> 00:00:29,100
From there,

13
00:00:29,100 --> 00:00:32,690
it's going to be a question of whether you need to silo monitoring data.

14
00:00:32,690 --> 00:00:35,940
I just have one workspace here in my subscription,

15
00:00:35,940 --> 00:00:40,450
and I want to start by coming down under Workspace Data Sources,

16
00:00:40,450 --> 00:00:41,580
Virtual Machines,

17
00:00:41,580 --> 00:00:45,410
and what this will do is enumerate all Windows and Linux virtual

18
00:00:45,410 --> 00:00:48,220
machines across all regions and subscriptions.

19
00:00:48,220 --> 00:00:50,840
It's going to be a tenant‑wide view,

20
00:00:50,840 --> 00:00:55,150
and to connect an Azure VM to the workspace from here

21
00:00:55,150 --> 00:00:59,080
is just as easy as selecting the VM, clicking Connect,

22
00:00:59,080 --> 00:01:03,490
and Azure deploys the Log Analytics agent to that machine.

23
00:01:03,490 --> 00:01:04,300
Alright.

24
00:01:04,300 --> 00:01:07,380
You also could create a reference during deployment,

25
00:01:07,380 --> 00:01:08,840
like I mentioned earlier,

26
00:01:08,840 --> 00:01:14,140
in your ARM template or your Bicep script to inject and onboard the machine.

27
00:01:14,140 --> 00:01:18,640
There is just, there is no one really canonical way to go.

28
00:01:18,640 --> 00:01:23,520
Now can a machine report to more than one Log Analytics workspace?

29
00:01:23,520 --> 00:01:25,220
As of this recording, yes,

30
00:01:25,220 --> 00:01:29,810
but only Windows can do multi‑homing and you configure that in Control Panel,

31
00:01:29,810 --> 00:01:31,600
which I'll show you momentarily.

32
00:01:31,600 --> 00:01:34,570
Alright, so this is for Azure virtual machines.

33
00:01:34,570 --> 00:01:39,540
Now, if you've historically been using the Azure Diagnostics extension,

34
00:01:39,540 --> 00:01:43,640
you have all of your diagnostic stuff in storage accounts.

35
00:01:43,640 --> 00:01:47,210
You can still capitalize on that historical data here.

36
00:01:47,210 --> 00:01:50,680
Notice that there is an entry for Storage account logs.

37
00:01:50,680 --> 00:01:55,960
So you can onboard storage accounts and pull that log data directly from

38
00:01:55,960 --> 00:02:00,130
there and then report on it singly in Log Analytics,

39
00:02:00,130 --> 00:02:02,420
which I think is really fantastic.

40
00:02:02,420 --> 00:02:03,640
Similarly,

41
00:02:03,640 --> 00:02:07,150
your System Center Operations Manager and System Center

42
00:02:07,150 --> 00:02:10,750
Config Manager Management Groups, you can onboard those,

43
00:02:10,750 --> 00:02:15,340
it's actually operations manager and take advantage of that

44
00:02:15,340 --> 00:02:19,420
historical data in an off‑cloud on‑premises environment.

45
00:02:19,420 --> 00:02:24,740
Now, next, let's go up to Settings, Agents management,

46
00:02:24,740 --> 00:02:27,960
and this is where we can download the Windows agent,

47
00:02:27,960 --> 00:02:33,040
as well as Linux agent, and there are some instructions here.

48
00:02:33,040 --> 00:02:37,630
The bottom line is you want to make sure to provide the workspace ID for

49
00:02:37,630 --> 00:02:41,770
your workspace and either the primary or secondary key.

50
00:02:41,770 --> 00:02:45,890
Now these keys you should regenerate regularly because they're sensitive

51
00:02:45,890 --> 00:02:50,040
and they're displayed here in the portal in plain text.

52
00:02:50,040 --> 00:02:55,550
The Log Analytics Gateway is simply a Windows service that acts as a proxy.

53
00:02:55,550 --> 00:02:59,370
So this is the solution to the problem where you have on‑premises

54
00:02:59,370 --> 00:03:02,790
machines that are behind special network restrictions.

55
00:03:02,790 --> 00:03:06,310
As long as they can communicate with the Log Analytics Gateway

56
00:03:06,310 --> 00:03:08,740
on‑prem that can get out to the internet,

57
00:03:08,740 --> 00:03:12,840
that gateway can forward the Log Analytics client data,

58
00:03:12,840 --> 00:03:17,440
the log, whatever you configure here under Agents configuration,

59
00:03:17,440 --> 00:03:19,290
will send it into the workspace.

60
00:03:19,290 --> 00:03:22,610
And then here under Agents configuration,

61
00:03:22,610 --> 00:03:26,110
you specify what event logs and the verbosity of the

62
00:03:26,110 --> 00:03:27,900
logs that you want to capture,

63
00:03:27,900 --> 00:03:32,440
performance monitor counters and their associated sample rate.

64
00:03:32,440 --> 00:03:35,440
You can do the same thing for Linux machines.

65
00:03:35,440 --> 00:03:38,740
Again for Linux, there are Syslog data sources,

66
00:03:38,740 --> 00:03:41,560
and then for IIS, Windows and Linux,

67
00:03:41,560 --> 00:03:46,540
you can collect W3C IIS log files from those machines.

68
00:03:46,540 --> 00:03:49,580
So that's the extent of the configuration there.

69
00:03:49,580 --> 00:03:51,610
Let me minimize the browser here.

70
00:03:51,610 --> 00:03:55,640
I'm pretty sure I've already installed the monitoring agent on this machine.

71
00:03:55,640 --> 00:03:57,670
We'll find out when I click Next.

72
00:03:57,670 --> 00:03:59,740
Yes, it says Repair.

73
00:03:59,740 --> 00:04:02,160
It's just basically a Next, Next, Finish.

74
00:04:02,160 --> 00:04:04,360
The only thing it'll ask you for that you'll need,

75
00:04:04,360 --> 00:04:08,640
as I said before, is you'll need to paste in the workspace ID,

76
00:04:08,640 --> 00:04:13,340
as well as either the primary or the secondary API key.

77
00:04:13,340 --> 00:04:18,240
On Windows, you'll then want to go into the old‑fashioned Control Panel,

78
00:04:18,240 --> 00:04:23,940
not the newer Settings application, and go to Microsoft Monitoring Agent,

79
00:04:23,940 --> 00:04:27,380
and here, we have what I already told you about,

80
00:04:27,380 --> 00:04:29,080
a reference to OMS.

81
00:04:29,080 --> 00:04:31,640
This is actually Log Analytics,

82
00:04:31,640 --> 00:04:36,040
and this is where you can multi‑home a Windows server system.

83
00:04:36,040 --> 00:04:39,760
Right now, I'm already connected to my workspace,

84
00:04:39,760 --> 00:04:41,610
but I can add an additional one.

85
00:04:41,610 --> 00:04:43,060
Why would I want to do this?

86
00:04:43,060 --> 00:04:46,760
Well, for example, I might want this machine to report,

87
00:04:46,760 --> 00:04:51,840
not only to my Log Analytics workspace for infrastructure monitoring,

88
00:04:51,840 --> 00:04:55,030
but I might have a separate workspace that's associated with

89
00:04:55,030 --> 00:04:57,860
Azure Sentinel for security‑specific monitoring,

90
00:04:57,860 --> 00:04:58,640
you see.

91
00:04:58,640 --> 00:04:59,990
So that is that.

92
00:04:59,990 --> 00:05:01,940
So far so good, right.

93
00:05:01,940 --> 00:05:05,090
I had mentioned that for a deeper integration between

94
00:05:05,090 --> 00:05:08,220
off‑cloud machines and Azure Resource Manager,

95
00:05:08,220 --> 00:05:09,420
there is Azure Arc.

96
00:05:09,420 --> 00:05:12,540
So let's go over to Azure Arc Servers.

97
00:05:12,540 --> 00:05:16,080
I have a couple of my on‑premises machines already connected.

98
00:05:16,080 --> 00:05:21,040
Let's click Add, and I'm going to generate a script for a single server here.

99
00:05:21,040 --> 00:05:25,390
So what we're going to do is wind up creating a resource in our Subscription

100
00:05:25,390 --> 00:05:29,010
and Resource group hierarchy for this off‑cloud machine.

101
00:05:29,010 --> 00:05:32,540
We provide an Azure region that's associated and what

102
00:05:32,540 --> 00:05:35,040
operating system we're dealing with.

103
00:05:35,040 --> 00:05:38,480
We could communicate with the remote machine for

104
00:05:38,480 --> 00:05:41,460
Azure Arc using a private endpoint.

105
00:05:41,460 --> 00:05:45,740
I'm going to do the public over the internet, though, with HTTPS.

106
00:05:45,740 --> 00:05:49,740
We've got some taxonomic tags, I'll leave all that at the default,

107
00:05:49,740 --> 00:05:53,140
and then I'll download the onboarding script,

108
00:05:53,140 --> 00:05:56,190
which as you can see, it shows you what's going on here,

109
00:05:56,190 --> 00:06:00,220
basically it's just opening up a web request to pull down a

110
00:06:00,220 --> 00:06:05,200
Bootstrapper that then orchestrates the installation of what's

111
00:06:05,200 --> 00:06:07,320
called the Connected Machine Agent.

112
00:06:07,320 --> 00:06:11,250
Remember that for your AZ‑801 exam, okay?

113
00:06:11,250 --> 00:06:13,590
It's called the Connected Machine Agent,

114
00:06:13,590 --> 00:06:17,380
and that's specifically for Azure Arc for Servers or

115
00:06:17,380 --> 00:06:20,140
Arc‑enabled servers technically.

116
00:06:20,140 --> 00:06:25,020
So now let me open up an elevated Windows PowerShell console,

117
00:06:25,020 --> 00:06:31,230
and I'll go into Downloads and verify that it's there.

118
00:06:31,230 --> 00:06:32,340
Let's see.

119
00:06:32,340 --> 00:06:33,790
Onboarding script, right.

120
00:06:33,790 --> 00:06:38,340
Well let me Get‑ExecutionPolicy Bypass so it'll work.

121
00:06:38,340 --> 00:06:44,030
I'll do .\OnboardingScript.ps1 and it's going to give

122
00:06:44,030 --> 00:06:47,410
us verbose output here by default, which is cool.

123
00:06:47,410 --> 00:06:50,570
It's going to pause and ask us to sign in because,

124
00:06:50,570 --> 00:06:51,020
of course,

125
00:06:51,020 --> 00:06:54,280
we don't want to give anybody the ability to onboard

126
00:06:54,280 --> 00:06:57,120
an off‑cloud VM into Azure Arc,

127
00:06:57,120 --> 00:06:59,890
so we're going to need specific role‑based access

128
00:06:59,890 --> 00:07:02,540
control authorization to do so,

129
00:07:02,540 --> 00:07:07,340
and we'll use a device code based flow in just a moment.

130
00:07:07,340 --> 00:07:18,000
Here we go.
So let me copy that code in and let me point my browser to aka.ms/devicelogin.