1
00:00:01,540 --> 00:00:04,480
[Autogenerated] Now, I had mentioned with Azure Arc that you

2
00:00:04,480 --> 00:00:07,170
need the Connected Machine agent, and then I mentioned

3
00:00:07,170 --> 00:00:09,500
something called the Log Analytics agent

4
00:00:09,500 --> 00:00:10,420
to onboard

5
00:00:10,420 --> 00:00:15,660
an Azure VM or non-Azure VM for monitoring within Azure and also to use

6
00:00:15,660 --> 00:00:19,370
some of the Azure-based configuration management products.

7
00:00:19,370 --> 00:00:23,950
Well, this is a bit confusing. Unfortunately, Microsoft has a penchant for

8
00:00:23,950 --> 00:00:27,660
naming and renaming and re-renaming their products.

9
00:00:27,660 --> 00:00:33,280
So honestly, on your exam, your AZ-801, I'm not sure what

10
00:00:33,280 --> 00:00:35,150
nomenclature you'll actually see.

11
00:00:35,150 --> 00:00:40,260
So let me give it all to you: the Microsoft Monitoring Agent, or MMA for short,

12
00:00:40,260 --> 00:00:44,870
also called the Azure Monitor Agent, also called the Log Analytics agent,

13
00:00:44,870 --> 00:00:46,870
also called the

14
00:00:46,870 --> 00:00:47,140
MS

15
00:00:47,140 --> 00:00:52,380
agent, are all synonyms for an MSI Windows Installer package that

16
00:00:52,380 --> 00:00:57,220
onboards that Azure or non-Azure machine to work with the Log Analytics

17
00:00:57,220 --> 00:01:01,680
platform, and Log Analytics is the main telemetry, log aggregation,

18
00:01:01,680 --> 00:01:04,020
monitoring platform in Microsoft

19
00:01:04,020 --> 00:01:07,940
Azure. Okay, now if you've worked with Azure VMs for a while,

20
00:01:07,940 --> 00:01:11,470
particularly since before Log Analytics came around,

21
00:01:11,470 --> 00:01:14,630
there was the Azure Diagnostics extension that you would

22
00:01:14,630 --> 00:01:18,970
enable on your Azure VMs to gain access to the event logs

23
00:01:18,970 --> 00:01:20,640
and Performance Monitor counters.

24
00:01:20,640 --> 00:01:20,950
Well,

25
00:01:20,950 --> 00:01:24,760
that's really, the Azure Diagnostics extension really isn't

26
00:01:24,760 --> 00:01:29,550
necessary nowadays in the Azure world because we can capture just

27
00:01:29,550 --> 00:01:33,780
about anything you want from the VM using the Microsoft Monitoring

28
00:01:33,780 --> 00:01:35,740
Agent, but it is still available.

29
00:01:35,740 --> 00:01:38,070
It's called guest OS diagnostics.

30
00:01:38,070 --> 00:01:43,260
Can you enable both the Log Analytics agent and the Azure Diagnostics extension?

31
00:01:43,260 --> 00:01:47,360
Yes, you can. I talked to Microsoft about that a couple of years ago, and

32
00:01:47,360 --> 00:01:51,800
they claim that neither agent is particularly resource intensive, but

33
00:01:51,800 --> 00:01:55,390
they did admit that there's going to be some overlapping duties if you

34
00:01:55,390 --> 00:01:57,540
have both extensions installed.

35
00:01:57,540 --> 00:02:03,030
I created this conceptual diagram of Azure Log Analytics using Lucidchart,

36
00:02:03,030 --> 00:02:05,940
my favorite diagramming tool, and the promise of Log

37
00:02:05,940 --> 00:02:08,410
Analytics is to give you a single pane of glass,

38
00:02:08,410 --> 00:02:09,990
so to speak, for your monitoring.

39
00:02:09,990 --> 00:02:15,640
So we've got, in Azure, other clouds, your local data center enterprise,

40
00:02:15,640 --> 00:02:18,880
you've got resources that are emitting log data.

41
00:02:18,880 --> 00:02:20,080
What is log data?

42
00:02:20,080 --> 00:02:23,320
Well, normally a log is going to record events, and in Windows,

43
00:02:23,320 --> 00:02:27,790
you've got your event log, and then you also have time-sampled metric data.

44
00:02:27,790 --> 00:02:29,830
Think of Performance Monitor counters.

45
00:02:29,830 --> 00:02:31,990
Now, those are also persisted in logs.

46
00:02:31,990 --> 00:02:36,670
Those logs may be in any number of different data representation formats:

47
00:02:36,670 --> 00:02:42,030
XML, CSV, proprietary. Doesn't matter, though, because the bottom line

48
00:02:42,030 --> 00:02:46,800
is if you can get those resources to send their logs into Log

49
00:02:46,800 --> 00:02:50,420
Analytics, which is an Azure resource that can be looked at as a

50
00:02:50,420 --> 00:02:53,380
massively scalable data warehouse,

51
00:02:53,380 --> 00:02:58,310
Log Analytics can ingest those logs from the various sources and convert

52
00:02:58,310 --> 00:03:02,740
them into what look and act like database tables with columns and rows.

53
00:03:02,740 --> 00:03:07,780
And yes, there is a custom log model where you, for instance, can have your

54
00:03:07,780 --> 00:03:12,480
line-of-business application logs, ingest those into Log Analytics as well,

55
00:03:12,480 --> 00:03:16,750
and you can structure the resulting Log Analytics virtual table. Check the

56
00:03:16,750 --> 00:03:20,140
exercise files because I give you a link to that if you're interested.

57
00:03:20,140 --> 00:03:22,920
So the idea is that once you've got your resources

58
00:03:22,920 --> 00:03:25,750
sending their log data into Log Analytics,

59
00:03:25,750 --> 00:03:29,860
you have this query language Microsoft developed called Kusto Query

60
00:03:29,860 --> 00:03:36,050
Language, KQL, that is reminiscent of Structured Query Language, SQL. It's

61
00:03:36,050 --> 00:03:40,890
reminiscent of the Splunk search language, where you can write queries against

62
00:03:40,890 --> 00:03:46,420
any combination of those tables. You will see KQL on most of the Azure

63
00:03:46,420 --> 00:03:52,590
exams, including potentially AZ-801, so I'll make sure to do a bit more with

64
00:03:52,590 --> 00:03:54,400
KQL in my demos.

65
00:03:54,400 --> 00:03:57,460
But the great promise here is that once you've learned

66
00:03:57,460 --> 00:04:01,810
KQL, you then can unlock rich reporting and alerting across your

67
00:04:01,810 --> 00:04:03,360
hybrid cloud infrastructure.

68
00:04:03,360 --> 00:04:07,030
It's a very nice thing, and you'll also find in the Azure ecosystem

69
00:04:07,030 --> 00:04:10,440
that KQL crops up in other related contexts.

70
00:04:10,440 --> 00:04:12,930
For example, there's Application Insights;

71
00:04:12,930 --> 00:04:16,070
that's the Azure application performance monitoring, or

72
00:04:16,070 --> 00:04:20,700
APM, tool, and you use KQL in there. If you're familiar with Azure Sentinel,

73
00:04:20,700 --> 00:04:24,950
the security platform, threat hunting capability and Azure Sentinel is

74
00:04:24,950 --> 00:04:28,480
powered by KQL. Within Azure Resource Manager itself,

75
00:04:28,480 --> 00:04:30,990
there's the Resource Graph that's responsible for

76
00:04:30,990 --> 00:04:33,190
indexing all of your resources.

77
00:04:33,190 --> 00:04:35,400
Again, KQL to the rescue.

78
00:04:35,400 --> 00:04:43,000
So this is a query language that you definitely want to learn, even if you weren't a Microsoft certification candidate