Overview on Azure Monitoring-Part4-Virtual Machines

This is the fourth part of the post series about the Azure cloud monitoring options for telemetry data. Here the topic is:

Find the other parts under:

Virtual machines data

VMs often play a central role in a cloud environment. When monitoring these, performance counters such as CPU or RAM usage are interesting, of course. But there quite a few more data options to collect from a virtual machine:

  • Performance counters
  • Boot diagnostics
  • Event Logs (Windows)
  • Sys Logs (Linux)
  • Crash dumps
  • Network traffic

The Event or Sys Logs are very important for further evaluation in security solutions such as the Azure Securtiy Center or Azure Sentinel.

VM Monitoring Agents

If telemetry data from virtual machines should be collected, the overview can be quickly lost here because of different needed agent software installations. There are currently 5 different software modules (agents) available to capture system logs, process information, or network traffic.

The agents have differences regarding the data they send, but they are also overlapping on the other side. Some work only on Azure and some also on-premises, natively or via Azure Arc.

Log Analytics agent

  • Sends data to the Log Analytics Workspace. Used for Update Management, Change Tracking, State configuration, Security Center, Azure Sentinel

Azure Monitor agent (preview)

  • Sends data to Azure Monitor. Used for Log collection and performance tracking

Diagnostics extension

  • Sends data to Storage, Az Monitor Metrics, Event Hub. Used to view logs, crash dumps, IIS logs

Dependency agent

  • Uses the log analytics Agent to send data. Used to view processes on a VM, external process dependencies or network metrics

Telegraf agent (Linux)

  • Sends data to Azure Monitor Metrics. Used for performance tracking

Typically, a Log Analytics Workspace Agent is used at the moment, which is planned to be replaced by the Azure Monitor agent (currently in preview)

More detailed descriptions can be found at agents-overview

To have an overview how the VM monitoring can look like in a system architecture, see following picture:

VMs can be monitored (with Agent installed) on their own, regardless they are in the cloud or on-premises. Also an integration over a SCOM installation is possible and data from a collecting storage account (e.g. boot diagnostics) can be integrated “back” to the Log Analytics Workspace again.

Agent installation:

There are several options to install the agent software on the virtual machines:

  • Manually via the installation packages
  • With Azure Policy
  • Via auto provisioning setup in the Azure security center (uses Deploy if not exists policy under the hood)
  • With DSC configuration
  • Through an activated virtual machine extension

For more detailed information including requirements on network, firewall and proxy configuration check:


Regardless which option was chosen for installation, the Agents must be configured to be able to send the data to the workspace. To accomplish that, the workspace ID and the key is required, which can be found in the Agents management section of the workspace resource:

Previous part

Next part

Leave a comment

Your email address will not be published. Required fields are marked *