I have noticed that no matter which deployment method I use (Portal or ARM template) to deploy an Azure VM in my Azure subscription, I always get two additional VM extensions installed by default. I have no intention of using OMS or Security Center for certain workloads I run on Azure, but having these two extensions hanging in a VM looked weird to me. The reason is I never installed them in the first place.
As you can see in the image below, the MicrosoftMonitoringAgent and Monitoring VM extensions are installed after a VM has been provisioned.
Security Center Data Collection from Azure VMs
When you enable Azure Security Center for your subscriptions in Azure, data collection is turned on by default. This setting provisions the Microsoft Monitoring Agent (which explains the auto-installed extension) on all Azure VMs in the subscription(s) and on any new VMs that you create. The Microsoft Monitoring Agent scans for security-related configurations and posts them into Event Tracing for Windows (ETW) traces. Any event logs raised by the guest OS are also read by the Microsoft Monitoring Agent and posted back to OMS.
If you are using the free tier of Microsoft Azure Security Center, data collection can be disabled in the Security Policy as below. Enabling data collection is required for any subscription that uses the Azure Security Center Standard tier.
Once I disabled the data collection, I got rid of the OMS agent that had been auto-provisioned in my Azure VMs. Also note that even though the data collection has been turned off, VM disk snapshots and artifact collection will still be enabled. However, Microsoft does recommend enabling data collection regardless of the Security Center tier your subscription is on.
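To confirm across several VMs that the extensions match the data collection setting you chose, the check below is an added example, not code from the original post. It assumes you have saved each VM's `az vm extension list` output as JSON with `name` and `provisioningState` fields; the VM names and sample data are constructed, and treating both extensions as removable when collection is off is an assumption.

```python
import json

# Extension names as shown on the page for the auto-provisioned agents.
AGENT_EXTENSIONS = {"MicrosoftMonitoringAgent", "Monitoring"}

# Constructed sample: VM name -> JSON as saved from `az vm extension list`
# (assumed shape: a list of objects with "name" and "provisioningState").
SAMPLE = {
    "web01": '[{"name": "MicrosoftMonitoringAgent", "provisioningState": "Succeeded"},'
             ' {"name": "Monitoring", "provisioningState": "Succeeded"}]',
    "web02": '[{"name": "Monitoring", "provisioningState": "Deleting"}]',
    "db01": '[{"name": "CustomScriptExtension", "provisioningState": "Succeeded"}]',
    "db02": '[]',
}


def agent_extensions(extensions_json):
    """Return {extension name: provisioning state} for the monitoring agents."""
    found = {}
    for ext in json.loads(extensions_json):
        name = ext.get("name", "")
        if name in AGENT_EXTENSIONS:
            found[name] = ext.get("provisioningState", "Unknown")
    return found


def audit(inventory, collection_expected):
    """Compare each VM against the intended data collection setting.

    collection_expected=False: data collection was turned off, so no agent
    extension should remain. True: both extensions should be present.
    """
    findings = {}
    for vm, raw in sorted(inventory.items()):
        present = agent_extensions(raw)
        if collection_expected:
            missing = sorted(AGENT_EXTENSIONS - present.keys())
            if missing:
                findings[vm] = "missing: " + ", ".join(missing)
        elif present:
            findings[vm] = "still installed: " + ", ".join(
                f"{n} ({s})" for n, s in sorted(present.items()))
    return findings


if __name__ == "__main__":
    for vm, note in audit(SAMPLE, collection_expected=False).items():
        print(f"{vm}: {note}")
```

Run it with `collection_expected=True` instead on subscriptions where data collection is required, to find VMs where an agent extension is absent.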
Microsoft has unveiled a new update rollup 8.0.11030.0 for the Microsoft Monitoring Agent (MMA) that fixes issues in the previous version of MMA. The fixes in this version include the following.
- Improved logging for HTTP connection issues
- Fix for high CPU utilization when you’re reading a Windows event that has an invalid message description
- Support for Azure US Government cloud
How to get update rollup version 8.0.11030.0 for Microsoft Monitoring Agent (KB3206063)?
This package is available as a manual download in the Microsoft Update Catalog. You can search for Microsoft Monitoring Agent, and the available updates will appear in the search results.
I have recently authored a whitepaper titled “Born in the Cloud: Monitoring Linux workloads with OMS” published by Savision. This whitepaper focuses on the Linux workload monitoring capabilities of Microsoft OMS, the born-in-the-cloud management suite which is capable of managing and protecting heterogeneous on-premises, cloud and hybrid data centers.
Following are the key areas of discussion in my whitepaper.
- What Microsoft Operations Management Suite is and how it can simplify data center management.
- Leveraging OMS Log Analytics to analyze, predict and protect your Linux workloads.
- Integrating System Center Operations Manager with OMS for extended monitoring.
- Harnessing the power of Business Service Monitoring of Savision Live Maps Unity in Microsoft OMS.
You can download this FREE whitepaper from here.
Savision is the market leader in business service and cloud management solutions for Microsoft System Center. Savision’s monitoring and visualizing capabilities bridge the gap between IT and business by transforming IT data into predictive, actionable and relevant information about the entire cloud and datacenter infrastructure. You can visit www.savision.com for more information about their product portfolio.