Deployment options for Azure Monitor agent on Azure Arc-enabled servers
Azure Monitor supports multiple methods to install the Azure Monitor agent and connect your machine or server registered with Azure Arc-enabled servers to the service. Azure Arc-enabled servers support the Azure VM extension framework, which provides post-deployment configuration and automation tasks, enabling you to simplify management of your hybrid machines like you can with Azure VMs.
The Azure Monitor agent is required if you want to:
- Analyze and alert using Azure Monitor
- Perform security monitoring in Azure by using Microsoft Defender for Cloud or Microsoft Sentinel
Note
Azure Monitor agent logs are stored locally and are updated after temporary disconnection of an Arc-enabled machine.
This article reviews the deployment methods for the Azure Monitor agent VM extension, across multiple production physical servers or virtual machines in your environment, to help you determine which works best for your organization. If you are interested in the new Azure Monitor agent and want to see a detailed comparison, see Azure Monitor agents overview.
Installation options
Review the different methods to install the VM extension using one method or a combination and determine which one works best for your scenario.
Use Azure Arc-enabled servers
This method supports managing the installation, management, and removal of VM extensions (including the Azure Monitor agent) from the Azure portal, using PowerShell, the Azure CLI, or with an Azure Resource Manager (ARM) template.
Advantages
- Can be useful for testing purposes
- Useful if you have a few machines to manage
Disadvantages
- Limited automation when using an Azure Resource Manager template
- Can only focus on a single Arc-enabled server, and not multiple instances
- Only supports specifying a single workspace to report to; requires using PowerShell or the Azure CLI to configure the Log Analytics Windows agent VM extension to report to up to four workspaces
- Doesn't support deploying the Dependency agent from the portal; you can only use PowerShell, the Azure CLI, or ARM template
Use Azure Policy
Azure Policy includes several prebuilt definitions related to Azure Monitor. For a complete list of the built-in policies in the Monitoring category, see Azure Policy built-in definitions for Azure Monitor.
Advantages
- Reinstalls the VM extension if removed (after policy evaluation)
- Identifies and installs the VM extension when a new Azure Arc-enabled server is registered with Azure
Disadvantages
- The Configure operating system Arc-enabled machines to run Azure Monitor Agent policy only installs the Azure Monitor agent extension and configures the agent to report to a specified Log Analytics workspace.
- Standard compliance evaluation cycle is once every 24 hours. An evaluation scan for a subscription or a resource group can be started with Azure CLI, Azure PowerShell, a call to the REST API, or by using the Azure Policy Compliance Scan GitHub Action. For more information, see Evaluation triggers.
Use Azure Automation
The process automation operating environment in Azure Automation and its support for PowerShell and Python runbooks can help you automate the deployment of the Azure Monitor agent VM extension at scale to machines in your environment.
Advantages
- Can use a scripted method to automate its deployment and configuration using scripting languages you're familiar with
- Runs on a schedule that you define and control
- Authenticate securely to Arc-enabled servers from the Automation account using a managed identity
Disadvantages
- Requires an Azure Automation account
- Experience authoring and managing runbooks in Azure Automation
- Must create a runbook based on PowerShell or Python, depending on the target operating system
Use Azure portal
The Azure Monitor agent VM extension can be installed using the Azure portal. See Automatic extension upgrade for Azure Arc-enabled servers for more information about installing extensions from the Azure portal.
Advantages
- Point and click directly from Azure portal
- Useful for testing with small set of servers
- Immediate deployment of extension
Disadvantages
- Not scalable to many servers
- Limited automation
Next steps
- To start collecting security-related events with Microsoft Sentinel, see onboard to Microsoft Sentinel.