Note
Azure Linux with OS Guard (preview) is being replaced by Azure Container Linux (ACL).
Azure Container Linux is the long‑term, immutable, container‑optimized Linux operating system (OS) for Azure Kubernetes Service (AKS). It provides a secure, minimal, and operationally consistent host OS designed to run containerized workloads at scale.
For more information, see the Azure Container Linux (ACL) overview.
In this tutorial, part four of five, you learn how to:
- Enable Container Insights to monitor your existing cluster.
- Verify the agent is deployed successfully.
- Verify the solution is enabled.
In the next tutorial, you learn how to upgrade your Azure Linux nodes.
Prerequisites
- In previous tutorials, you created and deployed an Azure Linux with OS Guard cluster. To complete this tutorial, you need an existing cluster. If you haven't completed this step and want to follow along, start with Tutorial 1: Create a cluster with Azure Linux with OS Guard for AKS.
- If you're connecting an existing AKS cluster to a Log Analytics workspace in another subscription, you need to register the Microsoft.ContainerService resource provider in the subscription with the Log Analytics workspace. For more information, see Register resource provider.
- You need the latest version of Azure CLI. Use the az version command to find the version. To upgrade to the latest version, use the az upgrade command.
Azure Linux with OS Guard considerations and limitations
Before you begin, review the following considerations and limitations for Azure Linux with OS Guard (preview):
- Kubernetes version 1.32.0 or higher is required for Azure Linux with OS Guard.
- All Azure Linux with OS Guard images have Federal Information Processing Standard (FIPS) and Trusted Launch enabled.
- Azure CLI and ARM templates are the only supported deployment methods for Azure Linux with OS Guard on AKS in preview. PowerShell and Terraform aren't supported.
- NodeImage and None are the only supported operating system (OS) upgrade channels for Azure Linux with OS Guard on AKS. Unmanaged and SecurityPatch are incompatible with Azure Linux with OS Guard due to the immutable /usr directory.
- Artifact Streaming isn't supported.
- Pod Sandboxing isn't supported.
- Confidential Virtual Machines (CVMs) aren't supported.
- Gen 1 virtual machines (VMs) aren't supported.
Connect to your cluster
Before enabling monitoring, make sure you're connected to the correct cluster. Use the az aks get-credentials command to get the credentials for your Azure Linux with OS Guard cluster and configure kubectl to use them.
az aks get-credentials --resource-group $RESOURCE_GROUP --name $CLUSTER_NAME
Enable monitoring
You can enable monitoring for your Azure Linux with OS Guard cluster using a default Log Analytics workspace or by specifying a Log Analytics workspace. The following steps show you how to enable monitoring for your cluster using either method.
Option 1: Use a default Log Analytics workspace
Use the following commands to check if the monitoring add-on is already enabled for your cluster. If it isn't, the command enables monitoring for your Azure Linux with OS Guard cluster using a default Log Analytics workspace in the default resource group of the AKS cluster subscription. If one doesn't already exist in the region, the default workspace created resembles the following format: DefaultWorkspace-<GUID>-<Region>.
# Check if monitoring addon is already enabled
MONITORING_ENABLED=$(az aks show --resource-group $RESOURCE_GROUP --name $CLUSTER_NAME --query "addonProfiles.omsagent.enabled" -o tsv)
if [ "$MONITORING_ENABLED" != "true" ]; then
  az aks enable-addons --addons monitoring --name $CLUSTER_NAME --resource-group $RESOURCE_GROUP
fi
Option 2: Specify a Log Analytics workspace
You can specify a Log Analytics workspace to enable monitoring of your Azure Linux with OS Guard cluster. The resource ID of the workspace is in the following format: "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.OperationalInsights/workspaces/<workspace-name>".
az aks enable-addons --addons monitoring --name $CLUSTER_NAME --resource-group $RESOURCE_GROUP --workspace-resource-id <workspace-resource-id>
Verify agent and solution deployment
Verify the agent is deployed successfully using the following command:
kubectl get ds ama-logs --namespace=kube-system
Example output:
NAME       DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR   AGE
ama-logs   3         3         3       3            3           <none>          3m22s
Verify deployment of the solution using the following command:
kubectl get deployment ama-logs-rs -n=kube-system
Example output:
NAME          DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
ama-logs-rs   1         1         1            1           3h
Verify solution configuration
Get the configuration of the solution using the az aks show command. With this command, you can check if the solution is enabled, what the Log Analytics workspace resource ID is, and get summary information about the cluster.
az aks show --resource-group $RESOURCE_GROUP --name $CLUSTER_NAME --query "addonProfiles.omsagent"
After a few minutes, the command completes and returns JSON-formatted information about the solution. The results of the command should show the monitoring add-on profile and resemble the following example output:
{
  "config": {
    "logAnalyticsWorkspaceResourceID": "/subscriptions/xxxxx/resourceGroups/xxxxx/providers/Microsoft.OperationalInsights/workspaces/xxxxx"
  },
  "enabled": true
}
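The checks in the two verification sections above can be scripted so that a node without a ready agent, or logs flowing to a workspace other than the one you intended, is caught instead of read past. This is an added example, not part of the original tutorial; the function names, the second --query path (derived from the JSON shown above), and all sample values are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: checks for the outputs this tutorial inspects by eye.
# Function names and all sample values below are constructed.

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# $1 = output of: kubectl get ds ama-logs --namespace=kube-system
# Succeeds only when DESIRED is non-zero and equals READY (agent on every node).
ds_all_ready() {
  printf '%s\n' "$1" | awk 'NR == 2 { found = 1; ok = ($2 > 0 && $2 == $4) }
                            END { exit !(found && ok) }'
}

# Succeeds when $1 has the workspace resource ID shape given in Option 2.
# Azure resource IDs are case-insensitive, hence grep -i.
workspace_id_valid() {
  printf '%s\n' "$1" | grep -Eiq \
    '^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\.OperationalInsights/workspaces/[^/]+$'
}

# $1 = enabled flag, $2 = workspace ID the cluster reports, $3 = ID you intended.
monitoring_ok() {
  [ "$1" = "true" ] || return 1
  workspace_id_valid "$2" || return 1
  [ "$(lower "$2")" = "$(lower "$3")" ]
}

# Live inputs would come from the commands on this page, for example:
#   ENABLED=$(az aks show --resource-group "$RESOURCE_GROUP" --name "$CLUSTER_NAME" \
#     --query "addonProfiles.omsagent.enabled" -o tsv)
#   ACTUAL=$(az aks show --resource-group "$RESOURCE_GROUP" --name "$CLUSTER_NAME" \
#     --query "addonProfiles.omsagent.config.logAnalyticsWorkspaceResourceID" -o tsv)

# Constructed sample data so the script runs offline.
DS_GOOD='NAME       DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR   AGE
ama-logs   3         3         3       3            3           <none>          3m22s'
DS_GAP='NAME       DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR   AGE
ama-logs   3         3         2       3            2           <none>          40s'
WANT='/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-logs/providers/Microsoft.OperationalInsights/workspaces/law-sec'
OTHER='/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-other/providers/Microsoft.OperationalInsights/workspaces/law-other'

if ds_all_ready "$DS_GOOD"; then echo "agent: ready on all nodes"; fi
if ! ds_all_ready "$DS_GAP"; then echo "agent: coverage gap"; fi
if ! monitoring_ok true "$OTHER" "$WANT"; then echo "logs go to an unexpected workspace"; fi
```

A DaemonSet that reports fewer READY than DESIRED pods means at least one node is not shipping container logs, which is worth alerting on in its own right.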
Next step
In this tutorial, you enabled telemetry and monitoring for your Azure Linux with OS Guard cluster. In the next tutorial, you learn how to upgrade your Azure Linux with OS Guard nodes.