Log Analytics agent data sources in Azure Monitor
The data that Azure Monitor collects from virtual machines with the legacy Log Analytics agent is defined by the data sources that you configure in the Log Analytics workspace. Each data source creates records of a particular type. Each type has its own set of properties.
Important
The legacy Log Analytics agent is deprecated as of August 31, 2024. Azure will no longer provide any support for the Log Analytics agent. If you use the Log Analytics agent to ingest data to Azure Monitor, migrate now to Azure Monitor agent.
Important
The data sources described in this article apply only to virtual machines running the Log Analytics agent.
Summary of data sources
The following table lists the agent data sources that are currently available with the Log Analytics agent. Each agent data source links to an article that provides information for that data source. It also provides information on their method and frequency of collection.
Data source | Platform | Log Analytics agent | Operations Manager agent | Azure Storage | Operations Manager required? | Operations Manager agent data sent via management group | Collection frequency |
---|---|---|---|---|---|---|---|
Custom logs | Windows | • | On arrival. | ||||
Custom logs | Linux | • | On arrival. | ||||
IIS logs | Windows | • | • | • | Depends on the Log File Rollover setting. | ||
Performance counters | Windows | • | • | As scheduled, minimum of 10 seconds. | |||
Performance counters | Linux | • | As scheduled, minimum of 10 seconds. | ||||
Syslog | Linux | • | From Azure Storage is 10 minutes. From agent is on arrival. | ||||
Windows Event logs | Windows | • | • | • | • | On arrival. |
Configure data sources
To configure data sources for Log Analytics agents, go to the Log Analytics workspaces menu in the Azure portal and select a workspace. Select Legacy agents management. Select the tab for the data source you want to configure. Use the links in the preceding table to access documentation for each data source and information on their configuration.
Any configuration is delivered to all agents connected to that workspace. You can't exclude any connected agents from this configuration.
Data collection
Data source configurations are delivered to agents that are directly connected to Azure Monitor within a few minutes. The specified data is collected from the agent and delivered directly to Azure Monitor at intervals specific to each data source. See the documentation for each data source for these specifics.
If the agent is unable to connect to Azure Monitor , it will continue to collect data that it will deliver when it establishes a connection. Data can be lost if the amount of data reaches the maximum cache size for the client, or if the agent can't establish a connection within 24 hours.
Log records
All log data collected by Azure Monitor is stored in the workspace as records. Records collected by different data sources will have their own set of properties and be identified by their Type property. See the documentation for each data source and solution for details on each record type.
Next steps
- Learn about monitoring solutions that add functionality to Azure Monitor and also collect data into the workspace.
- Learn about log queries to analyze the data collected from data sources and monitoring solutions.
- Configure alerts to proactively notify you of critical data collected from data sources and monitoring solutions.