Azure Monitor Agent overview
Azure Monitor Agent (AMA) collects monitoring data from the guest operating system of Azure and hybrid virtual machines and delivers it to Azure Monitor for use by features, insights, and other services such as Microsoft Sentinel and Microsoft Defender for Cloud. This article provides an overview of Azure Monitor Agent's capabilities and supported use cases.
Note
Azure Monitor Agent replaces the legacy Log Analytics agent for Azure Monitor. The Log Analytics agent has been deprecated and has no support as of August 31, 2024. If you use the Log Analytics agent to ingest data to Azure Monitor, migrate now to the new Azure Monitor agent.
Installation
The Azure Monitor agent is one method of data collection for Azure Monitor. It's installed on virtual machines running in Azure, in other clouds, or on-premises where it has access to local logs and performance data. Without the agent, you could only collect data from the host machine since you would have no access to the client operating system and running processes.
The agent can be installed using different methods as described in Install and manage Azure Monitor Agent. You can install the agent on a single machine or at scale using Azure Policy or other tools. In some cases, the agent will be automatically installed when you enable a feature that requires it, such as Microsoft Sentinel.
Data collection
All data collected by the Azure Monitor agent is done with a data collection rule (DCR) where you define the following:
- Data type being collected.
- Transforming the data, including filtering, aggregating, and shaping.
- Destination for collected data.
A single DCR can contain multiple data sources of different types. Depending on your requirements, you can choose whether to include several data sources in a few DCRs or create separate DCRs for each data source. This allows you to centrally define the logic for different data collection scenarios and apply them to different sets of machines. See Best practices for data collection rule creation and management in Azure Monitor for recommendations on how to organize your DCRs.
The DCR is applied to a particular agent by creating a data collection rule association (DCRA) between the DCR and the agent. One DCR can be associated with multiple agents, and each agent can be associated with multiple DCRs. When an agent is installed, it connects to Azure Monitor to retrieve any DCRs that are associated with it. The agent periodically checks back with Azure Monitor to determine if there are any changes to existing DCRs or associations with new ones.
Costs
There's no cost for the Azure Monitor Agent, but you might incur charges for the data ingested and stored. For information on Log Analytics data collection and retention and for customer metrics, see Azure Monitor Logs cost calculations and options and Analyze usage in a Log Analytics workspace.
Supported services and features
The following tables identify the different environments and features that are currently supported by Azure Monitor agent in addition to those supported by the legacy agent. This information will assist you in determining whether Azure Monitor agent can support your current requirements. See Migrate to Azure Monitor Agent from Log Analytics agent for guidance on migrating specific features.
Windows agents
| Category | Area | Azure Monitor Agent | Legacy Agent |
|---|---|---|---|
| Environments supported | |||
| Azure | ✓ | ✓ | |
| Other cloud (Azure Arc) | ✓ | ✓ | |
| On-premises (Azure Arc) | ✓ | ✓ | |
| Windows Client OS | ✓ | ||
| Data collected | |||
| Event Logs | ✓ | ✓ | |
| Performance | ✓ | ✓ | |
| File based logs | ✓ | ✓ | |
| IIS logs | ✓ | ✓ | |
| Data sent to | |||
| Azure Monitor Logs | ✓ | ✓ | |
| Services and features supported | |||
| Microsoft Sentinel | ✓ (View scope) | ✓ | |
| VM Insights | ✓ | ✓ | |
| Microsoft Defender for Cloud - Only uses MDE agent | |||
| Automation Update Management - Moved to Azure Update Manager | ✓ | ✓ | |
| Azure Stack HCI | ✓ | ||
| Update Manager - no longer uses agents | |||
| Change Tracking | ✓ | ✓ | |
| SQL Best Practices Assessment | ✓ |
Linux agents
| Category | Area | Azure Monitor Agent | Legacy Agent |
|---|---|---|---|
| Environments supported | |||
| Azure | ✓ | ✓ | |
| Other cloud (Azure Arc) | ✓ | ✓ | |
| On-premises (Azure Arc) | ✓ | ✓ | |
| Data collected | |||
| Syslog | ✓ | ✓ | |
| Performance | ✓ | ✓ | |
| File based logs | ✓ | ||
| Data sent to | |||
| Azure Monitor Logs | ✓ | ✓ | |
| Services and features supported | |||
| Microsoft Sentinel | ✓ (View scope) | ✓ | |
| VM Insights | ✓ | ✓ | |
| Microsoft Defender for Cloud - Only use MDE agent | |||
| Automation Update Management - Moved to Azure Update Manager | ✓ | ✓ | |
| Update Manager - no longer uses agents | |||
| Change Tracking | ✓ | ✓ |
Supported data sources
See Collect data with Azure Monitor Agent for a list of the data sources that can be collected by the Azure Monitor Agent and details on how to configure each.
Next steps
- Install the Azure Monitor Agent on Windows and Linux virtual machines.
- Create a data collection rule to collect data from the agent and send it to Azure Monitor.