From the course: Microsoft Azure Solutions Architect Expert (AZ-305) Cert Prep by Microsoft Press
Logging for virtual machines - Azure Tutorial
- [Instructor] Logging and monitoring is slightly different for virtual machines than it is for other Azure resources, mainly because there are OS logs that you may want to capture along with performance metrics. To support these additional options we must install a different set of agents on the VMs themselves. And what you want to capture will determine which agent is required. To see an example of this, I've built a couple of virtual machines here. One is a Windows virtual machine and another is a Linux. And I'm going to go to my Windows virtual machine first and I'm going to have a look at metrics. So the metrics are the default performance information that gets captured without you needing to do anything. However, note that it comes from the actual virtual machine host, so that means it's coming from the actual, the physical host that's running this in the data center rather than the VM itself. And if we go and look at this we can see that it's capturing these basic metrics to show that we can see some activity. These metrics generally only get saved for around 90 days and there's not a huge amount you can do with them. They're generally more for real-time information such as this. If we want to collect more detailed logs and have more control over how long they're stored for, we have a couple of different options. So the first is the guest level monitoring. So if we go to the diagnostic settings like we would do for a normal Azure resource, we can enable guest level monitoring here. Now as we can see, it's asking for a storage account and that will send the monitoring to that storage account. Now this is quite old now and it's been replaced by a more up-to-date offering called VM Insights. So if you go to the VM Insights tab we can see here that nothing's actually happening and what we need to do is go and enable it. So we'll go and do that first.
Actually, before we do that, what I do just want to show you is in our VM setup, I want to show you the extensions tab here and we can see that there are no extensions. So extensions are agents that Azure installs for you on the VM itself. So if we go back to our insights and click enable, the first thing it wants us to do is tell it which Log Analytics workspace to send all the information to. By default it tries to create a new one. I'm going to go and choose an LA Workspace that I created earlier and then we're going to go and click enable. Now that can take a few minutes to do, so while it's doing that I'm going to go back to my virtual machines and now I'm going to go to the Linux VM and you'll see why I'm going to repeat this shortly. But the first thing I want to do again is go to the extensions and again, we have no extensions loaded. Then we're going to go to the insights and again we're just going to enable the insights. And again, we're just going to select my Log Analytics workspace that I've already created. Once those deployments have finished we'll go to each server in turn. First let's pick the Windows VM. The first thing I want to show you is that if we go to the extensions tab we can now see that we've got two extensions installed. There's the Microsoft Monitoring Agent and the Dependency Agent for Windows. Let's also go and look at the Linux VM. And again, if we look at the extensions, again, we see that it's installed two agents. This time it's the OMS Agent for Linux and the Dependency Agent for Linux. Now if we scroll down and go back to our insights tab, sometimes it can take a while to view on this. Let's go to the Windows VM instead, go to the insights tab, and what it actually shows you is quite an interesting map of the VM itself. So first of all, you can see what processes are actually running on the VM itself and we can also see what the VM is talking to. So we can see it's on port 443. It's reaching out to these other services to talk to them.
So we're getting quite a lot of metrics already. We can also go through different options on here. For example, if we go to log events we can see the different event types that it's capturing. And if we drill down through to one of these, say the VM processes, what it actually does is open us up in a query of Log Analytics. Now we'll be looking at queries later, but this is basically showing the underlying information that it's collected from the virtual machine and stored in the Log Analytics workspace. What I want to do now is go and look at the Log Analytics workspace itself. So let's have a look at my old resources and it's the virtual machine LA Workspace. And the first thing I'll show you is if we scroll down we can see this virtual machines tab and we can see here it's telling us which virtual machines it's installed on. So we can actually install it on other virtual machines here from this view. So if we had other virtual machines that it wasn't installed on we can actually click through and then click connect and that would also go and deploy the agent. We can also deploy agents automatically using automation tools such as policy and so on. If you've got virtual machines on premises you can actually install the agent yourself so that you can monitor your on-premises machines or even virtual machines in other cloud vendors, such as AWS or GCP. And to do that, we've got the agent management tab here and you can download the agent to install. And when you go and install the agent on a VM manually it'll ask you for the workspace ID and a primary key, which we get from here. So that's just useful to know, especially for the exam, to know that you can actually install this on on-prem VMs. So we also mentioned that we can capture OS event logs. Now that's not done by default. And to do that what we do is go to the agents configuration here and we actually tell it what logs we want to capture.
So if we click add Windows event log we can choose all the different event logs that you would normally see within a host itself. So I'm going to pick the system log and we can see we've got errors, warnings, and information so we can get quite granular. And we're also going to capture the application logs. Similarly, we can capture specific Windows performance counters and let's just delete that. For Linux machines we can add syslog logs. So for example, we could go and do syslog. Once we're happy with all the logs we want to capture we just go ahead and click apply. Now interestingly, an important part of this is that we are configuring this within the workspace itself. So what that means is that any virtual machine that is configured to use this workspace will automatically get these logs starting to get picked up now. So we don't have to go to each individual VM and then configure them individually there. We just do it here from the central workspace. Now it can take a while for the logs to go through, but when they are working we can view them by going into our Log Analytics workspace. Going to this logs view here. I'm just going to close down those examples. And the logs are basically just event. Again, we'll go into a bit more detail on how we use this in the next lecture. But for now, if we just went to event and run, what that would do is go and query all the events that have been captured from our VMs and show them. Now, as I said, it can take a while for them to actually start ingesting the logs, which is why we're not seeing any here. Before we leave VM logging we need to be aware that Microsoft are actually introducing a new service called Data Collection Rules. Now this is actually just another way to capture VM logs, but currently it's in preview. However, it is slightly different how we set it up and configure it. So what I want to do here is go to the top left burger here and I'm actually going to go to the Azure Monitor view.
Now we can see all the different things that it's monitoring in here. Again, if we look at virtual machines we can see the virtual machines that we can monitor. And I'm going to go and say data collection rules. So what we can do is we can create a data collection rule and this is actually an object in Azure. So that means we have to assign it to a resource group and tell it where to install. Next we tell it what resources we want to collect. So I'm going to say add resources. Now I can add, select all virtual machines in a resource group or individual virtual machines. Notice that the Linux VM is not showing up here at the moment, it's only supporting Windows VMs, but I'm going to go and select that VM. Next we say Collect and deliver. And what we say is we add a data source. So this is similar to what we were doing earlier where we could pick the different logs we want to capture. So I'm going to again go to Windows event logs. And again, we can tell it which ones to capture. Notice it's a bit more user-friendly this one. Before we show all the different kinds of logs you can capture, these are the ones you were probably more used to seeing within an OS. Next we set the destination, which in our case is defaulting to our LA Workspace, which is fine. And we just click add data source. I forgot to add a rule name. And then click create. So again, what that's going to do is set up a data collection rule, which is another way to collect the logs. Now that's set up, I just want to show you one last thing. If I go to the Windows VM and go to our extensions we can now see we've got an additional agent, which is the Azure Monitor Windows Agent. So this is the new agent that gets used for those data collection rules to work. So as you can see, capturing VM information is a little bit more involved.
However, it does allow us to capture in a single place, everything from performance metrics to OS logs, and then start creating some very powerful queries across them to get lots of information.
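
Added example, not part of the instructor's transcript or the course material: two Log Analytics (KQL) queries for the workspace Logs view, one to confirm which connected machines are reporting and which configured log types have started arriving, and one to summarize the System and Application errors and warnings selected in the agents configuration. The 24-hour window and the 20-row limit are assumptions.

```kusto
// Query 1 (run on its own): ingestion check per computer and per table.
// Heartbeat is written by the agent itself; Event and Syslog only fill up
// once the Windows event logs / syslog facilities are enabled in the workspace.
// isfuzzy=true lets the query run even if one of the tables has no data yet.
union withsource=SourceTable isfuzzy=true Heartbeat, Event, Syslog
| where TimeGenerated > ago(24h)
| summarize Records = count(), LastSeen = max(TimeGenerated) by Computer, SourceTable
| order by Computer asc, SourceTable asc

// Query 2 (run on its own): errors and warnings from the System and
// Application logs, grouped so the noisiest sources on each VM stand out.
Event
| where TimeGenerated > ago(24h)
| where EventLog in ("System", "Application")
| where EventLevelName in ("Error", "Warning")
| summarize Count = count() by Computer, EventLog, EventLevelName, Source
| top 20 by Count desc
```

A computer that appears in the first result with only a Heartbeat row is connected to the workspace but has not yet delivered any of the configured OS logs.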