Score:0

"Multihoming" of Windows VM in multiple Log Analytics workspaces with Azure Automation Update Management enabled in one?

cn flag

I am currently facing an issue. I have a situation where I want to have an Azure Windows VM onboarded in Azure Update Management with an Automation Account. How it works, from my understanding, is that 2 extensions are installed on the VM: the Log Analytics Agent and the hybrid worker runtime. The LA agent is then connected to a Log Analytics workspace that is connected to an Automation account. Fine.

Now the issue: how can I onboard the VM to a second Log Analytics workspace, e.g. for onboarding it to Azure Sentinel or, in my case, making a second person able to monitor and alert on the VM? From my understanding, it is not possible to connect the Log Analytics Agent to two workspaces.

Questions:

  • Is it really the Log Analytics Agent that is installed on the VM, or the newer Azure Monitor Agent?
  • Did somebody manage to get such a scenario working, or does anyone have documentation/information on how it works?

Details:

What I found is this statement, but it is not clear what it means: "Having a machine registered for Update Management in more than one Log Analytics workspace (also referred to as multihoming) isn't supported."

https://docs.microsoft.com/en-us/azure/automation/update-management/plan-deployment#step-4---log-analytics-agent

Plus this GitHub discussion:

https://github.com/MicrosoftDocs/azure-docs/issues/85849

Cheers

ng flag
What do you mean by "making a second person able to monitor and alert on the VM"? You can allow multiple people to access a Log Analytics workspace and create their own alerts; there is no need to use a second workspace for this.
cn flag
That is true. But we have a shared model with "basic operations". That means a central ops team takes care that the cloud resources are compliant with a baseline (which includes supervised update management), but at the same time app-specific teams/developers should be able to access the logs of their machines. And only "their" machines, not the central hub LAW, where all machines report logs for Update Management. As I mentioned, the second scenario is onboarding to Azure Sentinel, which also needs a LAW...
Score:0
cn flag

I got it solved. The documentation really is not clear at this moment. I found the solution here: https://azsec.azurewebsites.net/2021/01/18/multi-homing-logging-with-new-azure-monitor-agent/

The twist is: it is not possible to configure it directly on the VM. You have to use Azure Monitor to define the Data Collection Rule (or use Terraform and the like). With this method, each VM seems to be able to send logs and metrics to four different Log Analytics workspaces.
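
The Data Collection Rule approach described in the answer above, sketched in Terraform as an added example that is not part of the original post. The resource names, variables and XPath filters are assumptions, and the VM is assumed to already run the Azure Monitor Agent extension.

```hcl
# Added example: names, variables and XPath filters are assumptions.
provider "azurerm" {
  features {}
}

variable "resource_group_name" { type = string }
variable "location" { type = string }
variable "vm_id" { type = string }                # resource ID of the Windows VM (placeholder)
variable "central_workspace_id" { type = string } # central ops workspace (placeholder)
variable "team_workspace_id" { type = string }    # app team or Sentinel workspace (placeholder)

resource "azurerm_monitor_data_collection_rule" "multihome" {
  name                = "dcr-windows-multihome"
  resource_group_name = var.resource_group_name
  location            = var.location

  # Two Log Analytics destinations in one rule: this is the multihoming part.
  destinations {
    log_analytics {
      name                  = "central-law"
      workspace_resource_id = var.central_workspace_id
    }
    log_analytics {
      name                  = "team-law"
      workspace_resource_id = var.team_workspace_id
    }
  }

  # What the agent collects on the VM: warning-or-worse System/Application events.
  data_sources {
    windows_event_log {
      name    = "windows-events"
      streams = ["Microsoft-Event"]
      x_path_queries = [
        "System!*[System[(Level=1 or Level=2 or Level=3)]]",
        "Application!*[System[(Level=1 or Level=2 or Level=3)]]",
      ]
    }
  }

  # Route the collected stream to both workspaces.
  data_flow {
    streams      = ["Microsoft-Event"]
    destinations = ["central-law", "team-law"]
  }
}

# The rule only takes effect for a VM once it is associated with it.
resource "azurerm_monitor_data_collection_rule_association" "vm" {
  name                    = "dcra-windows-multihome"
  target_resource_id      = var.vm_id
  data_collection_rule_id = azurerm_monitor_data_collection_rule.multihome.id
}
```

Because each destination is a separate workspace, read access can be granted per workspace, so an app team can be given access to its own workspace without access to the central one.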
