Azure Monitoring is an extremely powerful part of Azure. I 💘 how integrated it is with the platform. Especially with things like AppInsights. Are you using Azure Monitor as part of your day-to-day monitoring of your cloud resources?
Fantastic overview Dana, your presentation style is spot on. I'm not an "Ops guy" but in these times of digital transformation you really do need to have at least a basic idea of all aspects of the systems we're creating.
I appreciate this as a Microsoft Certified Trainer and Azure architect... good job, and you are the third person whose YouTube channel I have subscribed to in my life... keep rocking
Most people don't turn it on, and that might be a real shame, but it costs money and this is what scares them. It is constantly running in the background accumulating logs, and spreading that across your estate for a long time all adds up. It can also be confusing for the novice. Combining logs in the same workspace, or deleting, etc. can make people nervous. Adding a zero, which is the default, means stuff is never deleted unless you delete it yourself manually. I think all these things combined mean it is not utilized. I can see the reasons. There is no tidy-up tool in Azure either to help identify what can safely be removed. I mean, why should there be? It simply does not work in the favour of Microsoft. They're in the biz to make money, so if you don't know your stuff, it will cost you, and sometimes heavily. When you get something like VMware you pay for everything up front, so it does not matter so much. Anyway, that's my two cents. Nice summary though on the tech, but it's not always as simple as people make out.
Some simple examples would have been useful, e.g. create an alert if a VM has stopped because a user shut down rather than signed out, or the disk capacity has exceeded 70%. I started down this route, but became confused by the requirement to set up a separate account and other pre-requirements... not explained in other videos🙈
Azure Monitor installs an agent that can be used for central collection and reporting. The OMS agent has built-in SNMP monitoring. Eventually it all ends up in Log Analytics for you to use. In fact, now Azure Sentinel will suck in the critical security traps and report on that for you (if configured).
Are you separating environments by subscription? I normally have dev/staging and prod pipelines each deploying to different subscriptions for testing and production.
You mention some things that, if I'm understanding correctly, I didn't know about. From what you're saying, could I potentially ingest logs from VMs and create graphs similar to Logstash and Grafana? I have the need to measure things like NPS RADIUS auths and deny spikes and think this might be an awesome and fun fit. Sound like a fitting use?
Michael Zimmerer Yep. That’s the idea. A good starting point would be to ingest the event log data in your VM and get it into Azure Monitor. This might be a way forward: docs.microsoft.com/en-us/azure/azure-monitor/platform/data-sources-windows-events
Once you get the VM events in Azure Monitor and it’s sitting in Log Analytics, you can then build the dashboards that give you graphs and data cards: docs.microsoft.com/en-us/azure/azure-monitor/learn/tutorial-logs-dashboards
@MichaelZimmerer Have you configured NPS to write out audit success and audit failure messages to the security log? If so, you can get the data into Log Analytics. Start by configuring advanced auditing on the Windows server running NPS, i.e.:
    auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
Depending on the server edition, you may need to set the advanced GPO. A quick Google search found this blog post on how to set up the NPS GPO to deal with this when the above doesn't work: www.mikenowak.org/nps-authentication-events-not-showing-event-log/
Once you have that set up right to push NPS events to the security log, then event ID 6272 represents success, and 6273 is failure. There are a few other event IDs to account for if you use health policies. See: docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-network-policy-server
Once you have that, the monitoring agent will then bring those events right into the SecurityEvent table in Log Analytics. I did an episode of #KnowOps showing you how to use Kusto Query Language (KQL) to query this exact type of event. You can see that episode at ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-DuWBLsgqhaI.html
The query you want to find NPS logon failures would be something like:
    SecurityEvent
    | where TimeGenerated > ago(24h)
    | where EventID == 6273
    | project TimeGenerated, Account, Computer, EventID, Activity
Watch the episode for more info if KQL is still new to you. You could use aggregate and metric functions to then "render" charts however you need for your dashboard. HTH. Good luck.
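For the "deny spikes" use case raised earlier in the thread, here is an added example (not from the video or from any commenter) that extends the failure query above: it counts NPS grants (6272) and denials (6273) per server in fixed time bins and keeps only the bins where denials jump well above that server's own average. The bin size, lookback and both thresholds are assumptions to tune for your environment.

```kql
// Added example: NPS deny-spike detection over the SecurityEvent table.
// All four "let" values below are assumed starting points, not recommendations.
let lookback    = 24h;   // how far back to look
let window      = 15m;   // size of each time bin
let minDenied   = 20;    // ignore bins with fewer denials than this
let spikeFactor = 3.0;   // a bin is a spike at 3x the server's average denials
// Per-server, per-bin counts of granted and denied requests.
let perBin =
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID in (6272, 6273)      // 6272 = access granted, 6273 = access denied
    | summarize Granted = countif(EventID == 6272),
                Denied  = countif(EventID == 6273)
        by Computer, bin(TimeGenerated, window);
// Baseline: average denials per bin for each NPS server.
// Bins with no NPS events at all do not exist here, so the average
// is over active bins only and is therefore slightly conservative.
let baseline =
    perBin
    | summarize AvgDenied = avg(Denied) by Computer;
perBin
| join kind=inner baseline on Computer
// Granted + Denied is never zero: a bin only exists if it has at least one event.
| extend DenyRatio = round(todouble(Denied) / (Granted + Denied), 2)
| where Denied >= minDenied and Denied > spikeFactor * AvgDenied
| project TimeGenerated, Computer, Granted, Denied, DenyRatio, AvgDenied
| order by TimeGenerated desc
```

To chart the raw counts for a dashboard instead of filtering for spikes, run only the perBin part and end it with `| render timechart`.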