Insight &

Any cloud

Analytics
Deep Dive

Any platform
L300
Operational excellence
with Insight & Analytics
 Fast
Simple and Gain
troubleshoot
unified immediate
and auto
experience insight
remediate
Simple and unified experience
Challenges

Individual
monitoring
Platform and
Application
monitoring tool

Network
monitoring tool Individual
monitoring

Security
analysis tool

Individual
monitoring
On premises Application data
datacenter
Platform data

Network data

Security data
Individual Hosters
monitoring
Simple and unified experience
Solution

Individual
monitoring
Platform and
Platform and
Application
monitoring tool Application IT
monitoring Operational
Network excellence
monitoring tool Individual
monitoring

Security
analysis tool

Individual
Application data Security Network monitoring

Platform data analysis monitoring

Network data

Security data
Individual Hosters
monitoring
Simple and unified experience UNIFIED
EXPERIENCE
Expand your enterprise management with a consistent experience

Single platform for Leverage existing Access anywhere with a

overall management management platform consistent user experience

• Single pane of control • Integrate with existing systems • Control from anywhere
• Unified experience • Connect with isolated resources • Consistent user interface
UNIFIED EXPERIENCE

COLLECT AND INDEX DATA SEARCH AND INVESTIGATE CORRELATE AND ANALYZE VISUALIZE AND REPORT MONITOR AND ALERT

Single platform for

overall management
Single pane of control for log Unified experience to manage your
analytics, automation, back up, resources in public, private cloud as
site recovery and security well as traditional datacenters
 UNIFIED EXPERIENCE

COLLECT AND INDEX DATA SEARCH AND INVESTIGATE CORRELATE AND ANALYZE VISUALIZE AND REPORT MONITOR AND ALERT

Windows agents
• Log Analytics
SCOM
• Automation
• Site Recovery
Linux / FluentD • Backup

REST Collection API Operations Management Suite

Sample list of log/metrics that

OMS collects:
SaaS services • Custom Application/Infra logs
• Windows event logs
O365
• Window performance counters
• Security Event Logs
Azure Storage / • IIS Logs
Azure Diagnostics • ETW logs
Event Hub Log Stash • Azure Diagnostics
 UNIFIED EXPERIENCE

COLLECT AND INDEX DATA SEARCH AND INVESTIGATE CORRELATE AND ANALYZE VISUALIZE AND REPORT MONITOR AND ALERT

Windows agents

Operations Management Suite

Connect to Windows computers in your on-premises infrastructure directly to OMS workspaces by using a
customized version of the Microsoft Monitoring Agent (MMA).

https://azure.microsoft.com/en-us/documentation/articles/log-analytics-windows-agents/
 UNIFIED EXPERIENCE

COLLECT AND INDEX DATA SEARCH AND INVESTIGATE CORRELATE AND ANALYZE VISUALIZE AND REPORT MONITOR AND ALERT

SCOM

Operations Management Suite

Integrate Operations Manager with your OMS workspace to:

• Continue monitoring the health of your IT services with Operations Manager
• Maintain integration with your ITSM solutions supporting incident and problem management
• Manage the lifecycle of agents deployed to on-premises and public cloud IaaS virtual machines that you monitor
with Operations Manager
 UNIFIED EXPERIENCE

COLLECT AND INDEX DATA SEARCH AND INVESTIGATE CORRELATE AND ANALYZE VISUALIZE AND REPORT MONITOR AND ALERT

Linux / FluentD

Operations Management Suite

Collect and act on data generated from Linux computers. Adding data collected from Linux to OMS allows you to
manage Linux systems and container solutions like Docker regardless of where your computers are located—virtually
anywhere.

Upload data
(HTTPS)
syslog

Firewall/proxy
Nagios
OMS Service

Zabbix

Providers
Docker
Pull configuration
(https)
Linux Computer
 UNIFIED EXPERIENCE

COLLECT AND INDEX DATA SEARCH AND INVESTIGATE CORRELATE AND ANALYZE VISUALIZE AND REPORT MONITOR AND ALERT

Linux / FluentD

Operations Management Suite

Supported Linux platform

6.x 32/64-bit 5.x 32/64-bit

7.x 32/64-bit 6.x 32/64-bit
8.x 32/64-bit 7.x 64-bit

5.x 32/64-bit
2013.09 – 2015.09 6.x 32/64-bit
7.x 64-bit
12.x 32/64-bit alpha
14.x 32/64-bit beta
15.x 32/64-bit stable
16.x 32/64-bit
10.x 32/64-bit
5.x 32/64-bit
11.x 32/64-bit
6.x 32/64-bit
12.x 64-bit
7.x 64-bit
 UNIFIED EXPERIENCE

COLLECT AND INDEX DATA SEARCH AND INVESTIGATE CORRELATE AND ANALYZE VISUALIZE AND REPORT MONITOR AND ALERT

REST Collection API

Operations Management Suite

Leverage REST collection API to ingest custom data to Operations Management Suite

API
Log Search API
Ensure json is flattened and not nested • Create, manage and run searches

$json = @" Alert API

[{ "slot_ID“ : 12345, • Create and manage alerts
"ID“ : "5cdad72f-c848-4df0-8aaa-ffe033e75d57",
Powershell
"availability_Value": 100,
"measurement_Name“ : "last_one_hour", Log Analytics cmdlets
"duration“ : 3600,
"ExecutionTime“ : "2016-05-12T20:00:00.625Z" Nouns
}, • ComputerGroup
{ … }] • IntelligencePacks (solutions)
"@ • LinkTargets
• SavedSearch
• SavedSearchResults
• StorageInsights
• Workspace
• WorkspaceManagementGroups
• WorkspaceSharedKeys
• WorkspaceUsage
UNIFIED EXPERIENCE

COLLECT AND INDEX DATA SEARCH AND INVESTIGATE CORRELATE AND ANALYZE VISUALIZE AND REPORT MONITOR AND ALERT

Leverage existing
management platform
Do not rip and replace by Operations Management Suite
leveraging your management Gateway to connect with isolated
platform such as System Center, environment
Zabbix or Nagios
UNIFIED EXPERIENCE

COLLECT AND INDEX DATA SEARCH AND INVESTIGATE CORRELATE AND ANALYZE VISUALIZE AND REPORT MONITOR AND ALERT

Collect alerts from Operations Manager

To collect alerts from
Operations Manager, you will
need to

1. On the Operations
Management Suite
Onboarding Wizard:
associate with your OMS
subscription

2. If you have more than

one workspace, select the
workspace you want to
register with the
Operations Manager
management group from
the drop-down list, and
then click Next.

https://azure.microsoft.com/en-us/documentation/articles/log-analytics-om-agents/
UNIFIED EXPERIENCE

COLLECT AND INDEX DATA SEARCH AND INVESTIGATE CORRELATE AND ANALYZE VISUALIZE AND REPORT MONITOR AND ALERT

Collect alerts from Nagios and Zabbix

To collect alerts from Nagios and

Zabbix, you will need to

1. Grant the user omsagent read

access to the Nagios log file

2. Modify the
omsagent.confconfiguration file
(/etc/opt/microsoft/omsagent/conf
/omsagent.conf).

3. Restart the omsagent daemon

https://azure.microsoft.com/en-us/documentation/articles/log-analytics-linux-agents/
UNIFIED EXPERIENCE

COLLECT AND INDEX DATA SEARCH AND INVESTIGATE CORRELATE AND ANALYZE VISUALIZE AND REPORT MONITOR AND ALERT

Access anywhere with a

consistent user experience
Control from anywhere with iOS, Consistent user interface across
Android and Windows Phone. Operations Management Suite and
Azure services
Simple and Gain Fast
unified immediate troubleshoot
experience insight and auto
remediate
Gain immediate insight
Challenges

Business
Platform and owners?
Application
monitoring

Application
owners?

Security Network
analysis monitoring
Infrastructure
owners?
Gain immediate insight
Solution

Business
owners

Application
owners

Infrastructure
owners
Intelligence
Engine
Gain immediate insight UNIFIED

Provide an immediate insight for your hybrid environment based EXPERIENCE

on trusted sources.

Quick data Experienced sources Analyze petabytes of

collection of insight data from the cloud

• Automatic data collection • Single source of truth • Infrastructure free

• Custom log collection • Experienced and trusted insight • Business insight
UNIFIED EXPERIENCE

COLLECT AND INDEX DATA SEARCH AND INVESTIGATE CORRELATE AND ANALYZE VISUALIZE AND REPORT MONITOR AND ALERT

Quick data
collection
Automatic end point data selection Custom log collection including
and collection Windows and Linux
UNIFIED EXPERIENCE

COLLECT AND INDEX DATA SEARCH AND INVESTIGATE CORRELATE AND ANALYZE VISUALIZE AND REPORT MONITOR AND ALERT

Automatic data selection and collection

Log Analytics collects data from the Connected Sources in your OMS workspace and stores it in OMS
repository. The data that is collected from each is defined by the Data Sources that you configure.
Data in the OMS repository is stored as a set of records. Each data source creates records of a
particular type with each type having its own set of properties

https://azure.microsoft.com/en-us/documentation/articles/log-analytics-data-sources/
UNIFIED EXPERIENCE

COLLECT AND INDEX DATA SEARCH AND INVESTIGATE CORRELATE AND ANALYZE VISUALIZE AND REPORT MONITOR AND ALERT

Custom log collection

Logs data source in Log Analytics allows you to collect events from text files on both Windows and
Linux computers. Many applications log information to text files instead of standard logging services
such as Windows Event log or Syslog. Once collected, you can parse each record in the log into
individual fields using the Custom Fields feature of Log Analytics.

https://azure.microsoft.com/en-us/documentation/articles/log-analytics-data-sources-custom-logs/
UNIFIED EXPERIENCE

COLLECT AND INDEX DATA SEARCH AND INVESTIGATE CORRELATE AND ANALYZE VISUALIZE AND REPORT MONITOR AND ALERT

Gain immediate insight from containers

Containers are lightweight, pared-down virtual machines that can be easily provisioned, developers
have created them sporadically as a solution to support their continuous delivery. As containers are
being used widely in production and are exploding in numbers, demand for container monitoring
has increased. A centralized approach to logging and monitoring is required. OMS Container
Solution for Linux helps with these needs.

https://blogs.technet.microsoft.com/msoms/2016/08/24/announcing-public-preview-oms-container-solution-for-linux/
UNIFIED EXPERIENCE

COLLECT AND INDEX DATA SEARCH AND INVESTIGATE CORRELATE AND ANALYZE VISUALIZE AND REPORT MONITOR AND ALERT

Gain immediate insight from containers

With the OMS Container Solution, you’ll be able to:
• Centralize and correlate millions of logs from Docker containers at scale
• See real-time information about Container status, image, and affinity
• Quickly diagnose “noisy neighbor” containers that can cause problems on Container hosts
• Retrieve, visualize, and monitor CPU, memory, storage, and network usage with 10-second real-
time performance metrics
• View detailed and secure audit trail of all Docker actions on Container hosts

Two types of installation methods to support different operating system types, such as CoreOS.
UNIFIED EXPERIENCE

COLLECT AND INDEX DATA SEARCH AND INVESTIGATE CORRELATE AND ANALYZE VISUALIZE AND REPORT MONITOR AND ALERT

Experienced
sources of insight
Single source of truth, gathering Correlate and analyze through
data from public cloud, private Knowledge obtained by the trusted
cloud, traditional datacenters source such as product team, support
team, MSIT, Digital Crime Unit
 UNIFIED EXPERIENCE

COLLECT AND INDEX DATA SEARCH AND INVESTIGATE CORRELATE AND ANALYZE VISUALIZE AND REPORT MONITOR AND ALERT

Solutions
Log Analytics solutions are a collection of logic, visualization and data acquisition rules that provide
metrics pivoted around a particular problem area.

https://azure.microsoft.com/en-us/documentation/articles/log-analytics-add-solutions/
 UNIFIED EXPERIENCE

COLLECT AND INDEX DATA SEARCH AND INVESTIGATE CORRELATE AND ANALYZE VISUALIZE AND REPORT MONITOR AND ALERT

Solutions
Data collection details for OMS features and solutions

SCOM agent data sent

Data type Platform Direct Agent SCOM agent Azure Storage SCOM required? Collection frequency
via management group

AD Assessment Windows 7 days

AD Replication Status Windows 5 days

Alerts (Nagios) Linux on arrival

Alerts (Zabbix) Linux 1 minute

Alerts (Operations
Windows 3 minutes
Manager)

Antimalware Windows hourly

Capacity Management Windows hourly

Change Tracking Windows hourly

Change Tracking Linux hourly

ETW Windows 5 minutes

IIS Logs Windows 5 minutes

 UNIFIED EXPERIENCE

COLLECT AND INDEX DATA SEARCH AND INVESTIGATE CORRELATE AND ANALYZE VISUALIZE AND REPORT MONITOR AND ALERT

Solutions
Data collection details for OMS features and solutions
SCOM agent data sent
Data type Platform Direct Agent SCOM agent Azure Storage SCOM required? Collection frequency
via management group

Key Vaults Windows 10 minutes

Network Application
Windows 10 minutes
Gateways
Network Security
Windows 10 minutes
Groups

Office 365 Windows on notification

Performance Counters Windows as scheduled, minimum of 10 seconds

Performance Counters Linux as scheduled, minimum of 10 seconds

Service Fabric Windows 5 minutes

SQL Assessment Windows 7 days

SurfaceHub Windows on arrival

from Azure storage: 10 minutes; from

Syslog Linux
agent: on arrival
at least 2 times per day and 15
System Updates Windows
minutes after installing an update
Windows security for Azure storage: 10 min; for the
Windows
event logs agent: on arrival

Windows firewall logs Windows on arrival

for Azure storage: 1 min; for the

Windows event logs Windows
agent: on arrival
 UNIFIED EXPERIENCE

COLLECT AND INDEX DATA SEARCH AND INVESTIGATE CORRELATE AND ANALYZE VISUALIZE AND REPORT MONITOR AND ALERT

Solutions: VMware Monitoring

Aggregate all the ESXi Host logs in any location to a centralized repository for insightful analysis and
monitoring. The solution consolidates and parses logs into a comprehensive dashboard which help
monitor, alert, and quickly analyze the ESXi Host and VM activities.

• Provide Visualization Dashboard

• Monitor Event, Warning, Failure
• Provides deep Log Analysis with
search and trending
VMware • Assist Alerting
ESXi Servers

SCSI/Disk
VM ESXi ESXi …
Status and
Activities Events Failure
Error
 UNIFIED EXPERIENCE

COLLECT AND INDEX DATA SEARCH AND INVESTIGATE CORRELATE AND ANALYZE VISUALIZE AND REPORT MONITOR AND ALERT

Solutions
Example of JSON for Solution document

{
"name":“MySolution",
"location":"eastus",
"properties": {
"sourceLink": {

"contentUrl":"http://mystorageaccount.blob.core.windows.net/templates/SolutionTemplate.json",
"solutionVersion":"1.0.0."
} "managedResources":[{
"key":"Microsoft.Automation/AutomationAccount",
"resourceGroupName":"rg1",
"templateLink": {
"uri": "http://mystorageaccount.blob.core.windows.net/templates/template.json",
"contentVersion": "1.0.0.0"
}, }, {
…
}], "referencedResources":[ {

"id":”resourceGroups/{rgName}/providers/Microsoft.Automation/automationAccount/{accountName}/
credentials/{credName}”,
}, { } }
UNIFIED EXPERIENCE

COLLECT AND INDEX DATA SEARCH AND INVESTIGATE CORRELATE AND ANALYZE VISUALIZE AND REPORT MONITOR AND ALERT

Solutions ecosystem example: AWS monitoring

• What problem are you solving
• Enterprise customers want access to Azure and AWS monitoring information in one
place
• Is your solution specific to a technology or broadly applied
• Specific to AWS Cloudwatch (which gets data for all AWS resources)
• What lifecycle areas are you addressing
• Focus on monitoring
• Which OMS Services fit your needs
• Log Analytics initially
• Runbooks and alerts in phase 2
• Data read from Amazon Cloudwatch API
• Which specific artifacts will you compose
• Saved searches
• Views
• (custom data source via API – artifact is work-in-progress)
• Are you targeting Marketplace or Community (github)
• Publish to Github as open source to provide an example to partners
UNIFIED EXPERIENCE

COLLECT AND INDEX DATA SEARCH AND INVESTIGATE CORRELATE AND ANALYZE VISUALIZE AND REPORT MONITOR AND ALERT

Solutions ecosystem example: AWS monitoring

 UNIFIED EXPERIENCE

COLLECT AND INDEX DATA SEARCH AND INVESTIGATE CORRELATE AND ANALYZE VISUALIZE AND REPORT MONITOR AND ALERT

Solutions ecosystem example: AWS monitoring

Customers install a VM instance

C# binding

PS binding
Ingestion
AWS CW API OMS
API
Python binding

Ruby binding

JS
AWS
OMS
AWS I/P transfor
O/P
plugin m
plugin
plugin Java

OMS FluentD Agent

Enables testing of AWS value prop with preview

customers. * Requires customers to standup
Open source contribution credits infra to host the CW agent
 UNIFIED EXPERIENCE

COLLECT AND INDEX DATA SEARCH AND INVESTIGATE CORRELATE AND ANALYZE VISUALIZE AND REPORT MONITOR AND ALERT

Solutions ecosystem example: AWS monitoring

Simply Authorize AWS to send data to OMS (no infra)

Ingestio
AWS CW API OMS
n API

CW Azure Integration
Function Service

CW Azure
Automation

CW Lambda

GA architecture. * Straight connection from

Sweetspot - customers with <1000 servers one SaaS service to OMS
 UNIFIED EXPERIENCE

COLLECT AND INDEX DATA SEARCH AND INVESTIGATE CORRELATE AND ANALYZE VISUALIZE AND REPORT MONITOR AND ALERT

Solutions ecosystem example: AWS monitoring

Simply authorize AWS to send data to OMS (no infra) – High Volume

Ingestio
AWS CW API OMS
n API

CW Integration
Web Service Service

GA architecture. * Straight connection from

Sweetspot - customers with >1000 servers one SaaS service to OMS
UNIFIED EXPERIENCE

COLLECT AND INDEX DATA SEARCH AND INVESTIGATE CORRELATE AND ANALYZE VISUALIZE AND REPORT MONITOR AND ALERT

Analyze petabytes of
data from the cloud
Infrastructure free, On the fly metrics PowerBI integration
management as a aggregation
service
UNIFIED EXPERIENCE

COLLECT AND INDEX DATA SEARCH AND INVESTIGATE CORRELATE AND ANALYZE VISUALIZE AND REPORT MONITOR AND ALERT

View designer
Create visual tiles based on searches
Assemble tiles on a dashboard

View Designer editing Overview Tile to show custom service’s front-end custom events and performance data
UNIFIED EXPERIENCE

COLLECT AND INDEX DATA SEARCH AND INVESTIGATE CORRELATE AND ANALYZE VISUALIZE AND REPORT MONITOR AND ALERT

View designer
Create visual tiles based on searches
Assemble tiles on a dashboard

Complete with metrics visualized in line charts, distributions of event levels for my service, and the amount of data getting
for both types of events. Each visualization can drill down into OMS Log search.
Simple and Gain Fast
unified immediate troubleshoot
experience insight and auto
remediate
Fast troubleshoot and auto remediate
Challenges

Platform and
Application
monitoring

Security Network
analysis monitoring

Too many Unclear with Manual

alerts remediation process
Fast troubleshoot and auto remediate
Solution

Platform and
Application
monitoring
Filter alerts Professional knowledge

Security Network Specific search alert Community based

analysis monitoring

Automated
Problem
process
solved
Fast troubleshoot and auto remediate UNIFIED
Solve issues as quickly as possible in an automated fashion to improve EXPERIENCE

your SLA

Identify root cause Community based Auto

with powerful search automation remediate

• Powerful search • Leverage PowerShell community for • Leverage automation from

automating via PowerShell based the cloud
• Alert notification
runbooks
• Connect existing alerts to
auto remediate
UNIFIED EXPERIENCE

COLLECT AND INDEX DATA SEARCH AND INVESTIGATE CORRELATE AND ANALYZE VISUALIZE AND REPORT MONITOR AND ALERT

Identify root cause

with powerful search
Powerful search Alert notification
UNIFIED EXPERIENCE

COLLECT AND INDEX DATA SEARCH AND INVESTIGATE CORRELATE AND ANALYZE VISUALIZE AND REPORT MONITOR AND ALERT

Alert management
UNIFIED EXPERIENCE

COLLECT AND INDEX DATA SEARCH AND INVESTIGATE CORRELATE AND ANALYZE VISUALIZE AND REPORT MONITOR AND ALERT

Alert management
UNIFIED EXPERIENCE

COLLECT AND INDEX DATA SEARCH AND INVESTIGATE CORRELATE AND ANALYZE VISUALIZE AND REPORT MONITOR AND ALERT

Alert management
UNIFIED EXPERIENCE

COLLECT AND INDEX DATA SEARCH AND INVESTIGATE CORRELATE AND ANALYZE VISUALIZE AND REPORT MONITOR AND ALERT

Alert management
UNIFIED EXPERIENCE

COLLECT AND INDEX DATA SEARCH AND INVESTIGATE CORRELATE AND ANALYZE VISUALIZE AND REPORT MONITOR AND ALERT

Alert management
UNIFIED EXPERIENCE

COLLECT AND INDEX DATA SEARCH AND INVESTIGATE CORRELATE AND ANALYZE VISUALIZE AND REPORT MONITOR AND ALERT

Alert management
UNIFIED EXPERIENCE

COLLECT AND INDEX DATA SEARCH AND INVESTIGATE CORRELATE AND ANALYZE VISUALIZE AND REPORT MONITOR AND ALERT

Community based
automation
Leverage PowerShell community for automating via PowerShell based runbooks
UNIFIED EXPERIENCE

COLLECT AND INDEX DATA SEARCH AND INVESTIGATE CORRELATE AND ANALYZE VISUALIZE AND REPORT MONITOR AND ALERT

Community based runbooks

Automate your task based on community gallery
UNIFIED EXPERIENCE

COLLECT AND INDEX DATA SEARCH AND INVESTIGATE CORRELATE AND ANALYZE VISUALIZE AND REPORT MONITOR AND ALERT

Auto remediate
Leverage automation Connect existing alerts
from the cloud to auto remediate
UNIFIED EXPERIENCE

COLLECT AND INDEX DATA SEARCH AND INVESTIGATE CORRELATE AND ANALYZE VISUALIZE AND REPORT MONITOR AND ALERT

Auto remediate based on alerts

Automate your task based on community gallery
UNIFIED EXPERIENCE

COLLECT AND INDEX DATA SEARCH AND INVESTIGATE CORRELATE AND ANALYZE VISUALIZE AND REPORT MONITOR AND ALERT

Auto remediate based on alerts

Setup alert rule to trigger automated task
What we’ve learned

Fast
Simple and Gain
troubleshoot
unified immediate
and auto
experience insight
remediate

• Single platform • Quick data collection • Identify root cause

• Leverage existing • Trusted insight • Community based
platforms • Petabytes of data automation
• Access anywhere • Auto remediate
© 2016 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the
part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.