A WordPress.com site dedicated to System Center and Cloud Management

Posts tagged ‘Operations Management Suite (OMS)’

Azure Monitoring Tools Explained – Part 11: Operations Management Suite (OMS)


In the first part of this series, we introduced the confusion and complexity that tends to occur when looking at the long list of monitoring tools available for Azure.

We then provided a list of currently available tools that we will explore further.

We’ve already discussed Azure Activity Logs, Application Insights, Azure Advisor, Azure Alerts, Azure Diagnostics, Azure Metrics, Azure Monitor, Azure Security Center (ASC), and Network Watcher. The next tool on the list is Operations Management Suite (OMS).

 

Operations Management Suite (OMS)

The Operations Management Suite (OMS) is also commonly referred to as “Log Analytics”. So if you see/read any references to Azure Log Analytics, it is referring to the same technology.

If you have been following along with this series, you will know that some of the solutions found in OMS, are now being brought into other monitoring services (i.e. Azure Monitor, Azure Security Center, Network Watcher).

Additionally, over the past little while, there have been many changes to OMS, including:

Basically, OMS is Microsoft’s hybrid IT management platform. It can monitor resources and performance, and collect logs, networking data, security information, etc. And, if you’ve read the Azure Monitor portion of this series, more and more of it is being merged into that all-encompassing service solution.

OMS – Experience Center

Also, something worth sharing is that OMS has different categories of offers. This is how some solutions are grouped. There are 4 primary categories, namely:

  1. Insight & Analytics
  2. Automation & Control
  3. Security & Compliance
  4. Protection & Recovery

OMS – Solution Offers

But you may notice how most of the existing OMS solutions do not necessarily fall within one of these categories. It can be a little confusing, but just keep in mind that most solutions are loosely grouped under the Insights & Analytics category. For a quick and easy reference, there is a table that Microsoft created to show what category, pricing tier, etc. a solution falls into. You can find that table here.

OMS – Solution Gallery Example

Here is the official documentation about What is Operations Management Suite (OMS)?

 

Real World Example

The real-world example of using OMS is (in my opinion) obvious. It’s a monitoring and management platform. So this means you can monitor your systems, applications, networks, etc. You can track issues with performance, security, patching, and so forth.

But, in the interest of consistency for this series, we’ll look at a few common uses that many organizations are leveraging OMS for.

 

Patch Management

Now, most companies will already have a patch management solution; and in a lot of cases, that solution is System Center Configuration Manager (SCCM). And yes, SCCM can tell you what patches are missing in your environment.

But the experience in OMS is more visually appealing, AND, it also reports against Linux systems!

OMS – Update Management Dashboard

 

Security

Another real-world example is with Security. OMS has 2 solutions that fall under the Security & Compliance category; namely Security & Audit, and Antimalware Assessment.

The Security & Audit solution is very robust and contains elements for Identity & Access, Threat Intelligence, Baselining, Network Security, etc.

If you’ve followed along with this series, again, you’ll notice that some of these are starting to appear in other Azure services like Azure Security Center (ASC).

OMS – Security And Audit Dashboard

 

Change Tracking

How many times, when something breaks in your environment and you ask “what changed?”, do you get the standard response: “Nothing”?

With OMS, and in particular the Automation & Control offering, you gain access to the Change Tracking solution. This solution really helps to drill into what’s changing in the environment.

So, in an investigation or troubleshooting scenario, you can very easily see what Files, Registry, Software, or Services have changed. Note that it also detects changes on Linux systems via Daemons.

OMS – Change Tracking Dashboard

 

Assessment

The last example is the various Assessment solutions. Take note that there is more than one assessment solution; in fact, to date there are 3.

  • AD Assessment
  • SQL Assessment
  • SCOM Assessment

Note: There are other solutions with “assessment” in their title, but they are part of different OMS offers (like “Antimalware Assessment” or “Update Assessment”).

OMS – Assessment Solutions

But the other true “assessment” solutions help you check your environment and workloads (i.e. Active Directory, SQL Server, System Center Operations Manager) against Microsoft and industry best practice, as a proactive spot-check.

OMS – SQL Assessment Dashboard

 

Conclusion

In conclusion, the Operations Management Suite (OMS) is (at this time) the current central hybrid monitoring and management platform. But, as we’ve seen throughout this series, and in particular in the Azure Monitor article, this is shifting.

All the functionality and power behind OMS is being folded into Azure Monitor and various other services, to unify the platform. This allows for deeper and richer integration across all resources and services in Azure, enabling a better monitoring experience.

The next tool in our series will be the Service Health.

Using Azure Backup Logs in Azure Log Analytics (aka OMS)


If you’ve followed along with some of my previous posts (i.e. Azure Backup Now Has Reports or How-To Create Custom Azure Backup Reports Using the Data Model), then you should already have Azure Backup configured to send Log data to an Azure Storage account, and are using the PowerBI content pack for visualization of that data.

As was mentioned in the first referenced article, in addition to using an Azure Storage account, you can also send Azure Backup log data into Log Analytics (aka OMS).

Azure Backup Reports – OMS Integration

Today we’re going to look at this data as it is presented in OMS, and work with it to create a custom OMS solution.

 

Integration

To start, you need to integrate the Azure Backup logs into an OMS Workspace. To do this, follow along with the introduction and Step 1 of my Azure Backup Now Has Reports article, and select the Send to Log Analytics option.

Azure Backup Reports – OMS Integration

After the integration is complete, to confirm that data is being sent to OMS, use the following search query: AzureDiagnostics | where (Category == "AzureBackupReport")

Provided sufficient time has passed (Note: The recommended wait time is 24 hours) since you integrated the Backup Logs with Azure Log Analytics, you should see some results returned.

Azure Backup Reports – OMS Integration – Query Results

Important: Please note that all examples and queries are based on the new OMS query language. If your Workspace has not been upgraded yet, the provided queries will not work for you.

For further information on the new Azure Log Analytics query language, please see the official documentation found here.

 

Create a Custom OMS Solution

Now that we’ve verified that we have data available in OMS, we can start to create our own custom solution to monitor and visualize our backup jobs. We will be using the OMS View Designer to create this solution.

Note: We are creating a custom OMS solution using the available Log data, since the current OMS Azure Backup solution only works with ASM-based Vaults, and not the new ARM-based Recovery Services Vaults.

If and/or when Microsoft officially releases an updated OMS Backup solution, our custom solution may become obsolete, or need further customization based on our organization’s specific needs (which may or may not be satisfied through an official solution).

 

Overview Tile

If we’re creating a custom OMS solution, the first “view” is the Overview tile, and it will be the first thing we see in the OMS (and/or Azure) portal. So we need to think about what is the most important piece of information we need to be able to check easily and quickly first thing. The answer (in my mind) is the Backup Job Status since we would want to see if any backups failed overnight.

So, in our query editor, we can retrieve this information via the following query: AzureDiagnostics | where (Category == "AzureBackupReport") | where (OperationName == "Job") | summarize count() by JobStatus_s

And we can use that as our query in our overview tile.

Azure Backup Reports – OMS Integration – Overview Tile

 

Drill Down Views

Now that we have an overview tile that quickly and easily shows us job statuses, we want to be able to drill down into this, especially if there are any failed jobs.

Within the View Designer, we will add a View Dashboard to list the individual protected systems and their backup status.

In the list query I used the following: AzureDiagnostics | where Category == "AzureBackupReport" | where OperationName == "Job" | project ProtectedServerUniqueId_s, JobStatus_s

Azure Backup Reports – OMS Integration – View Dashboard

You may notice that the Computer field isn’t quite useful. If you run the query in the Log Search, this is what the results look like:

Azure Backup Reports – OMS Integration – View Dashboard – Query

You see that the ProtectedServerUniqueId_s field contains the system name, but also includes the region, a GUID, etc. 

Using the new query language guide (specifically the String Operators), I found several methods for retrieving just the element I want in the view (i.e. the Computer Name); namely the Extract, and Split operators. Unfortunately, I have not had any success getting either of those to work with the View Designer. When I do, I will come back and update this article.

Just take note that you can create custom views based on retrieving the fields you want to visualize/list as part of the custom solution.
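The same two queries (the Overview tile summary and the per-server drill-down) can also be run outside the View Designer, for example from a scheduled script that raises a warning when jobs did not complete. The following is an added example, not code from the original post; it assumes the Az.OperationalInsights module, an already authenticated Az session, a workspace upgraded to the new query language, and that "Completed" is the success value of JobStatus_s.

```powershell
# Added example (not from the original post): runs the article's AzureBackupReport
# queries against a Log Analytics workspace from PowerShell, so the Overview tile
# summary and the drill-down can be scripted or scheduled instead of only viewed.
# Assumes Az.OperationalInsights is installed and Connect-AzAccount has been run.
param(
    [Parameter(Mandatory)] [string] $WorkspaceId,   # workspace GUID (customer ID), not its name
    [int] $LookbackHours = 24                        # backup logs arrive with a delay
)

function Invoke-BackupQuery([string] $Query) {
    # Wraps the Az cmdlet and returns the result rows as objects.
    (Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $Query).Results
}

# Common filter: same Category / OperationName conditions the article uses.
$base = @"
AzureDiagnostics
| where Category == "AzureBackupReport" and OperationName == "Job"
| where TimeGenerated > ago(${LookbackHours}h)
"@

# Overview: the article's Overview tile query (count of jobs per status).
$summary = Invoke-BackupQuery "$base`n| summarize count() by JobStatus_s"
$summary | Format-Table JobStatus_s, count_ -AutoSize

# Drill-down: the article's list query, narrowed to jobs that did not complete.
# "Completed" is an assumed success value; adjust it to what your data shows.
$drill = "$base`n| where JobStatus_s != 'Completed'" +
         "`n| project TimeGenerated, ProtectedServerUniqueId_s, JobStatus_s" +
         "`n| order by TimeGenerated desc"
$problems = @(Invoke-BackupQuery $drill)

if ($problems.Count -gt 0) {
    Write-Warning "$($problems.Count) backup job(s) did not complete in the last $LookbackHours hours"
    $problems | Format-Table -AutoSize
} else {
    Write-Host "All backup jobs completed in the last $LookbackHours hours"
}
```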

 

Conclusion

In conclusion, I hope this shows you what you can do with the Backup log data being integrated with OMS, as well as how you can create custom views. If you’re interested in creating custom dashboards and reports, then check out my complimentary article: How-To Create Custom Azure Backup Reports Using the Data Model.

Enhancing the OMS Security and Audit Solution


If you’re using Microsoft’s hybrid management toolset, called Operations Management Suite (OMS), and in particular the Security and Audit solution, then read on to discover potential ways to enhance the data this solution uses.

Note: The material and points for this article are adapted from the Exam Ref 70-744 Securing Windows Server 2016 book.

 

OMS Security and Audit Solution

Firstly, here is an overview of the Security and Audit solution from the Exam-Ref book mentioned above:

The Security and Audit solution uses information gathered from the Security Event log, the Application Event log, and the Windows Firewall log to assess several different security conditions. The agents on the computers always send this log information directly to the OMS service, even when the computers are part of a System Center Operations Manager (SCOM) group.

Notice the wording: “The agents on the computers always send this log information directly to the OMS service, even when the computers are part of a System Center Operations Manager (SCOM) group.”

This means that your endpoints either need direct Internet access to the OMS services (or through a proxy), or you can deploy the OMS Gateway. Here are some reference articles on both of these approaches:

SCOM Management Server With OMS Gateway

Continuing our focus on the Security and Audit solution, we need to configure our servers to capture pertinent information to the Application, Security, and Windows Firewall logs.

 

Windows Security Event Log

Concerning the Windows Security Event log, the system’s auditing policy setting will affect what details are logged, and therefore also affects what OMS is able to read and react to.

If you’re not sure what to enable in your audit policy, Microsoft has a great starting point, found here: Microsoft’s Recommendations for Advanced Auditing Policy Settings.

These recommendations leverage the Security Compliance Manager tool and are applicable to both Client Operating Systems (like Windows 7 and Windows 8), and Server Operating Systems (Windows Server 2008 and above).

It also lists what the Windows Default settings are, along with providing a Baseline recommendation, and a more aggressive recommendation.

 

Application Event Log

To get the most from the Application Event Log, we need to configure our servers to log information about executable files, install scripts, and packages that are used.

You can do this by configuring the AppLocker policy settings; by browsing to Computer Configuration > Policies > Windows Settings > Security Settings > Application Control Settings > AppLocker.

Application Control Settings – App Locker.

If you right-click on AppLocker and open the Properties, on the Enforcement tab, select the Configured checkbox and the Audit Only setting for all of the policies.

AppLocker Properties

You should also create a Rule for each of the types listed (Executable Rules, Windows Installer Rules, Script Rules, and Packaged App Rules).

When you create the Rule, keep the default settings, but choose the ‘Path’ option for the primary condition.

AppLocker – New Rule – Conditions

And for the Path value, use an asterisk (*) as a wildcard.

AppLocker – New Rule – Conditions – Path

Finally, you should set the Application Identity service to start automatically. You can find this setting by browsing to Computer Configuration > Policies > Windows Settings > Security Settings > System Services.

Application Identity Service Setting

 

Windows Firewall

Now onto the Windows Firewall settings. By default, the Windows Firewall does not log any of its activities, so you must enable its logging.

To do this, browse to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security.

Right-click on the Windows Firewall with Advanced Security policy and open the Properties.

For each of the profiles (Domain, Private, Public), click on the Customize button under Logging, and in the Customize Logging Settings dialog, use these settings:

  • Size limit (KB): 100
  • Log dropped packets: Yes
  • Log successful connections: Yes

Customize Logging Settings for Windows Firewall
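The AppLocker, Application Identity service and firewall logging settings above are applied through Group Policy in the article. The following added example (not code from the original post or from Microsoft) applies the same settings to the local policy of a single server with PowerShell, which is useful for a lab or non-Production box before building the GPO. It assumes Windows Server 2012 R2 or later with the AppLocker and NetSecurity modules, run from an elevated session.

```powershell
# Added example (not from the original post): local-policy equivalent of the
# article's GPO settings, for one server. Run elevated.

# 1. AppLocker: one wildcard Path rule per collection, enforcement set to Audit Only,
#    so every executable, installer, script and packaged app is logged but not blocked.
$collections = 'Exe', 'Msi', 'Script', 'Appx'
$rules = foreach ($type in $collections) {
    $id = [guid]::NewGuid()
@"
  <RuleCollection Type="$type" EnforcementMode="AuditOnly">
    <FilePathRule Id="$id" Name="Audit all $type" Description="Audit-only path rule (*)"
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
"@
}
$policyXml  = "<AppLockerPolicy Version=`"1`">`n$($rules -join "`n")`n</AppLockerPolicy>"
$policyPath = Join-Path $env:TEMP 'applocker-audit.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $policyPath    # replaces the local AppLocker policy

# 2. Application Identity service must run, or AppLocker writes no events.
#    sc.exe is used because Set-Service cannot change this protected service on newer builds.
sc.exe config AppIDSvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# 3. Windows Firewall: log dropped packets and successful connections, 100 KB limit,
#    on all three profiles (the article's Customize Logging Settings values).
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -LogBlocked True -LogAllowed True -LogMaxSizeKilobytes 100

# Verify what was applied before the OMS agent starts reading these logs.
Get-AppLockerPolicy -Local | Select-Object -ExpandProperty RuleCollections |
    Select-Object RuleCollectionType, EnforcementMode
Get-NetFirewallProfile |
    Select-Object Name, LogAllowed, LogBlocked, LogMaxSizeKilobytes, LogFileName
```

AppLocker audit events then appear under Applications and Services Logs > Microsoft > Windows > AppLocker, and the firewall log at the LogFileName path shown by the last command.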

 

Wrap Up

Most organizations will have their own security policies and settings, however, some of the listed suggestions and recommendations may be new to you.

It is recommended that you implement these in a non-Production environment, in order to evaluate the applicability to your specific environment, and to avoid any unexpected effects.
