How to Locate installed LA Agents and If On-prem or in Azure

Azure Sentinel 2 Minutes

My colleague, Sonia Cuff, recently posted a great article around How to find your Azure Log Analytics agent deployments in preparation for the Azure Monitor agent.

In the article, she presents a couple different ways to locate the Log Analytics agent including using PowerShell and the actual Log Analytics service console.

There’s also another way that I wanted to share – particularly for those die-hard KQL’ers like myself.

Here’s a KQL query that looks for live agents and reports where they are located:

//Queries the Heartbeat table to locate installed LA agents and if on-prem or in Azure

Heartbeat
| where TimeGenerated >= (90d)
| where Category == "Direct Agent"
| where isnotempty(ResourceType)
| extend Cloud = ResourceProvider == "Microsoft.Compute"
| extend Onprem = ResourceProvider == "Microsoft.HybridCompute"
| distinct Computer, ResourceType, Cloud, Onprem

The most up-to-date version of this query will always be in my own GitHub repo here: https://cda.ms/2NM. Additionally, you may also be interested in a query that shows those systems already using the AMA with Azure Arc: https://cda.ms/2NN.

I presented the KQL option to Sonia and she makes a valid point in that it relies on the computer having sent a heartbeat during that time range, so doesn’t include things like lab servers which may be shutdown. While that’s true, for our Azure Sentinel purposes, we should have at least 90 days worth of agent heartbeat information. I would think that even our lab servers should have sent a heartbeat in 90 days, but YMMV.

As you may or may not know, the Log Analytics agent will be retired in 2024. That seems like a long way off, but its really not. Preparing to use the new Azure Monitor Agent (AMA) is an important planning step for organizations over the next couple years. Make sure this is addressed in planning meetings this year.

I’m asked constantly for my recommendation on when to migrate to the new the AMA – particularly for Azure Sentinel environments since not every underlying service (and Sentinel itself) doesn’t quite support AMA’s full capability. As function parity between the LA agent and AMA gets closer, you will absolutely hear from me. I’ll be one of the first to start to raise the alarm. For now, just focus on where it makes sense and where the AMA capability is critical for your operation. We have a couple years to go, and I promise that as we get closer to the cutoff date, the issues customers raise about AMA deployment techniques and having to rely on the ARC agent alongside will be moot.

=========================

[Want to discuss this further? Hit me up on Twitter or LinkedIn]

[Subscribe to the RSS feed for this blog]

[Subscribe to the Weekly Azure Sentinel Newsletter]

[Subscribe to the Bi-Weekly Azure Security Center Newsletter]

Author

Published