Microsoft Operations Management Suite Cookbook

By: Chiyo Odika
Overview of this book

Microsoft Operations Management Suite Cookbook begins with an overview of how to hit the ground running with OMS insights and analytics. Next, you will learn to search and analyze data to retrieve actionable insights, review alert generation from the analyzed data, and use basic and advanced Log search queries in Azure Log Analytics. Following this, you will explore some other management solutions that provide functionality related to workload assessment, application dependency mapping, automation and configuration management, and security and compliance. You will also become well versed with the data protection and recovery functionalities of OMS Protection and Recovery, and learn how to use Azure Automation components and features in OMS. Finally, you will learn how to evaluate key considerations for using the Security and Audit solution, and how to work with Security and Compliance in OMS. By the end of the book, you will be able to configure and utilize solution offerings in OMS, understand OMS workflows, unlock insights, integrate capabilities into new or existing workflows, manage configurations, and automate tasks and processes.

Getting started with OMS

The following information will show you how to get started with OMS by setting up a Log Analytics workspace. There are several ways to create a Log Analytics workspace:

  • Create a workspace through the Microsoft OMS Overview page
  • Create a Log Analytics workspace in the Azure portal
  • Create and configure a Log Analytics workspace using Azure Resource Manager templates
  • Create and configure a Log Analytics workspace using Log Analytics PowerShell cmdlets

This section will focus on creating a Log Analytics workspace and onboarding through the Azure portal.

Getting ready

To get started with OMS Log Analytics, you will need to make use of an Azure account. If you don't have an Azure account, you can create a free account, which will give you access to the Azure service. This free account will be available for 30 days.

How to do it...

We can start the onboarding process using the following steps:

Creating an Azure account

To create a free account, go through the following steps:

  1. Navigate to https://azure.microsoft.com/en-us/free/?v=17.23h and follow the instructions to create your account. You will be able to make use of a work, school, or personal email account. You can also create a new Microsoft account that you can authenticate with Azure.
  2. Sign in and follow the instructions to create an account.

Creating an OMS Log Analytics workspace

Once you have access to the Azure service, you are ready to create your OMS Log Analytics workspace:

  1. Navigate to the Azure Portal (http://portal.azure.com) and sign in.
  2. In the Azure Portal, click the New button and type Log Analytics in the marketplace search field. Select Log Analytics:
Figure 1.13 - Log Analytics workspace
  3. Click the Create button and enter or select information for the following fields:
    • OMS Workspace: Enter a name for your workspace
    • Azure subscription: Select the Azure subscription that you would like to assign to your OMS Log Analytics workspace. You can change your OMS workspace Azure subscription at any time.
    • Resource group: You can choose to create a new resource group or use an existing one using the radio button. Select the existing resource group from the dropdown.
    • Location: Select the Azure region.
    • Pricing tier: Select a pricing tier that will govern the cost of your OMS Log Analytics workspace, and the solutions you use. You can choose from the following options:
      • Free
      • Per Node (OMS)
      • Per GB (Standalone)
      • Standard
      • Premium
A resource group is a container that holds related resources for an Azure solution.
Figure 1.14 - Creating Log Analytics workspace
  4. Click OK to finish creating your workspace.
  5. You can now filter for Log Analytics in the Azure portal to see your new OMS Log Analytics workspace.
  6. Click on your Log Analytics workspace. You can now review the settings and features for your workspace:
Figure 1.15 - Log Analytics workspace

Adding solution offerings and solutions

After creating the Log Analytics workspace, you can add solution offerings and management solutions to your workspace. Management solutions are collections of logic, data collection, and visualization rules that provide you with information that is pertinent to a particular problem area. Solution offerings are bundles of management solutions.

To add solution offerings and solutions through the Azure portal, go through the following steps:

  1. Navigate to the Azure portal and click the New button. Type the name of the solution you would like to add, such as Activity Log Analytics, into the marketplace search field and press Enter.
  2. Select Activity Log Analytics in the Everything blade, and click Create:
Figure 1.16 - Log Analytics solution offerings
  3. In the Activity Log Analytics blade, select the workspace you would like to associate with the management solution and click Create:
Figure 1.17 - Adding solution offerings to Log Analytics
  4. Repeat the preceding steps to add additional service offerings and solutions to your workspace.

From the marketplace, follow steps 1-3 to add the Security & Compliance service offering to your workspace to get the Antimalware Assessment and Security and Audit solutions. Additionally, you can add the Automation & Control service to get the System Update Assessment, Change Tracking, and Automation Hybrid Worker solutions:

Figure 1.18 - Adding Security and Compliance solutions
  5. After adding solutions to your workspace, you can view the management solutions by navigating to Log Analytics, clicking on your workspace name, and, in the Workspace blade, selecting Overview under Management:
Figure 1.19 - Viewing Log Analytics solutions

Once on the Overview page, you can see the solution tiles for the solutions that you have added to your workspace:

Figure 1.20 - Log Analytics solution tiles in Azure Portal
Alternatively, while in the workspace blade, you can click on OMS Portal to take you to the portal on the OMS website. We'll look at some operations that can be performed in the OMS portal in the following sections of this chapter and in subsequent chapters of this book.
Figure 1.21 - Log Analytics workspace in the OMS portal

Connecting Azure VMs to OMS Log Analytics in Azure portal

After adding solution offerings and solutions to your OMS workspace, you are now ready to connect sources to the workspace to start collecting some data. You can enable the VM extension to connect your Azure VMs to OMS Log Analytics:

  1. Navigate to and sign in to the Azure portal.
  2. Search for and navigate to Log Analytics and select your Log Analytics workspace.
  3. In the Log Analytics blade, select Virtual machines under Workspace Data Sources.
  4. Review the list of virtual machines and the OMS connection status for each virtual machine on which you would like to install the agent:
Figure 1.22 - Azure VMs connection to OMS
  5. Select the virtual machine that you would like to install the agent on, and in the details blade for the VM, select Connect. This will automatically install and configure the agent for your Log Analytics workspace:
Figure 1.23 - Connecting Azure VMs to OMS Log Analytics

After the agent is installed and connected, the OMS connection status for your workspace will reflect this:

Figure 1.24 - Azure VMs connected to OMS

Connecting Windows computers to OMS Log Analytics

As mentioned earlier, you can directly connect Windows computers to your OMS Log Analytics workspace. To do this, you will need to download the agent setup file from the OMS portal or the Azure portal, install the agent, and configure it for your workspace:

  1. Navigate to the Azure portal, select Log Analytics, and select your Log Analytics workspace
  2. In the Log Analytics workspace blade, select Quick Start, and under Choose a data source to connect to the workspace, select Computers:
Figure 1.25 - Onboarding Windows computers to Log Analytics
  3. In the Direct Agent blade, click the Download Windows Agent link that applies to your computer processor type to download the setup file
  4. Save the setup file to your preferred directory
  5. In the Workspace ID and Keys fields, copy the Workspace ID and Primary Key values to Notepad for use during direct agent installation:
Figure 1.26 - Log Analytics Windows agents
  6. On the computer that you want to manage with OMS Log Analytics, run the setup file, and click Next on the Welcome page
  7. On the License Terms page, read the terms and click I Agree
  8. On the Destination Folder page, change or keep the default folder and click Next
  9. On the Agent Setup options page, select the Connect the agent to Azure Log Analytics (OMS) option and click Next
  10. Paste the Workspace ID and Primary Key into the respective Workspace ID and Workspace Key fields, select your preferred Azure Cloud option (Azure Commercial is default) and click Next:
Figure 1.27 - Connecting the Windows Agent to the Log Analytics workspace
  11. On the Ready to Install page, review your choices and click Install
  12. Click Finish once the configuration completes successfully
  13. You will now see the Microsoft Monitoring Agent in the Control Panel of the agent computer. Open the properties of the agent, and under the Azure Log Analytics (OMS) tab you will now see a confirming status - The Microsoft Monitoring Agent has successfully connected to the Microsoft Operations Management Suite Service:
Figure 1.28 - OMS Log Analytics Windows Agent properties
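
Two checks that fit around the installation above, shown as an added example that is not part of the book: confirm the downloaded setup file carries a valid Microsoft signature before running it, and afterwards confirm the agent reports to the workspace you intended. The setup file path and workspace ID are placeholders; the script assumes the Microsoft Monitoring Agent's `AgentConfigManager.MgmtSvcCfg` COM object and an elevated PowerShell session on the agent computer.

```powershell
# Added example, not from the book. Run elevated on the agent computer.
$SetupFile         = 'C:\Temp\MMASetup-AMD64.exe'            # placeholder: where you saved the setup file
$ExpectedWorkspace = '00000000-0000-0000-0000-000000000000'  # placeholder: Workspace ID shown in the portal

function Test-MicrosoftSigned {
    # True only if the Authenticode signature verifies on this machine
    # and the signing certificate was issued to Microsoft Corporation.
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) { return $false }
    return $sig.SignerCertificate.Subject -match 'O=Microsoft Corporation'
}

function Get-OmsWorkspaceStatus {
    # Lists every workspace the installed agent is configured for.
    # Returns nothing if the agent (and its COM object) is not installed.
    try {
        $cfg = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg' -ErrorAction Stop
    } catch {
        Write-Warning 'Microsoft Monitoring Agent is not installed on this computer.'
        return
    }
    $cfg.GetCloudWorkspaces() |
        Select-Object workspaceId, ConnectionStatus, ConnectionStatusText
}

# --- Before running the setup wizard ---
if (Test-Path $SetupFile) {
    if (-not (Test-MicrosoftSigned -Path $SetupFile)) {
        throw "Signature check failed for $SetupFile; do not run it."
    }
    Write-Output "Signature OK: $SetupFile"
}

# --- After the wizard finishes ---
$workspaces = @(Get-OmsWorkspaceStatus)
$match      = $workspaces | Where-Object { $_.workspaceId -eq $ExpectedWorkspace }

if (-not $match) {
    Write-Warning "Agent is not configured for workspace $ExpectedWorkspace."
} else {
    # ConnectionStatusText carries the same message the Control Panel tab shows.
    $match | Format-List
}

# Any additional workspace means the computer is also sending data elsewhere.
$workspaces | Where-Object { $_.workspaceId -ne $ExpectedWorkspace } | ForEach-Object {
    Write-Warning "Agent also reports to unexpected workspace $($_.workspaceId)."
}
```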

Adding data sources in OMS

As mentioned previously, Log Analytics collects data from the connected sources that you define in your workspace and stores that data in the OMS data stores. The data sources you configure will define the data that is then collected from each connected source. Two data sources that you can start with are Windows events and performance data.

To add a Windows event log data source to OMS, go through the following steps:

  1. In the OMS console, click the Settings tile.
  2. In the Settings page, click on Data and select Windows Event Logs.
  3. In the Log Name field, type the name of an event log you would like to collect. Log Analytics will suggest common event log names based on your entry.
  4. Type your log name, or select from the suggestions, and click the + button to add the event log for collection:
Figure 1.29 - Log Analytics event log collection

Configuring performance data sources in OMS

OMS supports the collection of Windows and Linux performance counters.

Collecting Windows performance counters:

Perform the following steps:

  1. In the OMS console, click the Settings tile.
  2. On the Settings page, click on Data and click Windows Performance Counters.
  3. Click the Add the selected performance counters button to start collecting a list of suggested performance counters. You can uncheck any of the counters before adding the other selections:
Figure 1.30 - Log Analytics Windows performance counters
  4. Once the counters are added, review the counters and the sample collection intervals:
Figure 1.31 - Log Analytics Windows performance counters and collection intervals
  5. Search for additional counters in the entry field, or use the Remove button next to the counter sample interval to remove any counters.

Collecting Linux performance counters:

Perform the following steps:

  1. In the OMS console, click the Settings tile.
  2. On the Settings page, click on Data and click Linux Performance Counters.
  3. Click the Add the selected performance counters button to start collecting a list of suggested performance counters. You can uncheck any of the counters before adding the other selections:
Figure 1.32 - OMS Log Analytics Linux performance counters

How it works...

To get started with OMS, set up a Log Analytics workspace. A workspace is a container and Azure resource in which data is collected, analyzed, and presented in a portal. It includes account information and simple configuration information for a given account. You can have multiple workspaces to manage different datasets. In order to create a workspace, you will need the following:

  • An Azure subscription
  • A name for your workspace
  • An Azure geographical region

You will also need to associate your workspace with an Azure subscription. A workspace can be used as a granular unit of management for specific workloads, functional teams, or other bases. A Log Analytics workspace provides you with the following:

  • Granularity for billing
  • Data isolation
  • Custom workload configuration
  • Geographic location flexibility for data storage

You can get started with OMS by creating a workspace using any of the following methods:

  • Create a workspace through the Microsoft OMS overview page
  • Create a Log Analytics workspace in the Azure portal
  • Create and configure a Log Analytics workspace using Azure Resource Manager templates
  • Create and configure a Log Analytics workspace using Log Analytics PowerShell cmdlets

You can subsequently view, administer, and configure your workspace through the user interface portals in either Azure or the OMS website.

Once you add solutions to your workspace and connect sources to the workspace, you can then define the data that gets collected from your connected sources by defining and configuring data sources for your workspace. The configured data sources determine the nature of the collected data. The following are some examples of data sources:

  • Windows event logs
  • Windows and Linux performance counters
  • Syslog
  • IIS and custom logs
For Windows event logs, Log Analytics will only collect events from the Windows event logs that you specify in your workspace. You will not, however, be able to manually add security events to your workspace. To collect security events, you will need to install the Security and Audit solution or the Security & Compliance solution, which includes the security solution.
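
The PowerShell route listed above, shown as an added example that is not code from the book: it creates a workspace, sets retention, adds Windows event log and performance counter data sources, and enables the Security solution rather than trying to add the Security log as a data source. It assumes the Az.OperationalInsights module and an authenticated session (`Connect-AzAccount`); the resource group, workspace name, region, tier, retention, and counter choices are placeholders.

```powershell
# Added example, not from the book. Requires the Az.OperationalInsights module
# and an authenticated session (Connect-AzAccount). All names are placeholders.
$ErrorActionPreference = 'Stop'
$ws = @{
    ResourceGroupName = 'rg-oms-demo'         # placeholder: an existing resource group
    WorkspaceName     = 'oms-demo-workspace'  # placeholder workspace name
}
$Location      = 'eastus'   # placeholder region
$Sku           = 'PerNode'  # Per Node (OMS) tier; availability depends on the subscription
$RetentionDays = 90         # placeholder; retention beyond the tier default is charged

# Create the workspace only if it does not exist yet.
$existing = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ws.ResourceGroupName `
    -Name $ws.WorkspaceName -ErrorAction SilentlyContinue
if (-not $existing) {
    New-AzOperationalInsightsWorkspace -ResourceGroupName $ws.ResourceGroupName `
        -Name $ws.WorkspaceName -Location $Location -Sku $Sku `
        -RetentionInDays $RetentionDays | Out-Null
}

# Windows event logs: only the logs named here are collected.
foreach ($log in 'Application', 'System') {
    New-AzOperationalInsightsWindowsEventDataSource @ws -Name "evt-$log" `
        -EventLogName $log -CollectErrors -CollectWarnings -CollectInformation -Force |
        Out-Null
}

# Windows performance counters, sampled every 60 seconds.
$counters = @(
    @{ ObjectName = 'Processor';   InstanceName = '_Total'; CounterName = '% Processor Time' }
    @{ ObjectName = 'Memory';      InstanceName = '*';      CounterName = 'Available MBytes' }
    @{ ObjectName = 'LogicalDisk'; InstanceName = '*';      CounterName = '% Free Space' }
)
foreach ($c in $counters) {
    # Data source names must be unique in the workspace; derive one per counter.
    $name = 'perf-{0}-{1}' -f $c.ObjectName, ($c.CounterName -replace '[^A-Za-z0-9]', '')
    New-AzOperationalInsightsWindowsPerformanceCounterDataSource @ws @c `
        -IntervalSeconds 60 -Name $name -Force | Out-Null
}

# Security events cannot be added as an event log data source; they are
# collected through the Security solution, so enable that solution instead.
Set-AzOperationalInsightsIntelligencePack @ws -IntelligencePackName 'Security' `
    -Enabled $true | Out-Null

# Review what the workspace is now configured to collect.
Get-AzOperationalInsightsDataSource @ws -Kind WindowsEvent |
    Select-Object Name, Kind
Get-AzOperationalInsightsDataSource @ws -Kind WindowsPerformanceCounter |
    Select-Object Name, Kind
Get-AzOperationalInsightsIntelligencePack @ws |
    Where-Object Enabled | Select-Object Name
```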

The collected data is then stored in the OMS repository as a set of records, with each record type having a set of properties.

This collected data can then be queried using the log search feature to combine and correlate the data. Solutions put the emphasis on particular workloads or problem areas, so you can glean insights and take action on the information derived from the data. You can then further analyze the data using the various visualization capabilities in OMS.

Furthermore, you can manage accounts, users, and groups to have some measure of role-based access to your Log Analytics workspace. This can be done using Azure permissions, and in the OMS portal.

The Microsoft or organizational account that creates a workspace becomes an administrator of the workspace by default.

There's more...

In addition to the Insights & Analytics and Security & Compliance solutions described in the previous section, you can also add solutions for Automation & Control (Update Management, Change Tracking, Azure Automation Hybrid Worker), and Protection & Recovery (Azure Backup and Azure Site Recovery) to your OMS Log Analytics workspace.

Managing users in the OMS portal

Perform the following steps:

  1. Navigate to the OMS portal (http://oms.microsoft.com) and sign in.
  2. On the Overview page, click the Settings tile.
  3. Click the Accounts tab and click Manage Users.

While in the Manage Users section, you can perform tasks such as adding and removing users and groups.

Adding a user or group to a workspace

Perform the following steps:

  1. In the Manage Users section, choose the account type to add. You can choose between an Organizational Account, Microsoft Account, or Microsoft Support.
  2. Choose the user type: Administrator, Contributor, or ReadOnly User.
  3. Choose whether the account is a User or Group.
  4. Enter the name of the account and click Add:
Figure 1.33 - Managing users in the OMS Log Analytics workspace
If you choose the Organizational Account type, when you enter part of the name of a user or group in the account field, a list of matching users and groups will appear in a drop-down box.

Editing or removing a user or group from a workspace

Perform the following steps:

  1. While still in the Manage Users section of the Overview | Settings page, locate the user or group you would like to edit or remove from the list of users/groups.
  2. Toggle to the relevant user or group type radio button to edit the user type, or click REMOVE next to the username you would like to remove:
Figure 1.34 - Editing users in the Log Analytics workspace

Considerations for other solution offerings

Additional configuration is required to add the Automation & Control and the Protection & Recovery solutions to your workspace, and to use them with OMS.

Add Automation & Control Solution Offering to OMS

To add the Automation & Control solution, you must create an Automation account or select an existing Automation account. An Automation account is an Azure resource through which you can manage all of your Azure, cloud, and on-premises resources:

  1. Navigate to the Azure portal and click the New button. Type Automation & Control into the marketplace search field and press Enter
  2. Select Automation & Control in the Everything blade and click Create
  3. In the Create New Solution blade, click the OMS Workspace button and select your OMS workspace. Check the recommended solutions you would like to install, then click the OMS Workspace Settings tab
  4. In the resulting blade, confirm your workspace, Azure Subscription, Location, Resource group, and Pricing tier information, and click Automation account
  5. In the Automation account blade, select an existing Automation account or click Create an Automation account:
Figure 1.35 - The Automation & Control solution
Creating the Automation account when you add the Automation & Control solution to your workspace establishes the integration with your OMS workspace, and enables you to install related management solutions into your workspace.
  6. In the Add Automation Account blade, enter the name of your Azure Automation account in the Name field, review the Subscription, Resource group, Location, and Azure Run As account creation options, and click OK:
Figure 1.36 - Adding Azure Automation Account
  7. After the deployments are complete, click OK in the OMS Workspace blade, and upon completion of the deployment, click Create in the Automation & Control blade to finish adding the Automation & Control solution to your workspace.

OMS data retention

When performing analytics against datasets, the time span that the data covers is an important consideration, as is how long it is retained. OMS offers a variety of pricing tiers to suit your budget and needs, and the retention periods for the various OMS pricing tiers are very well defined. Remember that there are five pricing tiers that you can choose from for your workspace:

  • Free: On the free tier, data is retained for seven days
  • Per Node (OMS): Log Analytics makes the last 31 days of data available on this tier
  • Per GB (Standalone): Log Analytics makes the last 31 days of data available on this tier
  • Standard: On the standard tier, data is retained for 30 days
  • Premium: Data on the premium tier is retained for 365 days
When you use the OMS and Standalone pricing tiers, you can keep up to 2 years' worth of data (730 days). This is configurable from the Log Analytics Workspace settings in the Azure Portal. There is, however, a retention charge for data stored for more than the default 30 days.

Pricing

The cost of your workspace depends on the pricing tier and the solutions you use. To use OMS entitlements and access all solutions, you can choose between the Per Node (OMS) and Free tiers. Various solutions are also offered in some of the other pricing tiers.

For instance, to use the Network Performance monitoring or Service Map solutions, which are part of the Insights and Analytics solutions, you can choose the Per Node (OMS) or Free tiers. Additionally, to use such solutions as Security and Antimalware (from the Security & Compliance solution) and Update Management and Change Tracking (from the Automation & Control solution) you can choose the Per Node (OMS) or Free pricing tier. Microsoft offers detailed Log Analytics pricing information and a calculator at https://azure.microsoft.com/en-us/pricing/details/log-analytics/?v=17.23h.

See also