Adding Your Azure Environment to LogicMonitor


With LogicMonitor, you can monitor the state of your Azure deployment, its underlying services, and license usage, which allows you to identify faults and manage performance.

Requirements

To add your Azure environment to LogicMonitor, you must have:

  • The Application (client) ID, Directory (tenant) ID, and client Secret Key value for a registered application in Microsoft Azure. Consider creating a new app registration in the Azure portal before you start so that you have these IDs and the Secret Key available for setting up permissions. For more information, follow the steps in Setting Up LogicMonitor Account in Azure.

For a list of Azure services monitored, see Cloud Monitoring Overview.

Setting Up LogicMonitor Account in Azure

1. Log in to your Azure portal using an administrator account.

2. From the Azure Services menu, click Azure Active Directory.

Note: The Tenant ID is displayed on the Azure Active Directory home screen. The Tenant ID will be required when adding the Azure account in LogicMonitor.

3. Navigate to Manage > App registrations and click +New registration.

4. On the Register an application page, enter the following details:

  • Name: Enter a display name for the application. This name will be used throughout your Azure portal and does not have any specific requirements.
  • Supported account types: Select the Accounts in this organizational directory only option.
  • Redirect URI: This setting is optional and can be left unspecified. Enter the name for the application.


5. Click Register.

6. On the Registration page, you can see the Application (client) ID and Directory (tenant) ID.

Note: You will require the Application ID for the LogicMonitor portal configuration.

7. On the left navigation pane, click Certificates & secrets.

8. Add +New client secret.

9. On the Add a client secret pane, add information in the Description and the Expires fields.

10. Click Add.

Note: Be sure to copy or make a note of the Client Secret Key value. You will not be able to view it once you navigate away from the page. You will need to enter the value in the LogicMonitor configuration.

Adding Subscription Details in Azure

To add subscription details in Azure for the LogicMonitor account, complete the following steps:

1. Navigate to Azure portal > Azure Services > Subscriptions and click Add.

2. Click the name of the subscription that you want to monitor. In this example, Product Team is selected in the Subscription Name field.

3. On the Registration page, you can see the Subscription ID, Offer ID, and Start Day of Billing Cycle.

Note: You will require these details for the LogicMonitor portal.


4. On the Subscription Name (Product Team) page, from the left navigation pane, select Access control (IAM).

5. Click +Add and select Add role assignment.

6. On the Add role assignment page, click Role and select a role.

Note: You must select at least a Reader role.

7. Once you have selected the role, click Members.

8. From the Members tab, click +Select members and select the required member.

9. Select the registered application name and click Select.

10. To review and save changes, click on the Review + assign tab.

Note: You can also add a large number of subscriptions. For more information, see the Adding Large Number of Subscriptions topic.

Adding Azure account into LogicMonitor

To add your Azure account to LogicMonitor for monitoring, complete the following steps:

  1. Add your Azure account into LogicMonitor from Exchange > Cloud Integrations.

  2. Select Azure and click Add.

  3. On the Name page, enter the following:
    • Name (required)
    • Description
    • Parent Group (required): The default value is the root group of the portal.
    • Properties

  4. On the Permissions page, enter the following:
    • Tenant ID (required): The Directory ID for the registered application.
    • Client ID (required): The Application ID for the registered application.
    • Secret Key (required): The application password.
    • Subscriptions selected: Click Get Subscriptions.

Note: You can find this information in your Microsoft Azure portal, on the registration page for your app. For more information, follow the steps for Setting Up LogicMonitor Account in Azure.

All subscriptions available to LogicMonitor based on the permissions you’ve configured will be listed. If you don’t see one or more subscriptions you expect to see, ensure that the application you created in Azure has reader permissions for those subscriptions.

5. Click Next: Services and on the Services page, select the services that you want to monitor.

Note: If you’re adding LogicMonitor services for Backup Protected Items or Recovery Protected Items, you need to make configuration changes to the Recovery Service Vault and Log Analytics Workspace in Microsoft Azure. For more information, see Forwarding Backup and Recovery Events.

6. Click Default Settings to configure services. For more information, see the Configure Azure Services for Monitoring section.

7. Click Test Permissions.

8. Click Next: Billing.

9. On the Billing page, enter Subscription ID, Offer ID, and the Start Day of Billing Cycle.


For billing information details, navigate to your Azure account > Subscriptions > select the required subscription name. On the left panel, click Overview.

10. Click Add Billing.

11. Click View Azure Resources.

You should be able to view resources and dashboards from your Azure application.

Forwarding Backup and Recovery Events

LogicMonitor gathers data from Log Analytics workspaces in your Azure account. To support monitoring of Backup Protected Items or Recovery Protected Items services, you must forward diagnostic events from your Azure Recovery Service vault to a Log Analytics workspace. To do so:

  1. Determine the target Log Analytics workspace
  2. Forward backup events to Log Analytics
  3. Forward site recovery events to Log Analytics

Determine the Target Log Analytics Workspace

In Azure, the Log Analytics workspace retains the forwarded diagnostic event data and makes it available for LogicMonitor to query. 

Note: You must determine the Log Analytics workspace to which backup and site recovery events will be forwarded.

Log Analytics Workspace Architecture

Log Analytics workspace architecture is customer-dependent. If you already have a Log Analytics workspace implementation, you can leverage an existing architecture. If you don’t, you can create a Log Analytics workspace to retain all events. LogicMonitor does not require a specific architecture, however:

  • There must be at least one Log Analytics workspace in your Azure account.
  • The vault must forward its backup and site recovery events to at least one Log Analytics workspace (new or existing).

For more information, see Design a Log Analytics workspace architecture.

Forward Backup Events to Log Analytics

Use an Azure policy to forward backup events. This ensures that diagnostic settings are applied consistently across all recovery service vaults, without having to configure event forwarding for each. Microsoft offers a built-in Azure policy for forwarding backup events to Log Analytics. For more information, see Configure Vault Diagnostics settings at scale.

Forward Site Recovery Events to Log Analytics

To forward site recovery events to Log Analytics:

  1. Add a Site Recovery policy to the Azure account.
  2. Assign the Site Recovery policy.

Add a Site Recovery Policy to the Azure Account

  1. Sign in to the Azure portal and navigate to the Policy dashboard.
  2. Select Definitions.
  3. Click [+ Policy Definition].
  4. Enter the following:
    • Definition location— Click the Launch Scope Selector (three dots) next to this field and select a subscription.
    • Name—  Use the value Deploy Diagnostic Settings for Recovery Services Vault to Log Analytics workspace for AzureSiteRecovery categories.
    • Category— Select Use Existing and then select Backup from the drop-down list.
    • Policy Rule— Copy and paste the contents of AzureSiteRecoveryPolicy.json:
{
  "mode": "Indexed",
  "policyRule": {
    "if": {
      "allof": [
        {
          "field": "type",
          "equals": "Microsoft.RecoveryServices/vaults"
        },
        {
          "not": {
            "field": "[concat('tags[',parameters('tagName'), ']')]",
            "equals": "[parameters('tagValue')]"
          }
        }
      ]
    },
    "then": {
      "effect": "deployIfNotExists",
      "details": {
        "type": "Microsoft.Insights/diagnosticSettings",
        "existenceCondition": {
          "allof": [
            {
              "count": {
                "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
                "where": {
                  "allof": [
                    {
                      "field": "Microsoft.Insights/diagnosticSettings/logs[*].Category",
                      "in": [
                        "AzureSiteRecoveryJobs",
                        "AzureSiteRecoveryEvents",
                        "AzureSiteRecoveryReplicatedItems",
                        "AzureSiteRecoveryReplicationStats",
                        "AzureSiteRecoveryRecoveryPoints",
                        "AzureSiteRecoveryReplicationDataUploadRate",
                        "AzureSiteRecoveryProtectedDiskDataChurn"
                      ]
                    },
                    {
                      "field": "Microsoft.Insights/diagnosticSettings/logs[*].Enabled",
                      "equals": "True"
                    }
                  ]
                }
              },
              "Equals": 7
            },
            {
              "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
              "notEquals": ""
            },
            {
              "field": "Microsoft.Insights/diagnosticSettings/logAnalyticsDestinationType",
              "equals": "AzureDiagnostics"
            }
          ]
        },
        "roleDefinitionIds": [
          "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
          "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
        ],
        "deployment": {
          "properties": {
            "mode": "incremental",
            "template": {
              "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
              "contentVersion": "1.0.0.0",
              "parameters": {
                "vaultName": {
                  "type": "string"
                },
                "logAnalytics": {
                  "type": "string"
                },
                "profileName": {
                  "type": "string"
                }
              },
              "variables": {},
              "resources": [
                {
                  "type": "Microsoft.RecoveryServices/vaults/providers/diagnosticSettings",
                  "apiVersion": "2017-05-01-preview",
                  "name": "[concat(parameters('vaultName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                  "dependsOn": [],
                  "properties": {
                    "workspaceId": "[parameters('logAnalytics')]",
                    "logAnalyticsDestinationType": "AzureDiagnostics",
                    "metrics": [],
                    "logs": [
                      {
                        "category": "AzureSiteRecoveryJobs",
                        "enabled": "true"
                      },
                      {
                        "category": "AzureSiteRecoveryEvents",
                        "enabled": "true"
                      },
                      {
                        "category": "AzureSiteRecoveryReplicatedItems",
                        "enabled": "true"
                      },
                      {
                        "category": "AzureSiteRecoveryReplicationStats",
                        "enabled": "true"
                      },
                      {
                        "category": "AzureSiteRecoveryRecoveryPoints",
                        "enabled": "true"
                      },
                      {
                        "category": "AzureSiteRecoveryReplicationDataUploadRate",
                        "enabled": "true"
                      },
                      {
                        "category": "AzureSiteRecoveryProtectedDiskDataChurn",
                        "enabled": "true"
                      }
                    ]
                  }
                }
              ],
              "outputs": {
                "policy": {
                  "type": "string",
                  "value": "[concat(parameters('logAnalytics'), 'configured for AzureDiagnostics logs for ', ': ', parameters('vaultName'), '/', 'Microsoft.Insights/', parameters('profileName'))]"
                }
              }
            },
            "parameters": {
              "logAnalytics": {
                "value": "[parameters('logAnalytics')]"
              },
              "vaultName": {
                "value": "[field('name')]"
              },
              "profileName": {
                "value": "[parameters('profileName')]"
              }
            }
          }
        }
      }
    }
  },
  "parameters": {
    "profileName": {
      "type": "String",
      "metadata": {
        "displayName": "Profile name",
        "description": "The diagnostic settings profile name"
      },
      "defaultValue": "setbypolicy_logAnalyticsAzureSiteRecovery"
    },
    "logAnalytics": {
      "type": "String",
      "metadata": {
        "displayName": "Log Analytics workspace",
        "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
        "strongType": "omsWorkspace",
        "assignPermissions": true
      }
    },
    "tagName": {
      "type": "String",
      "metadata": {
        "displayName": "Exclusion Tag Name",
        "description": "Name of the tag to use for excluding vaults from this policy. This should be used along with the Exclusion Tag Value parameter."
      },
      "defaultValue": ""
    },
    "tagValue": {
      "type": "String",
      "metadata": {
        "displayName": "Exclusion Tag Value",
        "description": "Value of the tag to use for excluding vaults from this policy. This should be used along with the Exclusion Tag Name parameter."
      },
      "defaultValue": ""
    }
  }
}

Assign the Site Recovery Policy

  1. Sign in to the Azure portal and navigate to the Backup center dashboard.
  2. Go to Policy and compliance > Azure policies for backup for a list of all built-in policies across Azure resources.
  3. Locate and select the policy named Deploy Diagnostic Settings for Recovery Services Vault to Log Analytics workspace for AzureSiteRecovery categories. The policy definition page appears.
  4. Click Assign. The Assign policy page appears.
  5. Select the Basics tab.
  6. On the Scope field, click the Launch scope collector (three dots). The Scope panel appears. Select the subscription for the policy. Optionally, you can select a resource group so that the policy is applied only to vaults in a particular resource group.
  7. Select the Parameters tab.
  8. Deselect Only show parameters that need input or review and then enter the following information:
    • Profile Name— The name that will be assigned to the diagnostics settings created by the policy.
    • Log Analytics Workspace— The workspace to which the diagnostics setting will be associated. Diagnostics data of all vaults in the scope of the policy assignment will be pushed to the specified Log Analytics Workspace.
    • Exclusion Tag Name and Exclusion Tag Value (optional)— You can choose to exclude vaults containing a certain tag name and value from the policy assignment. Example: If you do not want a diagnostics setting to be added to those vaults that have a tag isTest set to the value yes, you must enter isTest in the Exclusion Tag Name field and yes in the Exclusion Tag Value field. If any (or both) of these two fields are left empty, the policy will be applied to all relevant vaults regardless of the tags they contain.
    • Create a remediation task— Once the policy is assigned to a scope, Log Analytics diagnostic settings are automatically configured for any new vaults created in that scope (within 30 minutes). To add a diagnostics setting to existing vaults in the scope, you can trigger a remediation task at policy assignment time. To trigger a remediation task, select the Create a Remediation task option.
  9. Select the Review+Create tab and click Create.
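
To confirm after assignment and remediation that a vault's diagnostic settings satisfy the policy's existenceCondition, the condition can be re-evaluated offline. The following is an added example, not part of the original article or of LogicMonitor's tooling; it assumes each diagnostic setting has been exported as a dictionary with the same property names the policy template uses (workspaceId, logAnalyticsDestinationType, logs), and the sample settings and workspace placeholder are constructed.

```python
# The seven log categories counted by the policy's existenceCondition.
REQUIRED_CATEGORIES = frozenset({
    "AzureSiteRecoveryJobs",
    "AzureSiteRecoveryEvents",
    "AzureSiteRecoveryReplicatedItems",
    "AzureSiteRecoveryReplicationStats",
    "AzureSiteRecoveryRecoveryPoints",
    "AzureSiteRecoveryReplicationDataUploadRate",
    "AzureSiteRecoveryProtectedDiskDataChurn",
})


def is_enabled(value):
    # The policy's template writes "true" as a string; exports may use a boolean.
    return value is True or str(value).lower() == "true"


def setting_problems(setting):
    """Return the reasons one diagnostic setting fails the existenceCondition."""
    enabled = {
        log.get("category")
        for log in setting.get("logs") or []
        if is_enabled(log.get("enabled"))
    }
    problems = []
    missing = sorted(REQUIRED_CATEGORIES - enabled)
    if missing:
        problems.append("not enabled: " + ", ".join(missing))
    if not setting.get("workspaceId"):
        problems.append("workspaceId is empty")
    if setting.get("logAnalyticsDestinationType") != "AzureDiagnostics":
        problems.append("logAnalyticsDestinationType is not AzureDiagnostics")
    return problems


def vault_is_compliant(settings):
    """A vault passes when at least one of its settings meets every condition."""
    return any(not setting_problems(s) for s in settings)


def make_setting(categories, workspace, destination):
    # Builds a constructed diagnostic setting for the samples below.
    return {
        "workspaceId": workspace,
        "logAnalyticsDestinationType": destination,
        "logs": [{"category": c, "enabled": True} for c in categories],
    }


# Constructed sample data: the workspace ID is a placeholder, not a real resource.
WORKSPACE = ("/subscriptions/<subscription-id>/resourceGroups/<resource-group>"
             "/providers/Microsoft.OperationalInsights/workspaces/<workspace-name>")
GOOD = make_setting(REQUIRED_CATEGORIES, WORKSPACE, "AzureDiagnostics")
PARTIAL = make_setting(REQUIRED_CATEGORIES - {"AzureSiteRecoveryEvents"},
                       WORKSPACE, "Dedicated")
```

A vault whose only setting looks like PARTIAL would be reported as non-compliant by the policy and picked up by a remediation task.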

Configure Azure Services for Monitoring

To configure Azure services for monitoring, complete the following steps:

1. In the Azure Services section of the dialog, click Default Settings.

2. On the Default Settings page, click Global Settings.

3. From the NetScan Frequency drop-down list, you can select the preferred frequency for scheduling NetScans.

4. Enable the Automatically delete terminated Azure resources option to automatically remove dead instances.
You can further select whether this should happen immediately or after a specified period during which no data is received for the instance.

5. Enable Automatically disable alerting for terminated Azure resources to disable alerting for terminated instances. This ensures you will not receive any alerts once instances are terminated if they are not scheduled to be automatically deleted.

Note: LogicMonitor intelligently and automatically stops Azure Monitor API data collection once instances are terminated. This option ensures you do not receive alerts for traditional Collector DataSources like Ping.

6. In the Monitored Regions section, you can select the regions that you want to monitor.

7. Click Tags. To monitor only certain Azure instances for a particular service, you can tag those instances from your Azure portal and apply a tag filter to that service in LogicMonitor.

Note: If you specify a tag filter, only Azure resources that meet the filter criteria will be added to your LogicMonitor account. The following criteria apply:

  • You can use glob expressions with the tag filter (e.g. tag value = prod*).
  • Resources will be discovered if they contain one or more tags specified with an include operation but not any of the exclude tags.
  • The tag filter is case sensitive.
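
Because a tag filter silently leaves non-matching resources unmonitored, it helps to preview the outcome against an inventory before applying it. The following is an added example that models the three criteria above; it is not LogicMonitor code, it assumes Python's fnmatch glob syntax is close enough to the glob expressions the filter accepts, and the resource names, tags and rules are constructed.

```python
from fnmatch import fnmatchcase


def rule_matches(tags, rule):
    """rule is (tag_name, value_glob); name and value are compared case-sensitively."""
    name, value_glob = rule
    return name in tags and fnmatchcase(tags[name], value_glob)


def classify(tags, include, exclude):
    """Return (discovered, reason) for one resource's tag dictionary."""
    # Exclude rules are checked first: any match keeps the resource out.
    for rule in exclude:
        if rule_matches(tags, rule):
            return False, "excluded by {}={}".format(*rule)
    # Otherwise at least one include rule has to match.
    for rule in include:
        if rule_matches(tags, rule):
            return True, "included by {}={}".format(*rule)
    return False, "no include rule matched"


def preview(resources, include, exclude):
    """Map each resource name to its (discovered, reason) classification."""
    return {name: classify(tags, include, exclude)
            for name, tags in resources.items()}


# Constructed inventory: resource name -> Azure tags.
RESOURCES = {
    "vm-web-01": {"env": "prod-eu"},
    "vm-web-02": {"env": "Prod-eu"},  # differs from vm-web-01 only in case
    "vm-batch-01": {"env": "prod-us", "lifecycle": "retired-2023"},
    "vm-dev-01": {"env": "dev"},
}
INCLUDE = [("env", "prod*")]
EXCLUDE = [("lifecycle", "retired*")]
```

In this sample, vm-web-02 is left out only because its tag value starts with an uppercase letter, which is the kind of coverage gap worth catching before the filter is saved.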

Adding Large Number of Subscriptions

For a large number of subscriptions, you may want to consider assigning permissions via PowerShell. For example, the following PowerShell script will add an AAD application for LogicMonitor and add the application as a reader to each subscription available to the user that runs the script.

# Authenticate to all Azure subscriptions that the user has access to
Login-AzureRmAccount

# Password for the service principal
# ($pwd is a PowerShell automatic variable holding the current location, so a different name is used)
$spPassword = "{service-principal-password}"

# Create a new Azure AD application
$azureAdApplication = New-AzureRmADApplication `
             -DisplayName "LogicMonitor" `
             -HomePage "https://lmtest.logicmonitor.com" `
             -IdentifierUris "https://lmtest.logicmonitor.com" `
             -Password $spPassword

# Create a new service principal associated with the designated application
New-AzureRmADServicePrincipal -ApplicationId $azureAdApplication.ApplicationId

# Assign Reader role to the newly created service principal for each subscription
Get-AzureRmSubscription | ForEach-Object {
  Set-AzureRmContext -SubscriptionId $_.SubscriptionId
  New-AzureRmRoleAssignment -RoleDefinitionName Reader `
            -ServicePrincipalName $azureAdApplication.ApplicationId.Guid
}
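
After a bulk assignment like the one above, it is worth checking that the LogicMonitor application ended up with Reader on each intended subscription and nothing else. The following is an added example, not part of the original article; it assumes the application's role assignments have been exported as a list of dictionaries with roleDefinitionName and scope fields, and the subscription IDs and management group name are constructed.

```python
import re

# Matches a scope that is exactly one subscription, nothing broader or narrower.
SUBSCRIPTION_SCOPE = re.compile(r"^/subscriptions/([0-9a-fA-F-]{36})$")


def audit_assignments(assignments, expected_subscriptions, required_role="Reader"):
    """Compare a principal's role assignments with a Reader-per-subscription layout.

    Returns (findings, missing): findings are (scope, role, reason) tuples to
    review, and missing lists expected subscription IDs with no assignment at
    subscription scope. Access inherited from a management group is not resolved.
    """
    findings = []
    covered = set()
    for item in assignments:
        role, scope = item["roleDefinitionName"], item["scope"]
        match = SUBSCRIPTION_SCOPE.match(scope)
        if match:
            covered.add(match.group(1).lower())
        else:
            findings.append((scope, role, "scope is not exactly one subscription"))
        if role != required_role:
            findings.append((scope, role, "role other than " + required_role))
    missing = sorted(
        sub.lower() for sub in expected_subscriptions if sub.lower() not in covered
    )
    return findings, missing


# Constructed sample export for the LogicMonitor application.
SUB_1 = "00000000-0000-0000-0000-000000000001"
SUB_2 = "00000000-0000-0000-0000-000000000002"
SUB_3 = "00000000-0000-0000-0000-000000000003"
SAMPLE_ASSIGNMENTS = [
    {"roleDefinitionName": "Reader", "scope": "/subscriptions/" + SUB_1},
    {"roleDefinitionName": "Contributor", "scope": "/subscriptions/" + SUB_2},
    {"roleDefinitionName": "Reader",
     "scope": "/providers/Microsoft.Management/managementGroups/example-mg"},
]
EXPECTED_SUBSCRIPTIONS = [SUB_1, SUB_2, SUB_3]
```

Subscriptions reported as missing are the ones that would not appear when you click Get Subscriptions, unless access is inherited from a broader scope.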