LM Cloud offers custom event integrations that enable you to see AWS, GCP, and Azure-specific events in LogicMonitor and correlate events (such as EC2 instance state change notifications, CloudTrail logs, or Azure Activity logs) with performance data.

The setup and details of these integrations largely vary for GCP, and Azure, so refer to the following sections for additional information.

Visualizing Azure Activity Logs in LogicMonitor

You can use an Azure function to send Azure Activity Logs. You may find this useful for correlating monitoring trends and events that occurred in your Azure account.

Setup Instructions

The event integration is based on an Azure Function. Specifically, you’ll need to add the Function and set up an Azure Activity Log alert rule that triggers the Function based on desired activity log events. The Function, when triggered, will use LogicMonitor’s REST API to add the events as Ops Notes for the specific devices to which they relate. Once the Ops Notes have been created for monitored resources that have associated events, you’ll see them on all device and dashboard graphs for those resources. You can further filter the events that show up using the Ops Notes panel.

Assuming you already have monitored Azure resources in LogicMonitor, you’ll need to perform the following steps to setup the integration:

1. Create a set of API tokens in your LogicMonitor account that the integration will use.  For more information, see API Tokens.

2. Add a new Azure Function App.

3. Add the following script to the HTTP Trigger PowerShell Functions:

# POST method: $req
$requestBody = Get-Content $req -Raw | ConvertFrom-Json

$caller = $requestBody.data.context.activityLog.caller
$source = $requestBody.data.context.activityLog.eventSource
$time = $requestBody.data.context.activityLog.eventTimestamp
$operation = $requestBody.data.context.activityLog.operationName
$resourceId = $requestBody.data.context.activityLog.resourceId 
$resourceGroup = $requestBody.data.context.activityLog.resourceGroupName

Write-Output $resourceId | Out-String

<# account info #>
$accessId = 'API_ID'
$accessKey = 'API_KEY'
$company = 'LM_ACCOUNT'

$encoded = [uri]::EscapeDataString($resourceId)

<# Get Devices request details #>
$httpVerb = 'GET'
$resourcePath = '/device/devices'
$queryParams = '?filter=systemProperties.name:system.azure.resourceid,systemProperties.value:' + $encoded

Write-Output $queryParams | Out-String

<# Construct URL #>
$url = 'https://' + $company + '.logicmonitor.com/santaba/rest' + $resourcePath + $queryParams

<# Get current time in milliseconds #>
$epoch = [Math]::Round((New-TimeSpan -start (Get-Date -Date "1/1/1970") -end (Get-Date).ToUniversalTime()).TotalMilliseconds)

<# Concatenate Request Details #>
$requestVars = $httpVerb + $epoch + $resourcePath

<# Construct Signature #>
$hmac = New-Object System.Security.Cryptography.HMACSHA256
$hmac.Key = [Text.Encoding]::UTF8.GetBytes($accessKey)
$signatureBytes = $hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($requestVars))
$signatureHex = [System.BitConverter]::ToString($signatureBytes) -replace '-'
$signature = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($signatureHex.ToLower()))

<# Construct Headers #>
$auth = 'LMv1 ' + $accessId + ':' + $signature + ':' + $epoch
$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
$headers.Add("Authorization",$auth)
$headers.Add("Content-Type",'application/json')

<# Make Request #>
$response = Invoke-RestMethod -Uri $url -Method $httpVerb -Header $headers 

<# Print status and body of response #>
$status = $response.status
$body = $response.data

Write-Output "Status:$status"

$deviceId = $body.items.id

Write-Output $deviceId | Out-String

If ($deviceId -ne $Null) {

#####################################

<# Add Ops Note request details #>
$httpVerb = 'POST'
$resourcePath = '/setting/opsnotes'
$data = '{"note":"caller:' + $caller + ', source:' + $source + ', operation:' + $operation + '","tags":[{"name":"Azure Activity Log"}],"scopes":[{"type":"device","deviceId":"' + $deviceId + '"}]}'

<# Construct URL #>
$url = 'https://' + $company + '.logicmonitor.com/santaba/rest' + $resourcePath

<# Get current time in milliseconds #>
$epoch = [Math]::Round((New-TimeSpan -start (Get-Date -Date "1/1/1970") -end (Get-Date).ToUniversalTime()).TotalMilliseconds)

<# Concatenate Request Details #>
$requestVars = $httpVerb + $epoch + $data + $resourcePath

<# Construct Signature #>
$hmac = New-Object System.Security.Cryptography.HMACSHA256
$hmac.Key = [Text.Encoding]::UTF8.GetBytes($accessKey)
$signatureBytes = $hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($requestVars))
$signatureHex = [System.BitConverter]::ToString($signatureBytes) -replace '-'
$signature = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($signatureHex.ToLower()))

<# Construct Headers #>
$auth = 'LMv1 ' + $accessId + ':' + $signature + ':' + $epoch
$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
$headers.Add("Authorization",$auth)
$headers.Add("Content-Type",'application/json')

<# Make Request #>
$response = Invoke-RestMethod -Uri $url -Method $httpVerb -Body $data -Header $headers 

<# Print status and body of response #>
$status = $response.status
$body = $response.data | ConvertTo-Json -Depth 5

Write-Output "Status:$status"
Write-Output "Response:$body"
}

4. Get the function URL (upper right of function text) – you’ll need to add this to your Azure Activity Log alert rule.

5. Within the Monitor service, select the Alerts section and configure an activity log alert that matches the events you want to see in LogicMonitor. You must add a new Action of type Webhook, and add the Function URL as the description.

Once the steps are complete, all Azure Activity Logs that match your rule configured in step 5 should be added as LogicMonitor Ops Notes for the specific monitored resources to which they relate to which they relate.

LogicMonitor automatically adds Dashboards and Reports when you add an AWS, Microsoft Azure, or GCP account into monitoring. This provides you with instant visibility into your cloud environments and includes both overview and service-specific views. These automatically generated Dashboards and Reports provide a starting point based on best practices, but you can customize them for your specific environment.

The information displayed in the Dashboards and Reports will depend on the services you select for monitoring. For example, If you have not provided S3 bucket information in which your billing data is stored, the Billing widgets will not be displayed on an AWS Overview dashboard.

Currently, auto-generated Dashboards and Reports are only added for new AWS, Microsoft Azure, and GCP accounts added into LogicMonitor.

A Dashboard group and a Report group are automatically generated and added for AWS, Microsoft Azure, or GCP accounts into LogicMonitor. Automatically generated Dashboards and Reports are placed in auto-generated Dashboard and Report groups, respectively. Dashboard and Report groups are named based on the name you assigned the AWS, Microsoft Azure, or GCP account in LogicMonitor. 
For example, when you add a new AWS account named ‘Prod AWS’, a Dashboard group named ‘Prod AWS Dashboards’ and a Report group named ‘Prod AWS Reports’ is generated.

The following Dashboards and Reports are currently auto-generated for AWS, Microsoft Azure, and GCP accounts:

Cloud environment overview
An overview dashboard is added for all new cloud accounts. The dashboard includes an overview of your cloud environment. Also, the dashboard displays the service-specific NOC status, any alerts, any reported cloud availability disruptions, and billing data (if you have selected billing for monitoring). You can use this dashboard to share with execs or as a starting point to narrow down and localize where an issue is coming from during troubleshooting.

Service-specific dashboards for EC2 and EBS
Each service-specific dashboard includes a NOC of the resources, the cost related to the service, any service limit utilization that can be displayed, relevant service alerts, critical metrics for the service, and any issues with the cloud provider availability.

Service Utilization across services
Reports are auto-generated for new cloud accounts you add into LogicMonitor and can display information that is better suited to report format. The report format makes it easy to share information across teams, or you can review reports every week.

If you’re an existing customer, you may already be monitoring AWS or Microsoft Azure resources with LogicMonitor. The steps to take advantage of LogicMonitor Cloud Monitoring features largely depend on how you are monitoring AWS, Azure, or GCP resources now. Identify the scenario that matches your own, and follow the steps corresponding to that scenario:

1. Currently monitoring both Collector and CloudWatch metrics–I am monitoring AWS EC2 instances and Azure VMs as traditional LogicMonitor resources, and I’ve already added my AWS, Azure, or GCP account into LogicMonitor.
2. Currently monitoring only Collector metrics–I am monitoring AWS EC2 instances and Azure VMs  as traditional LogicMonitor resources, but I have not added my AWS, Azure, or GCP account into LogicMonitor.
3. Currently monitoring only CloudWatch metrics–I’ve added my AWS, Azure, and GCP account into LogicMonitor, but I’ve not added EC2 instances and VMs as traditional LogicMonitor resources to get local Collector metrics.

Currently Monitoring Both Collector and CloudWatch Metrics

If you already have cloud VMs added as traditional LogicMonitor resources and already have your cloud account into LogicMonitor, you can do the following to consolidate monitoring for your VMs and take advantage of cloud monitoring features:

1. Enable monitoring via local Collector in your existing AWS, Azure, or GCP account–Lets you see Collector metrics in the same view in which you already see CloudWatch and Azure Monitor API metrics.
   
   This will result in duplicate monitoring of the Collector data (once for the traditional version of the device and now once for the cloud version of the device). The best option is to monitor the cloud VM in duplicate like this for as long as you want to retain historical data for, and then remove the non-cloud version of the device.
   
   During your free trial period of LogicMonitor Cloud Monitoring, this duplicate monitoring will not cost you, and at the end of it, you can choose to:
   • Delete the traditional version of resource (would lose history older than 6 months) – provides you with a unified view. Deleting these resource will impact any dashboard, report, or alerting configurations associated with the resource. 
   • Turn off local Collector monitoring for AWS EC2 instances, Azure VMs, or GCP compute engines and keep the traditional version of resource. In this case, you continue to maintain separate views.
2. Import new LogicModules–Gets additional monitoring for resources, cloud provider availability, and billing.
3. (Optional) Set up Cloud Logs – Enables you to get event data as logs and troubleshoot faster with anomaly detection and log or metric correlation. For more information, see these instructions for Setting up AWS Logs Ingestion, Setting up Azure Logs Ingestion, Setting up GCP Logs Ingestion.

Currently Monitoring Only Collector Metrics

If you have not added an AWS or Azure account into LogicMonitor, you can do the following to get more visibility into your cloud VMs:

1. Add your AWS, Azure, or GCP account into LogicMonitor – Enables you to get account level metrics (such as service limits, cloud provider availability) and monitor Collector data. You can also choose to see CloudWatch and Azure Monitor data in the same view, while taking advantage of LogicMonitor’s automated discovery. If CloudWatch or Azure Monitor data is not desired, the EC2 or Azure Virtual Machines datasources can be disabled.  
   
   Enabling monitoring via local Collector will result in duplicate monitoring of the Collector data (once for the traditional version of the device and now once for the cloud version of the device). The best option is to monitor the cloud VM in duplicate like this for as long as you want to retain historical data for, and then remove the non-cloud version of the device.
   
   During your free trial period of LogicMonitor Cloud Monitoring, this duplicate monitoring will not cost you, and at the end of it, you can choose to:
   • Delete the traditional version of resource (would lose history older than 6 months) – provides you with a unified view. Deleting these resource will impact any dashboard, report, or alerting configurations associated with the resource. 
   • Turn off local Collector monitoring for AWS EC2 instances, Azure VMs, or GCP compute engines and keep the traditional versions of resources. In this case, you continue to maintain separate views
   • Turn off local Collector monitoring for AWS EC2 instances and Azure VMs, but continue to monitor other AWS and Azure services and account level data.
2. Import new LogicModules – Gets additional monitoring for resources, cloud provider availability, and billing.
3. (Optional) Set up Cloud Logs – Enables you to get event data as logs and troubleshoot faster with anomaly detection and log or metric correlation. For more information, see these instructions for Setting up AWS Logs Ingestion, Setting up Azure Logs Ingestion, Setting up GCP Logs Ingestion.

Currently Monitoring Only CloudWatch Metrics

If you already have an AWS, Azure, or GCP account monitored in LogicMonitor, you can do the following to take advantage of the LogicMonitor Collector and get more visibility into your cloud VMs:

1. Enable monitoring via local Collector in your existing AWS, Azure, and GCP account – Lets you see Collector metrics in the same view in which you already see CloudWatch and Azure Monitor API metrics.
2. Import new LogicModules – Gets additional monitoring for resources, cloud provider availability, and billing.
3. (Optional) Set up Cloud Logs – Enables you to get event data as logs and troubleshoot faster with anomaly detection and log or metric correlation. For more information, see these instructions for Setting up AWS Logs Ingestion, Setting up Azure Logs Ingestion, Setting up GCP Logs Ingestion.

LM Cloud provides seamless setup and API-based monitoring of AWS, GCP, and Microsoft Azure environments. It also supports business-critical SaaS applications, such as Office 365, Salesforce, Zoom, or any supported by Atlassian Statuspage.io. It includes a fast, three-step setup wizard that automatically discovers, applies, and scales monitoring for your entire Cloud ecosystem. LM Cloud offers executive-level dashboards and deep-dive technical insights into AWS, GCP, and Microsoft Azure together with other infrastructure on one unified platform.

Cloud Monitoring Strategy

The Cloud monitoring strategy includes the following components critical to measuring the overall health and performance of your Cloud infrastructure.

Cloud Data Collection

LogicMonitor collects data using the following methods:

• Application program interface (API) offered by the Cloud provider
• LogicMonitor Collector

A LogicMonitor Collector is not required for LM Cloud, but it provides more comprehensive monitoring for your Cloud resources. It offers OS-level, application, and custom metrics for AWS EC2 instances and Azure VMs, which are not available through their monitor APIs. For example, a collector installed within AWS monitors Apache running on any EC2 instance and traditional OS-level metrics such as disk usage and memory usage (not reported with AWS CloudWatch). The collector also offers Cloud provider availability checks. For more information, see About the LogicMonitor Collector.

Cloud Monitoring Setup Wizard

Cloud monitoring begins with a setup wizard that automatically discovers your Cloud account and adds it to your LogicMonitor resources. The wizard collects permissions, services, and billing information about your Cloud account. Once the information you provide is submitted and verified, your Cloud environment is added to the LogicMonitor Resources page. There are setup wizards for:

• Adding AWS Cloud Monitoring
• Adding Azure Cloud Monitoring
• Adding GCP Monitoring

Cloud Resources

Cloud resources automatically discovered by the setup wizard are displayed on the Resources page. DataSources that are pre-configured to perform API calls and queries are automatically applied to discovered resources. If you have a collector deployed within your Cloud environment, traditional collector DataSources based on SNMP or WMI, are also automatically applied to discovered resources. Cloud resources are displayed in the Resources Tree as follows:

Resource	Description
Cloud Account Group	Top-level group that contains all monitored Cloud resources and services. This group uses the name provided in the setup wizard.
Cloud Service Group	Service-level group that includes all resources for a specific Cloud service. Each service may include: * Resource or resource group * DataSource or DataSource group * Instance or instance group
Cloud Account Resource	Account-level resource that displays Cloud account information that is not tied to a specific service. This resource is named based on the name provided in the setup wizard and includes information about: * Account-level health * Service limit utilization * Provider service disruptions or outages

Billing Monitoring

You can monitor billing information about your Cloud accounts. For more information:

• AWS Billing Monitoring
• Azure Billing Monitoring
• GCP Billing Monitoring

Dashboards and Reports

LogicMonitor automatically creates dashboards and reports when you add an AWS, Microsoft Azure, or GCP account into monitoring. This provides you with instant visibility into your cloud environments and includes both overview and service-specific views. These dashboards and reports provide a starting point based on best practices, but you can customize them for your specific environment. For more information, see Dashboard Overview.

The following dashboards and reports are auto-generated for AWS, Microsoft Azure, and GCP accounts:

• Cloud environment overview
• Service-specific dashboards for AWS EC2 and EBS
• Service utilization

Cloud Resource Tagging and Filtering

Tags are key-value pairs (metadata) that you set in your Cloud provider console (AWS, Azure, GCP). You can use tags to help identify and organize your Cloud resources.

Tags

Once resources are discovered and added to LogicMonitor, any tags associated with those resources are added as resource properties. You can access tags in LogicMonitor by navigating to the Cloud resource and selecting Manage > Services > Default Settings > Tags.

Tag Filters

Using tag filters, you can determine which Cloud resources are auto-discovered by LogicMonitor. You can perform Include or Exclude operations on the Tag Key and Tag Value that you enter. Glob expressions are also supported for tag filtering. For more information, see Using Glob Expressions.

Tag Formatting

Tags are added and displayed as device properties in the following format:
system.<cloud-provider-name>.tag.NAME=VALUE

NAME and VALUE refer to the name and value of the tag, respectively. Tag filters are case sensitive. For example, the following table displays how LogicMonitor property names correspond to an AWS tag name:

Tag Referencing

You can reference tags throughout your LogicMonitor account. For example, to create a dynamic group of AWS resources that have a specific tag, you could use the following AppliesTo (custom query):

system.aws.tag.NAME=~“VALUE”

Monitored Locations

Locations, also referred to as regions or zones depending on the Cloud provider, are the geographical locations of data centers or hubs where Cloud resources reside. These are displayed on the Locations tab on your Resources page. LM Cloud includes the following locations.

AWS Locations

For more information, refer to the AWS documentation for Regions and Zones.

Azure Locations

For more information, refer to the Azure documentation for Azure geographies.

GCP Locations

For more information, refer to the GCP documentation for Regions and zones.