Azure Security center agents and if they are required

  • Question

  • Hi,

    I'm trying to understand what is covered with each of the agents MMA and log analytics agent. Also if any agent is required at all.

    The documentation online is very misleading. Some documents refer to the MMA as the log analytics agent and vice versa and the direct agent?

    Can someone answer these questions please

    If Security Center is set to Free and the data collection is OFF

    1. Are there any agents installed automatically on my VMs?

    2. Do I need to install the MMA agent as an extension on each VM for Security Center to display the threats?

    3. What is the direct agent and where does it come from, what product/service installs it?

    Friday, October 18, 2019 4:45 PM

All replies

  • The Azure Log Analytics agent, previously referred to as the Microsoft Monitoring Agent (MMA) or OMS Linux agent, was developed for comprehensive management across on-premises machines, computers monitored by System Center Operations Manager, and virtual machines in any cloud. The Windows and Linux agents attach to an Azure Monitor and store collected log data from different sources in your Log Analytics workspace, as well as any unique logs or metrics as defined in a monitoring solution.

    Ref: https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection

    Azure Security Center automatically provisions the Log Analytics agent and connects it with the default Log Analytics workspace of the Azure subscription.

    Regardless of whether Data Collection is ON or OFF, automatic installation of the MMA agent depends on a feature called "Auto Provisioning".

    This enables the automatic installation of the Microsoft Monitoring Agent on all the VMs in your subscription. If enabled, any new or existing VM without an installed Microsoft Monitoring agent (MMA) extension, will have it provisioned.

    Automatic provisioning is off by default. To set Security Center to install automatic provisioning by default, set it to On.

    Ref: https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection

    Azure Monitor logs provides monitoring capabilities across cloud and on-premises assets. 

    Ref: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/log-analytics-agent#install-and-configure-agent

    When to use agent as extension: 

    The extension installs the Log Analytics agent on Azure virtual machines, and enrolls virtual machines into an existing Log Analytics workspace. 

    Ref: https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/oms-windows

    When to use agent as installer:

    In order to monitor and manage virtual machines or physical computers in your local datacenter or other cloud environment with Azure Monitor, you need to deploy the Log Analytics agent (also referred to as the Microsoft Monitoring Agent (MMA)) and configure it to report to one or more Log Analytics workspaces. 

    Ref: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agent-windows

    Hope this helps.

    • Proposed as answer by Ben.Paul Saturday, October 19, 2019 8:00 AM
    • Unproposed as answer by Ben.Paul Friday, April 3, 2020 10:41 AM
    • Proposed as answer by Ben.Paul Friday, April 3, 2020 10:41 AM
    Saturday, October 19, 2019 8:00 AM
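
An added example, not part of the original reply and not Microsoft's code: one way to see which VMs already carry the Log Analytics (MMA/OMS) extension and which ones auto provisioning would still have to cover. The inventory layout and VM names are constructed assumptions; the publisher and extension type names are those of the Log Analytics VM extension.

```python
import json

# Publisher and extension types of the Log Analytics (MMA/OMS) VM extension.
LA_PUBLISHER = "Microsoft.EnterpriseCloud.Monitoring"
LA_TYPES = {"MicrosoftMonitoringAgent", "OmsAgentForLinux"}

# Constructed sample inventory (hypothetical VM names and record layout).
SAMPLE_INVENTORY = json.loads("""
[
  {"vm": "web-01", "extensions": [
     {"publisher": "Microsoft.EnterpriseCloud.Monitoring",
      "type": "MicrosoftMonitoringAgent", "provisioningState": "Succeeded"}]},
  {"vm": "db-01", "extensions": [
     {"publisher": "Microsoft.EnterpriseCloud.Monitoring",
      "type": "OmsAgentForLinux", "provisioningState": "Failed"}]},
  {"vm": "app-01", "extensions": [
     {"publisher": "Microsoft.Azure.Extensions",
      "type": "CustomScript", "provisioningState": "Succeeded"}]},
  {"vm": "jump-01", "extensions": []}
]
""")


def agent_status(vm_record):
    """Return 'installed', 'unhealthy' or 'missing' for one VM record."""
    states = [
        ext.get("provisioningState", "")
        for ext in vm_record.get("extensions", [])
        if ext.get("publisher", "").lower() == LA_PUBLISHER.lower()
        and ext.get("type") in LA_TYPES
    ]
    if not states:
        return "missing"
    # An extension that exists but never provisioned is not reporting data.
    return "installed" if "Succeeded" in states else "unhealthy"


def coverage_report(inventory):
    """Group VM names by agent status."""
    report = {"installed": [], "unhealthy": [], "missing": []}
    for record in inventory:
        report[agent_status(record)].append(record["vm"])
    return report


if __name__ == "__main__":
    for status, vms in coverage_report(SAMPLE_INVENTORY).items():
        print(f"{status:10} {', '.join(vms) or '-'}")
```

VMs listed as missing are the ones that have no MMA extension yet; unhealthy ones have the extension but its provisioning did not succeed, so they are not reporting to the workspace either.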
  • Please remember to mark one of the responses as answer if your question has been answered. If not, please let us know if there are any more questions. Thanks

    Friday, October 25, 2019 10:51 PM