The Microsoft Monitoring Agent (MMA), also known as the Log Analytics Agent, was retired in August 2024. Organizations still running MMA on their virtual machines are operating on an unsupported agent, which means no further security updates, bug fixes, or feature additions.
This post covers the key differences between MMA and the Azure Monitor Agent (AMA), and provides a step-by-step approach to completing the migration.
1. Why the Change Was Made
The legacy MMA was designed before the current Azure Monitor architecture existed. It had several limitations that AMA addresses:
- MMA required workspace credentials stored on the VM — AMA uses Managed Identity, eliminating credential management
- MMA used a single, workspace-centric configuration — AMA uses Data Collection Rules (DCRs), which separate configuration from deployment and allow the same rule to apply to many machines
- MMA could not filter data before ingestion — AMA supports KQL transformations at the DCR level, reducing ingestion costs by filtering unnecessary rows before they reach the workspace
- MMA had limited Linux support — AMA has full feature parity across Windows and Linux
2. Prerequisites
Before migrating, confirm the following:
- All target VMs have a System-assigned or User-assigned Managed Identity enabled. Navigate to VM > Identity and confirm the status is On
- The destination Log Analytics workspace is identified
- Any solutions currently deployed through MMA (such as Update Management, Change Tracking, or Security Center) have been reviewed. Some solutions have separate migration paths
3. Creating a Data Collection Rule
Data Collection Rules define what data AMA collects and where it sends it. A single DCR can be assigned to multiple VMs.
- Navigate to Azure Monitor > Data Collection Rules > + Create
- Select the Platform type (Windows, Linux, or Both)
- Under Data sources, select Add data source
- Choose the data type — for example, Windows Event Logs or Linux Syslog
- Configure the specific event channels or facility/severity levels required
- Under Destinations, add the target Log Analytics workspace
- Select Review + create
Following is a recommended set of data sources for a standard Windows server DCR:
| Data Source | Configuration |
|---|---|
| Windows Event Logs | System: Critical, Error, Warning / Security: Audit Failure |
| Performance Counters | CPU, Memory, Disk — 60 second sample rate |
| Syslog (Linux) | daemon, kern, syslog — Warning and above |
4. Assigning the DCR to Virtual Machines
- Open the newly created DCR
- Navigate to Resources > + Add
- Select the VMs to assign the rule to
- Select Apply
AMA is automatically installed on the VM during DCR assignment if it is not already present. Verify the installation by navigating to VM > Extensions + applications and confirming the AzureMonitorWindowsAgent or AzureMonitorLinuxAgent extension is present and in a Succeeded state.
5. Validating Data Flow and Removing MMA
Before removing MMA, validate that data is flowing correctly through AMA.
Navigate to Log Analytics workspace > Logs and run:
Heartbeat
| where TimeGenerated > ago(1h)
| where Category == "Direct Agent"
| summarize count() by Computer
Confirm that all migrated VMs appear in the results. Once validated, remove the MMA extension from each VM via VM > Extensions + applications, select MicrosoftMonitoringAgent, and select Uninstall.
Summary
The MMA to AMA migration is a prerequisite for maintaining supported, secure monitoring across Azure virtual machines. The transition to Data Collection Rules introduces a more flexible and cost-efficient configuration model. Completing the migration removes a known technical debt item and unlocks access to AMA-only features such as ingestion-time transformations and multi-homing to multiple workspaces.
No comments:
Post a Comment