Azure Monitor-Log Analytics

Welcome to the Azure Log Analytics (https://azure.microsoft.com/en-us/services/log-analytics/) Feedback page. We appreciate your feedback and look forward to hearing from you. Use this site for new ideas and bug reports or to request help.
NOTE – Log Analytics is now a part of Operations Management Suite. Learn more at http://microsoft.com/OMS

  1. Support for Windows Client Operating Systems

    Currently, when I tried to onboard Windows Client computers (Windows 8.1 and Windows 10 Preview) via SCOM, I get this alert:
    "Event Description: The OS version for the selected computer does not support Advisor Attached Service. Advisor requires Windows Server 2008 or higher."
    I think having Windows client computers in OpInsights via existing SCOM management group would have a reasonable market demand (banks, retailers, etc.). OpInsights would be a good solution for archiving various logs on business critical desktops.
    I am not sure what is the reason not to support Windows client OS at the moment, but is this something…

    16 votes
  2. SQL Server Intelligence Pack

    SQL Server is one of the most valuable and popular workloads in the world so I'm desperately asking you to build SQL Server Intelligent Pack. Now SQL Server monitoring is only available as SCOM MP, but it has poor data analysis and reporting capabilities. I assume that SC Advisor must be great platform to fill this gap. Another issue of SQL MP is complex configuration (e.g. when you have many DBs or Clustered SQL and, of course, security configuration...). Intelligent pack will be able to solve all these problems! Regarding the most critical monitoring scenarios I'm thinking about space monitoring…

    16 votes

    We have just enabled a ‘SQL Assessment’ Intelligence Pack – around ‘adherence to best practices’ for SQL configuration/risk assessment.

    This is the first of a set of ‘vertical’ assessment IPs for specific technologies/workloads (i.e. SQL, AD, etc) – as opposed to the uber ‘Configuration Assessment’ that was already in the old Advisor.

    Read more here
    http://blogs.technet.com/b/momteam/archive/2014/10/23/new-sql-server-assessment-intelligence-pack-in-advisor.aspx

    This has proven to be a successful approach and format for enterprise customers who have been using Microsoft Premier support – programs such as RAP (risk assessment program) tailored around specific technologies have been very successful.

    Not currently focused on real-time ‘monitoring’ scenarios by workload at the moment; that will come as we get more ‘real time’ with the service. In that regard, we believe the right approach is ‘Log Management’ – where you can configure your own log collection. As we add Performance Counter collection too
    http://feedback.azure.com/forums/267889-azure-operations-insights/suggestions/6519061-collect-custom-windows-performance-counters , coupled with dashboards http://blogs.technet.com/b/momteam/archive/2014/10/16/custom-dashboard-in-advisor.aspx

  3. Columns in Search

    Would be nice if you could select the columns you want to see in the search result window as well as being able to resize the column width and select number of rows to see.

    15 votes
    3 comments  ·  Search UI and Language
  4. Allow for more control over alert flow back into SCOM

    It would be nice to have more options in regards to:
    1: Which alert levels should flow back into SCOM
    2: The severity and priority of created alerts in SCOM

    Currently the only option is to either get bombed with alerts when enabling advisor on agents or override your way out of it by basically killing the alert flow completely back into SCOM due to the noise it makes.

    The advices are nice to have, but we don't want them to clutter up the system that should be easy to spot real live errors in.

    14 votes

    Today, the alerts for Configuration assessment are generated in the cloud, and those rules (hence the severity) are decided by the content owner – each supported ‘workload’ has a team of experts within Microsoft CSS who create and maintain those rules. Alerts are just pulled down to OpsMgr afterwards, by a single rule, which maintains the original severity. Changing the architecture of the Sync mechanism would be a quite large piece of work and not something we plan to do.

    Anyhow, we documented the detailed steps on “how to stop the receiving of Advisor Alerts in Operations Manager”: http://blogs.technet.com/b/momteam/archive/2014/07/24/how-to-stop-the-receiving-of-advisor-alerts-in-operations-manager.aspx

  5. Make a small selection list of the selectable eventlogs in the Log Management intelligence pack

    Maybe it's a good idea to create a dropdown list of Event logs which are present on all Windows servers like SYSTEM, APPLICATION,...

    13 votes
    0 comments  ·  Log Management and Log Collection Policy

    This went live today, and it’s the first actual feature that the community requested!

    We have added a simple log selection to help out with typing the most common Windows Event logs. Type 3 – THREE – characters… and a list of matching log names will appear.
    The list is not ‘discovered’ – it’s just a list of ‘known’ logs in Windows, but should be helpful in preventing typos and spelling mistakes.

  6. Allow multi-select for 'Scope' in Capacity dashboards

    It should be possible to select multiple VMM's Host Groups in the 'Scope' drop down menu, not just one at a time or 'all'.

    13 votes
    0 comments  ·  Capacity Management Solution
  7. Support for Windows 2003 and 2008 servers (32-bit agent)

    Hi

    We still have some 32-bit servers (Windows Server 2003, but mostly Windows Server 2008). Currently there is only an agent for 64-bit servers. We would like to monitor our 32-bit servers as well and would like to have an agent for these.

    Thanks
    Toon

    12 votes

    We do have the 32bit SCOM agent http://technet.microsoft.com/en-us/library/dn281931.aspx

    For Direct Agent, this is now available for download http://blogs.technet.com/b/momteam/archive/2015/06/24/oms-agent-now-supports-w2k8-sp1-os-and-32bit-systems.aspx

    This is for 2008SP1, anyhow, not 2003 – 2003 goes completely out of support in July – http://www.microsoft.com/en-us/server-cloud/products/windows-server-2003/

    Also, some of the solutions might still need to be tweaked (to work on downlevel OS with direct agent) or have higher pre-requisites (.net framework, etc).

  8. Active Directory Assessment not accurate

    We have Active Directory assessments coming in as recommended that do not seem accurate. Specifically we have one regarding our domain which indicates that we have only one global catalog server available - whereas in fact all of our DC's are GC's.

    Thu, 09 Jul 2015 14:57:05 GMT | ADAssessmentRecommendation

    Recommendation: Create additional global catalog servers.

    Description: Your Active Directory forest contains only one global catalog server (GC). If this server goes offline, domain controllers (DCs) will be unable to resolve objects in other domains within your Active Directory forest. Authentication requests may fail and applications such as…

    12 votes
    7 comments  ·  Active Directory Assessment Solution
  9. Ability to switch Display Time from Local Time to UTC and back

    User needs to be able to select the preferable format for him to display time in the OMS Portal. (Ability to select LOCAL TIME or UTC)

    Examples where Time appears in the portal are: 1) Time selector widget 2) Time in search results, etc

    12 votes
    0 comments  ·  Search UI and Language

    Hi,

    With the recent upgrade of Log Analytics, the advanced portal was also introduced.
    This portal provides a rich query editing environment, and includes this feature as well.
    Take a look at the demo environment here: https://portal.loganalytics.io/demo#/discover/query/results/table

    In the basic log search page this feature is not available, but you can still add a “localtime” column with the calculated value, for example:
    Event
    | where TimeGenerated > now(-1d)
    | extend PST = TimeGenerated-8h

    Hope this helps.
    Regards,
    Noa

  10. Scope Collection of events to certain servers

    Maybe it's a good idea to be able to scope the collection of events to certain servers in your Advisor rather than the "nothing or all" approach.

    12 votes

    It’s technically already possible (and fairly straightforward if you have some simple MP authoring skills) to cook up your own MP’s collecting logs and target them to custom objects/targets/computers/groups, and even include more granular Collection criteria (i.e. only certain EventIDs, or certain sources, etc….). But this would be living completely on-premises, and won’t be ‘seen’ or reflected in the configuration UI in the Cloud.

    I have written a how-to here http://blogs.technet.com/b/momteam/archive/2014/08/27/anatomy-of-an-event-collection-rule-for-advisor-preview-advanced-targeting.aspx that explains how the Event collection policy works, and it contains a management pack which features an Authoring template to create this type of rules.
    By choosing your own scoping/targeting in SCOM, you wouldn’t see the errors on the ‘wrong’ machines.

    Offering advanced scoping/targeting options in the cloud would be fairly costly at this stage. We might re-prioritize at a later stage.

  11. Export Search Results to Excel or CSV for custom reporting and analysis of data

    Allowing Excel export with the ability to perform most of the filtering and some pre-processing on Advisor side, and continue in Excel.

    12 votes
    0 comments  ·  Search UI and Language

    We have enabled CSV export as a first iteration.
    It’s live now: look for the EXPORT button at the bottom left of the search results page! Read the blog here http://blogs.technet.com/b/momteam/archive/2014/08/29/check-it-out-export-advisor-search-results-to-excel.aspx , use it, and let us know what you think!

    For the (more involved) scope with regards to a ‘true’ PowerBI integration, please look at/vote this new idea http://feedback.azure.com/forums/267889-azure-operations-insights/suggestions/6519374-integrate-with-powerbi-allow-to-query-and-refres

  12. Integrate Search into OpsMgr Dashboards

    Allow contextual search of logs driven by OpsMgr objects and display results in OpsMgr dashboards

    12 votes
    0 comments  ·  Search UI and Language

    At TechED North America this year in our session on System Center Advisor we briefly showed a proof of concept on how to contextually drive System Center Advisor search using Operations Manager dashboards. We now have this integration ready for you all to use.

    The sample dashboards and scripts used to highlight this integration are linked below:

    Sample Advisor dashboard with event search : http://gallery.technet.microsoft.com/PSWB-Dashboards-to-84cc6cef

    Sample simple performance search : http://gallery.technet.microsoft.com/PSWB-Script-to-run-a-d76ef411

    Sample complex performance search : http://gallery.technet.microsoft.com/PSWB-Script-to-run-complex-718255da

    Read more on the momteam blog http://blogs.technet.com/b/momteam/archive/2014/08/14/integrate-system-center-advisor-into-operations-manager-dashboards.aspx

  13. Configuration Assessment Alerts and Recommendation are too many and can't assess business impact and priorities

    Heard from a customer who asked me to post on his behalf: “A real-time streaming laundry list of things I need to do is too much for me. Just tell me the 10 most important things for me to address, how they impact my environment and my company, and how to resolve them. From there, I can manage those recommendations on a weekly or monthly basis and get them done.”

    12 votes

    We have just enabled a ‘SQL Assessment’ Intelligence Pack – around ‘adherence to best practices’ for SQL configuration/risk assessment.

    This is the first of a set of ‘vertical’ assessment IPs for specific technologies/workloads (i.e. SQL, AD, etc) – as opposed to the uber ‘Configuration Assessment’ that was already in the old Advisor.

    The new IPs will feature a ‘relative’ weight for each recommendation – i.e. will tell you how much benefit/improvement you get for my infrastructure if I make a specific change or install a specific patch.

    Read more here
    http://blogs.technet.com/b/momteam/archive/2014/10/23/new-sql-server-assessment-intelligence-pack-in-advisor.aspx

    This has proven to be a successful approach and format for enterprise customers who have been using Microsoft Premier support – programs such as RAP (risk assessment program) tailored around specific technologies have been very successful.

  14. Change Tracking: should track changes made to Registry Keys

    Configuration Changes should track changes made to Registry Keys. If a registry key is added, changed, or deleted this change should be tracked. If you could filter this down like you do for alerts. As an example let's say I only care about changes made to HKLM and not HKCU, I could only enable Registry change tracking only for HKLM and not HKCU.

    11 votes
    0 comments  ·  Change Tracking Solution
  15. False positive on "no real time protection" on W10 with Defender default config

    To try out OMS for the first time I enrolled a clean W10 machine with default Defender config (real time enabled).
    OMS reports as "no real time protection".

    11 votes
    4 comments  ·  Malware Assessment Solution
  16. Add a configurable monitor to alert when pricing tier limits are near saturation.

    If the pricing models that come in are based on an amount of data uploaded per day, then having a monitor that can alert the customer that they are nearing their daily upload limits.

    This monitor should be configurable so the customer can choose at which point they get notified.

    11 votes
  17. tile down

    Would like to tile down instead of across for widgets. 6x4 or 8x4 seems like it would work.

    11 votes
    1 comment  ·  My Dashboard
  18. Deep link URL to search results

    Allow sharing of links that go direct to searches. Deep linking doesn't seem to work and always lands me on the home Overview page, but it would be REALLY nice to be able to click on a URL in a OneNote clipping and let it take you to a live view.

    11 votes
    1 comment  ·  Search UI and Language

    Hi,

    With the recent upgrade of Log Analytics, the advanced portal was introduced – and it actually supports this feature.
    This is a demo environment you can use: https://portal.loganalytics.io/demo#/discover/query/results/table
    Once you have a valid query, click the “Export” menu and then “share a link to query”.

    Here is an example link to a query, generated this way:
    https://portal.loganalytics.io/Demo?q=H4sIAAAAAAAAA3MtS80r4eWqUSjPSC1KVQjOLy1KTlWwtVVQciwoyMlMTizJzM9TcC0qyi9S4gIA4iUf2S0AAAA%3D&timespan=P1D

    Regards,
    Noa

  19. Delete Logs and custom log

    Hey,
    How can I delete the logs, saved searches and custom logs?

    11 votes
  20. Please provide publicly available documentation for Solution Packs on collection methods, what data is collected, and all checks performed

    It would be ideal to know what a solution pack is actually doing, how it is doing it and even how often it is doing it so customers can assess enabling it in their environment. This ideally could be a standard practice for any new solution pack created by Microsoft or Partners.

    10 votes