Azure Monitor-Log Analytics

Welcome to the "Azure Log Analytics ":https://azure.microsoft.com/en-us/services/log-analytics/ Feedback page. We appreciate your feedback and look forward to hearing from you. Use this site for new ideas and bug reports or to request help.
NOTE – Log Analytics is now a part of Operations Management Suite. Learn more at http://microsoft.com/OMS

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Purging non-reporting servers (Configuration Assessment Legacy screens)

    I use to find it annoying that, after I removed a server from "Advisor Managed" in SCOM, I then had to go to Advisor and delete it there too. It seems that one of the recent updates changed how that all works, but not necessarily for the better. Some Advisor Managed server were deleted from SCOM without any effort to proactively remove them from Advisor. I just received a "Microsoft System Center Advisor: Summary Update" email identifying them as non-reporting servers. Unfortunately, I don't see a way in the current iteration of Advisor to remove them from Advisor's configuration/inventory. Am…

    21 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
  2. Allow for more control over alert flow back into SCOM

    It would be nice to have more options in regards to:
    1: Which alert levels should flow back into SCOM
    2: The severity and priority of created alerts in SCOM

    Currently the only options is to either get bombed with alerts when enabling advisor on agents or override your way out of it by basically killing the alert flow completely back into SCOM due to the noise it makes.

    The advices are nice to have, but we dont want them to clutter up the system that should be easy to spot real live errors in.

    14 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)

    Today, the alerts for Configuration assessment are generated in the cloud, and those rules (hence the severity) is decided by the content owner – each supported ‘workload’ has a team of experts within Microsoft CSS who create and maintain those rules. Alerts are just pulled down to OpsMgr afterwards, by a single rule, which maintains the original severity. Changing the architecture of the Sync mechanism would be a quite large piece of work and not something we plan to do.

    Anyhow, we documented the detail steps on “how to stop the receiving of Advisor Alerts in Operations Manager”: http://blogs.technet.com/b/momteam/archive/2014/07/24/how-to-stop-the-receiving-of-advisor-alerts-in-operations-manager.aspx

  3. Configuration Assessment Alerts and Recommendation are too many and can't assess business impact and priorities

    Heard from a customer who asked me to post on his behalf: “A real-time streaming laundry list of things I need to do is too much for me. Just tell me the 10 most important things for me to address, how they impact my environment and my company, and how to resolve them. From there, I can manage those recommendations on a weekly or monthly basis and get them done.”

    12 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)

    We have just enabled a ‘SQL Assessment’ Intelligence Pack – around ‘adherence to best practices’ for SQL configuration/risk assessment.

    This is the first of a set of ‘vertical’ assessment IPs for specific technologies/workloads (i.e. SQL, AD, etc) – as opposed to the uber ‘Configuration Assessment’ that was already in the old Advisor.

    The new IPs will feature a ‘relative’ weight for each recommendation – i.e. will tell you how much benefit/improvement you get for my infrastructure if I make a specific change or install a specific patch.

    Read more here
    http://blogs.technet.com/b/momteam/archive/2014/10/23/new-sql-server-assessment-intelligence-pack-in-advisor.aspx

    This has proven to be a successful approach and format for enterprise customers who have been using Microsoft Premier support – programs such as RAP (risk assessment program) tailored around specific technologies have been very successful.

  4. Configuration Assessment Alerts 'Ignore' or 'Snooze' functionality

    I have made several ignore rules, but the errors keeps coming back in advisory. And i i try ro ignore again i just says that i cant, becurse the error is already on the ignore list.
    But why is it triggering a alert then !

    10 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)

    Suppress functionality has been added to log alerts (in Azure alerts); to allow notifications to be with-held while alert execution/logging continues to occur.
    Additionally, enhancements to Azure alerts brings the ability to close or acknowledge an alert, as well. For more info, see: https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-overview-unified-alerts#enhanced-unified-alerts-public-preview

  5. A working process to provide Feedback on recommendations and rules, with a quicker solution.

    I would like to see a much better, way to provide feedback on the recommendations and rules that advisor is providing.
    Sometimes the rules are totally incorrect and even though it has been reported, no change or feedback has been provided for months.

    I would like to see a similar system like this Feedback system, that could be used for providing and receiving feedback on issues in the final product.
    As it is now, I've almost stopped providing feedback as "no one cares or does anything about it anyway"... i just put those rules on ignore.

    8 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)

    If you submit SPECIFIC examples/rules that don’t work/give false positives, we can fix the bugs, one by one. So, we are listening here.
    We have also recently update our publishing process so we can ship rule updates faster. Typically a content update goes out every couple of weeks or at least monthly. So if you report a specific false positive in a rule and we identify the root cause, are typically able within that time frame.

    ‘Recommendations’ is a new feature in Preview. Unlike the previous rules (which were manually authored and maintained by CSS), ‘Recommendations’ are automatically produced thru Machine Learning algorithms by matching your configuration against KB articles. Here the ‘likes’ will actually help train the system, hopefully faster than in the past. But consider this is still early technology, so the accuracy rate at this stage isn’t stellar, but it’s gradually improving.

  6. Alert inappropriately recommends KB2905412 on non-clustered server

    I see the note at the top that this feedback channel doesn't replace other support channels for advisor, but I don't know what the other channelse are. If you can direct me to a better place to provide this kind of feedback, I'd be glad to do so.

    I have a bunch of alerts in SCA that recommend I install KB2905412 to prevent a possible Stop error 0xd1 on a windows server based failover cluster with multiple processors.

    The alert description starts with "System center advisor detects that multiple processors exist in this windows server-based failover cluster."

    The trouble is,…

    6 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
  7. This alert posted for my 2012 server today but was not applicable to my server upon install

    [Error] Missing Operating System Update KB2905412 may cause Stop error 0xD1 in a Windows Server-based computer that has multiple processors

    System Center Advisor detects that multiple processors exist in this Windows Server-based computer. This may cause computers to crash with stop error 0xD1. Apply hotfix 2905412 to stop computers going crash. See the following Knowledge Base article for more information.

    Click here to view Solution / Knowledge Base Article http://go.microsoft.com/fwlink/?linkid=392632
    --------------------------------------------------------------------------------
    Status: Active
    Server: fs-loc-01.ad.patton-tech.com
    Path: /Microsoft Windows Server 2012 Standard
    Application: Windows
    Created On: 10/2/2014 4:48:00 PM*
    Last Occurred: 10/2/2014 4:48:00 PM*
    Last Modified By: *
    Number of detections:…

    6 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)

    The hotfix 2905412 can be installed on a clean Windows Server 2012 RTM. However, if there are other hotfixes that superseded this one, then the patch cannot be installed – as you say – but our alert still got generated because those checks used the “Get-Hotfix” cmdlet which will still report the patch as missing…

    The resolution was to compare the file versions the hotfixes updated rather than using “Get-Hotfix” cmdlet.

    We have identified and fixed several rules that experienced similar issues and the November context update has been deployed today.

  8. SQL updates

    The Configuration Assessment has alerted me to a number of SQL server issues, most of them are resolved by SQL CU updates. I would like a way of telling what SQL versions I have deployed and what is available indicating I need to update the servers. At the moment i cannot see an easy, clear method to show what I have and the fact it is out of date.

    4 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)

    There is a ‘System Update Assessment’ Intelligence Packs for the updates that are offered thru Microsoft Update / WSUS.
    Once the intelligence pack is enabled and data is collected, a query like the following gives you SQL server updates and the servers they need to be applied to:

    Type=RequiredUpdate Product=“Microsoft SQL Server 2012” | select UpdateTitle,KBID,UpdateClassification,UpdateSeverity,PublishDate,Server

    Check the other sample searches here to slice and dice that data differently http://blogs.msdn.com/b/dmuscett/archive/2014/10/19/advisor-searches-collection.aspx

    Some of the other patches suggested in ‘Alerts’ and ‘Recommendations’ are not mandatory critical or security updates, just recommended ones from our support teams and/or generated by scanning KB articles thru machine learning algorithms.

    We have also introduced a new ‘SQL Assessment’ Intelligence Pack specifically, which presents the information in a much more actionable AND prioritized way – check it out if you haven’t done so already! http://blogs.technet.com/b/momteam/archive/2014/10/23/new-sql-server-assessment-intelligence-pack-in-advisor.aspx

    We think this new format of ‘Configuration Assessment’…

  9. Provide reporting for Alerts view

    In our environment where my division handles systems and storage and other IT divisions handle applications like SharePoint and SQL Server, it would be extraordinarily helpful to be able to run a report of all the alerts that are generated so we can send them on to application administrators and/or management. It would also be beneficial to have a way to schedule the report and have it emailed.

    3 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)

    Try the search queries here http://blogs.msdn.com/b/dmuscett/archive/2014/10/19/advisor-searches-collection.aspx in the ‘Configuration Assessment (Legacy)’ section. There are a few around Alerts and here’s a new one for what you just asked

    Type=ConfigurationAlert Workload:“SQL Server”

    You can save it as a ‘Saved Seach’ http://blogs.technet.com/b/momteam/archive/2014/07/25/system-center-advisor-limited-preview-saved-searches-cloud-attach-status-and-usage-and-more.aspx , use it in your dashboard http://blogs.technet.com/b/momteam/archive/2014/10/16/custom-dashboard-in-advisor.aspx
    and Export to Excel http://blogs.technet.com/b/momteam/archive/2014/08/29/check-it-out-export-advisor-search-results-to-excel.aspx

    Check these other ideas for Scheduling and emailing http://feedback.azure.com/forums/267889-azure-operational-insights/suggestions/6519198-run-saved-search-on-a-schedule-raise-alert-and-or

    We are also working on a new format of Assessment which doesn’t produce “Alerts” in their current shape, but a much more effective (we think) presentation – please check out the announcement of the first pack targeting SQL Server http://blogs.technet.com/b/momteam/archive/2014/10/23/new-sql-server-assessment-intelligence-pack-in-advisor.aspx

    There is one idea tracking ‘Active Directory’ one, next in line http://feedback.azure.com/forums/267889-azure-operational-insights/suggestions/6519282-please-provide-an-active-directory-intelligence-pa

    I am closing this idea with all the info and pointers above – but let us know if you disagree.

  10. Class showing Exchange 2010 instead of Exchange 2013

    In the Alerts section I see an alert with class 'Exchange 2010' while I'm using Exchange 2013 servers.

    2 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
  11. Configuration Assessment Alerts - Severity for Hotfixes

    When I ran the Configuration Assessment intelligence pack I was presented with a sizable number of 'Error' alerts. Upon further investigation I found that all of these error level alerts were due to missing hotfixes. I was under the impression that hotfixes should only be applied if the issue(s) resolved by the hotfix were actually occurring. None of the systems reporting the error alerts were exhibiting symptoms related to the hotfixes referenced. Should these not be considered, at most, 'Warning' alerts instead? Thank you.

    Example Hotfixes Referenced: KB2814923, KB2905412, KB976674, 2379016

    2 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
  12. Wrong Message - Unsupported SQL Server version used by VMM

    Team,

    I've this message on Advisor but it's wrong because VMM is on SQL 2012 SP1 (supported):

    The Microsoft SQL Server instance that this VMM server is using is not running an up-to-date or supported version of SQL Server.
    Upgrade to a supported SQL Server version and service pack level. See the TechNet article for more information.

    S

    2 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
  13. Low Privelege Access for Monitoring Various Workloads

    I'm not sure this is really an "issue" but didn't find a category that seemed to fit.

    Looking at this article

    http://onlinehelp.microsoft.com/en-us/advisor/jj737671.aspx

    It talks about adding a runas account to the RTCUniversalUserAdmins group which has the ability to manage all lync users in the Forest. In some organizations it may not be feasible to add an account as an "admin" like this. Is there no way to perform your Lync workload monitoring in a low-priv environment?

    Also, the article does not talk about distributing the runas account out to the servers in any fashion. I imagine this may also be…

    2 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)

    For the new ‘vertical’ workload assessment Intelligence Packs (see mention here http://feedback.azure.com/forums/267889-azure-operations-insights/suggestions/6519186-sql-server-intelligence-pack and here http://feedback.azure.com/forums/267889-azure-operations-insights/suggestions/6519201-configuration-assessment-alerts-and-recommendation ) we will have RunAs accounts.

    We just shipped the first one of these http://blogs.technet.com/b/momteam/archive/2014/10/23/new-sql-server-assessment-intelligence-pack-in-advisor.aspx
    The RunAs account is documented here http://technet.microsoft.com/en-us/library/dn818161.aspx

    The minimum privileges will still depend on the workload itself, anyhow (i.e. what privilege level you need to actually read the information to be assessed). Each of these new assessments will also produce records in search (there is a saved search for that already!) that will tell you whether any pre-requisite or permission was an issue when running the assessment.

  14. Alert: Advisor connector failed to send analysis data to management server

    Alert: Advisor connector failed to send analysis data to management server
    Source: HYPERV-002.domain.com
    Path: HYPERV-002.domain.com
    Last modified by: System
    Last modified time: 7/15/2014 3:50:00 AM Alert description: Event Description: Failed to upload CAB to management server.
    Reason: System.UnauthorizedAccessException: Access to the path 'C:\Program Files\Microsoft Monitoring Agent\Agent\Advisor\AgentData\AdvisorMonitorV2\Mailbox\Outbox\20140715-024410552.cab' is denied.
    at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
    at System.IO.File.InternalDelete(String path, Boolean checkHost)
    at Microsoft.SystemCenter.Advisor.Internal.ProbeAction.CabProbeAction.UploadOneCab()

    Alert view link: "?DisplayMode=Pivot&AlertID=%7b3694165c-0d3f-48bd-8584-20aeb416b816%7d"
    Notification subscription ID generating this message: {A69EF3CF-CAFC-F65C-E9E7-32CE2B159D1C}

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)

    Out developers told me that a similar error was occasionally happening in cluster environment due to a race condition. This was fixed in 2012R2 UR1 – are those systems patched? What version are you running? Is this a cluster?

    Otherwise, I would investigate if the RunAs accounts under which the various monitoringhost.exe and healthservice in OpsMgr run actually have permissions to that folder, since the error is an access denied while trying to delete a CAB file.

    In any case, if this is not happening all the times and for many different CAB files, tho, I would consider this to be a transient issue – those CABs with new discovered data are sent periodically and more recent discovert data will eventually be sent again for the same machines… and they might actually having been already sent anyway, since the error is about deleting the temporary file AFTER download, anyway.

    Please…

  15. Assessment Scan Schedule Time

    I prefer choose when execute the Assessment scan because yesterday I installed new patches on my servers but in Advisor the state is not already updated.

    On SCOM could be good have a global settings and also machine setting (like heartbeat).

    S

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)

    For the new ‘vertical’ workload assessment Intelligence Packs (see idea here http://feedback.azure.com/forums/267889-azure-operations-insights/suggestions/6519186-sql-server-intelligence-pack and here http://feedback.azure.com/forums/267889-azure-operations-insights/suggestions/6519201-configuration-assessment-alerts-and-recommendation ) and the SQL Assessment that was just released http://blogs.technet.com/b/momteam/archive/2014/10/23/new-sql-server-assessment-intelligence-pack-in-advisor.aspx we have overridable scan frequency that you can control in OpsMgr with an override, now.

    Anyhow, the default setting is only ONCE A WEEK – i.e. most people just need a a WEEKLY or MONTHLY scan: every week you review how much improvement you got since the previous week, and what is next in the to-do list, in order or importance (=how much actual improvement do I get if I do this?) so you can justify the effort required to fix things to upper management, in the terms they speak (‘if we do this we get a 25% improvement in our security posture’; if we change this setting it gets us a .25% extra availability, stuff like that).

    As you can see from these examples,…

  16. I wish the site would allow me to copy text from the silverlight screen.

    I wish the site would allow me to copy text from the silverlight screen.

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
  17. KB2817216 for Windows Server 2012 is shown for Windows Server 2012 R2

    Recommendation for KB2817216 seems to trigger false positive. See attached screenshot.

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
  18. False Positive : Hotfix 2889748 prevents Windows Management Instrument usage from memory leaks on your Windows Server

    Getting this Alert flagging up on machines running Microsoft Windows Server 2012 Standard, but the linked KB article only applies to Windows 7 SP1, Windows Server 2008 R2 SP1, or Windows Server 2008 SP2. Guessing that it's incorrectly picking them up for Windows Server 2012 Standard (and probably Datacenter too).

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
  19. Alert Rule SQL Build , SQL 2012 CU4 , incorectly alerting

    The Alert rule says that SQL 2012 CU4 is not installed but server is running SQL 2012 SP1 , so either the alert rule is not detecting SP1 or the description needs to be updated to SQL 2012 SP1 CU4

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)

    The content owner has identified the bug and the fix is in the November content update that has been deployed today.

    BTW, those ‘configuration assessment’ Alerts screens are the old Advisor – have you looked at the SQL Assessment IP – http://blogs.technet.com/b/momteam/archive/2014/10/23/new-sql-server-assessment-intelligence-pack-in-advisor.aspx ?
    CSS is hard at work with us to reconcile their knowledge so that we can surface that type of proactive content in the new style of presentation.

  20. Exchange Alert rule shows Exchange 2010 not supported on Windows 2012

    Side Note : do you want the Configuration Assessment errors or will they "just" be fixed before GA

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
← Previous 1
  • Don't see your idea?

Feedback and Knowledge Base