Migrate to Azure Monitor Agent from Log Analytics agent

Azure Monitor Agent (AMA) replaces the Log Analytics agent (also known as Microsoft Monitor Agent (MMA) and OMS) for Windows and Linux machines, in Azure and non-Azure environments, including on-premises and third-party clouds. The agent introduces a simplified, flexible method of configuring data collection using Data Collection Rules (DCRs). This article provides guidance on how to implement a successful migration from the Log Analytics agent to Azure Monitor Agent.

If you're currently using the Log Analytics agent with Azure Monitor or other supported features and services, start planning your migration to Azure Monitor Agent by using the information in this article. If you are using the Log Analytics Agent for SCOM, you need to migrate to the SCOM Agent.

The Log Analytics agent will be retired on August 31, 2024. You can expect the following when you use the MMA or OMS agent after this date.

• Data upload: You can still upload data. At some point when major customers have finished migrating and data volumes significantly drop, upload will be suspended. You can expect this to take at least 6 to 9 months. You will not receive a breaking change notification of the suspension.
• Install or reinstall: You can still install and reinstall the legacy agents. You will not be able to get support for installing or reinstalling issues.
• Customer Support: You can expect support for MMA/OMS for security issues.

Benefits

In addition to consolidating and improving on the legacy Log Analytics agents, Azure Monitor Agent provides various immediate benefits, including cost savings, a simplified management experience, and enhanced security and performance.

Migration guidance

Before you begin migrating from the Log Analytics agent to Azure Monitor Agent, review the checklist.

Before you begin

Migration services and features

1. Use the DCR generator to convert your legacy agent configuration into data collection rules automatically.¹

   Review the generated rules before you create them and take advantage of advanced options, such as filtering, granular targeting (per machine), and other optimizations. There are special steps needed to migrate MMA custom logs to AMA custom logs

2. Test the new agent and data collection rules on a few nonproduction machines:

   1. Deploy the generated data collection rules and associate them with a few machines, as described in Installing and using DCR Config Generator.

      To avoid double ingestion, you can disable data collection from legacy agents during the testing phase without uninstalling the agents yet, by removing the workspace configurations for legacy agents.

   2. Ensure there are no gaps, compare the data ingested by legacy agent data to Azure Monitor Agent. You can do the comparison on any table by using the join operator to add the Category column from the Heartbeat table, which indicates Azure Monitor Agent for data collected by the Azure Monitor Agent.

      For example, this query adds the Category column from the Heartbeat table to data retrieved from the Event table:

      Heartbeat
      | distinct Computer, SourceComputerId, Category
      | join kind=inner (
          Event
      | extend d=parse_xml(EventData)
          | extend sourceHealthServiceId = tostring(d.DataItem.["@sourceHealthServiceId"])
          | project-reorder TimeGenerated, Computer, EventID, sourceHealthServiceId, ParameterXml, EventData
          ) on $left.SourceComputerId==$right.sourceHealthServiceId
      | project TimeGenerated, Computer, Category, EventID, sourceHealthServiceId, ParameterXml, EventData
      

3. Use built-in policies to deploy extensions and DCR associations at scale. Using policy also ensures automatic deployment of extensions and DCR associations for new machines.³

   Use the AMA Migration Helper to monitor the at-scale migration across your machines.

4. Validate that Azure Monitor Agent is collecting data as expected and all downstream dependencies, such as dashboards, alerts, and workbooks, function properly:

   1. Look at the Overview and Usage tabs of Log Analytics Workspace Insights for spikes or dips in ingestion rates following the migration. Check both the overall workspace ingestion and the table-level ingestion rates.
   2. Check your workbooks, dashboards, and alerts for variances from typical behavior following the migration.

5. Clean up: After you confirm that Azure Monitor Agent is collecting data properly, disable or uninstall the legacy Log Analytics agents.

   • Once Azure Monitor Agent is installed for all your requirements, uninstall the Log Analytics agent from monitored resources. Clean up any configuration files, workspace keys, or certificates that were used previously by the Log Analytics agent. Continue using the legacy Log Analytics for features and solutions that Azure Monitor Agent doesn't support.

     Use the MMA removal tool to discovery and remove the Log Analytics agent extension from all machines within your tenant.

   • Don't uninstall the legacy agent if you need to use it to upload data to System Center Operations Manager.

¹ The DCR generator only converts the configurations for Windows event logs, Linux syslog and performance counters. Support for more features and solutions will be available soon.
² You might need to deploy extensions required for specific solutions in addition to the Azure Monitor Agent extension.

Migrate additional services and features

Azure Monitor Agent is GA for data collection. Most services that used Log Analytics agent for data collection have migrated to Azure Monitor Agent.

The following features and services now have an Azure Monitor Agent version (some are still in Public Preview). This means you can already choose to use Azure Monitor Agent to collect data when you enable the feature or service.

When you migrate the following services, which currently use Log Analytics agent, to their respective replacements (v2), you no longer need either of the monitoring agents:

Known parity gaps for solutions that may impact your migration

• Sentinel: Windows firewall logs are not yet GA

• SQL Assessment Solution: This is now part of SQL best practice assessment. The deployment policies require one Log Analytics Workspace per subscription, which is not the best practice recommended by the AMA team.

• Microsoft Defender for cloud: Some features for the new agentless solution are in development. Your migration maybe impacted if you use File Integraty Monitoring (FIM), Endpoint protection discovery recommendations, OS Misconfigurations (Azure Security Benchmark (ASB) recommendations) and Adaptive Application controls.

• Container Insights: The Windows version is in public preview.

Frequently asked questions

This section provides answers to common questions.

Can Azure Monitor Agent and the Log Analytics agent coexist side by side?

Yes. If you're migrating to Azure Monitor Agent, you might consider installing Azure Monitor Agent together with a legacy agent for a transition period, but you must be mindful of certain considerations. Read more about agent coexistence considerations in the Azure Monitor Agent migration guidance.

Next steps

For more information, see:

• Azure Monitor Agent overview
• Azure Monitor Agent migration for Microsoft Sentinel
• Frequently asked questions for Azure Monitor Agent