Category Archives: OMS


Exporting OMS Log Analytics Alerts and Importing into Another Workspace


One of the problems you may face when using Microsoft’s Operations Management Suite Log Analytics (I’m glad there is no acronym for all that) is replicating some of your configuration to another workspace. If you provide services to multiple customers, you will know exactly how challenging that can be. If you have a Dev or QA environment, you may also need to move your configuration across.

Currently, the OMS Log Analytics console won’t allow you to move your alerts and search queries. For the saved searches, I’ve written a couple of scripts for that purpose (see here). More recently, Microsoft made the Alert REST API documentation available here and with that, the alerts can also be exported and imported.

For that, I’ve written two scripts:

Export-Alerts.ps1 – it will cycle through your tenants, identify all saved searches that have both a schedule and an action (that is, an alert) assigned to them, and export them to a file.

Import-Alerts.ps1 – it will take the previously generated file and import those alerts into any workspace you select.

Let’s see how it works. First, exporting.

When you run the script, you must enter your credentials, then pick your tenant and your subscription. Once done, it will generate a file (alerts.xml by default).

To import, the steps are similar. Run Import-Alerts.ps1 and pick your tenant, then the subscription, then the target workspace and, lastly, the alerts.xml file.

Once done, you should see the alerts in your target workspace, as well as the saved searches!

Hope this helps!


Using MSOMS Alerts with Remediation Runbooks


Microsoft recently put the Operations Management Suite Alerts feature into public preview. The official announcement is here.

Alongside alerting itself, one of the greatest features is the ability to trigger Azure Automation runbooks to remediate an issue found by an alert.

First of all, make sure you enable the feature, since it is a preview.

Let’s create a simple alert that will certainly be triggered, so that we have some data. Suppose I want to be alerted when computers talk to more than 5 remote IPs. OK, I know it doesn’t make much sense, but I want a query that is sure to return data, and not too much of it.

For example:

Type=WireData Direction=Outbound | measure count() by RemoteIP

That returned some interesting numbers.

Now, let’s save this search for future use. After that, we can create an alert.

Notice you can pick the current search or a previously created search.

Next, you will need to pick a threshold and the time window for the query. The window can’t go back more than 60 minutes.

Notice also that OMS gives you a preview of the results. I love that!

Select the Subject and Recipient of the notification, should you need one.

The next step is to set up some remediation.

If you look at the new Azure portal, you will notice a webhook.

If you want your remediation to run on premises, on a Hybrid Worker, you will need to set it up here.

And there you have it. Once the alert is triggered, you will see the job log. Notice the Input: there is your data, in JSON format.

Now you can grab the data in the runbook using the standard webhook procedure, as described here.
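The following runbook is an added example (not the post’s own code) showing how the webhook payload shown above can be read inside Azure Automation. It assumes the JSON body carries WorkspaceId, AlertRuleName, SearchQuery and a SearchResult.value array with one row per query result; those property names are assumptions to check against your own job Input before relying on them, and the embedded payload is a constructed sample so the runbook can be run locally without a webhook.

```powershell
# Added example runbook, not the author's code. Property names in the payload
# (WorkspaceId, AlertRuleName, SearchQuery, SearchResult.value) are assumptions;
# verify them against the Input shown in your own job log.
param([object]$WebhookData)   # filled in by Azure Automation when started from a webhook

# Constructed sample payload (not captured from a real alert) for local runs.
$sample = @'
{ "WorkspaceId": "00000000-0000-0000-0000-000000000000",
  "AlertRuleName": "Outbound RemoteIP count",
  "SearchQuery": "Type=WireData Direction=Outbound | measure count() by RemoteIP",
  "SearchResult": { "value": [
      { "RemoteIP": "10.0.0.5", "AggregatedValue": 12 },
      { "RemoteIP": "10.0.0.9", "AggregatedValue": 3 } ] } }
'@

# A webhook delivers the JSON in RequestBody; fall back to the sample otherwise.
$raw   = if ($WebhookData) { $WebhookData.RequestBody } else { $sample }
$alert = $raw | ConvertFrom-Json

# Pull the result rows out of the nested object; @() keeps a single row as an array.
$rows = @($alert.SearchResult.value)
Write-Output "Alert '$($alert.AlertRuleName)' from workspace $($alert.WorkspaceId): $($rows.Count) row(s)"
Write-Output "Query: $($alert.SearchQuery)"

foreach ($row in $rows) {
    # Placeholder remediation: only log each row. Replace this with your own action
    # (a Hybrid Worker can run it on premises) and validate any field you pass to a command,
    # since the row values come from the search results, not from your script.
    $count = [int]$row.AggregatedValue
    if ($count -gt 5) {
        Write-Output "  $($row.RemoteIP): $count outbound records, over the threshold of 5"
    } else {
        Write-Output "  $($row.RemoteIP): $count outbound records"
    }
}
```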


Hope this helps!


Exporting Saved Searches from your OMS workspaces


I have been studying OMS for a while now and, although there is gradually more content about it, here’s another piece of code that can help with your daily OMS management.

If you don’t know what OMS is, go here.

If you do, you may know that you can save searches that you find interesting and even add them to your workspace for future or daily use.


The problem comes when you need to move your searches to another environment. You don’t want to create hundreds of queries manually in the portal.

Enter PowerShell. You can find the documentation on the initial setup here. With a great start from Richard Rundle of Microsoft, I have completed a script to export the saved searches.

Once you have Chocolatey and armclient configured, you can go ahead and use the script below.

Here’s a little walkthrough.

As soon as you run it, you will be prompted by the login screen. If you are like me, using a user that has access to multiple tenants, you’ll be prompted for the tenant, and then for the subscription.

The script will show you a list of the queries you may want to extract, and then extract the ones that match a certain criterion specified in the script. The criterion is the name of the Category, and as you can see, the queries following the list match that category only.

The script will also create a file named after the search category.

Keep that file handy, since we are going to use it in the next article, to import the searches into another environment.

You can find the script here.
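The category-filtered saved-search export described here and the alert export from the first post above (saved searches that carry both a schedule and an action) rest on the same REST calls, so one added example covers both. This script is not the author’s Export-Alerts.ps1 or saved-search script; it assumes you already hold an ARM bearer token (for example from armclient or the Az module) and that the legacy Log Analytics endpoints and api-version 2015-03-20 it uses match the Alert REST API documentation linked in the first post, so check them there before use.

```powershell
# Added example, not the author's scripts. Endpoint paths and api-version are
# assumptions taken from the legacy Log Analytics alert REST API; verify them.
param(
    [Parameter(Mandatory)][string]$SubscriptionId,
    [Parameter(Mandatory)][string]$ResourceGroup,
    [Parameter(Mandatory)][string]$Workspace,
    [Parameter(Mandatory)][string]$Token,      # ARM bearer token (armclient / Az)
    [string]$Category,                          # optional: only this search category
    [string]$OutFile = 'alerts.xml'
)
$api  = 'api-version=2015-03-20'
$base = "https://management.azure.com/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
        "/providers/Microsoft.OperationalInsights/workspaces/$Workspace/savedSearches"
$hdr  = @{ Authorization = "Bearer $Token" }

function Get-Arm([string]$Uri) {
    # Single place for every GET, so logging or retries can be added once.
    (Invoke-RestMethod -Method Get -Uri $Uri -Headers $hdr).value
}

$export = foreach ($search in Get-Arm "${base}?${api}") {
    if ($Category -and $search.properties.Category -ne $Category) { continue }
    $id = $search.id.Split('/')[-1]            # saved-search id is the last URI segment
    $schedules = Get-Arm "${base}/${id}/schedules?${api}"
    if (-not $schedules) {
        # No schedule: a plain saved search. Export its definition only.
        [pscustomobject]@{ SavedSearch = $search.properties; Schedule = $null; Actions = @() }
        continue
    }
    foreach ($schedule in $schedules) {
        $sid = $schedule.id.Split('/')[-1]
        $actions = Get-Arm "${base}/${id}/schedules/${sid}/actions?${api}"
        # Schedule plus at least one action is what the portal shows as an alert.
        [pscustomobject]@{
            SavedSearch = $search.properties   # Category, DisplayName, Query, Version
            Schedule    = $schedule.properties # Interval, QueryTimeSpan, Enabled
            Actions     = @($actions.properties)
        }
    }
}
# Export-Clixml keeps the nested objects intact, so an import script can Import-Clixml them
# and PUT each saved search, schedule and action into the target workspace.
$export | Export-Clixml -Path $OutFile
"Exported $(@($export).Count) item(s) to $OutFile"
```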


Keep on rocking in the cloud world!