This article describes how to configure communication with Azure Automation and Azure Monitor through the Log Analytics gateway when the computers that are directly connected to a Log Analytics workspace, or monitored by Operations Manager, have no internet access.
The Log Analytics gateway is an HTTP forward proxy that supports HTTP tunneling using the HTTP CONNECT command. It relays traffic from machines that cannot reach the internet directly to Azure Automation and to a Log Analytics workspace in Azure Monitor. The gateway is for log agent connectivity only; it does not support Azure Automation features such as runbooks, DSC, and others.
The Log Analytics Gateway supports:
- Reporting to the same Log Analytics workspaces that are configured on each agent behind it, and on Azure Automation Hybrid Runbook Workers.
- Windows computers on which the Azure Monitor agent or the legacy Log Analytics agent for Windows is directly connected to a Log Analytics workspace in Azure Monitor. The same agent must be running on the origin server and on the gateway server: you cannot stream events from a server running the Azure Monitor agent through a gateway server that runs the Log Analytics agent.
- Linux computers on which the Azure Monitor agent or the legacy Log Analytics agent for Linux is directly connected to a Log Analytics workspace in Azure Monitor.
- System Center Operations Manager 2012 SP1 with UR7, Operations Manager 2012 R2 with UR3, or a management group in Operations Manager 2016 or later that is integrated with Log Analytics.
Some IT security policies do not allow computers on the network to connect to the internet. These disconnected computers may be point-of-sale (POS) devices or servers that support IT services, for example. To connect such devices to Azure Automation or to a Log Analytics workspace so that you can manage and monitor them, configure them to communicate with the Log Analytics gateway instead of the internet. The gateway receives configuration information and forwards data on their behalf: machines whose Log Analytics agent would otherwise connect directly to a workspace talk to the gateway instead.
The Log Analytics gateway passes data from agents straight to the service. It does not analyze any of the data in transit, and it does not store data if it loses its connection to the service. If the gateway cannot reach the service, the agent keeps running and queues the collected data on the hard drive of the monitored computer. When the connection is restored, the agent sends the cached data to Azure Monitor.
When an Operations Manager management group is integrated with Log Analytics, the management servers can be configured, depending on the solution enabled, to connect to the gateway to receive configuration information and send aggregated data. Operations Manager agents send some data to the management server, for example Operations Manager alerts, configuration assessment data, instance space data, and capacity data. Other high-volume data, such as Internet Information Services (IIS) logs, performance data, and security events, is sent directly to the Log Analytics gateway.
If one or more Operations Manager gateway servers are deployed to monitor untrusted systems in a perimeter network or an isolated network, those servers cannot communicate with a Log Analytics gateway. Operations Manager gateway servers can report only to a management server. When an Operations Manager management group is configured to communicate with the Log Analytics gateway, the proxy configuration is automatically propagated to every agent-managed machine that is configured to collect log data for Azure Monitor, even if the setting is empty.
To provide high availability for directly connected groups or operations management groups that communicate with a Log Analytics workspace through the gateway, use Network Load Balancing (NLB) to redirect and distribute traffic across multiple gateway servers. In this way, if a gateway server fails, traffic is redirected to another available node.
The computer running the Log Analytics gateway requires the agent to identify the service endpoints that the gateway needs to communicate with. The agent must also instruct the gateway to report to the same workspaces that the agents or the Operations Manager management group behind the gateway are configured with. This configuration allows the gateway and agent to communicate with their assigned workspace.
A gateway can be set up with the Azure Monitor agent and multihomed to up to ten Data Collection Rules (DCRs). If you use the legacy Log Analytics agent, you can multihome only up to four workspaces, because that is the total number of workspaces the legacy Windows agent supports.
Each agent must have network connectivity to the gateway so that agents can automatically transfer data to and from it. Avoid installing the gateway on a domain controller. Linux computers behind a gateway server cannot use the wrapper-script installation to install the Log Analytics agent for Linux; the agent package must be downloaded manually, copied to the computer, and installed by hand, because the gateway only allows communication with the Azure services listed above.
The following diagram shows the data flowing from the direct agents through the gateway to Azure Automation and Log Analytics. The agent's proxy settings must match the port that the Log Analytics gateway is configured with.
The following diagram shows data flow from an Operations Manager management group to Log Analytics.
Set up your system
Computers designated to run the Log Analytics gateway must have the following configuration:
- Windows 10, Windows 8.1, or Windows 7
- Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008
- Microsoft .NET Framework 4.5
- At least a 4-core processor and 8 GB of memory
- The Azure Monitor agent installed with Data Collection Rule(s) configured, or the Log Analytics agent for Windows configured to report to the same workspace as the agents that communicate through the gateway
The Log Analytics Gateway is available in these languages:
- Chinese (Simplified)
- Chinese (Traditional)
- Portuguese (Brazil)
- Portuguese (Portugal)
- Spanish (International)
Supported encryption protocols
The Log Analytics gateway supports only Transport Layer Security (TLS) 1.0, 1.1, and 1.2. Secure Sockets Layer (SSL) is not supported. To keep data secure in transit to Log Analytics, configure the gateway to use at least TLS 1.2. Older versions of TLS and SSL have known weaknesses; although the gateway still accepts them for backward compatibility, avoid using them.
For more information, see Send data securely using TLS 1.2.
The gateway is a forward proxy that does not store any data. Once an agent connects to Azure Monitor it follows the same encryption flow with or without a gateway: data is encrypted end to end between the client and the Azure endpoint. Because the gateway is only a tunnel, it cannot inspect or validate the payload being sent; the checks it does perform are that the CONNECT target is on its allow list, that the destination port is 443, and that the client presents an acceptable certificate and TLS version (see the event IDs later in this article).
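The article says to use at least TLS 1.2 but does not show how to enforce it on the gateway host. The script below is an added example, not part of the original article or of the gateway product: it disables SSL 2.0/3.0 and TLS 1.0/1.1 for both the server role (agents connecting in) and the client role (the gateway connecting out) through the SCHANNEL registry keys, and tells .NET Framework 4.x, which the gateway and the agents are built on, to follow the OS protocol defaults. It assumes Windows Server 2012 R2 or later with .NET 4.5 or later, and must be run elevated.

```powershell
# Added example (not from the original article): restrict SCHANNEL on a Log Analytics
# gateway server to TLS 1.2. Run in an elevated PowerShell session; SCHANNEL changes
# take effect after a reboot. Assumes Windows Server 2012 R2+ and .NET Framework 4.5+.

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Protocols the gateway would still accept by default but that should not be used.
$disable = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1')
$enable  = @('TLS 1.2')

function Set-ProtocolState {
    param([string]$Protocol, [bool]$Enabled)
    # Both roles matter here: 'Server' covers agents connecting to the gateway's listen
    # port, 'Client' covers the gateway's own connections to the Azure endpoints.
    foreach ($role in 'Server', 'Client') {
        $key = Join-Path $schannel "$Protocol\$role"
        New-Item -Path $key -Force | Out-Null
        # Enabled=0 together with DisabledByDefault=1 switches the protocol off for that role.
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

$disable | ForEach-Object { Set-ProtocolState -Protocol $_ -Enabled $false }
$enable  | ForEach-Object { Set-ProtocolState -Protocol $_ -Enabled $true }

# .NET 4.x applications pick their own TLS default unless told to follow the OS;
# set both the 64-bit and the 32-bit (WOW6432Node) hives.
foreach ($net in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319') {
    if (Test-Path $net) {
        New-ItemProperty -Path $net -Name 'SchUseStrongCrypto'       -PropertyType DWord -Value 1 -Force | Out-Null
        New-ItemProperty -Path $net -Name 'SystemDefaultTlsVersions' -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Print the resulting state so the change can be reviewed before the reboot.
foreach ($p in ($disable + $enable)) {
    foreach ($role in 'Server', 'Client') {
        $v = Get-ItemProperty -Path (Join-Path $schannel "$p\$role")
        '{0,-8} {1,-6} Enabled={2} DisabledByDefault={3}' -f $p, $role, $v.Enabled, $v.DisabledByDefault
    }
}
```

Apply this only after every agent behind the gateway can negotiate TLS 1.2; older operating systems in the supported list (Windows Server 2008, Windows 7) need the TLS 1.2 updates installed first, otherwise their agents are rejected with event 106 and their data stays queued on disk until the problem is fixed.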
Supported number of agent connections
The table below shows approximately how many agents can communicate with one gateway server. The figures are based on agents uploading about 200 KB of data every 6 seconds, which is roughly 2.7 GB per day per agent tested.
|Gateway|Agents supported (approximate)|
|CPU: Intel Xeon E5-2660 v3 @ 2.6 GHz, 2 cores; Network bandwidth: 1 Gbps| |
|CPU: Intel Xeon E5-2660 v3 @ 2.6 GHz, 4 cores; Network bandwidth: 1 Gbps| |
Download Log Analytics Gateway
Get the latest version of the Log Analytics gateway setup file from the Microsoft Download Center (download link) or from the Azure portal.
Follow these steps to get the Log Analytics gateway from the Azure portal:
1. Browse the list of services and select Log Analytics workspaces.
2. Select a workspace.
3. In the workspace pane, under General, select Quick Start.
4. Under Choose a data source to connect to the workspace, select Computers.
5. In the Direct Agent pane, select Download Log Analytics gateway.
Alternatively:
- In the workspace pane, under Settings, select Advanced settings.
- Go to Connected Sources > Windows Servers and select Download Log Analytics gateway.
Install the Log Analytics Gateway using the setup wizard
Follow these steps to install the gateway using the setup wizard.
1. In the folder where you downloaded it, double-click Log Analytics gateway.msi.
2. On the Welcome page, select Next.
3. On the License Agreement page, select I accept the terms in the License Agreement to agree to the Microsoft Software License Terms, and then select Next.
4. On the Port and proxy address page:
a. Enter the TCP port number to use for the gateway. Setup uses this port number to configure an inbound rule in Windows Firewall. The default is 8080; the valid range is 1 to 65535. If the entry is outside this range, an error message is displayed.
b. If the server on which the gateway is installed must communicate through a proxy, enter the address of the proxy the gateway needs to connect to, for example
http://myorgname.corp.contoso.com:80. If you leave this field blank, the gateway tries to connect to the internet directly. If your proxy server requires authentication, enter a user name and password.
5. If you have not turned on Microsoft Update, the Microsoft Update page appears and you can turn it on. Make a selection and then select Next. Otherwise, continue to the next step.
6. On the Destination Folder page, keep the default folder C:\Program Files\OMS Gateway or enter the location where you want to install the gateway, and then select Next.
7. On the Ready to install page, select Install. When User Account Control asks for permission to install, select Yes.
8. After the installation completes, select Finish. To check that the service is running, open the services.msc snap-in and verify that OMS Gateway appears in the list of services and that its status is Running.
Install the Log Analytics Gateway from the command line
The gateway download file is a Windows Installer package that supports silent installation from the command line or another automated method. If you are not familiar with the standard Windows Installer command-line options, see Command-line options.
The following table lists the parameters supported by setup.
|Parameter|Description|
|PORTNUMBER|TCP port number for the gateway to listen on|
|INSTALLDIR|Full path of the installation directory for the gateway software files|
|PROXY|Address (IP or URL with port) of the upstream proxy the gateway connects through|
|USERNAME|User ID to authenticate with the proxy server|
|PASSWORD|Password of the user ID to authenticate with the proxy|
|LicenseAccepted|Specify a value of 1 to confirm that you accept the license agreement|
|HASAUTH|Specify a value of 1 when the USERNAME/PASSWORD parameters are specified|
|HASPROXY|Specify a value of 1 when specifying the PROXY parameter|
To silently install the gateway and configure it with a specific proxy address and port number, type:
```
Msiexec.exe /I "oms gateway.msi" /qn PORTNUMBER=8080 PROXY="10.80.2.200" HASPROXY=1 LicenseAccepted=1
```
The /qn option hides the setup UI entirely; /qb shows a basic progress UI during the unattended installation.
If you need to provide credentials to authenticate with the proxy, type:
```
Msiexec.exe /I "oms gateway.msi" /qn PORTNUMBER=8080 PROXY="10.80.2.200" HASPROXY=1 HASAUTH=1 USERNAME="<username>" PASSWORD="<password>" LicenseAccepted=1
```
Passing PASSWORD on the command line exposes it to anyone who can read the process list on that server, and to the installer log if you enable logging; prefer running the command from an interactive elevated session and clearing the history afterwards.
After installation, you can confirm that the settings (except user name and password) were accepted with the following PowerShell cmdlets:
- Get-OMSGatewayConfig returns the TCP port on which the gateway is configured to listen.
- Get-OMSGatewayRelayProxy returns the address of the upstream proxy server that the gateway was configured to communicate with.
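The two msiexec lines above cover the install itself but not the handling of the proxy secret or the post-install verification. The following script is an added example, not code from the original article or the gateway product: it prompts for the proxy credential instead of embedding the password in a script, runs the unattended install with a verbose log, deletes that log afterwards because Windows Installer writes property values into it, and then checks the service, the listener, and the gateway configuration. The MSI path, listen port and proxy address are assumed placeholder values; the module path follows the installation path given later in this article.

```powershell
# Added example (not from the original article): unattended Log Analytics gateway
# install with proxy authentication, followed by verification. Run elevated.
# Assumed values: MSI in C:\Temp, upstream proxy 10.80.2.200:3128, listen port 8080.

$msi   = 'C:\Temp\OMS Gateway.msi'
$port  = 8080
$proxy = '10.80.2.200:3128'

# Prompt for the proxy account rather than hard-coding it. The MSI still receives the
# password as a plain property, so it is visible on msiexec's command line while it runs.
$cred          = Get-Credential -Message 'Upstream proxy account used by the gateway'
$plainPassword = $cred.GetNetworkCredential().Password

$props = @(
    "PORTNUMBER=$port",
    ('PROXY="{0}"' -f $proxy),
    'HASPROXY=1',
    'HASAUTH=1',
    ('USERNAME="{0}"' -f $cred.UserName),
    ('PASSWORD="{0}"' -f $plainPassword),
    'LicenseAccepted=1'
)

$log     = Join-Path $env:TEMP 'omsgateway-install.log'
$msiArgs = @('/i', ('"{0}"' -f $msi), '/qn', '/l*v', ('"{0}"' -f $log)) + $props
$proc    = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "msiexec exited with $($proc.ExitCode); see $log" }

# A verbose Windows Installer log records property values, PASSWORD included, so
# do not leave it on disk once the install has succeeded.
Remove-Item -Path $log -ErrorAction SilentlyContinue
$plainPassword = $null

# 1. Service state
$svc = Get-Service -Name 'OMSGatewayService'
if ($svc.Status -ne 'Running') { throw "OMSGatewayService is $($svc.Status)" }

# 2. Gateway configuration via the product's own module (import by path, because the
#    module folder is not on PSModulePath by default; assumed default install location).
$modulePath = Join-Path $env:ProgramFiles 'Microsoft OMS Gateway\PowerShell\OmsGateway'
Import-Module -Name $modulePath -ErrorAction Stop
Get-OMSGatewayConfig        # expect ListenPort = 8080
Get-OMSGatewayRelayProxy    # expect the proxy address; credentials are never echoed

# 3. The listener and the inbound firewall rule that Setup created for the port
Get-NetTCPConnection -State Listen -LocalPort $port |
    Select-Object LocalAddress, LocalPort, OwningProcess
Get-NetFirewallRule | Where-Object { $_.DisplayName -like '*Gateway*' } |
    Select-Object DisplayName, Enabled, Direction, Action
```

If the firewall query returns nothing, check the rule under a different display name before adding one by hand; an inbound rule that is missing or disabled is the most common reason agents cannot reach a freshly installed gateway.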
Configure Network Load Balancing
You can configure the gateway for high availability with Microsoft Network Load Balancing (NLB), Azure Load Balancer, or a hardware-based load balancer. The load balancer distributes connections from Log Analytics agents or Operations Manager management servers across its nodes. If a gateway server fails, traffic is redirected to the other nodes.
Microsoft Network Load Balancing
For information about designing and deploying a Windows Server 2016 Network Load Balancing cluster, see Network Load Balancing. The following steps describe how to set up a Microsoft Network Load Balancing cluster.
1. Sign in to a Windows server that is a member of the NLB cluster with an administrator account.
2. Open Network Load Balancing Manager: in Server Manager, click Tools, and then click Network Load Balancing Manager.
3. To connect a Log Analytics gateway server that has the Microsoft Monitoring Agent installed, right-click the cluster IP address, and then click Add Host To Cluster.
4. Enter the IP address of the gateway server that you want to connect.
Azure Load Balancer
For information about designing and deploying an Azure Load Balancer, see What is Azure Load Balancer?. To deploy a basic load balancer, follow the steps in that Quickstart, except for the steps in the section Create backend servers.
Configuring an Azure Load Balancer with the Basic SKU requires that the Azure VMs belong to an availability set. For more information about availability sets, see Manage the availability of Windows virtual machines in Azure. To add existing virtual machines to an availability set, see Set availability set for Azure Resource Manager VMs.
After the load balancer is created, a backend pool must be created to distribute traffic to one or more gateway servers. Follow the steps in the Quickstart section Create resources for the load balancer.
When you configure the health probe, it must use the gateway server's TCP port. The health probe dynamically adds or removes gateway servers from the load balancer rotation based on their response to the health checks.
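As an added example of the Azure Load Balancer path (this is not code from the original article or from the Quickstart it refers to), the following Az PowerShell script builds an internal Standard load balancer in front of two gateway VMs with a TCP health probe on the gateway port, as the paragraph above requires. Resource group, network, VM and NIC names, the region, and the frontend IP are assumed placeholder values; it requires the Az.Network module and an existing Connect-AzAccount session.

```powershell
# Added example (not from the original article): internal Azure Load Balancer with a
# TCP probe on the gateway port. Assumed names: resource group rg-monitoring, VNet vnet-hub
# with subnet subnet-gateway, gateway VMs omsgw01/omsgw02 whose NICs are named <vm>-nic.

$rg       = 'rg-monitoring'
$location = 'westeurope'
$port     = 8080                      # must match the port chosen at gateway setup

$subnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-hub' |
          Get-AzVirtualNetworkSubnetConfig -Name 'subnet-gateway'

# Internal frontend: this private IP is what agents and management servers use as their proxy address.
$frontend = New-AzLoadBalancerFrontendIpConfig -Name 'fe-gateway' `
                -SubnetId $subnet.Id -PrivateIpAddress '10.10.1.10'
$pool     = New-AzLoadBalancerBackendAddressPoolConfig -Name 'be-gateway'

# Probe the listener with a plain TCP handshake. The gateway only speaks HTTP CONNECT on
# this port and has no health URL, so an HTTP probe would mark every node unhealthy.
$probe = New-AzLoadBalancerProbeConfig -Name 'probe-gateway' -Protocol Tcp -Port $port `
             -IntervalInSeconds 15 -ProbeCount 2

# One rule, same port in and out; a long idle timeout keeps quiet agent tunnels open.
$rule = New-AzLoadBalancerRuleConfig -Name 'rule-gateway' -Protocol Tcp `
            -FrontendPort $port -BackendPort $port `
            -FrontendIpConfiguration $frontend -BackendAddressPool $pool -Probe $probe `
            -IdleTimeoutInMinutes 30

$lb = New-AzLoadBalancer -ResourceGroupName $rg -Name 'lb-gateway' -Location $location `
          -Sku Standard -FrontendIpConfiguration $frontend -BackendAddressPool $pool `
          -Probe $probe -LoadBalancingRule $rule

# Put each gateway VM's primary NIC into the backend pool.
foreach ($vm in 'omsgw01', 'omsgw02') {
    $nic = Get-AzNetworkInterface -ResourceGroupName $rg -Name "$vm-nic"
    $nic.IpConfigurations[0].LoadBalancerBackendAddressPools = @($lb.BackendAddressPools[0])
    Set-AzNetworkInterface -NetworkInterface $nic | Out-Null
}

$lb.FrontendIpConfigurations | Select-Object Name, PrivateIpAddress
```

A Standard SKU load balancer has no availability-set requirement, but its backends are deny-by-default for network traffic: the subnet's network security group must allow inbound TCP on the gateway port from the agent networks and from the AzureLoadBalancer service tag, otherwise the probe never succeeds and the pool stays empty.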
Configure the Azure Monitor agent to communicate through the Log Analytics gateway
To configure the Azure Monitor agent (installed on the gateway server) to use the gateway for uploading data from Windows or Linux machines:
- Follow the instructions in Configure proxy settings on the agent and provide the IP address and port number of the gateway server. If you have multiple gateway servers behind a load balancer, the agent's proxy setting is the load balancer's virtual IP address.
- Add the configuration endpoint URLs used to retrieve Data Collection Rules to the gateway's allow list:
```
Add-OMSGatewayAllowedHost -Host global.handler.control.monitor.azure.com
Add-OMSGatewayAllowedHost -Host <gateway-server-region-name>.handler.control.monitor.azure.com
```
(If the agent uses private links, you also need to add the DCE endpoints.)
- Add the data ingestion endpoint URL to the gateway's allow list:
```
Add-OMSGatewayAllowedHost -Host <log-analytics-workspace-id>.ods.opinsights.azure.com
```
- Restart the OMS Gateway service to apply the changes:
```
Restart-Service -Name OMSGatewayService
```
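The steps above are the whole procedure for the Azure Monitor agent; the same allow-list and restart sequence applies to the Hybrid Runbook Worker URLs described later in this article. The script below is an added example, not part of the original article or of the gateway product: it performs the steps idempotently, restarts the service, reads the locally configured allow list back, and checks that each host is reachable on port 443 from the gateway. The region, the workspace ID, and the module path are assumed placeholders; it also assumes Get-OMSGatewayAllowedHost returns the allowed host names as strings.

```powershell
# Added example (not from the original article): allow-list the Azure Monitor agent
# endpoints on a gateway, restart it, and verify. Run elevated on the gateway server.
# Assumed values: region westeurope, workspace ID below (replace both), module path below.

$region      = 'westeurope'
$workspaceId = '00000000-0000-0000-0000-000000000000'   # placeholder, replace with your workspace ID

$modulePath = Join-Path $env:ProgramFiles 'Microsoft OMS Gateway\PowerShell\OmsGateway'
Import-Module -Name $modulePath -ErrorAction Stop

$hosts = @(
    'global.handler.control.monitor.azure.com',     # DCR retrieval, global
    "$region.handler.control.monitor.azure.com",    # DCR retrieval, regional
    "$workspaceId.ods.opinsights.azure.com"         # log ingestion
    # If the agent uses private links, add the Data Collection Endpoint hostnames here as well.
)

# Only the locally configured list is returned; entries the gateway downloads from its
# own agent are not included, so a host missing here may still be allowed at runtime.
$existing = @(Get-OMSGatewayAllowedHost | ForEach-Object { "$_" })

foreach ($h in $hosts) {
    if ($existing -contains $h) { "already allowed: $h"; continue }
    Add-OMSGatewayAllowedHost -Host $h
    "added: $h"
}

# Allow-list changes are read at service start.
Restart-Service -Name 'OMSGatewayService'
'service: {0}' -f (Get-Service -Name 'OMSGatewayService').Status

'--- locally configured allow list ---'
Get-OMSGatewayAllowedHost

# Reachability from the gateway itself. This tests a direct path only; if the gateway
# egresses through an upstream relay proxy (Get-OMSGatewayRelayProxy), a failure here
# does not by itself mean the gateway cannot reach the endpoint.
'--- direct reachability on 443 ---'
foreach ($h in $hosts) {
    $r = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
    '{0,-60} {1}' -f $h, $(if ($r.TcpTestSucceeded) { 'ok' } else { 'FAILED' })
}
```

Keep the allow list to the hosts the agents actually need: the gateway tunnels whatever an agent asks for as long as the destination is on the list and on port 443, so an over-broad entry turns it into a general egress path for any process on a machine behind it.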
Configure the Log Analytics agent and the Operations Manager management group
This section describes how to configure directly connected legacy Log Analytics agents, an Operations Manager management group, or Azure Automation Hybrid Runbook Workers to communicate with Azure Automation or Log Analytics through the Log Analytics gateway.
Configure a standalone Log Analytics agent
When you configure the legacy Log Analytics agent, replace the proxy server value with the IP address and port number of the Log Analytics gateway server. If you have deployed multiple gateway servers behind a load balancer, the agent's proxy setting is the load balancer's virtual IP address.
For information about installing the Log Analytics agent on the gateway and on Windows computers that connect directly to Log Analytics, see Connect Windows computers to the Log Analytics service in Azure. For information about connecting Linux computers, see Connect Linux computers to Azure Monitor.
After you install the agent on the gateway server, configure it to report to the workspace(s) of the agents that communicate with the gateway. If the Log Analytics Windows agent is not installed on the gateway, event 300 is written to the OMS Gateway event log, indicating that the agent needs to be installed. If the agent is installed but not configured to report to the same workspace as the agents that communicate through it, event 105 is written to the same log, indicating that the agent on the gateway should be configured to report to the same workspace as those agents.
After completing the configuration, restart the OMS Gateway service to apply the changes. Otherwise the gateway rejects agents that attempt to communicate with Log Analytics and reports event 105 in the OMS Gateway event log. This also applies when you add or remove a workspace from the agent configuration on the gateway server.
For the Automation Hybrid Runbook Worker, see Automate resources in your datacenter or cloud by using Hybrid Runbook Worker.
Configure Operations Manager where all agents use the same proxy server
Operations Manager proxy settings are automatically applied to all agents that report to Operations Manager, even if the setting is empty.
To use the OMS Gateway to support Operations Manager, you need:
- Microsoft Monitoring Agent (version 8.0.10900.0 or later) installed on the OMS Gateway server and configured with the same Log Analytics workspaces your management group is configured to report to.
- Internet connectivity. Alternatively, the OMS Gateway must be connected to a proxy server that has internet access.
If you do not specify a value for the gateway, an empty value is pushed to all agents.
When your Operations Manager management group registers with a Log Analytics workspace for the first time, the option to specify proxy settings for the management group does not appear in the Operations console. That option becomes available only after the management group has registered with the service.
To configure the integration, update the system proxy settings using netsh on the system where you run the Operations console and on all management servers in the management group. Follow these steps:
1. Open an elevated command prompt:
a. Select Start and enter cmd.
b. Right-click Command Prompt and select Run as administrator.
2. Enter the following command:
```
netsh winhttp set proxy <proxy>:<port>
```
3. After completing the integration with Log Analytics, remove the change by running
```
netsh winhttp reset proxy
```
Then, in the Operations console, use the Configure proxy server option to specify the Log Analytics gateway server:
4. In the Operations Manager console, under Operations Management Suite, select Connection, and then select Configure Proxy Server.
5. Select Use a proxy server to access the Operations Management Suite, and then enter the IP address of the Log Analytics gateway server or the virtual IP address of the load balancer. Be sure to start with the http:// prefix.
6. Select Finish. Your Operations Manager management group is now configured to communicate with the Log Analytics service through the gateway server.
Configure Operations Manager where specific agents use a proxy server
For large or complex environments, you may want only specific servers (or groups) to use the Log Analytics gateway server. For these servers you cannot update the Operations Manager agent directly, because that value is overwritten by the global value for the management group. Instead, override the rule used to push these values.
Use this configuration procedure when you want to allow multiple Log Analytics gateway servers in your environment, for example when specific gateway servers are to be used per region.
To configure specific servers or groups to use the Log Analytics gateway server:
1. Open the Operations Manager console and select the Authoring workspace.
2. In the Authoring workspace, select Rules.
3. On the Operations Manager toolbar, select the Scope button. If this button is not available, make sure you have selected an object, not a folder, in the Monitoring pane. The Scope Management Pack Objects dialog box displays a list of common targeted classes, groups, or objects.
4. In the Look for field, enter Health Service and select it from the list. Select OK.
5. On the Operations Manager toolbar, select Overrides, then point to Override the Rule\For a specific object of class: Health Service and select an object from the list. Or create a custom group that contains the Health Service objects of the servers you want to apply this override to, and then apply the override to that custom group.
6. In the Override Properties dialog box, add a check mark in the Override column next to the WebProxyAddress parameter. In the Override Value field, enter the URL of the Log Analytics gateway server. Be sure to start with the http:// prefix.
You do not need to enable the rule. It is already managed automatically by an override in the Microsoft System Center Advisor Secure Reference Override management pack, which targets the Microsoft System Center Advisor Monitoring Server Group.
7. In the Select destination management pack box, select a management pack, or create a new unsealed management pack by selecting New.
8. When you are done, select OK.
Configure for Automation Hybrid Runbook Workers
If you have Automation Hybrid Runbook Workers in your environment, follow these steps to configure the gateway to support them.
See the Configure your network section of the Automation documentation to find the URLs for each region.
If your computer is registered as a Hybrid Runbook Worker automatically because the Update Management solution is enabled for one or more VMs, follow these steps:
- Add the job runtime data service URLs for your region to the allow list on the Log Analytics gateway with Add-OMSGatewayAllowedHost.
- Restart the Log Analytics gateway service with the following PowerShell cmdlet:
```
Restart-Service -Name OMSGatewayService
```
If your computer is joined to Azure Automation by using the Hybrid Runbook Worker registration cmdlet, follow these steps:
- Add the agent service registration URL for your region to the allow list on the Log Analytics gateway with Add-OMSGatewayAllowedHost.
- Add the job runtime data service URLs for your region to the allow list on the Log Analytics gateway with Add-OMSGatewayAllowedHost.
- Restart the Log Analytics gateway service:
```
Restart-Service -Name OMSGatewayService
```
Useful PowerShell cmdlets
You can use cmdlets to update the Log Analytics gateway configuration options. Before using the cmdlets, make sure of the following:
1. Install the Log Analytics gateway (Microsoft Windows Installer).
2. Open a PowerShell console window.
3. Import the module by typing Import-Module OmsGateway.
4. If no error occurred in the previous step, the module was imported and the cmdlets can be used; verify by running Get-OMSGatewayConfig.
5. After using the cmdlets to make changes, restart the OMS Gateway service.
An error in step 3 means the module was not imported, usually because PowerShell cannot find it on PSModulePath. The module is in the OMS Gateway installation path, for example C:\Program Files\Microsoft OMS Gateway\PowerShell\OmsGateway (the PowerShell\OmsGateway folder under the destination folder chosen at setup); pass that path to Import-Module if importing by name fails.
|Cmdlet|Parameters|Description|Example|
|Get-OMSGatewayConfig|Key|Gets the configuration of the service|Get-OMSGatewayConfig|
|Set-OMSGatewayConfig|Key (required), Value|Changes the configuration of the service| |
|Get-OMSGatewayRelayProxy| |Gets the address of the relay (upstream) proxy|Get-OMSGatewayRelayProxy|
|Set-OMSGatewayRelayProxy|Address, Username, Password (secure string)|Sets the address (and credentials) of the relay (upstream) proxy|1. Set a relay proxy with credentials: Set-OMSGatewayRelayProxy -Address http://proxy.contoso.com:8080 -Username user1 -Password (Read-Host -AsSecureString) 2. Set a relay proxy that requires no authentication: Set-OMSGatewayRelayProxy -Address http://proxy.contoso.com:8080 3. Clear the relay proxy setting: Set-OMSGatewayRelayProxy -Address ""|
|Get-OMSGatewayAllowedHost| |Gets the currently allowed hosts (only the locally configured allowed hosts, not the automatically downloaded ones)|Get-OMSGatewayAllowedHost|
|Add-OMSGatewayAllowedHost|Host (required)|Adds the host to the allow list|Add-OMSGatewayAllowedHost -Host www.contoso.com|
|Remove-OMSGatewayAllowedHost|Host (required)|Removes the host from the allow list|Remove-OMSGatewayAllowedHost -Host www.contoso.com|
|Add-OMSGatewayAllowedClientCertificate|Subject (required)|Adds the client certificate subject to the allow list|Add-OMSGatewayAllowedClientCertificate -Subject mycert|
|Remove-OMSGatewayAllowedClientCertificate|Subject (required)|Removes the client certificate subject from the allow list|Remove-OMSGatewayAllowedClientCertificate -Subject mycert|
|Get-OMSGatewayAllowedClientCertificate| |Gets the currently allowed client certificate subjects (only the locally configured allowed subjects, not the automatically downloaded ones)|Get-OMSGatewayAllowedClientCertificate|
To collect events logged by the gateway, the Log Analytics agent must be installed.
Log Analytics gateway event IDs and descriptions
The following table shows the event IDs and descriptions of the Log Analytics gateway log events.
|ID|Description|
|400|Any application error that has no specific ID.|
|401|Incorrect configuration. Example: listenPort = "text" instead of an integer.|
|402|Exception while parsing TLS handshake messages.|
|403|Network error. Example: cannot connect to the target server.|
|101|The service has started.|
|102|The service has stopped.|
|103|An HTTP CONNECT command was received from the client.|
|104|Not an HTTP CONNECT command.|
|105|The destination server is not in the allow list, or the destination port is not the secure port (443). Make sure the MMA agent on the OMS Gateway server and the agents communicating with the OMS Gateway are connected to the same Log Analytics workspace.|
|105|ERROR TcpConnection - Invalid Client certificate: CN=Gateway. Make sure you are using OMS Gateway version 1.0.395.0 or later, and that the MMA agent on the OMS Gateway server and the agents communicating with it are connected to the same Log Analytics workspace.|
|106|The TLS/SSL protocol version is not supported. The Log Analytics gateway supports only TLS 1.0, TLS 1.1, and TLS 1.2; SSL is not supported.|
|107|The TLS session has been verified.|
Performance counters to collect
The following table shows the performance counters available for the Log Analytics gateway. Use Performance Monitor to add them.
|Counter|Description|
|Log Analytics Gateway/Active Client Connection|Number of active client network (TCP) connections|
|Log Analytics Gateway/Error Count|Number of errors|
|Log Analytics Gateway/Connected Client|Number of connected clients|
|Log Analytics Gateway/Rejection Count|Number of rejections due to a TLS validation error|
Assistance
When you are signed in to the Azure portal, you can get help with the Log Analytics gateway or any other Azure service or feature. To get help, select the question mark icon in the upper-right corner of the portal and select New support request. Then complete the new support request form.
Next steps
Add data sources to collect data from connected sources and store the data in your Log Analytics workspace.
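The event IDs and counters above are only useful if something reads them. The script below is an added example, not code from the original article or the gateway product: it pulls the rejection and network-error events from the last hour, summarizes them per ID, and samples the four counters so a sudden rise in Rejection Count or Error Count can be spotted. The event log name ('OMS Gateway Log') and the counter set name ('Log Analytics Gateway') are assumptions taken from the wording in this article; confirm them with Get-WinEvent -ListLog * and Get-Counter -ListSet * on the gateway and adjust if they differ.

```powershell
# Added example (not from the original article): gateway health check from its own
# event log and performance counters. Run on the gateway server.
# Assumed names: event log 'OMS Gateway Log', counter set 'Log Analytics Gateway'.

$logName = 'OMS Gateway Log'
$since   = (Get-Date).AddHours(-1)

# 105 = destination not allow-listed, wrong port, or rejected client certificate;
# 106 = client offered an unsupported TLS/SSL version; 403 = upstream network failure.
# These are the conditions that silently stop data flowing while agents keep queuing.
$alertIds = 105, 106, 403
$events = @(Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = $alertIds; StartTime = $since } `
                         -ErrorAction SilentlyContinue)

'--- events since {0:u} ---' -f $since
if ($events.Count -eq 0) {
    'no rejection or network-error events'
} else {
    $events | Group-Object -Property Id | ForEach-Object {
        $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
        [pscustomobject]@{
            Id     = [int]$_.Name
            Count  = $_.Count
            Latest = $latest.TimeCreated
            # The message text carries the detail (host, port, certificate subject); keep one line of it.
            Detail = ($latest.Message -split "`r?`n")[0]
        }
    } | Sort-Object Id | Format-Table -AutoSize
}

# Counter names as listed in this article; the set name is an assumption.
$counters = @(
    '\Log Analytics Gateway\Active Client Connection',
    '\Log Analytics Gateway\Connected Client',
    '\Log Analytics Gateway\Error Count',
    '\Log Analytics Gateway\Rejection Count'
)

'--- counters (3 samples, 5 s apart) ---'
$samples = Get-Counter -Counter $counters -SampleInterval 5 -MaxSamples 3 -ErrorAction Stop
$samples.CounterSamples | Group-Object -Property Path | ForEach-Object {
    $avg = ($_.Group | Measure-Object -Property CookedValue -Average).Average
    '{0,-28} avg={1,8:N1}' -f ($_.Name -split '\\')[-1], $avg
}
```

A steady stream of 105 events from one source address after a workspace or DCR change usually means that agent was re-homed but the gateway's own agent was not; 106 events point at a client that has not been updated to TLS 1.2 rather than at the gateway.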