In this blog post, I will talk about how to use the Change Tracking solution to detect in-guest changes on your Azure VMs. Right from within your Azure VM you can quickly assess details of changes that occurred across your system. We currently support tracking Software, Files, Windows Registry, Windows Services, and Linux Daemons.
This feature is currently in private preview. If you’re interested in trying it, please sign up here!
Enabling change tracking
From your VM, you can select “Track Changes” on the virtual machines blade, under Automation + Control. After selecting it, validation is performed to determine if the Change Tracking solution is enabled for this VM. If it is not enabled, you will have the option to enable the solution.
The solution enablement process usually takes only a few minutes but can take up to 15 minutes. During this time, you should not close the browser window. Once the solution is enabled and log data starts to flow to the workspace, it can take more than 30 minutes for data to be available for analysis in the dashboard described in the next section. We expect this timing to significantly improve in the future.
Visualize change in your VM
From the Change Tracking dashboard, you can view the changes that have occurred on your VM. The main set of graphs displays the configuration changes by time and change type. The interactive table below it shows the changes that occurred during the specified time range. By clicking on the table rows, you can see the details of each change.
To change the viewable time window, click on “Filter”. The default time range is the last 24 hours, but you can also set the time range to the last 30 minutes, last 1 hour, last 6 hours, last 7 days, last 30 days, or a custom time range. The Change Tracking solution tracks all Windows Services, all Linux Daemons, all Software, and some Linux Files (/etc/*.conf) by default; however, if you would like to collect additional Files and Windows Registry changes across your machines you can add them to the solution’s collection settings by clicking “Configure”. Please note: the configuration settings are universal across all machines under that workspace.
Once in the collection settings, you can go to the change type you wish to modify via the tabs at the top of the page. You can click the plus (+) icon to add a new collection setting for the designated change type, or you can click on a pre-existing setting to edit its properties.
Correlate Azure Activity Log Events for Your VM
If you have the Azure Activity Log solution funneling data to your OMS workspace, you can enable the Azure Activity correlation line graph to see the trend of Activity Log events for your VM that occurred within your Change Tracking time window.
To receive Azure Activity Logs in your OMS workspace, follow the steps below (from http://www.deployazure.com/management/operations-management-suite/azure-activity-log-analytics-alerts-with-operations-management-suite/)
Add the Azure Activity Log Analytics solution in OMS
Go to your workspace in Azure and click on "Azure Activity log" beneath Workspace Data Sources
Enable a connection to the subscription(s) of your choice
Data should start collecting
You can click on the Activity Log graph points to see what Activity Logs events occurred around that time. The results will open in Log Search.
OS support
We support all operating systems that meet the OMS agent requirements. Both x86 and x64 versions are officially supported on a variety of distributions. However, the OMS Agent might also run on other distributions not listed.
Windows
Windows Server 2008 SP 1 or later
Windows 7 SP1 or later
Linux
Amazon Linux 2012.09 through 2015.09
CentOS Linux 5, 6 and 7
Oracle Linus 5, 6, and 7
Red Hat Enterprise Linux Server 5, 6, and 7
Debian GNU/Linux 6, 7, and 8
Ubuntu 12.04 LTS, 14.04 LTS, 15.04, and 15.10
SUSE Linux Enterprise Server 11 and 12
New to OMS Change Tracking
If you are new to OMS Change Tracking, you can view the current capabilities which include change detection across both Windows and Linux machines in our documentation.
Quelle: Azure
Published by