Drew Robinson's Blog

Azure, Powershell and Security things

Getting started with OMS

http://portal.azure.com

Click New, type OMS in the search box and select Log Analytics (OMS).

oms1


Click Create.

oms2


Define the OMS workspace name, select the subscription, resource group and location, then click Create.

oms3

Once the workspace has been provisioned, launch OMS.

To launch OMS from the Portal:

Click Browse, search for OMS and select Log Analytics (OMS).

oms4

The blade will open and should look similar to the following. Click Get started (Quick Start).

oms5

You will need to configure your data sources, as well as where you will store your data.

oms6

Starting with Azure Virtual Machines, you are shown a list of your existing VMs. To enable OMS on a VM, click it and then click Connect.

oms7

After you have enabled your Azure data sources, select an existing storage account or create a new one, then select the data types you want to collect (you can change this list later). For now, I suggest enabling Events only.

oms8

Summary:

oms9
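The portal steps above (create the workspace, connect Azure VMs, pick the event data to collect) can also be scripted. The following is an added example, not code from the original post, using the Az PowerShell modules (Az.OperationalInsights and Az.Compute); the resource group, location, workspace name and VM names are assumptions and should be changed. It also enables the Security and Audit solution, which the post turns on later from the OMS portal. The storage-account step for Azure diagnostics is not covered here.

```powershell
# Added example (not from the original post): scripted equivalent of the portal
# walkthrough, using the Az PowerShell modules. Requires: Install-Module Az; Connect-AzAccount.
# Resource group, location, workspace name and VM names below are assumptions.
$rg       = 'rg-oms-demo'            # assumed resource group
$location = 'eastus'                 # assumed region
$wsName   = 'oms-demo-workspace'     # assumed workspace name (must be unique)

# 1. Resource group and Log Analytics (OMS) workspace.
New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null
$ws = New-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $wsName `
        -Location $location -Sku 'PerGB2018'

# 2. Workspace ID and primary key. These are the values the agent install command needs.
#    Treat the key like a password: anyone holding it can send data into the workspace.
$keys  = Get-AzOperationalInsightsWorkspaceSharedKey -ResourceGroupName $rg -Name $wsName
$wsId  = $ws.CustomerId.ToString()
$wsKey = $keys.PrimarySharedKey

# 3. Connect existing Windows VMs by pushing the Microsoft Monitoring Agent extension.
#    This is the scripted equivalent of clicking each VM and choosing Connect.
#    (Linux VMs use the OmsAgentForLinux extension instead.)
$vmNames = @('vm-web01', 'vm-db01')   # assumed VM names in the same resource group
foreach ($vmName in $vmNames) {
    Set-AzVMExtension -ResourceGroupName $rg -VMName $vmName `
        -Name 'MicrosoftMonitoringAgent' `
        -Publisher 'Microsoft.EnterpriseCloud.Monitoring' `
        -ExtensionType 'MicrosoftMonitoringAgent' `
        -TypeHandlerVersion '1.0' `
        -Settings @{ workspaceId = $wsId } `
        -ProtectedSettings @{ workspaceKey = $wsKey } | Out-Null
}

# 4. Collect Windows event logs (the "Events" data type chosen in the portal).
#    The Security log is delivered by the Security and Audit solution rather than by
#    this data source, so only System and Application are configured here.
foreach ($log in 'System', 'Application') {
    New-AzOperationalInsightsWindowsEventDataSource -ResourceGroupName $rg `
        -WorkspaceName $wsName -Name "$log-events" -EventLogName $log `
        -CollectErrors -CollectWarnings -CollectInformation | Out-Null
}

# 5. Enable the Security and Audit solution (the intelligence pack is named "Security").
Set-AzOperationalInsightsIntelligencePack -ResourceGroupName $rg -WorkspaceName $wsName `
    -IntelligencePackName 'Security' -Enabled $true | Out-Null

"Workspace $wsName created; workspace ID $wsId"
```

Keep the workspace key out of scripts that are committed to source control; read it at run time with Get-AzOperationalInsightsWorkspaceSharedKey as shown, and rotate it if it is ever exposed.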

For on-premises systems, or systems hosted with other cloud providers, download the OMS direct agent (the Microsoft Monitoring Agent, MMA). Instructions here.

Command line (run as an administrator, substituting the workspace ID and primary key shown under Settings > Connected Sources in the OMS portal):

MMASetup-AMD64.exe /Q:A /R:N /C:"setup.exe /qn ADD_OPINSIGHTS_WORKSPACE=1 OPINSIGHTS_WORKSPACE_ID=<your workspace id> OPINSIGHTS_WORKSPACE_KEY=<your workspace key> AcceptEndUserLicenseAgreement=1"

oms10
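The install command above can be wrapped so that the download is checked before it runs and the result is verified afterwards. The following is an added example, not code from the original post. It runs the same MMASetup arguments through Start-Process, verifies the installer's Authenticode signature, and then confirms with the agent's AgentConfigManager.MgmtSvcCfg COM object that the workspace is registered. The download URL is the one Microsoft documents for the 64-bit Windows agent; the workspace ID and key are passed in as parameters and are placeholders here.

```powershell
# Added example (not from the original post): install the Microsoft Monitoring Agent
# silently and verify that it registered with the workspace. Run as an administrator.
# -WorkspaceId and -WorkspaceKey are taken from the OMS portal (Settings > Connected Sources).
param(
    [Parameter(Mandatory)][string]$WorkspaceId,
    [Parameter(Mandatory)][string]$WorkspaceKey
)

# Download URL for the 64-bit agent as documented by Microsoft.
$url       = 'https://go.microsoft.com/fwlink/?LinkId=828603'
$installer = Join-Path $env:TEMP 'MMASetup-AMD64.exe'
Invoke-WebRequest -Uri $url -OutFile $installer

# Refuse to run an installer that is unsigned, tampered with, or not signed by Microsoft.
$sig = Get-AuthenticodeSignature -FilePath $installer
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft Corporation') {
    throw "Installer signature check failed: $($sig.Status)"
}

# Same arguments as the command line above, passed through Start-Process.
$setupArgs = "/qn ADD_OPINSIGHTS_WORKSPACE=1 OPINSIGHTS_WORKSPACE_ID=$WorkspaceId " +
             "OPINSIGHTS_WORKSPACE_KEY=$WorkspaceKey AcceptEndUserLicenseAgreement=1"
$proc = Start-Process -FilePath $installer -Wait -PassThru `
            -ArgumentList '/Q:A', '/R:N', "/C:`"setup.exe $setupArgs`""
if ($proc.ExitCode -ne 0) { throw "MMASetup exited with code $($proc.ExitCode)" }

# Verify: the agent service (HealthService) is running and the workspace is registered.
$svc = Get-Service -Name HealthService
if ($svc.Status -ne 'Running') { throw "HealthService is $($svc.Status)" }

$cfg = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'
$ws  = $cfg.GetCloudWorkspaces() | Where-Object { $_.workspaceId -eq $WorkspaceId }
if (-not $ws) { throw "Workspace $WorkspaceId is not registered with the agent" }
"Agent connected to workspace $($ws.workspaceId) (status: $($ws.ConnectionStatusText))"
```

The connection status reported by the COM object takes a minute or two to become "Success" after installation; the agent needs outbound HTTPS to the Log Analytics endpoints, so a proxy or egress filter that blocks them shows up here first.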

When you are done with your initial settings, log in to the OMS portal.

oms11


Enable solutions for your log data; think of these as intelligence packs.


oms12

For this example, enable Security and Audit. Feel free to enable more solutions.


oms13


It will take a bit of time for log data to appear. The following screen shows what happens when I try a bad login via RDP.

oms14
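Once the Security and Audit solution is collecting, the failed RDP logon shown above is a SecurityEvent record with event ID 4625. The following is an added example, not code from the original post, that pulls those events from the workspace with Invoke-AzOperationalInsightsQuery. It assumes the resource group and workspace name used earlier, and it uses the Kusto query language that current Log Analytics workspaces accept rather than the original OMS search syntax.

```powershell
# Added example (not from the original post): find failed RDP logons in the workspace.
# Resource group and workspace name are assumptions; requires Az.OperationalInsights
# and Connect-AzAccount.
$rg     = 'rg-oms-demo'
$wsName = 'oms-demo-workspace'
$ws     = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $wsName

# 4625 = "An account failed to log on". Logon type 10 is RemoteInteractive (RDP);
# type 3 (Network) is what RDP produces when Network Level Authentication rejects
# the credentials before the session starts, so both are included.
$kql = @'
SecurityEvent
| where EventID == 4625
| where LogonType in (3, 10)
| summarize Failures = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated)
    by Computer, TargetAccount, IpAddress, LogonType
| order by Failures desc
'@

$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId.ToString() `
             -Query $kql -Timespan (New-TimeSpan -Hours 24)

$result.Results |
    Format-Table Computer, TargetAccount, IpAddress, LogonType, Failures, FirstSeen, LastSeen -AutoSize
```

A single deliberate bad login, as in the screenshot, shows up as one row with Failures = 1. For an alert rather than a one-off check, add a threshold such as `| where Failures >= 10` so that only sustained guessing from one source address is surfaced.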


oms15