Migration guidance from Change Tracking and inventory using Log Analytics to Change Tracking and inventory using Azure Monitoring Agent version

Applies to: ✔️ Windows VMs ✔️ Linux VMs ✔️ Azure Arc-enabled servers.

This article provides guidance to move from Change Tracking and Inventory using Log Analytics (LA) version to the Azure Monitoring Agent (AMA) version.

Using the Azure portal, you can migrate from Change Tracking & Inventory with LA agent to Change Tracking & Inventory with AMA and there are two ways to do this migration:

• Migrate single/multiple machines from the Azure Virtual Machines page or Machines-Azure Arc page.
• Migrate multiple Virtual Machines on LA version solution within a particular Automation Account.

Additionally, you can use a script to migrate all Virtual Machines and Arc-enabled non-Azure machines at a Log Analytics workspace level from LA version solution to Change Tracking and Inventory with AMA. This isn't possible using the Azure portal experience mentioned above.

The script allows you to also migrate to the same workspace. If you are migrating to the same workspace then, the script will remove the LA(MMA/OMS) Agent from your machines. This may cause the other solutions to stop working. We therefore, recommend that you plan the migration accordingly. For example, first migrate other solution and then proceed with Change Tracking migration.

Note

The removal doesn't work on MMA agents that were installed using the MSI installer. It only works on VM/Arc VM extensions.

Note

File Integrity Monitoring (FIM) using Microsoft Defender for Endpoint (MDE) is now currently available. Follow the guidance to migrate from:

• FIM with Change Tracking and Inventory using AMA.
• FIM with Change Tracking and Inventory using MMA.

Onboarding to Change tracking and inventory using Azure Monitoring Agent

Single Azure VM - Azure portal

To onboard through Azure portal, follow these steps:

1. Sign in to the Azure portal and select your virtual machine

2. Under Operations , select Change tracking.

3. Select Configure with AMA and in the Configure with Azure monitor agent, provide the Log analytics workspace and select Migrate to initiate the deployment.

   

4. Select Switch to CT&I with AMA to evaluate the incoming events and logs across LA agent and AMA version.

   

Automation account - Azure portal

1. Sign in to Azure portal and select your Automation account.

2. Under Configuration Management, select Change tracking and then select Configure with AMA.

   

3. On the Onboarding to Change Tracking with Azure Monitoring page, you can view your automation account and list of both Azure and Azure Arc machines that are currently on Log Analytics and ready to be onboarded to Azure Monitoring Agent of Change Tracking and inventory.

   

4. On the Assess virtual machines tab, select the machines and then select Next.

5. On Assign workspace tab, assign a new Log Analytics workspace resource ID to which the settings of AMA based solution should be stored and select Next.

   

6. On Review tab, you can review the machines that are being onboarded and the new workspace.

7. Select Migrate to initiate the deployment.

8. After a successful migration, select Switch to CT&I with AMA to compare both the LA and AMA experience.

   

Single Azure Arc VM - Azure portal

1. Sign in to the Azure portal. Search for and select Machines-Azure Arc.

   

2. Select the specific Arc machine with Change Tracking V1 enabled that needs to be migrated to Change Tracking V2.

3. Select Migrate to Change Tracking with AMA and in the Configure with Azure monitor agent, provide the resource ID in the Log analytics workspace and select Migrate to initiate the deployment.

   

4. Select Manage Activity log connection to evaluate the incoming events and logs across LA agent and AMA version.

Log Analytics Workspace - PowerShell Script

Prerequisites

• Ensure you have PowerShell installed on the machine where you are planning to execute the script.
  • The script cannot be executed on Azure Cloud Shell.
  • The latest version of PowerShell 7 or higher is recommended. Follow the steps to Install PowerShell on Windows, Linux, and macOS.
• Obtain Write access for the specified workspace and machine resources.
• Install the latest version of the Az PowerShell module. The Az.Accounts and Az.OperationalInsights modules are required to pull workspace agent configuration information.
• Ensure you have Azure credentials to run Connect-AzAccount and Select-AzContext which set the script's context.

Follow these steps to migrate using scripts:

Migration guidance

• The script will migrate all Azure Machines and Arc enabled Non-Azure Machines onboarded to LA Agent Change Tracking solution for the Input Log Analytics Workspace to the Change Tracking using AMA agent for the Output Log Analytics Workspace.

• The script provides the ability to migrate using the same workspace, that is Input and Output Log Analytics Workspaces are the same. However, it will then remove the LA (MMA/OMS) agents from the machines.

• The script migrates the settings for the following data types:

  • Windows services
  • Linux files
  • Windows files
  • Windows registry
  • Linux Daemons

• The script consists of the following Parameters that require an input from you.

  Parameter	Required	Description
  InputLogAnalyticsWorkspaceResourceId	Yes	Resource ID of the workspace associated with Change Tracking & Inventory with Log Analytics.
  OutputLogAnalyticsWorkspaceResourceId	Yes	Resource ID of the workspace associated with Change Tracking & Inventory with Azure Monitoring Agent.
  OutputDCRName	Yes	Custom name of the new DCR to be created.
  OutputVerbose	No	Optional. Input $true for verbose logs.
  AzureEnvironment	Yes	Folder path where DCR templates are created.

• In Details, the script does the following:

  1. Get list of all Azure and Arc Onboarded Non-Azure machines onboarded to Input Log Analytics Workspace for Change Tracking solution using MMA Agent.
  2. Create the Data Collection Rule (DCR) ARM template by fetching the files, services, tracking & registry settings configured in the legacy solution and translating them to equivalent settings for the latest solution using AMA Agent and Change Tracking Extensions for the Output Log Analytics Workspace.
  3. Deploy Change Tracking solution ARM template to Output Log Analytics Workspace. This is done only if migration to the same workspace is not done. The output workspace requires the legacy solution to create the log analytics tables for Change Tracking like ConfigurationChange & ConfigurationData. The deployment name will be DeployCTSolution_CTMig_{GUID} and it will be in same resource group as Output Log Analytics Workspace.
  4. Deploy the DCR ARM template created in Step 2. The deployment name will be OutputDCRName_CTMig_{GUID} and it will be in same resource group as Output Log Analytics Workspace. The DCR will be created in the same location as the Output Log Analytics Workspace.
  5. Removes MMA Agent from machines list populated in Step 1. This is done only if migration to the same workspace is carried out. Machines which have the MMA agent installed via the MSI, will not have the MMA agent removed. It will be removed only if the MMA Agent was installed as an extension.
  6. Assign DCR to machines and install AMA Agent and CT Extensions. The deployment name of it will be MachineName_CTMig and it will be in same resource group as the machine.
     • Assign the DCR deployed in Step 4 to all machines populated in Step 1.
     • Install the AMA Agent to all machines populated in Step 1.
     • Install the CT Agent to all machines populated in Step 1.

Compare data across Log analytics Agent and Azure Monitoring Agent version

After you complete the onboarding to Change tracking with AMA version, select Switch to CT with AMA on the landing page to switch across the two versions and compare the following events.

For example, if the onboarding to AMA version of service takes place after 3rd November at 6:00 a.m. You can compare the data by keeping consistent filters across parameters like Change Types, Time Range. You can compare incoming logs in Changes section and in the graphical section to be assured on data consistency.

Note

You must compare for the incoming data and logs after the onboarding to AMA version is done.

Obtain Log Analytics Workspace Resource ID

To obtain the Log Analytics Workspace resource ID, follow these steps:

1. Sign in to Azure portal

2. In Log Analytics Workspace, select the specific workspace and select Json View.

3. Copy the Resource ID.

   

Limitations

Using Azure portal

For single VM and Automation Account

1. For File Content changes-based settings, you have to migrate manually from LA version to AMA version of Change Tracking & Inventory. Follow the guidance listed in Track file contents.
2. If migration to different workspace is carried out, then alerts configured using the Log Analytics Workspace must be manually configured.

Using PowerShell script

1. For File Content changes-based settings, you have to migrate manually from LA version to AMA version of Change Tracking & Inventory. Follow the guidance listed in Track file contents.
2. If migration to different workspace is carried out, then alerts configured using the Log Analytics Workspace must be manually configured.

Disable Change tracking using Log Analytics Agent

After you enable management of your virtual machines using Change Tracking and Inventory using Azure Monitoring Agent, you might decide to stop using Change Tracking & Inventory with LA agent version and remove the configuration from the account.

The disable method incorporates the following:

• Removes change tracking with LA agent for selected few VMs within Log Analytics Workspace.
• Removes change tracking with LA agent from the entire Log Analytics Workspace.

Next steps

• To enable from the Azure portal, see Enable Change Tracking and Inventory from the Azure portal.