Manage change tracking and inventory using Azure Monitoring Agent

Applies to: ✔️ Windows VMs ✔️ Linux VMs ✔️ Windows Registry ✔️ Windows Files ✔️ Linux Files ✔️ Windows Software

This article describes how to manage change tracking, and includes the procedure on how you can change a workspace and configure data collection rule.

Note

Before using the procedures in this article, ensure that you've enabled Change Tracking and Inventory on your VMs. For detailed information on how you can enable, see Enable change tracking and inventory from portal

Configure Windows, Linux files, and Windows Registry using Data Collection Rules

To manage tracking and inventory, ensure that you enable Change tracking with AMA on your VM.

  1. In the Azure portal, select the virtual machine.

  2. Select a specific VM for which you would like to configure the Change tracking settings.

  3. Under Operations, select Change tracking.

    Screenshot of selecting the change tracking to configure file settings.

  4. Select Settings to view the Data Collection Rule Configuration (DCR) page. Here, you can do the following actions:

    1. Configure changes on a VM at a granular level.
    2. Select the filter to configure the workspace.
    3. Use the filter to view all the DCRs that are configured to the specific LA workspace level.

    Note

    The settings that you configure are applicable to all the VMs that are attached to a specific DCR. For more information about DCR, see Data collection rules in Azure Monitor.

  5. Select Add to configure new file settings

    In the Add Windows File setting pane, enter the information for the file or folder to track and click Save. The following table defines the properties that you can use for the information.

    Property Description
    Enabled True if the setting is applied, and false otherwise.
    Item Name Friendly name of the file to be tracked.
    Group A group name to group files logically
    Path The path to check for the file, for example, c:\temp*.txt. You can also use environment variables, such as %winDir%\System32\*.*.
    Path Type The type of path. Possible values are File and Folder.
    Recursion True if recursion is used when looking for the item to be tracked, and False otherwise.

You can now view the virtual machines configured to the DCR.

Configure file content changes

To configure file content changes, follow these steps:

  1. In your virtual machine, under Operations, select Change tracking > Settings.

  2. In the Data Collection Rule Configuration (Preview) page, select File Content > Link to link the storage account.

    Screenshot of selecting the link option to connect with the Storage account.

  3. In Content Location for Change Tracking screen, select your Subscription, Storage and confirm if you are using System Assigned Managed Identity.

  4. Select Upload file content for all settings, and then select Save. It ensures that the file content changes for all the files residing in this DCR will be tracked.

When the storage account is linked using the system assigned managed identity, a blob is created.

  1. From Azure portal, go to Storage accounts, and select the storage account.

  2. In the storage account page, under Data storage, select Containers > Changetracking blob > Access Control (IAM).

  3. In the Changetrackingblob | Access Control (IAM) page, select Add and then select Add role assignment.

    Screenshot of selecting to add role.

  4. In the Add role assignment page, use the search for Blob Data contributor to assign a storage Blob contributor role for the specific VM. This permission provides access to read, write, and delete storage blob containers and data.

    Screenshot of selecting the contributor role for storage blog.

  5. Select the role and assign it to your virtual machine.

    Screenshot of assigning the role to VM.

Upgrade the extension version

Note

Ensure that ChangeTracking-Linux/ ChangeTracking-Windows extension version is upgraded to 2.13

Use the following command to upgrade the extension version:

az vm extension set -n {ExtensionName} --publisher Microsoft.Azure.ChangeTrackingAndInventory --ids {VirtualMachineResourceId} 

The extension for Windows is Vms - ChangeTracking-Windowsand for Linux is Vms - ChangeTracking-Linux.

Configure using wildcards

To configure the monitoring of files and folders using wildcards, do the following:

  • Wildcards are required for tracking multiple files.
  • Wildcards can only be used in the last segment of a path, such as C:\folder\file or /etc/.conf*
  • If an environment variable includes a path that is not valid, validation will succeed but the path will fail when inventory runs.
  • When setting the path avoid general paths such as c:.** which will result in too many folders being traversed.

Disable Change Tracking from a virtual machine

To remove change tracking with Azure Monitoring Agent from a virtual machine, follow these steps:

Disassociate Data Collection Rule (DCR) from a VM

  1. In Azure portal, select Virtual Machines and in the search, select the specific Virtual Machine.

  2. In the Virtual Machine page, under Operations, select Change tracking or in the search, enter Change tracking and select it from the search result.

  3. Select Settings > DCR to view all the virtual machines associated with the DCR.

  4. Select the specific VM for which you want to disable the DCR.

  5. Select Delete.

    Screenshot of selecting a VM to dissociate the DCR from the VM.

    A notification appears to confirm the disassociation of the DCR for the selected VM.

Uninstall change tracking extension

  1. In the Azure portal, select Virtual Machines and in the search, select the specific VM for which you have already disassociated the DCR.

  2. In the Virtual Machines page, under Settings, select Extensions + applications.

  3. In the VM |Extensions + applications page, under Extensions tab, select MicrosoftAzureChangeTrackingAndInventoryChangeTracking-Windows/Linux.

    Screenshot of selecting the extension for a VM that is already disassociated from the DCR.

  4. Select Uninstall.

Next steps