Comparing OMS/Log Analytics and SCOM
updated 13 August 2018
When organizations move to the cloud, they often aren’t sure when to use their typical on-premises infrastructure tools and when to use cloud-based tools. A common misconception in the Microsoft world is that OMS (Operations Management Suite) is a replacement for SCOM (System Center Operations Manager) – it’s not. Also, Log Analytics is the monitoring product within OMS; treating OMS as a synonym for monitoring is a misnomer.
In my view (*not a Microsoft statement*) OMS is positioning itself to replace the System Center Suite, but it’s not there yet. OMS includes Azure Automation (cloud option for System Center Orchestrator), Backup and Recovery (cloud option for Data Protection Manager), and Log Analytics (similar to the SCOM Data Warehouse). See /en-us/azure/operations-management-suite/operations-management-suite-overview#oms-services for more details.
Monitoring Product Comparison
Regardless, how do you know which product is best for your organization? I argue they are better together since they really fill different needs. Below is my breakdown of the key differences I see that could influence your design.
Feature | SCOM | Log Analytics |
Ability to Monitor Azure Services | Limited | Robust |
Alerting | Yes, integrates with System Center for more advanced responses | Yes (near-time, not real-time), integrates with Azure Automation for more advanced responses. |
Application Access | Thick client or web client | Web Client or mobile application |
Client Agent | Shared agent or Agentless (limited functionality) | Shared agent |
Client Agent Administration | Customer responsible for updating | If installed via Azure Extension, it auto-updates; if installed via MSI, customer must update |
Client Locations | Anywhere; in any cloud or on-premises although trust is required (SCOM gateway or certificates) | Anywhere; in any cloud or on-premises |
Data Latency | Generally <1min, depends on the customer’s environment | Generally 10-15min, SLA is 6hrs |
Data Retention | No limit | Two-year limit in Azure, can be exported for longer retention |
Disaster Recovery | All manual | Handled by Microsoft |
High Availability | Need multiple management servers and SQL AlwaysOn for OpsDB and DW | 99.9% SLA |
Internet Access for Agents | Not required | Required, OMS Gateway available |
Management Packs/Solutions | 250+ Management Packs free from Microsoft, plus 3rd party management packs | 43+ Solutions free from Microsoft |
Management Packs/Solutions Administration | Customer imports, tunes, and updates | Customer adds, no updating or tuning |
Release Schedule | Semi-annual | Continuously |
Querying Data | Painful, via SSRS | Easy, via the portal |
Reporting | Basic, can create custom reports with SSRS | Advanced, can use Power BI for further reporting |
Note: the SCOM Management Group can be integrated with Log Analytics (shows as OMS in the SCOM console).
My Summary
· Log Analytics – Easy to use, has the graphs management will love, and its security solutions are a huge differentiator
· SCOM – Takes some work to set up, perfect for real-time, granular monitoring and alerting on servers and applications
The Future
Microsoft is expanding the Azure-based monitoring options. Offerings like Azure Security Center, Application Insights, and others to come are "fleshing out" the Azure Monitoring story. Look for more to come as we work to provide a complete cloud-based offering for enterprise monitoring.
Closing
Please comment and let me know what you think! Did I leave anything out? How are you monitoring your environment?
For further reading, see https://blogs.technet.microsoft.com/msoms/2016/01/11/why-use-oms-while-scom-is-running/
Comments
- Anonymous
February 08, 2018
Nicole, I would be reluctant to call OMS an alerting tool. While it is a great product with a huge amount of potential going forward, it is still not (and probably never will be) capable of real time alerting. Real time alerting being the key factor here. For example the collection frequency determines how often the OMS agent on machines will send data to Log Analytics. If the collection frequency is 10 minutes and (assuming) there are no other delays in the system, then time stamps of the transmitted data may be anywhere between zero and 10 minutes old before being added to the repository and is searchable in Log Analytics. If Log analytics can't alert in real time, then I can't see how it can be called an alerting tool? Sure you can get some great alert management (combined with SCOM), reporting, statistics, Dashboards etc etc but lately I have noticed Microsoft trying to sell OMS as the only monitoring/alerting tool you will need and this is clearly not the case.
- Anonymous
February 08, 2018
IvorJ - I totally agree. Log Analytics can alert, but its timeliness makes it of limited use. I'll update that table.
- Anonymous
March 29, 2018
Nicole, Excellent comparison, I started with OMS to set up real time alert but it never worked. After consulting Microsoft OMS Architect, recommendation was to configure SCOM with OMS in hybrid and set real time alerts in SCOM. We configured as recommended and it's working great. I agree OMS is not a real time and near-real time alerts. With tight SLAs for server heartbeat and other resources SCOM is way to go. Out of curiosity, does OMS Log analytics support Windows services and TCP port to monitor/alert?
- Anonymous
May 11, 2018
Hi Amit! Wire Data will show port info, but I'm not aware of any easy way to monitor services (metrics, status, etc.)
- Anonymous
October 08, 2018
Thank you, Nicole, I was looking for exactly this sort of comparison between SCOM and Log Analytics for a customer case study. Immensely helpful. I agree Azure Monitoring is the Future.