To get started with OMS, set up a Log Analytics workspace. A workspace is a container and Azure resource in which data is collected, analyzed, and presented in a portal. It includes account information and simple configuration information for a given account. You can have multiple workspaces to manage different datasets. To create a workspace, you will need the following:
- An Azure subscription
- A name for your workspace
- An Azure geographical region
You will also need to associate your workspace with an Azure subscription. A workspace can serve as a granular unit of management for specific workloads, functional teams, or other groupings. A Log Analytics workspace provides you with the following:
- Granularity for billing
- Data isolation
- Custom workload configuration
- Geographic location flexibility for data storage
You can get started with OMS by creating a workspace using any of the following methods:
- Create a workspace through the Microsoft OMS overview page
- Create a Log Analytics workspace in the Azure portal
- Create and configure a Log Analytics workspace using Azure Resource Manager templates
- Create and configure a Log Analytics workspace using Log Analytics PowerShell cmdlets
You can subsequently view, administer, and configure your workspace through the user interface portals in either Azure or the OMS website.
Once you have added solutions to your workspace and connected sources to it, you define which data is collected from those sources by configuring data sources for the workspace. The configured data sources determine the nature of the collected data. The following are some examples of data sources:
- Windows event logs
- Windows and Linux performance counters
- Syslog
- IIS and custom logs
For Windows event logs, Log Analytics will only collect events from the Windows event logs that you specify in your workspace. You will not, however, be able to manually add security events to your workspace. To collect security events, you will need to install the Security and Audit solution or the Security & Compliance solution, which includes the security solution.
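As an added example (not from the original text), the PowerShell route described above can create the workspace from its three inputs, add Windows event log and Syslog data sources, and enable the security solution, since security events cannot be added as a data source. It assumes the Az.OperationalInsights module and an authenticated session; the subscription, resource group, workspace name, and region are hypothetical placeholders.

```powershell
# Added example. Assumes: Az.OperationalInsights is installed and
# Connect-AzAccount has already been run. All names are placeholders.
$SubscriptionId = '<subscription-id>'
$ResourceGroup  = 'rg-oms-example'
$WorkspaceName  = 'oms-example-workspace'
$Location       = 'westeurope'

# The workspace is associated with one subscription and one region.
Set-AzContext -Subscription $SubscriptionId | Out-Null
if (-not (Get-AzResourceGroup -Name $ResourceGroup -ErrorAction SilentlyContinue)) {
    New-AzResourceGroup -Name $ResourceGroup -Location $Location | Out-Null
}
New-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup `
    -Name $WorkspaceName -Location $Location -Sku PerGB2018 | Out-Null

# Common parameters for the data source cmdlets.
$ws = @{ ResourceGroupName = $ResourceGroup; WorkspaceName = $WorkspaceName }

# Only the event logs named here are collected. The Security log is
# deliberately absent: it is not configured as a data source.
foreach ($log in 'Application', 'System') {
    New-AzOperationalInsightsWindowsEventDataSource @ws -Name "WinEvent-$log" `
        -EventLogName $log -CollectErrors -CollectWarnings | Out-Null
}

# Syslog facilities relevant to authentication and service activity.
foreach ($facility in 'auth', 'authpriv', 'daemon') {
    New-AzOperationalInsightsLinuxSyslogDataSource @ws -Name "Syslog-$facility" `
        -Facility $facility -CollectEmergency -CollectAlert -CollectCritical `
        -CollectError -CollectWarning | Out-Null
}
Enable-AzOperationalInsightsLinuxSyslogCollection @ws | Out-Null

# Security events arrive through the solution instead. 'Security' is assumed
# here to be the intelligence pack name for the Security and Audit solution.
Set-AzOperationalInsightsIntelligencePack @ws `
    -IntelligencePackName 'Security' -Enabled $true | Out-Null

# Review what the workspace will actually collect.
Get-AzOperationalInsightsDataSource @ws -Kind WindowsEvent | Select-Object Name
Get-AzOperationalInsightsDataSource @ws -Kind LinuxSyslog  | Select-Object Name
Get-AzOperationalInsightsIntelligencePack @ws | Where-Object Enabled
```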
The collected data is then stored in the OMS repository as a set of records, with each record type having a set of properties.
This collected data can then be queried using the log search feature to combine and correlate it. Solutions put the emphasis on particular workloads or problem areas, so you can glean insights and take action on the information derived from the data. You can then further analyze the data using the various visualization capabilities in OMS.
Furthermore, you can manage accounts, users, and groups to provide some measure of role-based access to your Log Analytics workspace. This can be done using Azure permissions and in the OMS portal.
The Microsoft or organizational account that creates a workspace becomes an administrator of the workspace by default.