Azure ARC – Quick view

In Sentinel, if you want to collect on-prem logs such as Windows Events, CEF or Syslog, you have to deploy a combination of Azure Arc and the Azure Monitor Agent (AMA). In this short article we will cover the most important points.

The Azure Arc agent connects on-prem (or other-cloud) machines to Azure so that they can all be governed from a single place.

(schema image)

Deployment

Choose where (resource group/subscription) you want to onboard the new machines. My recommendation is to add them to the same resource group (RG) where you deployed Sentinel, i.e. the Log Analytics Workspace (LAW).

(image)

For a few machines (the common case), use the single-server deployment option with the public endpoint, running the generated PowerShell script on Windows or the bash script on Linux. After the script has run you have to authenticate to finish the onboarding (device-login link + code).

If you did it correctly, you should see a new purple machine icon in the resource group you chose.
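As an added example (not the script generated by the portal, nor code from the original post), this is the same single-server onboarding done by hand on Windows, followed by a check that the machine really landed in the intended resource group. The tenant/subscription/RG/location values are placeholders; the download alias and the azcmagent.exe flags are the ones the portal-generated script uses, and the "Agent Status" label matched in step 3 is assumed from the agent's human-readable output.

```powershell
# Added example, not from the original post: onboard one Windows server to Azure Arc
# and verify the result. Placeholder values below must be replaced with your own.
$Tenant        = "<tenant-id>"
$Subscription  = "<subscription-id>"
$ResourceGroup = "rg-sentinel"     # same RG as the Log Analytics Workspace (author's recommendation)
$Location      = "westeurope"

# 1. Download and install the Connected Machine agent (MSI).
$msi = Join-Path $env:TEMP "AzureConnectedMachineAgent.msi"
Invoke-WebRequest -Uri "https://aka.ms/AzureConnectedMachineAgent" -OutFile $msi -UseBasicParsing
$install = Start-Process msiexec.exe -Wait -PassThru `
    -ArgumentList "/i `"$msi`" /l*v `"$env:TEMP\arc-install.log`" /qn"
if ($install.ExitCode -ne 0) { throw "Agent install failed with exit code $($install.ExitCode)" }

# 2. Connect the machine. With no service principal supplied, azcmagent prints a
#    device-login link + code: that is the "authenticate to finish onboarding" step.
$azcmagent = "$env:ProgramFiles\AzureConnectedMachineAgent\azcmagent.exe"
& $azcmagent connect `
    --resource-group  $ResourceGroup `
    --tenant-id       $Tenant `
    --subscription-id $Subscription `
    --location        $Location `
    --cloud           "AzureCloud" `
    --tags            "role=syslog-collector,owner=soc"   # tags can later scope DCR/policy assignment
if ($LASTEXITCODE -ne 0) { throw "azcmagent connect failed (exit code $LASTEXITCODE)" }

# 3. Verify locally. The agent must report Connected and the resource must sit in the
#    RG we chose; otherwise the RBAC and policies on the Sentinel RG do not govern it.
$show = (& $azcmagent show) -join "`n"
$show
if ($show -notmatch 'Agent Status\s*:\s*Connected') { throw "Agent is not reporting Connected" }
if ($show -notmatch [regex]::Escape($ResourceGroup)) { throw "Machine landed outside $ResourceGroup" }
```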

(image)

At this point you have onboarded your on-prem machine into Azure, whether it is your Syslog/CEF/WEC collector or any other server. This means:

  • The machine becomes an Azure resource, so you can apply policies, health monitoring and tags to it, and even connect remotely to Linux machines.
  • You will be able to deploy the Azure Monitor Agent (AMA) on the machine in a few clicks by creating a Data Collection Rule (DCR).

In the next article we will see how to get our first logs from the on-prem (and cloud) infrastructure.

(image of Azure Arc sending logs to the LAW)

Thanks! I hope it was useful.