Tracking configuration changes for your Azure VM

In this blog post, I will talk about how to use the Change Tracking solution to detect in-guest changes on your Azure VMs. Right from within your Azure VM you can quickly assess details of changes that occurred across your system. We currently support tracking Software, Files, Windows Registry, Windows Services, and Linux Daemons.

This feature is currently in private preview. If you’re interested in trying it, please sign up here!

Enabling change tracking

From your VM, you can select “Track Changes” on the virtual machines blade, under Automation + Control. After selecting it, validation is performed to determine if the Change Tracking solution is enabled for this VM. If it is not enabled, you will have the option to enable the solution.

The solution enablement process usually takes only a few minutes but can take up to 15 minutes. During this time, you should not close the browser window. Once the solution is enabled and log data starts to flow to the workspace, it can take more than 30 minutes for data to be available for analysis in the dashboard described in the next section. We expect this timing to significantly improve in the future.

Visualize change in your VM

From the Change Tracking dashboard, you can view the changes that have occurred on your VM. The main set of graphs displays the configuration changes by time and change type. The interactive table below it shows the changes that occurred during the specified time range. By clicking on the table rows, you can see the details of each change.

To change the viewable time window, click on “Filter”. The default time range is the last 24 hours, but you can also set the time range to the last 30 minutes, last 1 hour, last 6 hours, last 7 days, last 30 days, or a custom time range.

The Change Tracking solution tracks all Windows Services, all Linux Daemons, all Software, and some Linux Files (/etc/*.conf) by default; however, if you would like to collect additional Files and Windows Registry changes across your machines, you can add them to the solution’s collection settings by clicking “Configure”. Please note: the configuration settings are universal across all machines under that workspace.

Once in the collection settings, you can go to the change type you wish to modify via the tabs at the top of the page. You can click the plus (+) icon to add a new collection setting for the designated change type, or you can click on a pre-existing setting to edit its properties.

Correlate Azure Activity Log Events for Your VM

If you have the Azure Activity Log solution funneling data to your OMS workspace, you can enable the Azure Activity correlation line graph to see the trend of Activity Log events for your VM that occurred within your Change Tracking time window.

To receive Azure Activity Logs in your OMS workspace, follow the steps below (from )

  1. Add the Azure Activity Log Analytics solution in OMS
  2. Go to your workspace in Azure and click on “Azure Activity log” beneath Workspace Data Sources
  3. Enable a connection to the subscription(s) of your choice
  4. Data should start collecting

You can click on the Activity Log graph points to see what Activity Log events occurred around that time. The results will open in Log Search.

OS support

We support all operating systems that meet the OMS agent requirements. Both x86 and x64 versions are officially supported on a variety of distributions. However, the OMS Agent might also run on other distributions not listed.

  • Windows
    • Windows Server 2008 SP 1 or later
    • Windows 7 SP1 or later
  • Linux
    • Amazon Linux 2012.09 through 2015.09
    • CentOS Linux 5, 6 and 7
    • Oracle Linux 5, 6, and 7
    • Red Hat Enterprise Linux Server 5, 6, and 7
    • Debian GNU/Linux 6, 7, and 8
    • Ubuntu 12.04 LTS, 14.04 LTS, 15.04, and 15.10
    • SUSE Linux Enterprise Server 11 and 12

New to OMS Change Tracking

If you are new to OMS Change Tracking, you can view the current capabilities which include change detection across both Windows and Linux machines in our documentation.