What is Operations Management Suite?

On Premise, Cloud & Hybrid Infrastructure Analytics, Automation & Control


Introduction

Operations Management Suite (OMS) is Microsoft's cloud-hosted service for monitoring and managing infrastructure, whether it runs in the cloud, on premises or across a hybrid of the two. It can be thought of as the next-generation successor to System Center Operations Manager (SCOM).

OMS can collect data from a huge range of sources, including:

  • Virtual machines, Windows or Linux, on premises or in the cloud.
  • Office 365.
  • Azure services, including Azure Web Apps and Azure SQL.

Once connected to a data source, OMS can provide the following services:

  • Log Analytics – Collection and searching of log data, including security audit events, change tracking (software installs, registry changes), performance data, malware status and much more.
  • Automation – Runbooks and hybrid runbook workers let tasks such as update deployment run automatically, in a similar way to WSUS.
  • Reporting & Alerting – Using the collected log data, alerts can be configured to notify the relevant people of attacks or changes. Specific queries can also be saved and turned into reports.
  • Solutions – A large range of add-on solutions provide further services, including Backup/Site Recovery, AD Replication, AD Assessment, SQL Assessment, Network Monitoring and many more.

(Screenshot: Operations Management Suite Log Analytics)

Pricing

Operations Management Suite has a free tier, so you can try out all of the functionality before paying anything. The free tier caps the amount of data it will collect each day and how long it is retained, but it is perfectly adequate for small environments and testing.

There are a few paid options to choose from: E2 gives you everything, including Backup & Site Recovery, and E1 contains the basics. You can also buy each module on a pay-as-you-go basis, but that usually costs a lot more than an E1 or E2 plan. A nice inclusion is a licence for System Center, which can save you money or add value if you already run it.

(Screenshot: Operations Management Suite pricing)

More details about the pricing can be found here,

https://www.microsoft.com/en-gb/cloud-platform/operations-management-suite-pricing

Deploying

OMS is easy to deploy and get started with. First, you'll need an Azure subscription, then you create a Log Analytics workspace, which is what the OMS portal sits on top of. In the Azure portal, click Add Resource, search for Log Analytics and create a new workspace.

(Screenshot: creating the Log Analytics workspace)

Configure Logging

Azure

If you have virtual machines in Azure that you'd like to monitor, it's really easy to switch on. Browse to your Log Analytics workspace > select Virtual Machines > click each VM and click Connect to monitor it. This installs the Microsoft Monitoring Agent extension on the VM and points it at your workspace.

(Screenshot: connecting Azure VMs to the workspace)

Agent

If you want to monitor on-premises servers or servers in another cloud, browse to your OMS portal, typically something like https://example.portal.mms.microsoft.com, or click OMS Workspace from your Log Analytics workspace within Azure.

Click the Settings cog > Connected Sources > Download.

From here you can download the agent setup files (Windows and Linux) and see the Workspace ID and key that the installer asks for. Treat the workspace key as a credential: anyone who has it can register an agent and send data into your workspace, so don't leave it in plain-text scripts, and regenerate it from the same page if it is ever exposed.

(Screenshot: Connected Sources download page with Workspace ID and keys)
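Attaching a server to the workspace from a script, as an added example that is not code from the original post or from Valto. It assumes the Windows agent package was saved to C:\Temp\MMASetup-AMD64.exe and uses a placeholder workspace ID; the key is prompted for at run time rather than hard-coded. Install-OmsAgent runs the agent's documented silent install, Add-OmsWorkspace uses the agent's AgentConfigManager COM object for servers that already have the agent (for example SCOM-managed ones), and Test-OmsWorkspaceConnection reads the connection state back from the same object.

```powershell
# Added example, not code from the original post. Assumed: the package from
# Settings > Connected Sources was saved to $SetupPath, and $WorkspaceId is a
# placeholder to replace with your own. The key is prompted for, not stored.
# Run from an elevated PowerShell prompt on the server being onboarded.

$SetupPath    = 'C:\Temp\MMASetup-AMD64.exe'            # assumed download location
$WorkspaceId  = '00000000-0000-0000-0000-000000000000'  # placeholder workspace ID
$WorkspaceKey = Read-Host -Prompt 'Workspace key' -AsSecureString

function ConvertFrom-SecureStringToPlain {
    # Decode a SecureString only for the moment it has to go on a command line.
    param([securestring]$Secret)
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secret)
    try     { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

function Install-OmsAgent {
    # Fresh server: unpack the self-extracting package, then run the silent install.
    param([string]$Setup, [string]$Id, [securestring]$Key)

    $extractDir = Join-Path $env:TEMP 'MMASetup'
    Start-Process -FilePath $Setup -ArgumentList "/c /t:`"$extractDir`"" -Wait -NoNewWindow

    $arguments = @(
        '/qn', 'NOAPM=1', 'ADD_OPINSIGHTS_WORKSPACE=1',
        'OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0',          # 0 = public Azure cloud
        "OPINSIGHTS_WORKSPACE_ID=`"$Id`"",
        "OPINSIGHTS_WORKSPACE_KEY=`"$(ConvertFrom-SecureStringToPlain $Key)`"",
        'AcceptEndUserLicenseAgreement=1'
    )
    $proc = Start-Process -FilePath (Join-Path $extractDir 'setup.exe') `
                          -ArgumentList $arguments -Wait -PassThru -NoNewWindow
    if ($proc.ExitCode -ne 0) { throw "MMA setup failed with exit code $($proc.ExitCode)" }
}

function Add-OmsWorkspace {
    # Agent already installed (for example a SCOM-managed server): add the workspace
    # through the agent's own configuration COM object instead of reinstalling.
    param([string]$Id, [securestring]$Key)
    $mma = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'
    $mma.AddCloudWorkspace($Id, (ConvertFrom-SecureStringToPlain $Key))
    $mma.ReloadConfiguration()
}

function Test-OmsWorkspaceConnection {
    # Read the connection state back from the agent; 'Connected' is what you want to see.
    param([string]$Id)
    $mma = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'
    $ws  = $mma.GetCloudWorkspace($Id)
    [pscustomobject]@{
        WorkspaceId = $ws.workspaceId
        AgentId     = $ws.AgentId
        Status      = $ws.ConnectionStatusText
    }
}

# HealthService is the Microsoft Monitoring Agent service; its presence tells us which path to take.
if (Get-Service -Name HealthService -ErrorAction SilentlyContinue) {
    Add-OmsWorkspace -Id $WorkspaceId -Key $WorkspaceKey
} else {
    Install-OmsAgent -Setup $SetupPath -Id $WorkspaceId -Key $WorkspaceKey
}
Start-Sleep -Seconds 30   # give the agent a moment to register before checking
Test-OmsWorkspaceConnection -Id $WorkspaceId
```

If the status does not come back as Connected, the usual causes are outbound HTTPS to the OMS endpoints being blocked by a proxy or firewall, or a mistyped key; the agent's Operations Manager event log on the server gives the reason. Keep the key out of the script itself, as above, because anything that can reach a workspace key can feed arbitrary records into your Log Analytics data.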

What can we do with OMS?

Once you've deployed OMS you'll have several options available to you, including prebuilt dashboards and views and the ability to create your own. Below are some of the out-of-the-box controls you get by enabling various solutions, followed by some useful queries for the log search.

Out of the Box Controls

Out of the box there are a number of useful alerts, including the following:

  • Security alerts identifying servers that are being brute-forced and where the attacks originate from.
  • Performance monitoring, including free disk space, memory, CPU and disk utilisation.
  • Event monitoring showing which servers are logging critical events that need to be picked up.
  • AD and SQL Assessment solutions that automatically report security, performance and other best-practice findings, with recommended fixes, for your infrastructure.
  • Automation, including patch management that can replace WSUS.

Security Controls

Some useful alerts, especially in larger environments, are ones that fire when the membership of security groups changes, above all high-privilege groups such as Domain Admins, and when local administrators are added to servers. Below is a basic search that catches the three "member added" events (global, local and universal groups). Two prerequisites: the Security and Audit solution must be enabled in the workspace so that SecurityEvent records are collected, and the Security Group Management audit subcategory must be switched on on the domain controllers and servers concerned, otherwise the events are never written and there is nothing to search.

Type=SecurityEvent (EventID=4728 OR EventID=4732 OR EventID=4756)

Useful Security EventIDs

  • 4727 – A security-enabled global group was created.
  • 4728 – A member was added to a security-enabled global group.
  • 4729 – A member was removed from a security-enabled global group.
  • 4730 – A security-enabled global group was deleted.
  • 4731 – A security-enabled local group was created.
  • 4732 – A member was added to a security-enabled local group.
  • 4733 – A member was removed from a security-enabled local group.
  • 4734 – A security-enabled local group was deleted.
  • 4735 – A security-enabled local group was changed.
  • 4737 – A security-enabled global group was changed.
  • 4754 – A security-enabled universal group was created.
  • 4755 – A security-enabled universal group was changed.
  • 4756 – A member was added to a security-enabled universal group.
  • 4757 – A member was removed from a security-enabled universal group.
  • 4758 – A security-enabled universal group was deleted.
  • 4764 – A group’s type was changed.
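The same group-change events checked directly on a server, as an added example that is not code from the original post or from Valto. It covers the three "member added" events the search above looks for, plus the audit-policy prerequisite that makes them exist at all; the list of privileged groups and the one-day window are assumptions to adjust. It is useful both as a check that the domain controllers really are producing these events before you build an OMS alert on them, and as a fallback on servers the agent does not yet reach.

```powershell
# Added example, not code from the original post. Run from an elevated prompt on a
# domain controller (global/universal groups) or a member server (local groups).
# $PrivilegedGroups and the one-day default window are assumptions.

# The same event IDs as the OMS search, with their meaning.
$MemberAddedEvents = @{
    4728 = 'Member added to security-enabled global group'
    4732 = 'Member added to security-enabled local group'
    4756 = 'Member added to security-enabled universal group'
}
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

function Test-GroupManagementAuditing {
    # If the subcategory is not auditing successes the events are never written,
    # so neither this script nor OMS has anything to look at.
    $out = auditpol /get /subcategory:"Security Group Management" /r
    return [bool]($out -match 'Success')
}

function Get-GroupMembershipAdditions {
    param(
        [datetime]$Since        = (Get-Date).AddDays(-1),
        [string]  $ComputerName = $env:COMPUTERNAME
    )
    $filter = @{ LogName = 'Security'; Id = @($MemberAddedEvents.Keys); StartTime = $Since }

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the named EventData fields from the event XML rather than scraping
            # the message text, which is localised and changes between OS versions.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            $group = $data['TargetUserName']
            # On member servers MemberName is often '-' and only the SID is logged.
            $member = if ($data['MemberName'] -and $data['MemberName'] -ne '-') { $data['MemberName'] } else { $data['MemberSid'] }

            [pscustomobject]@{
                Time       = $_.TimeCreated
                Computer   = $_.MachineName
                EventId    = $_.Id
                Change     = $MemberAddedEvents[[int]$_.Id]
                Group      = "$($data['TargetDomainName'])\$group"
                Member     = $member
                AddedBy    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                Privileged = ($PrivilegedGroups -contains $group)
            }
        }
}

if (-not (Test-GroupManagementAuditing)) {
    Write-Warning 'Security Group Management auditing is off; enable it with: auditpol /set /subcategory:"Security Group Management" /success:enable'
}

# Typical use: anything that touched a privileged group in the last 24 hours.
Get-GroupMembershipAdditions | Where-Object Privileged |
    Format-Table Time, Computer, Group, Member, AddedBy -AutoSize
```

The AddedBy column is what makes this actionable: an addition to Domain Admins made by an account that is not a known administrator, or at an unusual time, is the alert worth paging on. In OMS the same fields are available on the SecurityEvent record, so the portal search can be narrowed the same way once the events are confirmed to be flowing.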

Performance Monitoring

By default, OMS does not collect Windows performance counters, so we need to turn this on.

Go to the Cog (Settings) > Data > Windows Performance Counters.

Here we can add the counters we want and set the collection interval for each.

Once that is enabled and the agents have collected some data, we can report on it in Log Analytics by going to Log Search and entering some of the sample queries below. The queries themselves don't restrict the time range; that comes from the date picker in the portal, so set it to the period you want (7 days in the examples) or add a TimeGenerated filter to the query.

CPU usage over the last 7 days, averaged per computer in hourly intervals

Type:Perf CounterName="% Processor Time" InstanceName="_Total" | measure avg(CounterValue) by Computer Interval 1HOUR

Memory usage over the last 7 days, averaged per computer in hourly intervals

Type:Perf ObjectName=Memory CounterName="Available MBytes" | measure avg(CounterValue) by Computer Interval 1HOUR

Free disk space over the last 7 days, averaged per computer in hourly intervals

Type:Perf ObjectName=LogicalDisk CounterName="% Free Space" | measure avg(CounterValue) by Computer Interval 1HOUR

Free disk space on a specific volume (C:) over the last 7 days, averaged per computer in hourly intervals

Type:Perf ObjectName=LogicalDisk CounterName="% Free Space" InstanceName="C:" | measure avg(CounterValue) by Computer Interval 1HOUR

Alerts

Finally, we may want to configure alerts that email staff members when critical events are detected, whether that is a security event or a server reporting critical events to its event log. The searches below can be turned into alert rules from the Log Search page.

Critical alerts raised during the past 24 hours

Type=Alert SourceSystem=OpsManager AlertSeverity=error TimeRaised>NOW-24HOUR

Warning alerts raised during the past 24 hours

Type=Alert AlertSeverity=warning TimeRaised>NOW-24HOUR

Alerts raised during the past 1 day grouped by their severity

Type=Alert SourceSystem=OpsManager TimeRaised>NOW-1DAY | measure count() as Count by AlertSeverity

How we roll out OMS

Valto are experts in Operations Management Suite and can help your organisation roll it out through the following process:

  • Demonstration – We provide a full demonstration of OMS and its capabilities to give you a complete understanding of how the product can help your organisation. We do this at no charge, and you're welcome to join us at our offices or we can come to you. Contact Us.
  • Specification – Depending on the size and complexity of your organisation, OMS can be a relatively easy deployment or can require detailed planning before implementation. Based on the initial demonstration we'll gather requirements to determine the next steps and whether a workshop is needed to fully deploy the solution.
  • Workshop – During the workshop we'll sit down with the stakeholders to fully understand what is required from OMS. We'll further demonstrate its capabilities and build a thorough list of the solutions, log searches and alerts that need to be designed and prepared. The output is a specification that fully costs out the expected project costs, licensing and timelines for implementation.
  • Proof of Concept – Once the initial specification has been agreed, a proof of concept is built to determine whether the specification meets all of the requirements or needs adjusting.
  • Rollout – Finally, OMS is deployed and rolled out. Full training is provided to the relevant staff so that OMS can be developed and monitored going forward. Support can be provided through Valto monthly agreements or tokens where required.

Extending OMS Further

This post barely scratches the surface of what OMS can do; there are many more solutions and capabilities. Below are a few of them:

  • Automation & PowerShell DSC – We can build profiles for servers based on their roles, standard company configurations and more. DSC lets us declare the required state of a server in PowerShell, compiled to MOF files, for example a profile that ensures the IIS role is installed along with the website files. If anything on the server drifts from that state it is reported as non-compliant to Azure Automation/OMS and, depending on the configuration mode, DSC will put the required files or services back.
  • Dashboards – We can build dashboards for specific groups to monitor specific log queries, such as security events on public-facing servers.
  • Power BI – Extending Log Analytics further, we can export the data and build intelligent, good-looking reports for management teams.
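An added example, not code from the original post or from Valto, of the DSC profile described in the first bullet: IIS installed, site content present and the web service running, with the Local Configuration Manager set to correct drift rather than only report it. It uses push mode so that it runs stand-alone against the local node; with Azure Automation DSC the same configuration is uploaded there and the node is registered with the pull server instead. The share path is a placeholder.

```powershell
# Added example, not code from the original post. Assumed: site content is
# published to \\fileserver\releases\www (placeholder share). Requires WMF 5
# and an elevated prompt on the node being configured.

Configuration WebServerRole {
    param([string[]]$NodeName = 'localhost')

    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $NodeName {
        WindowsFeature IIS {
            Name   = 'Web-Server'
            Ensure = 'Present'
        }

        # Recurse + Checksum means a tampered or deleted file is detected,
        # not just a missing folder.
        File SiteContent {
            Ensure          = 'Present'
            Type            = 'Directory'
            Recurse         = $true
            Checksum        = 'SHA-256'
            SourcePath      = '\\fileserver\releases\www'   # assumed share
            DestinationPath = 'C:\inetpub\wwwroot'
            DependsOn       = '[WindowsFeature]IIS'
        }

        Service W3SVC {
            Name        = 'W3SVC'
            StartupType = 'Automatic'
            State       = 'Running'
            DependsOn   = '[WindowsFeature]IIS'
        }
    }
}

[DSCLocalConfigurationManager()]
Configuration WebServerLcm {
    Node localhost {
        Settings {
            # ApplyAndMonitor only flags drift; ApplyAndAutoCorrect puts it back.
            ConfigurationMode  = 'ApplyAndAutoCorrect'
            RebootNodeIfNeeded = $false
        }
    }
}

# Compile both to MOF files and push them to the local node.
WebServerRole -OutputPath C:\DSC\WebServerRole
WebServerLcm  -OutputPath C:\DSC\WebServerLcm
Set-DscLocalConfigurationManager -Path C:\DSC\WebServerLcm -Verbose
Start-DscConfiguration -Path C:\DSC\WebServerRole -Wait -Verbose

# Later: confirm the node still matches, or see which resources drifted.
Test-DscConfiguration -Detailed
```

Because the LCM runs as SYSTEM, the node's computer account needs read access to the share. The configuration mode is the security-relevant choice: with ApplyAndMonitor a deleted web.config shows up as non-compliant in Test-DscConfiguration and in the Azure Automation/OMS reporting but stays deleted, whereas with ApplyAndAutoCorrect the LCM restores it on the next consistency check.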

We'll cover each of these solutions over the coming months, so keep an eye out and subscribe to our blog.

Clients we’ve deployed OMS for

We've deployed OMS for a number of key clients during larger Azure migration projects to assist with the ongoing support and management of the environment. These include:

  • A large charity in London, following the migration of their infrastructure from a data centre to Azure.
  • An ISV / Microsoft Partner, rolled out as part of a multi-tenanted Azure environment to provide various services to their clients.