Disconnect an Azure VM from a loganalytics workspace

0
votes

i'm looking for a powershell way to disconnect a virtual machine from an OMS workspace.

I wrote a powershell script to move a VM to an other subscription. So i have to re-connect this VM from 'source workspace' to 'destination workspace'.

Just removing OMS extension show me the virtual machine as "Not connected" into Azure portal "Log Analytics workspace >Workspace Data Sources>Virtual machines".

This cmdlet should do the tricks (the doc is not really clear), but i always have the same message

remove-AzureRmOperationalInsightsDataSource -Workspace $OmsWkspceITS -Name CentosMove
Confirm
Are you sure you want to remove data source 'CentosMove' in workspace 'itsoms'?
[Y] Yes [N] No [S] Suspend [?] Help (default is "Yes"): yes
WARNING: DataSource 'CentosMove' does not exist in workspace 'itsoms'.

(CentosMove is my VM name).

Our ITSOMS workspace is used for years now with hundred of VM, many solutions, NSG logflows analytics,.. 

$OmsWkspceITS


Name              : itsoms
ResourceGroupName : rg_its_exploit
ResourceId        : /subscriptions/blablabla/resourcegroups/blabla/providers/microsoft.operationalinsights/workspaces/itsoms
Location          : westeurope
Tags              :
Sku               : standalone
CustomerId        : xx
PortalUrl         : https://weu.mms.microsoft.com/Accou...
ProvisioningState : Succeeded

The only Datasources i can get with this cmdlet are those like this one

Get-AzureRmOperationalInsightsDataSource -WorkspaceName $OmsWkspceITS.Name -ResourceGroupName $OmsWkspceITS.ResourceGroupName -Name DataSource_LinuxSyslog_syslog


Name              : DataSource_LinuxSyslog_syslog
ResourceGroupName : rg_its_exploit
WorkspaceName     : itsoms
ResourceId        : /subscriptions/xx/resourceGroups/rg_its_exploit/providers/Microsoft.OperationalInsights/workspaces/itsoms/datasources/DataSource_LinuxSyslog_syslog
Kind              : LinuxSyslog
Properties        : {"syslogName":"syslog".....}

I'm maybe not looking at the right cmdlet i think ...

Thanks for your help :)

1
azurepowershellvirtual-machineazure-log-analytics

1 Answers

4
votes

To accomplish your requirement use cmdlets Remove-AzureRmVMExtension and Set-AzureRmVMExtension.

For illustration check below commands.

To disconnect Linux VM agent:

Remove-AzureRmVMExtension -ResourceGroupName RESOURCEGROUPNAME -VMName VMNAME -Name ‘OmsAgentForLinux’

To disconnect Windows VM agent:

Remove-AzureRmVMExtension -ResourceGroupName RESOURCEGROUPNAME -VMName VMNAME -Name ‘MicrosoftMonitoringAgent’

To connect Linux VM agent to a Log Analytics workspace:

$WorkspaceID = "xxxxxxxxxxxxxxxxxxxxxxxxx"
$WorkspaceKey = "xxxxxxxxxxxxxxxxxxxxxxxx"
Set-AzureRmVMExtension -ResourceGroupName RESOURCEGROUPNAME -VMName VMNAME -Name ‘OmsAgentForLinux’ -Publisher ‘Microsoft.EnterpriseCloud.Monitoring’ -ExtensionType ‘OmsAgentForLinux’ -TypeHandlerVersion ‘1.0’ -Location 'LOCATION' -SettingString "{‘workspaceId’: ‘$WorkspaceID’}" -ProtectedSettingString "{‘workspaceKey’: ‘$WorkspaceKey’}"

To connect Windows VM agent to a Log Analytics workspace:

$WorkspaceID = "xxxxxxxxxxxxxxxxxxxxxxxxx"
$WorkspaceKey = "xxxxxxxxxxxxxxxxxxxxxxxx"
Set-AzureRmVMExtension -ResourceGroupName RESOURCEGROUPNAME -VMName VMNAME -Name ‘MicrosoftMonitoringAgent’ -Publisher ‘Microsoft.EnterpriseCloud.Monitoring’ -ExtensionType ‘MicrosoftMonitoringAgent’ -TypeHandlerVersion ‘1.0’ -Location 'LOCATION' -SettingString "{‘workspaceId’: ‘$WorkspaceID’}" -ProtectedSettingString "{‘workspaceKey’: ‘$WorkspaceKey’}"

Hope this helps!! Cheers!! :)