Thursday, January 22, 2015

Azure Operational Insights (AOI): How About The Intelligence Packs?


Update 01-22-2015
Microsoft contacted me and asked me to update my description of an Intelligence Pack since they feel it’s much more than an MP. Therefore I’ve updated this posting accordingly. Again I am happy with all the feedback Microsoft provides since it keeps my blog on topic.
 

About this posting
This posting is all about the Intelligence Packs (IPs) used by Azure Operational Insights (AOI).
However, it won’t be a deep dive into the XML code and its structure. Instead it will describe what IPs are, what they do and how they function.

Also good to know is that this posting came to be with direct feedback from Microsoft itself, simply because I want the postings on my blog to be spot on, delivering good and solid information. So a BIG word of thanks to Microsoft.
There is much to tell so let’s start. I’ve put it in a Q&A kind of form in order to give it more structure (hopefully).
  1. What are Intelligence Packs (IPs)?
    IPs are like a concept of the 'next generation' of MPs used by AOI. But there is more.
    An IP is a package containing these 3 components:
    A: The data source (the MP part);
    B: Search queries/analytics logic;
    C: Visualization.

    All these components are bundled together to address a particular topic, also titled 'a problem domain', like SQL Assessment, System Update Management, Malware Assessment and so on.

  2. How about ‘monitoring intelligence’ like we find in the SQL Server Monitoring MP used by on-prem SCOM?
    In the IPs themselves not much 'intelligence' resides. Mostly the IPs perform data collection and send the data to AOI (Direct Connection) or to the MS servers when connected with a SCOM 2012 MG with a connection to AOI. So you could state that the IPs are like containers filled with data collection policies.

    The real intelligence is how the collected data is shaped (either processed locally by the MMA or processed in the cloud), indexed and how one can query that data in order to obtain the required information.

  3. How is the data collected?
    The way data is collected by the IPs (or better by the MMA, 'executing' the data collection policies as stated in the IPs) differs.

    When looking at data from events and logs for instance, the data is collected as is.

    In other situations the system is analyzed and the data is shaped based on those findings. Think about SQL Assessment, updates and antimalware for instance.

  4. Can I modify those IPs like MPs by using Overrides?
    MMAs with Direct Connection don't have the management infrastructure that SCOM (Console/SDK/database) provides, so IPs can't be easily modified. Please bear in mind that AOI is still in preview mode so MUCH will change in time.

  5. What are those ‘Resources’ referred to in the XML code of many IPs?
    While studying the underlying XML I noticed many IPs refer to 'Resources'. This isn't a new concept; it was introduced with SCOM 2012 RTM. It provides a new way to embed assemblies in those MPs, enriching the capabilities of those same MPs significantly.

    What we see now is that the latest generation of MPs - and IPs as well for that matter - are using Resources more and more. Some shiny examples are the MPs used by SCOM 2012x APM functionality, Azure Monitoring MP, Alert Attachment MP and so on.

    Example: The SQL Assessment IP uses the Resource SQLExecutionPackage.execpkg.

    Resources like these are stored in a subfolder with a two-digit numeric name, found in the folder ~:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Resources.

  6. Ever heard about ‘Microsoft System Center Online’?
    When looking at the properties of those Resources I noticed the entry Microsoft System Center Online, like the Resource Microsoft.EnterpriseManagement.Mom.Modules.SubscriptionDataSource.dll.
    So my guess is that AOI is only the beginning of the move of on premise System Center to the cloud (Azure). Exciting times ahead! Awesome!

  7. How are the IPs delivered to MMAs with Direct Connection?
    It's basically the same process as an MMA reporting to an on-premise SCOM MG. In this case however the MMA contacts AOI and gets validated and authenticated.

    The MMA calls two APIs to get the lists of the IPs:
    - A static set of sealed MPs;
    - A configurable MP, setup for that Workspace only.

    These IPs are downloaded and imported. When the configuration is processed by the MMA it will execute the data collection policies as described in those IPs.

  8. What kind of IPs are available at this moment (21st January 2015)?
    Right at this moment these IPs are available:
    - Alert Management (Connecting on-prem SCOM 2012 MG with AOI, manages SCOM Alerts in AOI)
    - Change Tracking (Tracks configuration changes)
    - Log Management (Configure & manage Windows Events to be collected and uploaded to AOI)
    - System Update Assessment (Identify missing system updates)
    - SQL Assessment (Assess the risk and health of SQL Server environments)
    - Capacity Planning (Current & future utilization. On-prem SCOM MG and working VMM Connector required)
    - Malware Assessment (Status of antivirus and antimalware)

  9. Is that it? Or are there more IPs coming?
    Every week new IPs are announced and added to the list of available IPs. At this moment (21st January 2015) these two new IPs are announced to be available soon:
    - AD Assessment (Assess the risk and health of AD environments)
    - Security (Explore security related to data, helps to identify security breaches).

    And believe me, there is MUCH more to come. Why? Microsoft is dedicated to making AOI a great success. So the least they can do is to deliver IPs covering their own flagship products and services. Anything less won’t do. Period.

  10. Do I have to import those IPs, like importing MPs in my on-prem SCOM MGs?
    No, no importing of IPs is required. Simply log on to your AOI portal, go to the IP Gallery, select the IP you want to use by clicking on it and hit the button Add.
    That’s all it takes!

    Disabling an IP is just as straightforward: Select the IP which is activated (it has the status Owned), click on it and hit the button Remove.
    You’ll be prompted to confirm it (Yes) and the IP will be deactivated.
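
For items 5 and 6 above, an added example (not part of the original post and not Microsoft tooling): a PowerShell inventory of the Resource files an agent has unpacked, listing each file's product name, Authenticode status and SHA-256 hash so you can see what code the service delivered to the machine. The default path assumes the agent is installed under the system's Program Files folder; the function and parameter names are illustrative.

```powershell
# Added example: inventory the Resource files unpacked by the Microsoft Monitoring Agent.
# Reading the Health Service State folder may require an elevated session.
param(
    # Assumption: the agent is installed in the default Program Files location.
    [string]$ResourceRoot = (Join-Path $env:ProgramFiles 'Microsoft Monitoring Agent\Agent\Health Service State\Resources')
)

function Get-MmaResourceInventory {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        Write-Warning "Resource folder not found: $Path"
        return
    }

    # Walk every numbered subfolder and describe each file found in it.
    Get-ChildItem -LiteralPath $Path -Recurse -File | ForEach-Object {
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
        [pscustomobject]@{
            Subfolder   = $_.Directory.Name
            File        = $_.Name
            ProductName = $_.VersionInfo.ProductName   # empty for non-PE files such as .execpkg
            FileVersion = $_.VersionInfo.FileVersion
            SigStatus   = $sig.Status
            Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            SHA256      = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            LastWrite   = $_.LastWriteTimeUtc
        }
    }
}

$inventory = @(Get-MmaResourceInventory -Path $ResourceRoot)

# Full listing, grouped by the numbered subfolder each Resource lives in.
$inventory | Sort-Object Subfolder, File |
    Format-Table Subfolder, File, ProductName, SigStatus -AutoSize

# Assemblies that deserve a closer look: DLL/EXE files without a valid signature.
$inventory | Where-Object { $_.File -match '\.(dll|exe)$' -and $_.SigStatus -ne 'Valid' } |
    Format-Table Subfolder, File, SigStatus, Signer, SHA256 -AutoSize
```

Running it on a schedule and comparing the SHA256 column between runs shows when the set of delivered Resources changes.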

Recap
Hopefully I’ve answered most questions about the IPs, what they do and how they function. In a next posting about AOI I’ll zoom in to the portal itself and what kind of information you can find there, and what you can’t find there (at this moment).
