Log Analytics for Linux Virtual Machine Scale Set not working

Question

I've tried to set up Log Analytics in my Linux Virtual Machine Scale Set but it's not working. I used this as a template but to no avail.

Here is my terraform:

    ###############
    # Log analytics
    ###############
    
    resource "azurerm_virtual_machine_scale_set_extension" "AzureMonitorLinuxAgent" {
      name                         = "AzureMonitorLinuxAgent"
      publisher                    = "Microsoft.Azure.Monitor"
      type                         = "AzureMonitorLinuxAgent"
      type_handler_version         = "1.10"
      auto_upgrade_minor_version   = true
      virtual_machine_scale_set_id = azurerm_linux_virtual_machine_scale_set.vmss.id
    
      depends_on = [
        azurerm_linux_virtual_machine_scale_set.vmss
      ]
    }

resource "azurerm_monitor_data_collection_rule" "example" {
  name                = "my ame"
  resource_group_name = var.resource_group_name
  location            = var.location

  destinations {
    log_analytics {
      workspace_resource_id = var.log_analytics_workspace_log_id
      name                  = "destination-log"
    }

    azure_monitor_metrics {
      name = "test-destination-metrics"
    }
  }

  data_flow {
    destinations = ["destination-log"]
    streams      = ["Microsoft-InsightsMetrics", "Microsoft-Event", "Microsoft-Syslog"]
  }

  data_sources {

    performance_counter {
      streams                       = ["Microsoft-InsightsMetrics"]
      sampling_frequency_in_seconds = 60
      counter_specifiers            = ["\\VmInsights\\DetailedMetrics"]
      name                          = "VMInsightsPerfCounters"
    }

    syslog {
      facility_names = ["*"]
      log_levels     = ["*"]
      name           = "test-datasource-syslog"
    }
  }
}

# associate to a Data Collection Rule
resource "azurerm_monitor_data_collection_rule_association" "dcra" {
  name                    = "example1-dcra"
  target_resource_id      = azurerm_linux_virtual_machine_scale_set.vmss.id
  data_collection_rule_id = azurerm_monitor_data_collection_rule.example.id
  description             = "example"
}

Results:

When I go into the Logs section in my VMSS, I get the screen asking if I want to enable so I know it's not working. When I click Enable, I can see my Data Collection Rule was created properly and if I just wanted to configure. I'm not sure what I am missing on my terraform side.

Answer 1

I tried below code to create log analytics in VMSS:

source "azurerm_virtual_machine_scale_set_extension" "example" {
  name                         = "LogAnalytics"
  virtual_machine_scale_set_id = "${azurerm_linux_virtual_machine_scale_set.example.id}"
  publisher                    = "Microsoft.EnterpriseCloud.Monitoring"
  type                         = "OmsAgentForLinux"
  type_handler_version         = "1.13"
  auto_upgrade_minor_version  = true
  protected_settings = jsonencode({
    workspaceId  = "${azurerm_log_analytics_workspace.example.workspace_id}"
    workspaceKey = "${azurerm_log_analytics_workspace.example.primary_shared_key}"
  })
    settings = jsonencode({
    "workspaceId"               = "${azurerm_log_analytics_workspace.example.workspace_id}",
    "stopOnMultipleConnections" = false
  })

   depends_on = [
        azurerm_linux_virtual_machine_scale_set.example
      ]
}


resource "azurerm_log_analytics_workspace" "example" {
  name                = "examplekalog-analytics"
 location            = data.azurerm_resource_group.example.location
  resource_group_name = data.azurerm_resource_group.example.name
}
  
#rest of code

This created workspace but did not enable logs

Tried to Include: data_sources with syslog to enable logs in resource "azurerm_monitor_data_collection_rule" as you did

data_sources {
    syslog {
      facility_names = ["*"]
      log_levels     = ["*"]
      name           = "test-datasource-syslog"
    }
   
  }

Code:

resource "azurerm_virtual_network" "example" {
  name                = "example-network"
  address_space       = ["10.0.0.0/16"]
  location            = data.azurerm_resource_group.example.location
  resource_group_name = data.azurerm_resource_group.example.name
}

resource "azurerm_subnet" "example" {
  name                 = "internal"
  resource_group_name = data.azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.0.2.0/24"]
}

resource "azurerm_linux_virtual_machine_scale_set" "example" {
  name                = "example"
  resource_group_name = data.azurerm_resource_group.example.name
  location            = data.azurerm_resource_group.example.location
  sku                 = "Standard_F2"
  admin_username      = "adminuser"
  admin_password = "Passwrd@12!"
  disable_password_authentication = false
  instances           = 1

  os_disk {
    storage_account_type = "Standard_LRS"
    caching              = "ReadWrite"
  }

   source_image_reference {
    publisher = "Canonical"
    offer     = "UbuntuServer"
    sku       = "16.04-LTS"
    version   = "latest"
  }

  network_interface {
    name    = "example"
    primary = true

    ip_configuration {
      name      = "internal"
      primary   = true
      subnet_id = azurerm_subnet.example.id
    }
}
}

resource "azurerm_virtual_machine_scale_set_extension" "example" {
  name                         = "LogAnalytics"
  virtual_machine_scale_set_id = "${azurerm_linux_virtual_machine_scale_set.example.id}"
  publisher                    = "Microsoft.EnterpriseCloud.Monitoring"
  type                         = "OmsAgentForLinux"
  type_handler_version         = "1.13"
  auto_upgrade_minor_version  = true
  protected_settings = jsonencode({
    workspaceId  = "${azurerm_log_analytics_workspace.example.workspace_id}"
    workspaceKey = "${azurerm_log_analytics_workspace.example.primary_shared_key}"
  })
    settings = jsonencode({
    "workspaceId"               = "${azurerm_log_analytics_workspace.example.workspace_id}",
    "stopOnMultipleConnections" = false
  })

   depends_on = [
        azurerm_linux_virtual_machine_scale_set.example
      ]
}


resource "azurerm_log_analytics_workspace" "example" {
  name                = "examplekalog-analytics"
 location            = data.azurerm_resource_group.example.location
  resource_group_name = data.azurerm_resource_group.example.name
}

resource "azurerm_log_analytics_solution" "vminsights" {
  solution_name         = "vminsights"
   location            = data.azurerm_resource_group.example.location
  resource_group_name = data.azurerm_resource_group.example.name
  workspace_resource_id = azurerm_log_analytics_workspace.example.id
  workspace_name        = azurerm_log_analytics_workspace.example.name
  plan {
    publisher = "Microsoft"
    product   = "OMSGallery/VMInsights"
  }
}
resource "azurerm_virtual_machine_scale_set_extension" "vmss_ext_mma" {
  virtual_machine_scale_set_id = "${azurerm_linux_virtual_machine_scale_set.example.id}"
  auto_upgrade_minor_version   = true
  name                         = "MicrosoftMonitoringAgent"
  publisher                    = "Microsoft.EnterpriseCloud.Monitoring"
  type                         = "MicrosoftMonitoringAgent"
  type_handler_version         = "1.0"
   provision_after_extensions = [azurerm_virtual_machine_scale_set_extension.example.name]
  protected_settings = jsonencode({
    "workspaceKey" = "${azurerm_log_analytics_workspace.example.primary_shared_key}"
  })

  settings = jsonencode({
    "workspaceId"               = "${azurerm_log_analytics_workspace.example.workspace_id}",
    "stopOnMultipleConnections" = true
  })
}



resource "azurerm_monitor_data_collection_rule" "example" {
  name                = "kaexample-dcr"
  resource_group_name = data.azurerm_resource_group.example.name
  location            = data.azurerm_resource_group.example.location

  
  destinations {
    log_analytics {
      workspace_resource_id = azurerm_log_analytics_workspace.example.id
      name                  = "destination-log"
    }

    azure_monitor_metrics {
      name = "test-destination-metrics"
    }
  }
  
  
  data_flow {
    streams      = ["Microsoft-InsightsMetrics", "Microsoft-Event", "Microsoft-Syslog"]
    destinations = ["example-destination-metrics"]
  }
data_sources {
    syslog {
      facility_names = ["*"]
      log_levels     = ["*"]
      name           = "test-datasource-syslog"
    }
 
        performance_counter {
          streams                       = ["Microsoft-InsightsMetrics"]
          sampling_frequency_in_seconds = 60
          counter_specifiers            = ["\\VmInsights\\DetailedMetrics"]
          name                          = "VMInsightsPerfCounters"
        }
    }
}

resource "azurerm_virtual_machine_scale_set_extension" "AzureMonitorLinuxAgent" {
      name                         = "AzureMonitorLinuxAgent"
      publisher                    = "Microsoft.Azure.Monitor"
      type                         = "AzureMonitorLinuxAgent"
      type_handler_version         = "1.10"
      auto_upgrade_minor_version   = true
      virtual_machine_scale_set_id = azurerm_linux_virtual_machine_scale_set.example.id
    
      depends_on = [
        azurerm_linux_virtual_machine_scale_set.example
      ]
    }


resource "azurerm_monitor_data_collection_endpoint" "example" {
  name                = "example-dce"
  resource_group_name = data.azurerm_resource_group.example.name
  location            = data.azurerm_resource_group.example.location
}

# associate to a Data Collection Rule
resource "azurerm_monitor_data_collection_rule_association" "example1" {
  name                    = "example1-dcra"
  target_resource_id      = azurerm_linux_virtual_machine_scale_set.example.id
  data_collection_rule_id = azurerm_monitor_data_collection_rule.example.id
  description             = "example"
}

# associate to a Data Collection Endpoint
resource "azurerm_monitor_data_collection_rule_association" "example2" {
  target_resource_id          =azurerm_linux_virtual_machine_scale_set.example.id
  data_collection_endpoint_id = azurerm_monitor_data_collection_endpoint.example.id
  description                 = "example"
}


resource "azurerm_virtual_machine_scale_set_extension" "vmss_ext_da" {
   virtual_machine_scale_set_id = "${azurerm_linux_virtual_machine_scale_set.example.id}"
  auto_upgrade_minor_version   = true
  name                         = "DependencyAgentWindows"
  publisher                    = "Microsoft.Azure.Monitoring.DependencyAgent"
  type                         = "DependencyAgentWindows"
  type_handler_version         = "9.10"
  provision_after_extensions = [azurerm_virtual_machine_scale_set_extension.vmss_ext_mma.name]
    protected_settings = jsonencode({
    "workspaceKey" = "${azurerm_log_analytics_workspace.example.primary_shared_key}"
  })

  settings = jsonencode({
    "workspaceId"               = "${azurerm_log_analytics_workspace.example.workspace_id}",
    "stopOnMultipleConnections" = true,
    "enableAutomaticUpgrade" = true
  })

  
}

Refer :enable-vm-insights-for-azure-monitor-agent | Microsoft learn

One must also upgrade from free trial and use supported regions.

In my case even if i configure by seleting enable , logs has not created as either there are no logs yet created Aand may take several minutes or its support is limited for VMSS.

Also logs may take few minutes to show .See https://learn.microsoft.com/en-us/azure/azure-monitor/vm/vminsights-troubleshoot.

Data collection rules in Azure Monitor - Azure Monitor | Microsoft Learn