Retirement of the Log Analytics agent

Microsoft has announced that the Log Analytics agent will be retired in August 2024. The agent collects logs and performance data from Azure virtual machines and from any machine onboarded to Azure with Azure Arc, and sends them to a Log Analytics workspace, where they are used to monitor the VM and to provide security and performance insights.

Going forward, Microsoft will rely on agentless scanning for virtual machines, and the Defender for Servers and Defender for SQL on VM plans are being redesigned accordingly. The security features and capabilities of Defender for Servers will no longer depend on the Log Analytics agent; instead, the single Microsoft Defender for Endpoint agent will be used to simplify onboarding. More info: Prepare for the retirement of the Log Analytics agent.

What is agentless machine scanning and how does it work?

Agentless scanning uses cloud APIs, whereas agent-based scanning uses operating-system APIs on the machine itself to collect security data and logs. Agentless assessment evaluates vulnerabilities and risk without deploying any software agent on the machines, which brings benefits such as a reduced footprint, no resource consumption on the VM, rapid deployment and simplified management, at the cost of the continuous runtime telemetry that an agent provides.

Defender for Cloud takes a snapshot of the VM's disk and analyses the copy out of band, so the running VM is not touched. Below is the architecture diagram from Microsoft Docs.

Image source: Microsoft Docs

Below are the official words on how agentless scanning works.

💡
Content from Microsoft Docs: Agentless scanning for VMs uses cloud APIs to collect data, whereas agent-based methods use operating system APIs in runtime to continuously collect security-related data. Defender for Cloud takes snapshots of VM disks and performs an out-of-band, deep analysis of the operating system configuration and file system stored in the snapshot. The copied snapshot remains in the same region as the VM. The VM isn't affected by the scan. After the necessary metadata is acquired from the copied disk, Defender for Cloud immediately deletes the copied snapshot of the disk and sends the metadata to Microsoft engines to detect configuration gaps and potential threats. For example, in vulnerability assessment, the analysis is done by Defender Vulnerability Management. The results are displayed in Defender for Cloud, which consolidates both the agent-based and agentless results on the Security alerts page. The scanning environment where disks are analyzed is regional, volatile, isolated, and highly secure. Disk snapshots and data unrelated to the scan aren't stored longer than is necessary to collect the metadata, typically a few minutes.

How to enable agentless scanning on Azure

Navigate to Defender for Cloud -> Environment settings and click on the subscription.

Navigate to Defender plans -> Servers -> Settings.

In the settings pane, turn on Agentless scanning for machines.
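The portal steps above are fine for one subscription, but across many subscriptions you will want to script the change and, more importantly, verify that it actually took effect. The following script is an added example for this post, not Microsoft's own tooling. It talks to the Microsoft.Security/pricings REST API behind the Defender for Servers plan; the api-version 2023-01-01, the plan name VirtualMachines and the extension name AgentlessVmScanning are assumed from the Pricings API documentation and should be checked against the current reference. It also assumes an ARM bearer token in the AZURE_ACCESS_TOKEN environment variable (for example from `az account get-access-token --query accessToken -o tsv`) and a principal with Security Admin rights on the subscription. The sample response used for the dry run is constructed, not captured from a real tenant.

```python
"""Enable and verify agentless machine scanning on the Defender for Servers plan.

Added example, not from the original post or from Microsoft.
Assumptions (see lead-in): api-version 2023-01-01, extension name
"AgentlessVmScanning", an ARM token in AZURE_ACCESS_TOKEN, Security Admin rights.
"""
import json
import os
import sys
import urllib.request
from typing import Optional

ARM = "https://management.azure.com"
API_VERSION = "2023-01-01"         # assumption: Pricings API version with extensions
PLAN = "VirtualMachines"           # Defender for Servers plan name
EXTENSION = "AgentlessVmScanning"  # assumption: extension name per docs

# Constructed sample of a GET response, used for an offline dry run only.
SAMPLE_PRICING_RESPONSE = {
    "name": PLAN,
    "type": "Microsoft.Security/pricings",
    "properties": {
        "pricingTier": "Standard",
        "subPlan": "P2",
        "extensions": [{"name": EXTENSION, "isEnabled": "True"}],
    },
}


def pricing_url(subscription_id: str) -> str:
    return (f"{ARM}/subscriptions/{subscription_id}/providers/Microsoft.Security"
            f"/pricings/{PLAN}?api-version={API_VERSION}")


def pricing_body(sub_plan: str = "P2", exclusion_tags: Optional[list] = None) -> dict:
    """PUT body that keeps the plan on the Standard tier and turns agentless scanning on.

    exclusion_tags: list of {"key": ..., "value": ...} for VMs that must not be
    snapshotted; the API expects it as a JSON *string* inside additionalExtensionProperties.
    """
    extension = {
        "name": EXTENSION,
        "isEnabled": "True",  # the API uses string booleans, not JSON true/false
        "additionalExtensionProperties": {"ExclusionTags": json.dumps(exclusion_tags or [])},
    }
    return {"properties": {"pricingTier": "Standard",
                           "subPlan": sub_plan,
                           "extensions": [extension]}}


def agentless_scanning_enabled(pricing: dict) -> bool:
    """True only if the plan is on Standard AND the extension is enabled.

    An extension flag on a Free-tier plan scans nothing, so the tier is checked first.
    """
    props = pricing.get("properties", pricing)
    if props.get("pricingTier") != "Standard":
        return False
    for ext in props.get("extensions", []):
        if ext.get("name") == EXTENSION:
            return str(ext.get("isEnabled", "")).lower() == "true"
    return False  # extension absent from the plan


def _arm_call(method: str, url: str, token: str, body: Optional[dict] = None) -> dict:
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def enable_agentless_scanning(subscription_id: str, token: str) -> bool:
    """PUT the setting, then re-read the plan and return the verified state."""
    url = pricing_url(subscription_id)
    _arm_call("PUT", url, token, pricing_body())
    return agentless_scanning_enabled(_arm_call("GET", url, token))


if __name__ == "__main__":
    subscription = sys.argv[1] if len(sys.argv) > 1 else None
    token = os.environ.get("AZURE_ACCESS_TOKEN")
    if subscription and token:
        print("agentless scanning enabled:", enable_agentless_scanning(subscription, token))
    else:
        # Offline dry run against the constructed sample response.
        print("dry run, sample response enabled:",
              agentless_scanning_enabled(SAMPLE_PRICING_RESPONSE))
```

Run it once per subscription with the subscription ID as the only argument. The verification step matters: a PUT that returns 200 but leaves the plan on the Free tier, or that is later undone by an Azure Policy assignment, would otherwise go unnoticed, and `agentless_scanning_enabled` is the same check you can run on its own from a compliance job.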

💡
As outlined in the unified vulnerability assessment solution strategy blog, we are unifying all vulnerability assessment solutions in Defender for Cloud to use Microsoft Defender Vulnerability Management. As part of this change, effective May 1st, 2024, the built-in Qualys offering within the Defender for Servers plan will be retired. Click here for more information and transition guidelines.

Hope this was helpful, contact me on Twitter @sakaldeep for any queries.