How to Use Azure Monitor with Windows Server 2016
Azure Monitor is Microsoft's unified monitoring service that collects, analyzes, and acts on telemetry from Azure resources and on-premises infrastructure. On Windows Server 2016 it works through the Azure Monitor Agent (AMA), which forwards Windows Event Logs, performance counters, and custom logs to a Log Analytics workspace (and, for supported counters, to Azure Monitor Metrics). The legacy Log Analytics agent (MMA) did the same job but was retired on 31 August 2024 and should not be used for new deployments. The result is centralized monitoring, cross-server correlation, alerting, and workbooks, all accessible from the Azure Portal without an on-premises monitoring server.
This guide covers installing the Azure Monitor Agent on Windows Server 2016, creating a Data Collection Rule, querying collected data in Log Analytics, and configuring metric alerts.
Prerequisites
An Azure subscription with a Log Analytics workspace. The Windows Server 2016 machine must be either an Azure VM or, for a non-Azure server, Azure Arc-enabled. Outbound HTTPS (TCP 443) is required from the server to the Azure Arc agent endpoints (login.microsoftonline.com, management.azure.com, *.his.arc.azure.com, *.guestconfiguration.azure.com) and to the Azure Monitor Agent endpoints (global.handler.control.monitor.azure.com, <region>.handler.control.monitor.azure.com, and <workspace-id>.ods.opinsights.azure.com). The *.oms.opinsights.azure.com endpoint belonged to the legacy MMA and is not needed for AMA. If the server reaches the internet through a proxy, configure it on the Arc agent with azcmagent config set proxy.url before onboarding.
Step 1: Onboard Windows Server 2016 to Azure Arc
For on-premises Windows Server 2016, install the Azure Connected Machine agent to register the server with Azure Arc. In the Azure Portal, go to Azure Arc > Servers > Add, choose the single-server option, and download the generated OnboardingScript.ps1. Copy it to the server and run it from an elevated PowerShell session:
.\OnboardingScript.ps1
The single-server script installs the agent and signs in interactively with a device code. The multi-server variant instead embeds a service principal secret, so treat that file as a credential: restrict who can read it and delete it once onboarding is done. After onboarding, the server appears under Azure Arc > Servers with status Connected, which enables Azure management capabilities including deployment of the Azure Monitor Agent as an extension.
Step 2: Create a Log Analytics Workspace
If you do not have a Log Analytics workspace, create one via the Azure Portal or CLI:
az monitor log-analytics workspace create \
  --resource-group MonitoringRG \
  --workspace-name WS2016-Logs \
  --location eastus \
  --sku PerGB2018
Step 3: Install the Azure Monitor Agent via Extension
For Arc-enabled on-premises servers, install the Azure Monitor Agent as an Arc extension via the Azure Portal: navigate to the Arc-enabled server, select Extensions, and add the AzureMonitorWindowsAgent extension.
Via PowerShell with the Az module:
New-AzConnectedMachineExtension `
-ResourceGroupName "MonitoringRG" `
-MachineName "WS2016-01" `
-Name "AzureMonitorWindowsAgent" `
-Location "eastus" `
-Publisher "Microsoft.Azure.Monitor" `
-ExtensionType "AzureMonitorWindowsAgent" `
-TypeHandlerVersion "1.2"
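Before moving on to the Data Collection Rule it is worth confirming that Steps 1 to 3 actually produced a connected Arc agent and a running AMA service. The following check is an added example, not part of the original guide or of Microsoft's tooling. It runs in an elevated PowerShell 5.1 session on the server; the function name and the placeholder workspace GUID are assumptions, and it takes the workspace ID (GUID), not the workspace name.

```powershell
# Added example (not from the original guide or Microsoft tooling): pre-flight and
# post-install checks for Steps 1-3 on a Windows Server 2016 host. Function name and
# the sample workspace GUID are assumptions.
function Test-Ws2016MonitorAgent {
    param(
        [Parameter(Mandatory)][string]$WorkspaceId,  # Log Analytics workspace ID (GUID), not its name
        [string]$Region = 'eastus'                    # Azure region of the Arc resource and DCR
    )

    # Endpoints the Arc agent and AMA must reach on TCP 443. Wildcard hosts such as
    # *.his.arc.azure.com cannot be probed by name, so only fixed names are tested.
    # Behind an explicit proxy these direct probes fail; use `azcmagent check` there.
    $endpoints = @(
        'login.microsoftonline.com',
        'management.azure.com',
        'global.handler.control.monitor.azure.com',
        "$Region.handler.control.monitor.azure.com",
        "$WorkspaceId.ods.opinsights.azure.com"
    )
    $results = @()
    foreach ($endpoint in $endpoints) {
        $tcp = Test-NetConnection -ComputerName $endpoint -Port 443 -WarningAction SilentlyContinue
        $results += [pscustomobject]@{ Check = "TCP 443 to $endpoint"; Ok = $tcp.TcpTestSucceeded }
    }

    # himds is the Arc agent's metadata service; AzureMonitorAgent is installed by the
    # AzureMonitorWindowsAgent extension in Step 3.
    foreach ($svc in 'himds', 'AzureMonitorAgent') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        $results += [pscustomobject]@{
            Check = "Service $svc running"
            Ok    = ($null -ne $s -and $s.Status -eq 'Running')
        }
    }

    # azcmagent show prints the Arc connection state; anything other than Connected
    # means Step 1 did not complete.
    $azcmagent = Join-Path $env:ProgramFiles 'AzureConnectedMachineAgent\azcmagent.exe'
    if (Test-Path $azcmagent) {
        $show = (& $azcmagent show) | Out-String
        $m = [regex]::Match($show, 'Agent Status\s*:\s*(\S+)')
        $results += [pscustomobject]@{
            Check = 'Arc agent status Connected'
            Ok    = ($m.Success -and $m.Groups[1].Value -eq 'Connected')
        }
    } else {
        $results += [pscustomobject]@{ Check = 'azcmagent.exe installed'; Ok = $false }
    }
    return $results
}

# Usage: every row should report Ok = True before you create the DCR in Step 4.
# The GUID below is a placeholder for your workspace ID.
Test-Ws2016MonitorAgent -WorkspaceId '00000000-0000-0000-0000-000000000000' |
    Format-Table -AutoSize
```

A failed TCP probe to the handler.control or ods endpoint is the usual reason an otherwise healthy-looking agent never delivers data, so fix egress before debugging the rule itself.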
Step 4: Create a Data Collection Rule (DCR)
Data Collection Rules define what data to collect and where to send it. In the Azure Portal, navigate to Azure Monitor > Data Collection Rules > Create. Provide a name and select your region. Under Resources, associate the rule with your Arc-enabled Windows Server 2016. Under Collect and Deliver, add data sources:
Add Windows Event Logs: for System and Application select at minimum Critical and Error; for Security select Audit failure (and Audit success only if your audit policy requires it, since it is high volume). The Custom option accepts XPath, for example Security!*[System[band(Keywords,4503599627370496)]] for audit failures and System!*[System[(Level=1 or Level=2)]] for Critical and Error. Add Performance Counters at a 60-second sample rate: \Processor(_Total)\% Processor Time, \Memory\Available MBytes, \LogicalDisk(*)\Disk Reads/sec and \LogicalDisk(*)\Disk Writes/sec. Set the destination to your Log Analytics workspace. Note that with the Microsoft-Event stream, Security log records are written to the Event table, not SecurityEvent; the SecurityEvent table is populated by the Microsoft Sentinel "Windows Security Events via AMA" connector.
Create the DCR via CLI. The rule body must define the data sources as well as the destinations and data flows (a flow that references a stream no data source emits collects nothing), so put it in a JSON file and pass it with --rule-file. dcr.json uses the same shape as the REST API body: properties.dataSources with a windowsEventLogs entry (streams ["Microsoft-Event"] and the XPath queries from above) and a performanceCounters entry (streams ["Microsoft-Perf"], samplingFrequencyInSeconds 60 and the four counterSpecifiers), properties.destinations.logAnalytics with name ws2016logs and workspaceResourceId /subscriptions/{sub-id}/resourceGroups/MonitoringRG/providers/Microsoft.OperationalInsights/workspaces/WS2016-Logs, and properties.dataFlows mapping both streams to ws2016logs:
az monitor data-collection rule create \
  --resource-group MonitoringRG \
  --name WS2016-DCR \
  --location eastus \
  --rule-file dcr.json
Then associate the rule with the server. The portal does this under Resources, the CLI does not, and without an association the agent collects nothing:
az monitor data-collection rule association create \
  --name WS2016-DCR-assoc \
  --rule-id /subscriptions/{sub-id}/resourceGroups/MonitoringRG/providers/Microsoft.Insights/dataCollectionRules/WS2016-DCR \
  --resource /subscriptions/{sub-id}/resourceGroups/MonitoringRG/providers/Microsoft.HybridCompute/machines/WS2016-01
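The rule body is easy to get subtly wrong by hand, most often a dataFlows entry naming a stream that no data source emits or a destination name that does not match. The following is an added example, not part of the original guide or of Microsoft's tooling: it builds the Step 4 rule as PowerShell objects, checks the stream and destination references, writes dcr.json for the CLI command above, and can deploy the rule and its association directly through the ARM REST API with Invoke-AzRestMethod (Az.Accounts, after Connect-AzAccount). The function names, the {sub-id} placeholder, the machine name WS2016-01 and the association name are assumptions.

```powershell
# Added example (not from the original guide or Microsoft tooling). Function names,
# the {sub-id} placeholder and the association name are assumptions.
function New-Ws2016DcrBody {
    param(
        [Parameter(Mandatory)][string]$WorkspaceResourceId,
        [string]$Location = 'eastus'
    )
    # Event level 1 = Critical, 2 = Error. The Security log has no levels; keyword
    # 0x10000000000000 (4503599627370496) selects Audit Failure records.
    $eventXPath = @(
        'System!*[System[(Level=1 or Level=2)]]',
        'Application!*[System[(Level=1 or Level=2)]]',
        'Security!*[System[band(Keywords,4503599627370496)]]'
    )
    # Counter paths use the Windows \Object(Instance)\Counter form.
    $counters = @(
        '\Processor(_Total)\% Processor Time',
        '\Memory\Available MBytes',
        '\LogicalDisk(*)\Disk Reads/sec',
        '\LogicalDisk(*)\Disk Writes/sec'
    )
    [ordered]@{
        location   = $Location
        kind       = 'Windows'
        properties = [ordered]@{
            dataSources = [ordered]@{
                windowsEventLogs = @(@{
                    name = 'eventLogs'; streams = @('Microsoft-Event'); xPathQueries = $eventXPath
                })
                performanceCounters = @(@{
                    name = 'perfCounters'; streams = @('Microsoft-Perf')
                    samplingFrequencyInSeconds = 60; counterSpecifiers = $counters
                })
            }
            destinations = @{ logAnalytics = @(@{ name = 'ws2016logs'; workspaceResourceId = $WorkspaceResourceId }) }
            dataFlows    = @(@{ streams = @('Microsoft-Event', 'Microsoft-Perf'); destinations = @('ws2016logs') })
        }
    }
}

function Test-DcrBody {
    param([Parameter(Mandatory)][System.Collections.IDictionary]$Body)
    $problems = @()
    $emitted  = @()
    foreach ($group in $Body.properties.dataSources.Values) {
        foreach ($source in $group) { $emitted += $source.streams }
    }
    $destNames = @($Body.properties.destinations.logAnalytics | ForEach-Object { $_.name })
    foreach ($flow in $Body.properties.dataFlows) {
        foreach ($s in $flow.streams) {
            if ($emitted -notcontains $s) { $problems += "dataFlow uses stream '$s' that no data source emits" }
        }
        foreach ($d in $flow.destinations) {
            if ($destNames -notcontains $d) { $problems += "dataFlow uses destination '$d' that is not defined" }
        }
    }
    return $problems   # empty means the rule is consistent
}

function Publish-Ws2016Dcr {
    param(
        [Parameter(Mandatory)][string]$SubscriptionId,
        [string]$ResourceGroup = 'MonitoringRG',
        [string]$MachineName   = 'WS2016-01',
        [switch]$Deploy          # without -Deploy only dcr.json is written
    )
    $prefix    = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup/providers"
    $wsId      = "$prefix/Microsoft.OperationalInsights/workspaces/WS2016-Logs"
    $dcrId     = "$prefix/Microsoft.Insights/dataCollectionRules/WS2016-DCR"
    $machineId = "$prefix/Microsoft.HybridCompute/machines/$MachineName"

    $body     = New-Ws2016DcrBody -WorkspaceResourceId $wsId
    $problems = Test-DcrBody -Body $body
    if ($problems) { throw ($problems -join [Environment]::NewLine) }   # never deploy an inconsistent rule

    # Write UTF-8 without a BOM so `az ... --rule-file dcr.json` parses it cleanly.
    $json = $body | ConvertTo-Json -Depth 10
    [IO.File]::WriteAllText((Join-Path $PWD.Path 'dcr.json'), $json, [Text.UTF8Encoding]::new($false))
    if (-not $Deploy) { return }

    # PUT the rule, then PUT the association that binds it to the Arc machine.
    Invoke-AzRestMethod -Method PUT -Path "${dcrId}?api-version=2022-06-01" -Payload $json
    $assoc = @{ properties = @{ dataCollectionRuleId = $dcrId } } | ConvertTo-Json
    Invoke-AzRestMethod -Method PUT -Payload $assoc `
        -Path "$machineId/providers/Microsoft.Insights/dataCollectionRuleAssociations/WS2016-DCR-assoc?api-version=2022-06-01"
}

# Usage: write dcr.json first and inspect it, then rerun with -Deploy after Connect-AzAccount.
Publish-Ws2016Dcr -SubscriptionId '{sub-id}'
```

Test-DcrBody is the part worth keeping around: run it against any rule body before a PUT, and extend the destination list if you add azureMonitorMetrics or custom-table destinations later.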
Step 5: Query Data in Log Analytics
After the agent and DCR are active, data begins flowing to Log Analytics within a few minutes. Open the Log Analytics workspace in the Azure Portal and click Logs. Use Kusto Query Language (KQL) to query the data.
Query recent critical Windows events:
Event
| where TimeGenerated > ago(24h)
| where EventLevelName == "Error" or EventLevelName == "Critical"
| where Computer == "WS2016-01"
| project TimeGenerated, EventLog, EventID, RenderedDescription
| order by TimeGenerated desc
Query CPU performance over time:
Perf
| where TimeGenerated > ago(24h)
| where Computer == "WS2016-01"
| where ObjectName == "Processor" and CounterName == "% Processor Time" and InstanceName == "_Total"
| summarize avg(CounterValue) by bin(TimeGenerated, 5m)
| render timechart
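The same queries can be run from PowerShell, which is also the quickest way to confirm that the agent is actually reporting before you trust any dashboard. The following is an added example, not part of the original guide or of Microsoft's tooling: it uses Invoke-AzOperationalInsightsQuery (Az.OperationalInsights; requires Connect-AzAccount and Log Analytics Reader on the workspace) to check the AMA heartbeat for WS2016-01 and to pull Security audit failures from the Event table. The function names and the placeholder workspace GUID are assumptions.

```powershell
# Added example (not from the original guide or Microsoft tooling). Function names and
# the workspace ID placeholder are assumptions.
function Get-Ws2016AgentHealth {
    param(
        [Parameter(Mandatory)][string]$WorkspaceId,  # workspace ID (GUID), shown on the workspace Overview blade
        [string]$Computer = 'WS2016-01',
        [int]$StaleAfterMinutes = 15
    )
    # AMA heartbeats land in Heartbeat with Category "Azure Monitor Agent". A stale or
    # missing heartbeat is a blind spot, so it is reported as unhealthy here.
    $query = @"
Heartbeat
| where Computer == '$Computer' and Category == 'Azure Monitor Agent'
| summarize LastHeartbeat = max(TimeGenerated)
| extend MinutesSilent = datetime_diff('minute', now(), LastHeartbeat)
"@
    $row  = (Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $query).Results |
                Select-Object -First 1
    $seen = -not [string]::IsNullOrEmpty($row.LastHeartbeat)
    [pscustomobject]@{
        Computer      = $Computer
        LastHeartbeat = $row.LastHeartbeat
        Healthy       = ($seen -and [int]$row.MinutesSilent -le $StaleAfterMinutes)
    }
}

function Get-Ws2016AuditFailures {
    param(
        [Parameter(Mandatory)][string]$WorkspaceId,
        [string]$Computer = 'WS2016-01',
        [int]$Hours = 24
    )
    # With the Microsoft-Event stream from Step 4, Security log records are in Event,
    # not SecurityEvent, and only Audit Failure records were collected. 4625 = failed
    # logon, 4776 = failed NTLM credential validation (local accounts on a member server).
    $query = @"
Event
| where TimeGenerated > ago(${Hours}h)
| where Computer == '$Computer' and EventLog == 'Security'
| where EventID in (4625, 4776)
| summarize Count = count(), Latest = max(TimeGenerated) by EventID
| order by Count desc
"@
    (Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $query).Results
}

# Usage (the GUID is a placeholder for your workspace ID):
$ws = '00000000-0000-0000-0000-000000000000'
Get-Ws2016AgentHealth -WorkspaceId $ws
Get-Ws2016AuditFailures -WorkspaceId $ws | Format-Table -AutoSize
```

If Get-Ws2016AgentHealth returns Healthy = False while the service checks from Step 3 pass, the rule association is the first thing to verify; an agent with no associated DCR heartbeats briefly but forwards no events.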
Step 6: Configure Azure Monitor Alerts
Create metric or log-based alert rules in Azure Monitor. For a high-CPU alert based on a Log Analytics query, filter on the _Total instance (otherwise a single busy core fires the alert) and average the samples over the window so one spike does not page anyone. The placeholder name HighCpu links --condition to --condition-query:
az monitor scheduled-query create \
  --resource-group MonitoringRG \
  --name HighCPUAlert-WS2016 \
  --scopes /subscriptions/{sub-id}/resourceGroups/MonitoringRG/providers/Microsoft.OperationalInsights/workspaces/WS2016-Logs \
  --condition "count 'HighCpu' > 0" \
  --condition-query HighCpu="Perf | where Computer == 'WS2016-01' and ObjectName == 'Processor' and CounterName == '% Processor Time' and InstanceName == '_Total' | summarize AvgCpu = avg(CounterValue) | where AvgCpu > 90" \
  --evaluation-frequency 5m \
  --window-size 5m \
  --severity 2 \
  --action-groups /subscriptions/{sub-id}/resourceGroups/MonitoringRG/providers/microsoft.insights/actionGroups/EmailAdmins
Step 7: Create an Azure Monitor Workbook
Workbooks are interactive dashboards in Azure Monitor. Navigate to Azure Monitor > Workbooks > New. Add tiles using KQL queries for CPU, memory, disk, and event summaries. Pin the workbook to the Azure Portal dashboard for a centralized operations view covering all monitored Windows Server 2016 instances.
Best Practices
Use the Azure Monitor Agent (AMA) for all deployments; the legacy Log Analytics agent (MMA) was retired in August 2024 and no longer receives fixes. Restrict Log Analytics workspace access with Azure RBAC, giving analysts Log Analytics Reader rather than Contributor and using table-level RBAC if the Security log is collected into a shared workspace, because Security events expose account names and logon sources. Set workspace retention to your compliance requirement: the default interactive retention is 30 days, which is usually too short for security or audit investigations. Alert on a missing Heartbeat from each server as well as on CPU; a stopped or blocked agent is a blind spot that otherwise goes unnoticed. Use Microsoft Sentinel (formerly Azure Sentinel) on the same workspace for SIEM correlation across servers, and its Windows Security Events via AMA connector if you need the SecurityEvent table. Azure Monitor can coexist with on-premises tools such as Zabbix or SCOM for a layered hybrid observability strategy.