Tutorial: Getting Started with Azure Log Analytics

This tutorial will guide you through the essential steps of using Azure Log Analytics to collect, analyze, and visualize your Azure resource logs. We'll cover setting up a workspace, sending logs, writing basic queries, and visualizing data.

Step 1: Create a Log Analytics Workspace

A Log Analytics workspace is the central repository for your log data. It is also the boundary for who can read that data (Azure RBAC on the workspace, for example the Log Analytics Reader role) and for how long it is kept (the workspace retention setting). Before you can collect logs, you need to create one.

Prerequisites:

An Azure subscription.

  1. Navigate to the Azure portal.
  2. In the search bar, type "Log Analytics workspaces" and select it from the results.
  3. Click Create.
  4. Fill in the required details:
    • Subscription: Select your Azure subscription.
    • Resource group: Create a new one or select an existing one.
    • Name: A unique name for your workspace.
    • Region: Choose a region close to your resources. Log data is stored in this region, so check it against any data residency requirements you have before creating the workspace.
  5. Click Review + create, then Create.

It might take a few minutes for the workspace to be deployed.

Step 2: Enable Log Collection for Azure Resources

Once your workspace is ready, you need to configure your Azure resources to send their logs to it.

For Virtual Machines:

The Log Analytics agent (also known as MMA or the OMS agent) is legacy and was retired on 31 August 2024; use the Azure Monitor Agent (AMA). AMA is installed as a VM extension and configured through a data collection rule (DCR), which defines what to collect and which workspace receives it. The Agents pane in the workspace (Settings > Agents) still shows the workspace ID and keys that the legacy agent used to connect; treat those keys as secrets, because anyone holding them can write data into your workspace.

  1. In the Azure portal, go to Monitor, then Data Collection Rules, and click Create.
  2. On Basics, name the rule, choose its region, and set Platform Type to Windows or Linux.
  3. On Resources, add the virtual machines that should send logs. The portal installs the Azure Monitor Agent extension on them, enabling a system-assigned managed identity if the VM does not already have one.
  4. On Collect and deliver, add a data source: for Windows VMs choose Windows Event Logs and include the Security log (audit success and audit failure); for Linux VMs choose Linux Syslog and the facilities you need.
  5. Set the destination to your Log Analytics workspace, then review and create the rule.

Security log entries collected through a DCR created this way land in the Event table. The SecurityEvent table used in Step 3 is populated only when the dedicated security events stream is configured, which the Microsoft Sentinel "Windows Security Events via AMA" data connector or Microsoft Defender for Cloud does for you; check which table your data is in before writing queries against it.

For Other Azure Services (e.g., App Services, Storage Accounts, Key Vaults):

  1. Navigate to the specific Azure resource you want to monitor.
  2. Under Monitoring, select Diagnostic settings.
  3. Click Add diagnostic setting.
  4. Select the log categories you want to collect. Categories are specific to the resource type: a Key Vault exposes AuditEvent (every secret, key and certificate operation), a storage account's blob service exposes StorageRead, StorageWrite and StorageDelete, and each type also offers an allLogs category group that selects all of them.
  5. Under Destination details, select Send to Log Analytics workspace and choose your workspace.
  6. Click Save.

Diagnostic settings are per resource: a resource without one sends nothing, and nothing warns you that it is missing. For more than a handful of resources, enforce them with an Azure Policy deployIfNotExists assignment rather than configuring them by hand. The subscription-level Activity log (who created, changed or deleted what, which feeds the AzureActivity table used in Step 3) is not a resource category; export it with its own diagnostic setting under Monitor > Activity log > Export Activity Logs, choosing the same workspace.
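Once collection is configured for VMs and for other resources, the check a practitioner wants is that data is actually arriving and keeps arriving. The KQL below is added here as an example and is not part of the original tutorial; it uses only the built-in Usage and Heartbeat tables and their standard columns, and the 15-minute silence threshold is an assumption to adjust to your environment. Run it in Logs under General in your workspace.

```kql
// Added example (not from the original tutorial): verify that log collection
// configured in Step 2 is producing data, and detect agents that went quiet.

// 1. Which tables received billable data in the last 24 hours, and how much.
//    The Usage table reports ingested volume in MB per table (DataType), so a
//    table you expect to see (e.g. Event, SecurityEvent, AzureDiagnostics)
//    that is missing here means its source is not sending anything.
Usage
| where TimeGenerated > ago(24h)
| where IsBillable == true
| summarize IngestedGB = round(sum(Quantity) / 1024, 2) by DataType
| order by IngestedGB desc

// 2. VMs whose agent has stopped reporting. Every agent writes a Heartbeat row
//    roughly once a minute, so a last heartbeat older than 15 minutes (an
//    assumed threshold; tune it) means the VM is off or the agent is broken,
//    and its security logs are silently not arriving.
Heartbeat
| summarize LastHeartbeat = max(TimeGenerated) by Computer, ResourceId
| where LastHeartbeat < ago(15m)
| project Computer, ResourceId, LastHeartbeat,
          MinutesSilent = datetime_diff('minute', now(), LastHeartbeat)
| order by LastHeartbeat asc
```

The editor treats the blank line between the two queries as a separator: place the cursor in the query you want and click Run. The second query is a good candidate for the alerting feature mentioned at the end of this tutorial, since a VM that stops heartbeating is a monitoring gap an attacker could be standing in.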

Step 3: Write Your First Log Analytics Query

Log Analytics uses the Kusto Query Language (KQL) to query your log data.

Example: View the 10 most recent security events

Navigate to your Log Analytics workspace, then go to Logs under General, and run:


SecurityEvent
| top 10 by TimeGenerated desc


top sorts by TimeGenerated and keeps the 10 newest rows. The shorter form SecurityEvent | take 10 returns 10 arbitrary rows with no ordering guarantee; take is for a quick look at a table's shape, not for "what happened last". The SecurityEvent table holds Windows Security event log entries, such as logon success (event 4624) and logon failure (event 4625), from VMs whose agent is configured to collect them; it stays empty until that collection is enabled (see Step 2).

Example: Find errors in Azure Activity Logs

The AzureActivity table logs subscription-level events.


AzureActivity
| where Level == "Error"
| project TimeGenerated, Caller, ResourceGroup, ActivityStatus, Properties
| order by TimeGenerated desc

This query filters for events with a Level of "Error", projects specific columns, and orders them by the most recent.
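The two queries above filter and project single rows. A detection query aggregates first and then asks a question of the aggregate. The following KQL is added here as an example and is not part of the original tutorial; it runs over the SecurityEvent table and its standard columns (EventID, IpAddress, TargetUserName, SubStatus, LogonType, Computer), and the thresholds of 20 failures or 5 distinct accounts in one hour are assumptions to tune against your own baseline.

```kql
// Added example, not from the original tutorial: find logon sources that fail
// abnormally often against VMs reporting to this workspace, and call out any
// that later logged on successfully (the pattern of a guessed password).
// Thresholds (20 failures, 5 distinct accounts) are illustrative assumptions.
let lookback = 1h;
let failures =
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4625                        // An account failed to log on
    | where isnotempty(IpAddress) and IpAddress != "-"   // drop local/console attempts
    | summarize
        Failures = count(),
        DistinctAccounts = dcount(TargetUserName),
        Accounts = make_set(TargetUserName, 10),   // at most 10 names per row
        Reasons = make_set(SubStatus, 5),          // 0xc000006a = bad password, 0xc0000064 = no such user
        LastFailure = max(TimeGenerated)
        by Computer, IpAddress
    | where Failures >= 20 or DistinctAccounts >= 5;
let successes =
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4624                        // An account was successfully logged on
    | where LogonType in (3, 10)                   // network (3) and RDP (10); ignore service/local logons
    | summarize LastSuccess = max(TimeGenerated),
                SucceededAs = make_set(TargetUserName, 5)
        by Computer, IpAddress;
failures
| join kind=leftouter successes on Computer, IpAddress
| extend Verdict = case(
    isnotnull(LastSuccess) and LastSuccess > LastFailure, "success after failures: investigate now",
    DistinctAccounts >= 5, "possible password spray",
    "possible brute force")
| project Computer, IpAddress, Failures, DistinctAccounts, Accounts, Reasons,
          LastFailure, LastSuccess, SucceededAs, Verdict
| order by Failures desc
```

Many failures against many accounts from one address is a spray; many against one account is brute force; either followed by a 4624 from the same address after the last failure deserves an immediate look at that session. Because the final row set is small and already carries a verdict, this query can be used unchanged as the condition of a log search alert rule.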

Tip: Explore the Tables pane on the left in the Log Analytics query editor to discover available data schemas.

Step 4: Visualize Your Data

Log Analytics allows you to create charts and dashboards from your query results.

  1. Run a query that returns summary data (e.g., count of events over time).
  2. Above the query results, click the Chart button and select a chart type (e.g., Time chart).
  3. You can then click Pin to dashboard to save the visualization to a dashboard.
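A time chart needs one row per time bucket, and for security data the empty buckets matter as much as the busy ones. The following KQL is added here as an example and is not part of the original tutorial; it assumes the SecurityEvent table is populated (see Step 2) and uses standard KQL operators only.

```kql
// Added example, not from the original tutorial: failed logons per hour as a
// gap-free time series with statistical anomaly flags, ready to chart or pin.
// make-series emits a row for every hour in the range (hours with no events
// become 0), whereas summarize ... by bin(TimeGenerated, 1h) omits empty hours
// entirely, so a chart built on bin() hides exactly the quiet periods that
// indicate an agent has gone offline.
SecurityEvent
| where TimeGenerated > ago(7d)
| where EventID == 4625
| make-series Failures = count() default = 0
    on TimeGenerated from ago(7d) to now() step 1h
// series_decompose_anomalies: score threshold 1.5 (lower = more sensitive),
// seasonality auto-detected (-1), trend modelled with a fitted line.
| extend (Anomaly, Score, Baseline) = series_decompose_anomalies(Failures, 1.5, -1, 'linefit')
| render anomalychart with (anomalycolumns=Anomaly, title='Failed logons per hour (event 4625)')
```

Set the time range picker to at least 7 days before running, otherwise the picker's range trims the series. For a plain time chart without anomaly marking, drop the extend line and replace the render line with | render timechart; either chart can be pinned to a dashboard as described above.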

This is a basic introduction. Log Analytics offers powerful features like alerting, workbooks for advanced reporting, and integrations with other Azure services.
