Monitoring Azure Logs
This tutorial will guide you through the process of monitoring logs generated by your Azure resources. Effective log monitoring is crucial for troubleshooting, security analysis, and understanding the operational health of your applications and services.
Prerequisites:
- An active Azure subscription.
- An Azure resource (e.g., Virtual Machine, App Service) for which you want to monitor logs.
Understanding Azure Monitor Logs
Azure Monitor provides a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments. Log data is a key part of this telemetry.
Key Components:
- Log Analytics Workspace: A central repository for storing and querying log data.
- Diagnostic Settings: Configuration on Azure resources to send logs and metrics to Log Analytics, Storage Accounts, or Event Hubs.
- Azure Monitor Logs (Log Analytics): The service that enables you to query and analyze your log data using Kusto Query Language (KQL).
Configuring Diagnostic Settings
To start collecting logs, you need to configure diagnostic settings for your Azure resources.
Steps:
- Navigate to your Azure resource in the Azure portal.
- In the left-hand menu, under "Monitoring," select "Diagnostic settings."
- Click "Add diagnostic setting."
- Select the log categories you want to collect (e.g., `AllLogs`, `AuditEvent`, `HTTPProxy`). The categories offered depend on the resource type, so the list you see will differ between, say, a Key Vault and an App Service.
- Under "Destination details," choose "Send to Log Analytics workspace" and select your target workspace.
- Click "Save."
Once configured, logs will start flowing to your selected Log Analytics workspace. Allow a few minutes for the first records to appear before you assume the setting is not working.
Querying Logs with Kusto Query Language (KQL)
Kusto Query Language (KQL) is used to query data in Log Analytics. Here are some basic examples:
Example 1: View the last 100 security events
```kql
// `take 100` returns an arbitrary 100 rows, not the newest ones;
// sort by TimeGenerated to get the 100 most recent events
SecurityEvent
| top 100 by TimeGenerated desc
```
Example 2: View all Azure Activity Logs from the last 24 hours
```kql
// AzureActivity exposes the outcome as ActivityStatusValue (there is no Status column)
AzureActivity
| where TimeGenerated > ago(24h)
| project TimeGenerated, OperationName, ResourceGroup, Caller, ActivityStatusValue
```
Example 3: Count successful web server requests
```kql
// In the AzureDiagnostics table App Service columns carry type suffixes,
// so the HTTP status code is ScStatus_d. If the diagnostic setting uses
// resource-specific mode instead, query AppServiceHTTPLogs and use ScStatus.
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.WEB"
| where Category == "AppServiceHTTPLogs"
| where ScStatus_d >= 200 and ScStatus_d < 300
| summarize count() by bin(TimeGenerated, 5m)
```
You can explore more KQL queries and advanced functionalities in the KQL documentation.
Visualizing Log Data
Azure Monitor allows you to visualize your log data using charts and dashboards.
- Charts: Directly create charts from your KQL queries in Log Analytics.
- Workbooks: Create rich interactive reports by combining text, KQL queries, metrics, and parameters.
- Dashboards: Pin charts and query results to Azure Dashboards for a high-level overview.
Alerting on Log Data
Set up alerts to notify you when specific conditions are met based on your log data. This is essential for proactive incident response, and it is also how you notice when the logging pipeline itself has been changed or turned off.
- Go to "Alerts" in Azure Monitor.
- Click "New alert rule."
- Select your subscription and resource group.
- Configure the "Condition" using a log search query.
- Define "Actions" to be taken (e.g., send an email, trigger an Azure Function).
- Complete the alert rule details and create it.
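A condition query worth wiring into the alert rule above, as an added example that is not part of the original tutorial: it watches the AzureActivity table for changes to the diagnostic settings this tutorial configures, since deleting or rewriting a diagnostic setting is how log collection silently stops. It assumes AzureActivity is being collected into the workspace, and the automation account name used for the exclusion is a placeholder.

```kql
// Added example: alert condition for tampering with diagnostic settings.
// Assumes the Activity Log is routed to this workspace (AzureActivity table).
AzureActivity
| where TimeGenerated > ago(1h)
// Both operations belong to the Microsoft.Insights provider; in~ matches case-insensitively.
// DELETE removes the setting entirely, WRITE can redirect logs to another destination.
| where OperationNameValue in~ (
    "MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE",
    "MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/WRITE")
// The Activity Log records a Start event and a Success/Failure event per operation;
// keep only completed ones (status naming differs between schema versions).
| where ActivityStatusValue in~ ("Success", "Succeeded")
// Exclude the identity you expect to manage these settings (placeholder name, not a real account).
| where Caller !~ "diag-settings-automation@example.com"
| project TimeGenerated, OperationNameValue, Caller, CallerIpAddress, ResourceGroup, _ResourceId
// One row per actor so a single alert summarises a burst of changes
| summarize Changes = count(),
            Resources = make_set(_ResourceId, 20),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by Caller, CallerIpAddress
```

In the alert rule, set the evaluation frequency and lookback to match the `ago(1h)` window and fire when the query returns one or more rows.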
Further Learning