Analyze Your Azure Infrastructure by Using Azure Monitor Logs
Azure Monitor is a service for collecting and analyzing telemetry. It helps you get maximum
performance and availability for your cloud applications, and for your on-premises resources and
applications. It shows how your applications are performing and identifies any issues with them.
The following diagram gives a high-level view of Azure Monitor. On the left are the sources of
monitoring data: Azure, operating systems, and custom sources. At the center of the diagram are
the data stores for metrics and logs. On the right are the functions that Azure Monitor performs
with this collected data, such as analysis, alerting, and streaming to external systems.
Azure Monitor collects data automatically from a range of components. For example:
- Data from a variety of sources, such as the application event log, the operating system (Windows and Linux), Azure resources, and custom data sources
- Azure billing details
- Backups of database transaction logs
Because collection is automatic, Azure Monitor begins gathering data from these sources as soon as you create Azure resources such as virtual machines and web apps. You can extend the data that Azure Monitor collects by:
Enabling diagnostics: For some resources, such as Azure SQL Database, you
receive full information about a resource only after you have enabled diagnostic
logging for it. You can use the Azure portal, the Azure CLI, or PowerShell to
enable diagnostics.
Adding an agent: For virtual machines, you can install the Log Analytics agent
and configure it to send data to a Log Analytics workspace. This agent increases
the amount of information that's sent to Azure Monitor.
Your developers might also want to send data to Azure Monitor from custom code, such as a
web app, an Azure function, or a mobile app. They send data by calling the Data Collector API,
a REST interface reached over HTTPS, so it can be used from any framework with an HTTP client,
such as .NET Framework, Node.js, and Python. Requests are authenticated with the workspace ID
and one of the workspace's shared keys; treat that key like any other credential and keep it out
of client-side code, because anyone holding it can write arbitrary records into the workspace.
Logs
Logs are time-stamped records of events that occur in a system, including changes made to
resources. The type of information recorded varies by log source. The log data is organized into
records, with a different set of properties for each type of record. Logs can include numeric values
such as Azure Monitor metrics, but most records carry text rather than numbers.
The most common type of log entry records an event. Events can occur sporadically rather than
at fixed intervals or according to a schedule. Events are created by applications and services,
which provide the context for the events. You can store metric data in logs to combine them with
other monitoring data for analysis.
Azure Monitor stores log data in a Log Analytics workspace, which provides an analysis engine and
a rich query language. Because logs preserve the context around a problem, they are the data you
turn to when identifying root causes.
Metrics
Metrics are numerical values that describe some aspect of a system at a point in time. Azure
Monitor can capture metrics in near real time. The metrics are collected at regular intervals and
are useful for alerting because of their frequent sampling. You can use a variety of algorithms to
compare a metric to other metrics and observe trends over time.
Metrics are stored in a time-series database. This data store is most effective for analyzing time-
stamped data. Metrics are suited for alerting and fast detection of issues. They can tell you about
system performance. If needed, you can combine them with logs to identify the root cause of
issues.
Analyzing logs by using Kusto
To retrieve, consolidate, and analyze data, you specify a query to run in Azure Monitor logs. You
write a log query with the Kusto query language, which is also used by Azure Data Explorer.
Log queries can be tested in the Azure portal so you can work with them interactively. You
typically start with basic queries and then progress to more advanced functions as your
requirements become more complex.
In the Azure portal, you can create custom dashboards, which are targeted displays of resources
and data. Each dashboard is built from a set of tiles. Each tile might show a set of resources, a
chart, a table of data, or some custom text. Azure Monitor provides tiles that you can add to
dashboards. For example, you might use a tile to display the results of a Kusto query in a
dashboard.
In the example scenario, the operations team can consolidate its data by visualizing monitoring
data as charts and tables. These tools are effective for summarizing data and presenting it to
different audiences.
By using Azure dashboards, you can combine various kinds of data, including both logs and
metrics, into a single pane in the Azure portal. For example, you might want to create a
dashboard that combines tiles that show a graph of metrics, a table of activity logs, charts from
Azure Monitor, and the output of a log query.
You use Azure Monitor log queries to extract information from log data. Querying is an
important part of examining the log data that Azure Monitor captures.
In the example scenario, the operations team will use Azure Monitor log queries to
examine the health of its system.
In the Azure portal, the Azure Monitor page offers several views, including Activity
Log, Alerts, Metrics, and Logs. The Logs view is where you write and run queries.
The syntax of a tabular expression statement has a tabular data flow from one tabular
query operator to another, starting with a data source. A data source might be a table in
a database, or an operator that produces data. The data then flows through a set of data
transformation operators that are bound together with the pipe (|) delimiter.
For example, the following Kusto query has a single tabular expression statement. The
statement starts with a reference to a table called Events. The database that hosts this
table is implicit here, and is part of the connection information. The data for that table,
stored in rows, is filtered by the value of the StartTime column. The data is filtered
further by the value of the State column. The query then returns the count of the
resulting rows.
```kusto
Events
| where StartTime >= datetime(2018-11-01) and StartTime < datetime(2018-12-01)
| where State == "FLORIDA"
| count
```
Note
The Kusto query language that Azure Monitor uses is case-sensitive. Language keywords
are typically written in lowercase. When you're using names of tables or columns in a
query, make sure to use the correct case.
Events, captured from the event logs of monitored computers, are just one type of data
source. Azure Monitor provides many other types of data sources. For example,
the Heartbeat data source reports the health of all computers that report to your Log
Analytics workspace. You can also capture data from performance counters, and update
management records.
The following example retrieves the most recent heartbeat record for each computer.
The computer is identified by its IP address. In this example, the summarize aggregation
with the arg_max function returns the record with the most recent value for each IP
address.
```kusto
Heartbeat
| summarize arg_max(TimeGenerated, *) by ComputerIP
```
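Building on the arg_max query above, the following query (an added example, not part of the module) turns the latest heartbeat per computer into a list of machines that have gone silent, which is how the operations team can spot hosts that have been halted, whether by an attacker or by a fault. It assumes the standard Heartbeat columns Computer, ComputerIP, OSType and TimeGenerated; the 7-day lookback and the 10-minute staleness threshold are assumptions to tune for your environment.

```kusto
// Added example: hosts whose most recent heartbeat is older than a threshold.
// Assumes the standard Heartbeat columns Computer, ComputerIP, OSType, TimeGenerated.
let lookback = 7d;          // how far back to look for any heartbeat at all (assumption)
let silent_for = 10m;       // a healthy agent reports about once a minute (assumption)
Heartbeat
| where TimeGenerated > ago(lookback)
// Keep only the newest row per computer, carrying the columns we want to show.
| summarize arg_max(TimeGenerated, ComputerIP, OSType) by Computer
| extend SilentFor = now() - TimeGenerated
| where SilentFor > silent_for
| project Computer, ComputerIP, OSType, LastHeartbeat = TimeGenerated, SilentFor
| order by SilentFor desc
```

A host that never reported inside the lookback window does not appear at all, so for a complete picture compare the result against an inventory of the machines that are supposed to be reporting.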
The operations team doesn't currently have enough information about the behavior of
its systems to diagnose and resolve problems effectively. To address this issue, the team
has configured an Azure Monitor workspace with the company's Azure services. It will
run Kusto queries to get the status of the system, and attempt to identify the causes of
any problems that might occur.
In particular, the team is interested in monitoring security events to check for possible
attempts to break into the system. An attacker might try to manipulate the applications
running on the system, so the team also wants to gather application data for further
analysis. An attacker might also try to halt the computers that compose the system, so
the team wants to examine how and when machines are stopped and restarted.
In this exercise, you'll practice performing Azure Monitor log queries. You'll use a
demonstration set of data.
1. In your browser, open the Azure Monitor Demo Logs pane in the Azure
portal.
2. Enter a basic query in the Type your query here box. The example query
returns 10 records from the SecurityEvent table. Note that take picks any 10 rows;
it does not guarantee that they are the most recent ones.
```kusto
SecurityEvent
| take 10
```
3. Select Run to execute the query and see the results. You can view each row
in the results to get more information.
4. Return the 10 most recent events by running the following query. The top operator
sorts by TimeGenerated (descending by default) before taking the first 10 rows.
```kusto
SecurityEvent
| top 10 by TimeGenerated
```
5. Enter a query by using a filter clause and a time range. This query fetches
records that are more than 30 minutes old and that have a level of 10 or
more.
```kusto
SecurityEvent
| where TimeGenerated < ago(30m)
| where toint(Level) >= 10
```
6. Enter a query that retrieves the events written to the Application event log
during the last 24 hours.
```kusto
Event
| where EventLog == "Application"
| where TimeGenerated > ago(24h)
```
7. Run the following query. This query displays the number of different
computers that generated heartbeat events each week, for the last three
weeks. The results are displayed as a bar chart.
```kusto
Heartbeat
| where TimeGenerated >= startofweek(ago(21d))
| summarize dcount(Computer) by endofweek(TimeGenerated)
| render barchart kind=default
```
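The exercise queries list and sort security events; the next step a security team takes is to turn them into a detection. The following query (an added example, not part of the module) finds accounts that accumulated many failed logons (Windows EventID 4625) from one source address and then logged on successfully (EventID 4624) from that same address, the classic signature of a guessed password. It assumes the standard SecurityEvent columns EventID, Account, IpAddress, Computer, LogonType and TimeGenerated; the one-hour window and the threshold of 10 failures are assumptions.

```kusto
// Added example: failed-logon burst followed by a success from the same address.
// Assumes the standard SecurityEvent columns EventID, Account, IpAddress,
// Computer, LogonType and TimeGenerated. Window and threshold are assumptions.
let lookback = 1h;
let threshold = 10;
// Step 1: (account, source address) pairs that failed repeatedly.
let failed = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4625                      // An account failed to log on
    | summarize Failures = count(), LastFailure = max(TimeGenerated)
        by Account, IpAddress
    | where Failures >= threshold;
// Step 2: successes for those same pairs that happened after the last failure.
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID == 4624                          // An account was successfully logged on
| project Account, IpAddress, Computer, LogonType, SuccessTime = TimeGenerated
| join kind=inner failed on Account, IpAddress
| where SuccessTime > LastFailure
| project Account, IpAddress, Computer, LogonType, Failures, LastFailure, SuccessTime
| order by Failures desc
```

Run it first without the join (only the failed table) to see the raw noise: misconfigured service accounts and local logons, which report a placeholder address rather than a real one, produce bursts too, and those sources are the ones to exclude with an additional where clause before turning the query into an alert rule.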
In addition to writing queries from scratch, the operations team can also take advantage
of predefined example queries in Azure Monitor Logs that answer common questions
related to the health, availability, usage and performance of their resources. Use
the Time Range parameter above the query editor to select Last 24 hours as the time
period of concern. Navigate to the Queries tab in the left pane to view a list of the
sample queries grouped by Category, Resource Type, Solution or Topic.
Summary
In this module, you learned how to use Azure Monitor. You looked at Azure Monitor
logs to extract valuable information about your infrastructure from log data by using
queries. You performed these queries by using the Kusto query language.
You can now use Azure Monitor to analyze your environment and troubleshoot issues.
Learn more
For more information about Azure Monitor, see the following articles: