Forum Discussion

loadedlouie27's avatar
loadedlouie27
Brass Contributor
Jun 30, 2020

Azure Monitor - LogAnalytics - Delay in sending alerts

Hi all...  I'm currently using log analytics and alerts for our company and implementing monitoring only through Azure Monitor.    I´m experiencing a lot of delay in receiving the alerts from the ...
azure monitor
yalavi's avatar
yalavi
Icon for Microsoft rankMicrosoft
Jul 12, 2020

loadedlouie27 There is a lot of questions, but I'll answer generally.

 

Log alerts is fully GA and we can assist you in these cases via the official support channels. Our documentation is available for assisting getting you started with the different monitoring options.

 

Log alerts works best when looking for data in the log and less well when looking for lack of data (such as heartbeat). Ingestion delay can impact these alerts:

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-ingestion-time

This means when this happens, you could experience false alerts or late alerts. 

I would recommend you use metric alerts for those use cases unless you need the power of a log alert custom query.

Saying that we are introducing a new flow this month that should improve accuracy of the alerts and lower the chances of you hitting issues.

 

Log search alerts are stateless by design. We are working on adding stateful log alerts that also resolve.

 

  • loadedlouie27's avatar
    loadedlouie27
    Brass Contributor
    Jul 20, 2020

    yalavihi thank you for your time, 

    If you don't mind I have a few questions, I encounter a major issue, in my opinion,

    using the current solution, and I would like to know if they are gonna be addressed,
    or if they are out of the scope for the current road map. 

     

    Are you guys thinking about making the alerts fired being grouped?

    This is one of the major issues I currently see in using the Solution. 

    What I mean is: I have the same alert been checked every 5 minutes, and if it triggered, the alert just keeps on repeating itself and having like 2000 alerts for the same threshold/rule, its kind of a killer, for using the tool correctly, in my opinion. 

    If you go asleep at night, you might wake up the next morning, for a rule that has created 2000 alerts in 8 hours, and have to close the alerts "by hand".

    What I'm suggesting its something a bit kind of Azure Sentinel grouping. 

    Is the "Alert Console" going to be reworked, or allow further customization?

     

    On the Monitoring Side is there any place i can find a direct match from the tables been monitored? 

    What I mean is:  is there a way I can see where to activate, and what,
    in order to get data into a given table in log analytics? 

     

    Thanks in advance, and I'm sorry for my questions, they may be seen a bit noobish,
    but I think some of the topics are like elephants in the room, at least in some documentations in Microsoft. 

    Or the information is so dispersed, that I have trouble getting it.  

Resources