AzureDiagnostics table scema not found in LA

%3CLINGO-SUB%20id%3D%22lingo-sub-1320470%22%20slang%3D%22en-US%22%3EAzureDiagnostics%20table%20scema%20not%20found%20in%20LA%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1320470%22%20slang%3D%22en-US%22%3E%3CP%3ETrying%20to%20ingest%20diagnostics%20data%20and%20configure%20alerts%20for%20Loadbalancers%20and%20Application%20gateway.%20Enabled%20diagnostics%20data%20for%20a%20load%20balancer.%20But%20when%20i%20try%20to%20query%20the%20log%2C%20do%20not%20find%20AzureDiagnostics%20table%20at%20all.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Ashok42_0-1587366220034.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F185298i4DF0C6313CD41592%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20title%3D%22Ashok42_0-1587366220034.png%22%20alt%3D%22Ashok42_0-1587366220034.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1320470%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20Log%20Analytics%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EAzure%20Monitor%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1320572%22%20slang%3D%22en-US%22%3ERe%3A%20AzureDiagnostics%20table%20scema%20not%20found%20in%20LA%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1320572%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F612787%22%20target%3D%22_blank%22%3E%40Ashok42%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIt%20can%20take%2015min%2B%20for%20the%20first%20log%20to%20appear.%26nbsp%3B%20Do%20you%20have%20read%20only%20or%20greater%20access%2C%20in%20case%20you%20are%20excluded%20from%20that%20table%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Fplatform%2Fmanage-access%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Fplatform%2Fmanage-access%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1320851%22%20slang%3D%22en-US%22%3ERe%3A%20AzureDiagnostics%20table%20scema%20not%20found%20in%20LA%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1320851%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%20for%20the%20quick%20response%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F239477%22%20target%3D%22_blank%22%3E%40Clive%20Watson%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIts%20been%26nbsp%3B%20more%20than%206%20hours%20without%20any%20data%20after%20enabling.%26nbsp%3B%20OK%2C%26nbsp%3Bit%20can%20be%20understandable%20that%20sometimes%20data%20ingestion%20might%20got%20delayed%20with%20different%20reasons.%20But%20i%20wonder%20why%20the%20'AzureDiagnostics'%20table%20doesn't%20exist%20at%20all%20%3F%20Schema%20table%20for%20'AzureDiagnostics'%20should%20atleast%20exist%20with%20zero%20data%20by%20default%2Cright%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1321228%22%20slang%3D%22en-US%22%3ERe%3A%20AzureDiagnostics%20Schema%20table%20not%20found%20in%20LA%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1321228%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F239477%22%20target%3D%22_blank%22%3E%40Clive%20Watson%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20contributor%20access%20on%20both%20subscription%20and%20LA.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1321898%22%20slang%3D%22en-US%22%3ERe%3A%20AzureDiagnostics%20Schema%20table%20not%20found%20in%20LA%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1321898%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F612787%22%20target%3D%22_blank%22%3E%40Ashok42%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIs%20it%20possible%20there%20is%20a%20RBAC%20rule%20that%20prevents%20you%20seeing%20that%20Table%3F%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-sentinel%2Ftable-level-rbac-in-azure-sentinel%2Fba-p%2F965043%22%20target%3D%22_blank%22%3Ehttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-sentinel%2Ftable-level-rbac-in-azure-sentinel%2Fba-p%2F965043%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EHave%20you%20made%20sure%20the%20data%20is%20ticked%20and%20its%20going%20to%20the%20workspace%20you%20think%3F%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Annotation%202020-04-20%20164833.jpg%22%20style%3D%22width%3A%20673px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F185389iAFEBC9777676F952%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22Annotation%202020-04-20%20164833.jpg%22%20alt%3D%22Annotation%202020-04-20%20164833.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIs%20the%20resource%20active%20and%20running%20so%20that%20it%20will%20generated%20log%20data%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1330948%22%20slang%3D%22en-US%22%3ERe%3A%20AzureDiagnostics%20Schema%20table%20not%20found%20in%20LA%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1330948%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F239477%22%20target%3D%22_blank%22%3E%40Clive%20Watson%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThere%20are%20no%20granualar%20controls%20configured%20in%20RBAC%20on%20table%20level.%20In%20fact%2C%20this%20is%20a%20new%20environment%20and%20i%20am%20only%20admin%20who%20is%20working%20on%20it.%20Actually%20we%20are%20facing%20this%20problem%20only%20loadbalancer%20service.%20Tried%20to%20enable%20diagnostics%20settings%20for%20Recovery%20service%20vault%20and%20the%20data%20is%20showing%20up%20in%20LA.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Ashok42_1-1587611208693.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F186044iB0F1EC0E8B88936B%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20title%3D%22Ashok42_1-1587611208693.png%22%20alt%3D%22Ashok42_1-1587611208693.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ETo%20repro%20this%20issue%2C%20i%20have%20created%20free%20subscription%20and%20created%20required%20resources%20(basic%20Load%20balancer%2C%20RSV%2C%20LA%20workspace%20and%20few%20VMs).%20Tried%20enabling%20the%20data%20using%20using%20Portal%20and%20Powershell.%3C%2FP%3E%3CP%3EStill%20no%20luck%20and%20don't%20see%20any%20data%20for%20LB.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CEM%3E%24workspace%3DGet-AzOperationalInsightsWorkspace%20-ResourceGroupName%20rg123%20-Name%20ashtstoms%3C%2FEM%3E%3C%2FP%3E%3CP%3E%3CBR%20%2F%3E%3CEM%3ESet-AzDiagnosticSetting%20-ResourceId%20%2Fsubscriptions%2Fa5f28804-de0c-4fa3-b976-deeb9b261faa%2FresourceGroups%2FRG123%2Fproviders%2FMicrosoft.Network%2FloadBalancers%2Fashlb%20-Enabled%20%24true%20-WorkspaceId%20(%24workspace.ResourceId)%20-Name%20testdiag%3C%2FEM%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Ashok42_0-1587611032208.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F186043iD2D5F40C2067AE28%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20title%3D%22Ashok42_0-1587611032208.png%22%20alt%3D%22Ashok42_0-1587611032208.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3Eps%3A%20ready%20to%20provide%20guest%20access%20on%20my%20Free%20subscription.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1398505%22%20slang%3D%22en-US%22%3ERe%3A%20AzureDiagnostics%20Schema%20table%20not%20found%20in%20LA%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1398505%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F612787%22%20target%3D%22_blank%22%3E%40Ashok42%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAs%20per%20the%20microsoft%20support%20update%2C%20it's%20an%20expected%20behavior.%20Microsoft%20stopped%20supporting%20to%26nbsp%3B%20ingesting%20diagnostics%20logs%20for%20a%20internal%20load%20balancer%20(basic%20or%20standard)%20to%20Log%20Analytics.%20Only%20basic%20public%20LB%20is%20allowed%20to%20send%20diagnostic%20logs%20to%20LA.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Occasional Contributor

Trying to ingest diagnostics data and configure alerts for Loadbalancers and Application gateway. Enabled diagnostics data for a load balancer. But when i try to query the log, do not find AzureDiagnostics table at all.

 

Ashok42_0-1587366220034.png

 

6 Replies
Highlighted

@Ashok42 

 

It can take 15min+ for the first log to appear.  Do you have read only or greater access, in case you are excluded from that table?

 

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/manage-access 

Highlighted

Thanks for the quick response @Clive Watson 

Its been  more than 6 hours without any data after enabling.  OK, it can be understandable that sometimes data ingestion might got delayed with different reasons. But i wonder why the 'AzureDiagnostics' table doesn't exist at all ? Schema table for 'AzureDiagnostics' should atleast exist with zero data by default,right?

Highlighted

@Clive Watson 

 

I have contributor access on both subscription and LA.

Highlighted

@Ashok42 

Is it possible there is a RBAC rule that prevents you seeing that Table? https://techcommunity.microsoft.com/t5/azure-sentinel/table-level-rbac-in-azure-sentinel/ba-p/965043

Have you made sure the data is ticked and its going to the workspace you think?

Annotation 2020-04-20 164833.jpg

 

Is the resource active and running so that it will generated log data?

Highlighted

@Clive Watson 

There are no granualar controls configured in RBAC on table level. In fact, this is a new environment and i am only admin who is working on it. Actually we are facing this problem only loadbalancer service. Tried to enable diagnostics settings for Recovery service vault and the data is showing up in LA.

 

Ashok42_1-1587611208693.png

 

To repro this issue, i have created free subscription and created required resources (basic Load balancer, RSV, LA workspace and few VMs). Tried enabling the data using using Portal and Powershell.

Still no luck and don't see any data for LB.

 

$workspace=Get-AzOperationalInsightsWorkspace -ResourceGroupName rg123 -Name ashtstoms


Set-AzDiagnosticSetting -ResourceId /subscriptions/a5f28804-de0c-4fa3-b976-deeb9b261faa/resourceGroups/RG123/providers/Microsoft.Network/loadBalancers/ashlb -Enabled $true -WorkspaceId ($workspace.ResourceId) -Name testdiag

 

Ashok42_0-1587611032208.png

ps: ready to provide guest access on my Free subscription.

Highlighted

@Ashok42 

 

As per the microsoft support update, it's an expected behavior. Microsoft stopped supporting to  ingesting diagnostics logs for a internal load balancer (basic or standard) to Log Analytics. Only basic public LB is allowed to send diagnostic logs to LA.