We are excited to announce the general availability of Azure Monitor Logs’ new set of features, which let you gain more value from your logs at a lower cost. These features were made available in public preview in early 2022 and have already been successfully adopted by a large set of customers, from small companies to very large, complex organizations. The features we’re announcing today provide significant value based on feedback from our preview customers. We’re very happy to introduce them alongside enhanced Azure portal experiences that will help you better manage and control your log data.
These features were developed together with Microsoft Sentinel, to support security analysts and allow access to any data, over any timeframe, and provide the most comprehensive and innovative threat-hunting solution in the market. For more information on new Microsoft Sentinel announcements, see the Sentinel article.
Cost-effective solution for high-volume verbose logs
Basic Logs is a new flavor of logs that enables lower-cost collection of high-volume verbose logs that you use for debugging and troubleshooting, but not for analytics and alerts. This data, which might have been historically stored outside of Azure Monitor Logs, can now be available inside your Log Analytics workspace, enabling one solution for all your log data.
We’ve enhanced the Azure portal and made it easier to set up and consume Basic Logs: you can now use the Table Management blade in your Log Analytics workspace to set the table plan to Basic Logs or back to Analytics, and run search queries on Basic Logs tables from the Logs blade.
Log Archive is an in-place solution to store your data for long-term retention of up to seven years at a cost-effective price point. This lets you store all your data in Azure Monitor Logs, without having to manage an external data store for archival purposes or to query or import data in and out of Azure Monitor Logs. You can access archived data by running a search job or restoring it for a limited time for investigation, as detailed below.
We’ve enhanced the Azure portal experience to support archiving by enabling you to set the archive period per table using the Table Management blade in your Log Analytics workspace.
To enable searching over your expanding data sets, including Basic Logs and archived data, we’re announcing the general availability of a new tool that searches through petabytes of log data: the search job. A search job can run from a few minutes to hours, scanning log data and fetching the relevant records into a new persistent search job results table. The search job results table supports the full set of analytics capabilities to enable further analysis and investigation of these records.
We’ve enhanced the Azure portal experience to support search jobs by enabling you to run a search job from the Logs blade in your Log Analytics workspace.
Restore is another tool for investigating your archived data. Unlike the search job, which accesses data based on specific criteria, restore makes a given time range of the data in a table available for high-performance queries. Restore is a powerful operation, with a relatively high cost, so it should be used in extreme cases when you need direct access to your archived data with the full interactive range of analytics capabilities.