Tool Introduction on How to Efficiently Read Azure Storage Diagnostic Logs

Published May 12 2022 05:02 PM
Microsoft

Many users enable Storage Diagnostic logs to track and audit all successful and failed requests for audit, security or troubleshooting purposes. There are times when you need to analyze the logs to get more insight, for example, to see how many requests relate to different client IP addresses, containers, and so on. The Diagnostic log (classic) is recorded hourly in a container called $logs. Within this container there are multiple levels of subfolders. If you have a high volume of log data with multiple files for each hour, it is quite difficult to combine and view these logs together. This blog introduces two methods to view and analyze large volumes of Azure Storage Diagnostic logs.

 

The most efficient way is to enable the diagnostic setting for the storage account and send the logs to a Log Analytics Workspace on Azure (see Log Analytics Workspace Overview: https://docs.microsoft.com/en-us/azure/azure-monitor/logs/log-analytics-workspace-overview and Create Diagnostic Settings: https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?WT.mc_id=Portal-Microsoft_Azure_Monitoring&tabs=CMD). In a Log Analytics Workspace you can write queries to retrieve and filter logs based on the rules you set. However, Log Analytics Workspaces carry extra cost; see Log Analytics Workspaces Pricing (https://azure.microsoft.com/en-us/pricing/details/monitor/) for details.

 

Besides the Log Analytics Workspaces, there are two other open-source options for you to choose. Both are free of charge.

Method 1: Azure Storage Log Reader

You can download this tool from this link: Download Azure Storage Log Reader (https://nunogabrielmonteiro.github.io/AzureStorageLogReader/).

 

This tool allows you to add multiple files at once, filter logs and sort by one column. You can also export the combined log file to Excel. However, the tool has limitations: it cannot do group-by, and it cannot handle very large amounts of data, so you can easily run into throttling errors.

[Screenshot: the Azure Storage Log Reader tool]

Method 2: Python Code

To overcome the limitations of the first method introduced above, another method is shared here which can work with more data.

 

Let’s assume that you want to group the requests by client IP address and count the total number of requests coming from each IP address. The example logs used in this blog consist of 340 log files holding more than 7 million records in total, so opening them directly in Excel or a text editor easily results in a throttling error. With Python, however, you can loop through all the subfolders, read in all the log files, and do the filtering or other analysis work on the combined data.

 

Usually, the folder structure in your storage account has many more levels, starting from year, month, day, and so on. In this case, we only use logs for one day as an example. I have a folder structure like the one below, and the Python code provided is based on it. The parent folder, called “Logs”, contains Storage logs for one day.

[Screenshot: folder structure of the “Logs” folder, one subfolder per hour]

 

What the code does is to read all the log files into one table in Python, do some simple filtering and grouping work, and finally save the results as csv files for you.

 

How to run the script:

 

The Python code provided is written as a Jupyter Notebook, which is a web-based interactive computing platform for Python. Other Python editors also work if you are already familiar with Python. The easiest way for a beginner to get started with Jupyter Notebooks is by installing Anaconda.

 

Below are the steps for Python starters to run the script:

  • Install Anaconda and complete the setup following these links: Jupyter Notebook Tutorial (https://www.dataquest.io/blog/jupyter-notebook-tutorial/) and Download Anaconda (https://www.anaconda.com/).
  • Download the Storage Diagnostic Log Reader.ipynb file from Python Sample Code (https://github.com/zoeylan/AzureStorageLogReaderPython).
  • Run Jupyter Notebook, and upload the Storage Diagnostic Log Reader.ipynb file and the log files.
  • Open the Storage Diagnostic Log Reader.ipynb file.
  • Locate the directory in In[3] and replace it with the absolute path of the log root folder.

[Screenshot: the In[3] cell holding the log root directory]

  • Click "Kernel" and then "Restart & Run All" to run the Python code.

[Screenshot: the Kernel menu with "Restart & Run All"]

 

How to do basic analysis:

 

The first step in the sample code is to loop through all the subfolders, one subfolder per hour. The code then collects the log files from all the subfolders and saves their file names in one table like the one below.

[Screenshot: table of collected log file names]

 

At this point, another loop reads all records from these log files and saves them into one large table in Python.

[Screenshot: the combined log table]

 

Then, you can filter the data to keep only the “AppendFile” requests.

# Select only the "AppendFile" operations, as an example
write = log_df[log_df['<operation-type>'] == 'AppendFile']


The next step is to count how many “AppendFile” requests are sent from each client IP address.

# Count the number of requests per requester-ip-address
ip = pd.DataFrame(write.groupby(['<requester-ip-address>'])['<operation-type>'].count()).reset_index()


Since there might be duplicate rows for the same requester-ip-address across all the log files, an extra sum is needed to calculate the total number of requests.

# Collapse the duplicate rows per requester-ip-address and sum up the counts
iptable = pd.DataFrame(ip.groupby(['<requester-ip-address>'])['<operation-type>'].sum()).reset_index()


Now that your analysis result is ready, you can save it as a CSV file and open it with Excel on your local machine if you want.

[Screenshot: the per-IP result table]

# Export as a csv file
iptable.to_csv('iptable.csv')


Additionally, you can analyze more columns. For example, suppose you want to group requests by "request-url", "user-object-id", and "application-id" at the same time.

# Count "AppendFile" requests per request-url, user-object-id and application-id
requesturl = pd.DataFrame(write.groupby(['<request-url>', '<user-object-id>', '<application-id>'])['<operation-type>'].count()).reset_index()


Then, you need to collapse the duplicate rows and sum them up.

# Collapse the duplicate rows per group and sum up the counts
requesturltable = pd.DataFrame(requesturl.groupby(['<request-url>', '<user-object-id>', '<application-id>'])['<operation-type>'].sum()).reset_index()


With this final result, we can easily tell that the write operation was actually split into multiple parts for upload, and we can get the total number of parts.

[Screenshot: the per-request-url result table]

 

To sum up, this blog shares two free methods to view the Azure Storage Diagnostic Logs and do simple analysis to help you understand the requests sent to your Storage Account.

 
