APIM ApiManagementGatewayLogs
Hi! I have published couple of APIs through APIM. Now I try to read some diagnostic logs. While I choose APIM -> Logs -> API Management services -> ApiManagementGatewayLogs -> preview data or fire query: ApiManagementGatewayLogs | where TimeGenerated > ago(24h) | limit 10 I got 'where' operator: Failed to resolve table or column expression named 'ApiManagementGatewayLogs' If issue persists, please open a support ticket. What I'm doing wrong? Thanks, Jani
Audit user accessing entreprise App by SPN sign-in
I'm in a Hybrid Entra ID environment. Some users can use an "Entreprise Application" by utilizing IDs and a certificate. In the activity or sign-in logs, I can find the access entries, but I don't have the information on which user used the app registration or which certificate was used. I would like to have logs that allow me to identify WHO is using an SPN/App registration. Do you have any ideas? Thank you. Here an example: In this screenshot, I can see access made to an app using, for example, an appid+secret/certificate connection. So, it’s "logical" not to see a username since it's not required for this type of connection. However, I would really like to have this information or some indicator to identify which of my users accessed it. Currently, I only have the machine's IP address, but I would like more information. Maybe in Purview or with another service, but I haven't found anything.Can I use regex in a DCR custom text logfile filepath?
Hi, I have about 50 servers attached to a DCR to collect a custom text log into a log analytics workspace custom table. Is it possible or if anyone has experience with using a regex filepath in the DCR situation? The logs are in the same format but paths differs slightly on each servers. There are two structures, but includes the servernames so we have 50 different filepaths: App Server c:\appserver\logs\<server Fully Qualified Name>\server\*.log App Portal c:\appportal\logs\<server Fully Qualified Name>\portal\*.log When I use static paths it works (there's a limit of 20 by the way). I have tried using the following regex filepath nothing comes in: c:\app(server|portal)\logs\SYS[a-zA-Z0-9]{4}wm[0-9]{2}.domain.net\(server|portal)\*.log Can someone confirm with me whether I can use regex in the filepath pattern in the DCR Data Source Tex log setup? If so, how do I get it to work please? Am I missing some escapes somewhere please? Many thanks in advance.
how to parse logs in DCR if RawMessage is in JSON
Dear Fellow Members, I am going through the tutorial on ingesting logs through the Azure Log Ingestion API. At the moment I am at the point where I need to create a DCR for ingesting the logs. I managed to upload the sample logs, and now I would have to set up the schema/transformation rules for the log ingestion. Now my problem is that the RawMessage part of the ingested logs is basically a JSON document: [ { "RawData": "{\"SourceName\":\"Microsoft-Windows-DNSServer\",\"ProviderGuid\":\"{EB79061A-A566-4698-9119-3ED2807060E7}\",\"EventID\":256,\"Version\":0,\"ChannelID\":16,\"Channel\":\"Microsoft-Windows-DNS-Server/Analytical \",\"LevelValue\":4,\"Level\":\"Information \",\"OpcodeValue\":0,\"TaskValue\":1,\"Category\":\"LOOK_UP \",\"Keywords\":\"9223372036854775809\",\"EventTime\":\"2023-04-13T10:22:14.043901+02:00\",\"ExecutionProcessID\":6624,\"ExecutionThreadID\":4708,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"Hostname\":\"windns\",\"Domain\":\"NT AUTHORITY\",\"AccountName\":\"SYSTEM\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Flags\":\"256\",\"TCP\":\"0\",\"InterfaceIP\":\"172.18.88.20\",\"Source\":\"172.18.88.20\",\"RD\":\"1\",\"QNAME\":\"v10.events.data.microsoft.com.\",\"QTYPE\":\"1\",\"XID\":\"21030\",\"Port\":\"59130\",\"ParsedPacketData\":{\"dns.id\":21030,\"dns.flags.recursion_desired\":\"true\",\"dns.flags.truncated_response\":\"false\",\"dns.flags.authoritative\":\"false\",\"dns.opcode\":\"QUERY\",\"dns.flags.query_or_response\":\"false\",\"dns.response.code\":\"NOERROR\",\"dns.flags.checking_disabled\":\"false\",\"dns.flags.authentic_data\":\"false\",\"dns.flags.recursion_available\":\"false\",\"dns.query\":[{\"dns.query.name\":\"v10.events.data.microsoft.com\",\"dns.query.type\":\"A\",\"dns.query.class\":\"IN\"}]},\"PacketData\":\"0x52260100000100000000000003763130066576656E74730464617461096D6963726F736F667403636F6D0000010001\",\"AdditionalInfo\":\".\",\"GUID\":\"{B021826E-78B1-4574-8B19-0FF06408A144}\",\"EventReceivedTime\":\"2023-04-13T10:22:16.140231+02:00\",\"SourceModuleName\":\"in_windowsdns_auditanalytics_sentinel_windows\",\"SourceModuleType\":\"im_etw\",\"HostIP\":\"172.18.88.20\",\"BufferSize\":\"N/A\"}", "Time": "2023-04-19T07:30:08.5953753Z", "Application": "LogGenerator" } ] Now that is already in a structured format which should be reasonably easy to parse. However I haven't seen any examples of doing that. I have only encountered JSON parsing examples where the JSON text was contained in some field, and the result of the parsing would be assinged to a different/new field. In this case the JSON content is filled with key-value pairs that should belong to different fields in the new table. Have any of you encountered a similar situation? If yes, how did you manage to solve it? Is anything like this even possible in a DCR? source | parse RawData as json Thanks, JánosImportant Update: Azure Automation Update Management and Log Analytics Agent Retirement
Important Update: Azure Automation Update Management and Log Analytics Agent Retirement Attention Azure users! This is a critical notice regarding the retirement of two key services: Azure Automation Update Management and the Log Analytics agent. Both will be discontinued on August 31, 2024. To ensure uninterrupted update management for your virtual machines, migrating to Azure Update Manager is essential before the retirement date. Why the Change? Microsoft is streamlining its update management offerings by focusing on Azure Update Manager, a robust solution with several advantages. These include: Simplified onboarding: Azure Update Manager leverages existing Azure features for effortless integration. Enhanced control: Granular access controls allow for precise management of update deployment. Flexible automation: Automatic patching capabilities streamline the update process. Taking Action: Migrate to Azure Update Manager To avoid disruptions after August 31st, migrating to Azure Update Manager is necessary. Microsoft provides a comprehensive guide to facilitate this transition: Move from Automation Update Management to Azure Update Manager https://learn.microsoft.com/en-us/azure/automation/update-management/overview This guide details the migration process, ensuring a smooth transfer to the new platform. Don't wait! Begin the migration process today to ensure your virtual machines receive updates seamlessly after the retirement of Azure Automation Update Management and the Log Analytics agent.
Azure Metric vs Performance counters show different values
Azure Metric vs Performance counters Return values of network traffic are totally off, regardless of time frame between portal, log analytic query perf and InsightsMetrics. See screen off excel. I have open log analytic workspace, select Time range Last 24 hours and one day 26/03/2024 Perf | where TimeGenerated between (datetime(2024-03-26) .. datetime(2024-03-27)) | where Computer == "**********" | where ObjectName == "Network Interface" and CounterName == "Bytes Sent/sec" or CounterName == "Bytes Received/sec" | summarize BytsSent = sum(CounterValue) by bin(TimeGenerated, 1d),CounterName InsightsMetrics | where TimeGenerated between (datetime(2024-03-26) .. datetime(2024-03-27)) | where Origin == "vm.azm.ms" | where Computer == "*******" | where Namespace == "Network" | where Name == "ReadBytesPerSecond" or Name == "WriteBytesPerSecond" | extend Tags = parse_json(Tags) | extend BytestoSec = toreal(Tags.["vm.azm.ms/bytes"]) | sort by TimeGenerated | project TimeGenerated,Name,Val,BytestoSec | summarize AggregatedValue = sum(BytestoSec) by bin(TimeGenerated, 1d),Name I don’t know what im doing wrong or i don't understand . But sample interval in data collection rule is 15s, and sample interval of metric is 60s.
Can I filter what logs need to be sent to my Azure Log Analystic Workspace?
Hello, Is it possible to filter what logs need to be sent to my Azure Log Analystic Workspace? In my case, I am sending all theAuditLogs from Microsoft Entra ID to my Azure Log Analystic Workspace, but my organization is large, I just need a very small group of people's activities to be logged and sent to the workspace. Thank you!Logic Flow name in Azure Log Analytics
dependencies | where type == "Ajax" | where success == "False" | where name has "logicflows" | project timestamp, name, resultCode, duration, type, target, data, operation_Name, appName | order by timestamp desc This KQL query in Azure Application Insights> Azure Log Analytics is used to get errors for logicflows. It returns the data but, I cannot see the logicflow name or ID anywhere. Is there any way to fetch logicflow ID? The azure app insight is registered for a power app, where we are using automate flows to call apis. We need the flow's name in analytics. I tried looking the database, there is no field for logic flow's name or ID. Though when seen in user>sessions, it shows name in requestHeaders.
