Diagnostic Logs & settings
10 Topics

Are you getting the most out of your Azure Log Analytics Workspace (LAW) investment?
Using a LAW is a great way to consolidate various types of data (performance, events, security, etc.) and signals from multiple sources. That's the easy part; mining this data for actionable insights is often the real challenge. One way we did this was by surfacing events related to disks across our physical server estate. We were already sending event data to our LAW; it was just a matter of parsing it with KQL and adding it to a Power BI dashboard for additional visibility. The snippet from the Power BI dashboard shows when the alert was first triggered and when the disk was eventually replaced. Here's the KQL query we came up with.

    let start_time = ago(30d);
    let end_time = now();
    Event
    | where TimeGenerated > start_time and TimeGenerated < end_time
    | where EventLog contains 'System'
    | where Source contains 'Storage Agents'
    | where RenderedDescription contains 'Drive Array Physical Drive Status Change'
    // Pull the drive, its serial number and the new status out of the message text
    | parse kind=relaxed RenderedDescription with * 'Drive Array Physical Drive Status Change. The ' Drive ' with serial number "' Serial '", has a new status of ' Status '. (Drive status values:' *
    | project Computer, Drive, Serial, Status, TimeGenerated, EventLevelName

You can of course set up alerting with Alerts for Azure Monitor. I hope this example helps you get more value from your LAW.

How to Monitor New Management Group Creation and Deletion.
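The parse in the query above can be exercised offline. The Python below is an added example, not code from the original post: it applies the same message template to a few constructed Storage Agents event descriptions, then follows each failing drive bay until a different serial number shows up healthy in that bay, which is what the dashboard labels as the replacement date. The message wording, server names, serial numbers and the assumption that the literal status OK means healthy are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Same template the KQL parse uses:
#   ... The <Drive> with serial number "<Serial>", has a new status of <Status>. (Drive status values: ...
TEMPLATE = re.compile(
    r'Drive Array Physical Drive Status Change\. The (?P<drive>.+?) '
    r'with serial number "(?P<serial>[^"]*)", has a new status of '
    r'(?P<status>[^.]+?)\. \(Drive status values:'
)

HEALTHY = "OK"  # assumption for this example: this status text means the drive is healthy


@dataclass(frozen=True)
class DriveEvent:
    computer: str
    drive: str
    serial: str
    status: str
    time: datetime


def parse_event(computer: str, timestamp: str, rendered: str) -> Optional[DriveEvent]:
    """Return the same columns the KQL projects, or None if the text does not match the template."""
    m = TEMPLATE.search(rendered)
    if m is None:
        return None
    when = datetime.fromisoformat(timestamp.replace("Z", "+00:00"))
    return DriveEvent(computer, m["drive"].strip(), m["serial"], m["status"].strip(), when)


def track_replacements(events: List[DriveEvent]) -> List[dict]:
    """One record per failing (computer, bay, serial): when the alert first fired and when the
    bay was next seen with a different serial (replaced) or the same serial healthy (recovered)."""
    incidents: List[dict] = []
    open_by_bay: Dict[Tuple[str, str], dict] = {}
    for ev in sorted(events, key=lambda e: e.time):
        bay = (ev.computer, ev.drive)
        current = open_by_bay.get(bay)
        if current is not None and ev.serial != current["serial"]:
            # A different serial in the same bay: the failing disk was swapped out.
            current["replaced_at"] = ev.time
            current["replacement_serial"] = ev.serial
            del open_by_bay[bay]
            current = None
        if ev.status.upper() == HEALTHY:
            if current is not None:
                current["recovered_at"] = ev.time  # same disk back to OK, no swap happened
                del open_by_bay[bay]
            continue
        if current is None:
            current = {"computer": ev.computer, "drive": ev.drive, "serial": ev.serial,
                       "first_alert": ev.time, "last_status": ev.status,
                       "replaced_at": None, "replacement_serial": None, "recovered_at": None}
            incidents.append(current)
            open_by_bay[bay] = current
        else:
            current["last_status"] = ev.status  # still degraded; first_alert is kept
    return incidents


# Constructed sample events shaped like the RenderedDescription column (not real log data).
TAIL = " (Drive status values: see vendor documentation)"
HEAD = "Drive Array Physical Drive Status Change. The physical drive in bay "
SAMPLE_EVENTS = [
    ("srv01", "2024-03-01T08:00:00Z", HEAD + '3 with serial number "S1AAA111", has a new status of Predictive Failure.' + TAIL),
    ("srv01", "2024-03-01T08:05:00Z", "Some unrelated System log entry that must be ignored"),
    ("srv01", "2024-03-03T10:30:00Z", HEAD + '3 with serial number "S1AAA111", has a new status of Failed.' + TAIL),
    ("srv01", "2024-03-04T14:00:00Z", HEAD + '3 with serial number "S2BBB222", has a new status of OK.' + TAIL),
    ("srv02", "2024-03-02T09:00:00Z", HEAD + '1 with serial number "S3CCC333", has a new status of Rebuilding.' + TAIL),
    ("srv02", "2024-03-02T11:00:00Z", HEAD + '1 with serial number "S3CCC333", has a new status of OK.' + TAIL),
]


def parse_samples() -> List[DriveEvent]:
    parsed = (parse_event(c, t, r) for c, t, r in SAMPLE_EVENTS)
    return [ev for ev in parsed if ev is not None]


if __name__ == "__main__":
    for incident in track_replacements(parse_samples()):
        print(incident)
```

Running it lists one incident per failing disk: srv01 bay 3 is first alerted on 1 March and marked replaced on 4 March when serial S2BBB222 appears healthy in the same bay, while srv02 bay 1 recovers with its original disk and is never marked as replaced.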
I am writing this post to monitor new management group creation and deletion using Azure Activity Logs and trigger an incident in Microsoft Sentinel. You can also use it to monitor subscription creation using these steps. By default, the diagnostic settings at the management group level are not enabled. They cannot be enabled using Azure Policy or from the Portal interface. Use the article below to enable the "Management Group Diagnostic Settings": Management Group Diagnostic Settings - Create Or Update - REST API (Azure Monitor) | Microsoft Learn. Below is the message body if you would like to forward the logs only to the Log Analytics workspace where Sentinel is enabled. Also make sure you enable the diagnostic settings at the tenant management group level to track all changes in your tenant.

    {
      "properties": {
        "workspaceId": "<< replace with workspace resource ID >>",
        "logs": [
          { "category": "Administrative", "enabled": true },
          { "category": "Policy", "enabled": true }
        ]
      }
    }

Once you have enabled the diagnostic settings, you can use the KQL queries below to monitor management group creation and deletion using Azure Activity Logs.
    // KQL query to identify when a management group is deleted
    AzureActivity
    | where OperationNameValue == "MICROSOFT.MANAGEMENT/MANAGEMENTGROUPS/DELETE"
    | where ActivityStatusValue == "Success"
    // entity is /providers/Microsoft.Management/managementGroups/<name>, so index 4 is the name
    | extend mg = split(tostring(Properties_d.entity), "/")
    | project TimeGenerated,
              activityStatusValue_ = tostring(Properties_d.activityStatusValue),
              Managementgroup = mg[4],
              message_ = tostring(parse_json(Properties).message),
              caller_ = tostring(Properties_d.caller)

    // KQL query to identify when a management group is created
    AzureActivity
    | where OperationNameValue == "MICROSOFT.MANAGEMENT/MANAGEMENTGROUPS/WRITE"
    | where ActivityStatusValue == "Success"
    | extend mg = split(tostring(Properties_d.entity), "/")
    | project TimeGenerated,
              activityStatusValue_ = tostring(Properties_d.activityStatusValue),
              Managementgroup = mg[4],
              message_ = tostring(parse_json(Properties).message),
              caller_ = tostring(Properties_d.caller)

This log can also be used to monitor new subscription creation, using the query below:

    AzureActivity
    // OperationNameValue holds the full operation name (e.g. MICROSOFT.MANAGEMENT/MANAGEMENTGROUPS/WRITE),
    // so match on the provider prefix rather than testing equality against "Microsoft.Management"
    | where OperationNameValue startswith "MICROSOFT.MANAGEMENT/"
    // the queries in this post use both "Success" and "Succeeded"; accept either
    | where ActivityStatusValue in ("Success", "Succeeded")
    | where isnotempty(SubscriptionId)

If you need to trigger an incident in Sentinel, use the above query in a custom scheduled analytics rule and create an alert.

Can I filter what logs need to be sent to my Azure Log Analytics Workspace?
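To see exactly which rows the two management group queries above select, here is the same filtering applied in Python to a handful of constructed AzureActivity rows. This is an added example, not part of the original post: the timestamps, callers and management group names are made up, Properties is embedded as the JSON string that the KQL reads through Properties_d, and both the Success and Succeeded status spellings used on the page are accepted. One caveat when wiring this into an analytics rule: the WRITE operation is the same PUT for updating an existing management group as for creating one, so a rule keyed only on it fires for both.

```python
import json
from typing import Iterable, List

MG_DELETE = "MICROSOFT.MANAGEMENT/MANAGEMENTGROUPS/DELETE"
MG_WRITE = "MICROSOFT.MANAGEMENT/MANAGEMENTGROUPS/WRITE"
SUCCESS_VALUES = {"success", "succeeded"}  # both spellings appear in the post's queries


def management_group_from_entity(entity: str) -> str:
    """Same as split(tostring(Properties_d.entity), "/")[4] in the KQL.
    entity looks like /providers/Microsoft.Management/managementGroups/<name>,
    so index 4 of the split is the management group name."""
    parts = entity.split("/")
    return parts[4] if len(parts) > 4 else ""


def detect_mg_changes(records: Iterable[dict]) -> List[dict]:
    """Emit one finding per successful management group delete or write, projecting
    the same fields the KQL does (time, status, group name, message, caller)."""
    findings: List[dict] = []
    for rec in records:
        op = str(rec.get("OperationNameValue", "")).upper()
        if op not in (MG_DELETE, MG_WRITE):
            continue
        if str(rec.get("ActivityStatusValue", "")).lower() not in SUCCESS_VALUES:
            continue  # drops the "Start" row that precedes the outcome of every operation
        props = json.loads(rec.get("Properties") or "{}")  # what Properties_d holds
        findings.append({
            "TimeGenerated": rec.get("TimeGenerated"),
            "action": "deleted" if op == MG_DELETE else "created_or_updated",
            "activityStatusValue": props.get("activityStatusValue", ""),
            "ManagementGroup": management_group_from_entity(props.get("entity", "")),
            "message": props.get("message", ""),
            "caller": props.get("caller", ""),
        })
    return findings


def _row(time: str, op: str, status: str, entity: str, caller: str, message: str) -> dict:
    """Build a constructed AzureActivity-like row; Properties is a JSON string as in the table."""
    return {
        "TimeGenerated": time,
        "OperationNameValue": op,
        "ActivityStatusValue": status,
        "Properties": json.dumps({
            "entity": entity, "caller": caller, "message": message,
            "activityStatusValue": status,
        }),
    }


MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"
# Constructed sample rows (not real tenant data).
SAMPLE_ROWS = [
    _row("2024-05-01T09:00:00Z", MG_DELETE, "Start",
         MG_PREFIX + "mg-sandbox", "alice@contoso.example", "Microsoft.Management/managementGroups/delete"),
    _row("2024-05-01T09:00:02Z", MG_DELETE, "Success",
         MG_PREFIX + "mg-sandbox", "alice@contoso.example", "Microsoft.Management/managementGroups/delete"),
    _row("2024-05-01T10:15:00Z", MG_WRITE, "Succeeded",
         MG_PREFIX + "mg-prod-new", "bob@contoso.example", "Microsoft.Management/managementGroups/write"),
    _row("2024-05-01T11:00:00Z", "MICROSOFT.RESOURCES/DEPLOYMENTS/WRITE", "Success",
         "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo",
         "carol@contoso.example", "Microsoft.Resources/deployments/write"),
]


if __name__ == "__main__":
    for finding in detect_mg_changes(SAMPLE_ROWS):
        print(finding)
```

Of the four constructed rows only two survive: the Start row for the delete is dropped by the status filter and the deployment write is dropped by the operation filter, leaving the deletion of mg-sandbox by alice and the write of mg-prod-new by bob, each with the group name recovered from the entity path.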
Hello, is it possible to filter what logs need to be sent to my Azure Log Analytics Workspace? In my case, I am sending all the AuditLogs from Microsoft Entra ID to my Azure Log Analytics Workspace, but my organization is large; I just need a very small group of people's activities to be logged and sent to the workspace. Thank you!

How to redirect performance logs to another Azure Log Analytics workspace
Dear members, I am new to Azure Monitor/Log Analytics workspace and I'm in the process of configuring it. Initially, we believed that having two LAWs would suffice for our business requirements, and we put significant effort into adjusting Azure Policy exclusions to make it work. However, we didn't succeed in that approach. After gaining a deeper understanding of LAW, we decided to use a single LAW and have most of our resources report to it. To achieve this, we cleaned up Azure policies and directed DCRs to point to this unified LAW. The issue we currently face is that a specific group of VMs continues to send performance data to the outdated LAW, and we can't identify where to make the necessary changes. We have triple-checked all levels of management groups, Azure policies and the remaining active DCRs, yet still no luck. All of these VMs have the AMA installed. Is there a need to update the AMA, which we may be unaware of? We are running out of ideas on where to adjust the settings so that we can consolidate all the logs into this single LAW. We would greatly appreciate any suggestions or recommendations from forum members! Thank you in advance for any help! Sally

Azure Diagnostic data cannot be processed by Azure Stream Analytics due to InputDeserializerError
Planning to stream Azure resource (Front Door) diagnostic logs to Azure Stream Analytics. However, having trouble with this one, as data specifically from AzureDiagnostics fails to get deserialized as input for the Stream Analytics job. Error:

    Error while deserializing input message Id: Partition: [0], Offset: [3663944], SequenceNumber: [285]. Hit following error: Column name: ErrorInfo is already being used. Please ensure that column names are unique (case insensitive) and do not differ only by whitespaces.

It's caused by a duplicate column, errorInfo and ErrorInfo, on the AzureDiagnostics table; I am unsure what distinguishes them when observing their values. Have any thoughts or solution in mind on how we could simplify or transform these diagnostic logs to possibly remove this duplicate column prior to ingestion by the Stream Analytics job? I had initially thought of the following solutions, but they aren't so straightforward and probably cost more, and I would like to hear others' thoughts as well.

1. Transformation using a DCR. I believe this is ideal for sending diagnostic logs to a Log Analytics workspace, but this would mean diagnostic logs have to pass through the workspace and then get exported to Stream Analytics, which may require adding more components in between the data pipeline.

2. Logic App. Saw somewhere that a scheduled Logic App is used to export data using a KQL query from a Log Analytics workspace and then send it to storage. Would have to modify the destination to an event hub instead, perhaps. Yet again, too many layers just to pass the data on to ASA.

Any other solution you can suggest for refining the incoming data to ASA while minimizing the utilization of compute resources?

Need Help on Azure Firewall Deny and Allow actions
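The error quoted above is Stream Analytics applying a case-insensitive, whitespace-insensitive uniqueness rule to column names. As an added example (not from the original post), the Python below shows what a pre-processing step placed between the diagnostic log output and the ASA input would have to do: find the keys of a row that collide under that rule, drop a duplicate when its value is identical, and rename the others with a numeric suffix so no data is lost. The row is constructed to resemble an AzureDiagnostics record; the userAgent/UserAgent pair is made up to exercise the rename path, and where such a step would run (a Function reading the Event Hub, for instance) is an assumption.

```python
from collections import defaultdict
from typing import Dict, List, Sequence


def normalize_name(key: str) -> str:
    """The ASA uniqueness rule from the error: case-insensitive, ignoring surrounding whitespace."""
    return key.strip().lower()


def find_case_collisions(record: dict) -> Dict[str, List[str]]:
    """Map each normalized name used by more than one key to the original keys that share it."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for key in record:
        groups[normalize_name(key)].append(key)
    return {norm: keys for norm, keys in groups.items() if len(keys) > 1}


def resolve_collisions(record: dict, prefer: Sequence[str] = ("ErrorInfo",)) -> dict:
    """Return a copy of the record whose keys are unique under the ASA rule.

    For each colliding group the key listed in `prefer` (else the first one seen) is kept as-is.
    The other keys are dropped when they carry the same value and otherwise renamed with a
    numeric suffix, so a genuinely different value is never silently discarded."""
    collisions = find_case_collisions(record)
    keep_for = {norm: next((p for p in prefer if p in keys), keys[0])
                for norm, keys in collisions.items()}
    out: dict = {}
    used: set = set()

    def emit(key: str, value) -> None:
        key = key.strip()
        candidate, n = key, 1
        while normalize_name(candidate) in used:  # never reuse a name the output already has
            candidate = f"{key}_{n}"
            n += 1
        used.add(normalize_name(candidate))
        out[candidate] = value

    deferred = []
    for key, value in record.items():
        norm = normalize_name(key)
        if norm not in collisions or key == keep_for[norm]:
            emit(key, value)
        else:
            deferred.append((key, value, keep_for[norm]))
    for key, value, kept in deferred:
        if value != record[kept]:
            emit(key, value)  # distinct value: keep it under a suffixed name
    return out


# Constructed row resembling an AzureDiagnostics record as delivered to an Event Hub (not real data).
SAMPLE_ROW = {
    "time": "2024-06-01T12:00:00Z",
    "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/RG-DEMO"
                  "/PROVIDERS/MICROSOFT.NETWORK/FRONTDOORS/FD-DEMO",
    "category": "FrontdoorAccessLog",
    "errorInfo": "NoError",
    "ErrorInfo": "NoError",      # same value under a different case: one copy is enough
    "httpStatusCode": "200",
    "userAgent": "curl/8.0",
    "UserAgent": "Mozilla/5.0",  # made-up distinct value: must survive under a new name
}


if __name__ == "__main__":
    print(find_case_collisions(SAMPLE_ROW))
    print(resolve_collisions(SAMPLE_ROW))
```

On the constructed row the identical errorInfo/ErrorInfo pair collapses to ErrorInfo, while the differing userAgent/UserAgent pair is kept as userAgent and UserAgent_1; the cleaned row has no remaining collisions and can be offered to ASA as-is.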
Dear Members, I have an Azure Firewall with two sets of action types, Allow and Deny, as shown in the screenshot below. In these two actions we have the same rule defined in both: an SMTP network rule is defined in both the Allow and the Deny action. Now I need to check which action goes first. How does that work? When does the Deny rule get evaluated compared to the priority 112 rule? Does the rule block the traffic it is supposed to, and does it still allow the other traffic? How can we check the logs to see if the rule is still allowing traffic? Please advise on this. Thank you

IoT Hub Distributed Tracing
Hi, I have been following this guide: https://learn.microsoft.com/en-us/azure/iot-hub/iot-hub-distributed-tracing and have done everything, and messages are being sent with tracestates, but I am not receiving any logs in my container or Log Analytics workspace. I get logs for other things like connections but not distributed tracing logs. What could the issue be? Thanks

Kusto Query for troubleshooting the Network Security Group
Hi Team, I need some help with a Kusto query for troubleshooting Network Security Group connectivity between a source IP and a destination IP. Can someone please help with a Kusto query to check the NSG logs for the source and destination, to check whether connectivity is allowed between source and destination? I'm very new to Kusto Query so posted here; appreciate any help.

    Source IP: 10.226.16.165
    Destination: 159.123.12.3

Ability to select the Enterprise Application for Diagnostics Settings exporting to Azure Storage
Hi team, I want to relay a customer's feedback regarding the current product design for Diagnostics Settings. Diagnostics Settings configured to export logs to Azure Storage use, behind the scenes, a first-party application called "Windows Azure Application Insights" to be able to write the logs to Storage. While the naming convention for this Enterprise Application can be misleading (as this feature is not related to Azure Monitor Application Insights entirely), it would also be useful to give customers the ability to choose the Enterprise Application that will be calling Azure Storage to write the data. This would help customers recognize that these calls are expected (as they would see an Enterprise Application they own) and wouldn't raise security concerns. Thank you.

Windows Insider Problems
>settings>privacy>diagnostic data: it (diagnostic data and improve inking and typing) is greyed out. Cannot change to optional diagnostic data.
>settings>update>security>windowsinsiderprogram: cannot do anything here because of the diagnostic data and improve inking and typing. I am a Windows Insider member and am trying to download the Windows 11 beta. Microsoft tech had me do a clean install and said that would fix the issues... it DID NOT.