Script based Azure Alerts - azure

I would like to create an Azure Alert rule using the Azure Resource Graph tables, which are not available inside Azure Log Analytics. Using Azure CLI, a query can be sent to Azure Resource Graph, e.g.:
az graph query -q "<QUERY>" --query count
Is it possible to create an Azure Alert based on the result of this query?

There is no direct way to create an alert using graph query. Here are the approaches I worked on to create it.
Approach-1:
You can create it with the help of Terraform running in azCLI. Refer to SO.
Approach-2:
Using the scheduled query parameter for the az monitor command, I created an alert within the given scope as per your requirement.
I've tried creating a sample alert and it worked for me.
az monitor scheduled-query create -g "xxxxresourcegroup" -n "xxxalert" --scopes "/subscriptions/<subscriptionID>/resourcegroups/xxxxresourcegroup/providers/Microsoft.Compute/virtualMachines/xxxxxVMName" --condition "count 'Placeholder_1' > 360 resource id _ResourceId at least 1 violations out of 5 aggregated" --condition-query Placeholder_1="union Event | where TimeGenerated > ago(3h) | where EventLevelName=='xxxxxError' or SeverityLevel=='xxxerror'" --description "xxxxxxxxx"
Approach-3:
By using az monitor metrics alert in azCli, you can build it without using a query.
I've taken a sample alert to check the condition of CPU (CPU %>50) and was able to perform it as shown here:
az monitor metrics alert create -n alert1 -g "xxxxxresourcegroup" --scopes "/subscriptions/< Subscription_ID >/resourcegroups/<resourcegroupName>/providers/Microsoft.Compute/virtualMachines/xxxVMName" --condition "avg Percentage CPU > 50" --description "CPU Percentage"
Approach-4:
Usually, we can create an alert rule by executing a log query from the required resource and then creating a new alert rule.
I tried with an example query to check for missing software updates on virtual machine logs.
Click on New alert rule; the search query will be automatically updated. Then select how to summarize the results.
Add the alert logic. When the threshold value of 50 is reached for an assigned event, an alert is fired by sending an email.
After an alert is fired, you can select an action from an action group if you have already defined one; otherwise create one before an alert is triggered.
Provide the alert rule name and required details.
The new alert rule is created successfully.
Reference: MsDoc

Related

Trigger Azure function via Log alert

Quick context:
I want to delete my VM(s) in a specific resource group if its CPU usage is below 30 for 1 hour.
Detailed explanation: Please refer to the alert-action group flow diagram (https://i.stack.imgur.com/I4gBD.png) or the flow below:
Resource Group -> Linux VM(s), connected with a Log Analytics workspace
Created an Azure Function - Delete-VM, written in PowerShell, which will delete the VM
Created an Action Group (delete-Action) to trigger a mail notification and the above Azure Function (Delete-VM)
Created an alert rule with signal as Log and condition as custom log query, and configured the above action group to take action.
Custom query:
Perf | where TimeGenerated > ago(60m) | where (ObjectName == "Processor") | summarize AggregatedValue = avg(CounterValue) by Computer | where AggregatedValue < 100 | project Computer, AggregatedValue
Issue:
When the condition is breached, the alert gets fired.
Only the mail action is triggered.
The Azure Function (Delete DVSM) is not executing.
How can I trigger the Azure Function when the alert is fired?
I have followed the blog which was created by cloudsma.
Workaround follows
I have created the Alert Group with Email notification alert and it will trigger the Azure Function.
Adding Alert Rule:
The alert is able to trigger both the email and the Azure Function
Alert Results

Azure App-Service alerts on auto-scaled instance count with condition

Context: app-service in Azure with auto-scale enabled, 2 to 8 instances. Usually workload fluctuates between 2..4 instances, and only on rare occasions scaling maxes out to 8 instances - for such cases I want to set up an alert. Let's say I am interested in all scaling operations above 4 instance count.
Problem: cannot find an alert "scope + condition signal" combination where instance count of auto-scale would be possible to select. Is such data accessible at all?
And "no" - I do not want to use the OOB "Scale out - Notify" functionality, because this feature sends out emails about all scaling operations. Since I am not interested in 2..4 instances and only in >4 instances, conditioning must be possible.
You can create the alert mechanism for the autoscale operation in the web app by projecting the autoscale operation logs to a Log Analytics workspace, followed by creating a custom alert.
Here are the steps you need to follow:
Go to the Scale-out (App Service plan) option in the portal and, under that, navigate to Diagnostic settings.
Create diagnostic settings for the autoscale operations and project those logs to the Log Analytics workspace.
Based on the requirement shared above, use the query below to pull scale-out operations of a web app where the instance count is greater.
AutoscaleScaleActionsLog | where OperationName == 'InstanceScaleAction' and ResultType == "Succeeded"
| where NewInstanceCount >4 and ScaleDirection == 'Increase'
Use the New alert rule option in the Log Analytics workspace to create a custom alert, using the above query as the signal, as shown in the picture below.
Here is a sample image of the alert rule that was created using the above query.
The above alert query runs every thirty minutes; if any autoscale operation was recorded, it will trigger an email to the mentioned recipients.
Click on Save and enable the alert rule.
Here is the sample email output triggered by the alert rule.

How can I be notified if someone creates a new database in Azure?

I would like to set up an Azure alert for when someone on our team sets up an Azure database. Once alerted, I want to have an additional alert created if that resource is running for more than a certain amount of time.
My solution is to create an Alert Rule on the storage account and have it send an email. Where I'm running into trouble is how to monitor the database, since it just got created and I don't know the name yet for the second Alert rule that will monitor its uptime.
Is there some programmatic way to determine the database resource name?
If you don't want to invest time in a programmatic way, there is an option to configure an alert at the resource group level based on resource type, where the alert rule is configured as follows:
Scope - Select the right subscription, filter by resource type like SqlDatabase and, if required, filter by location
Condition - In Select condition, in the Signal type drop-down select "Create/Update Azure Sql Database"; in the alert logic you can provide additional filtering logic
You can choose an existing Action group or create a new one based on your requirement
Add "Alert rule details" like rule name, description, etc.
Finally, create the alert rule
Now, once the alert rule is created, if any new Azure SqlDatabase is created you will be notified based on the alert configured.
According to the official doc, you can use Event Grid to notify Azure Automation when a SQL database is created.
https://learn.microsoft.com/en-au/azure/event-grid/overview#ops-automation
Once you subscribe, you can use Logic Apps to send you an email for example.
About the second part, you'll need to query the metrics and figure out if it's running (is performing compute) or not.
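Added example (not from either answer above): if the Event Grid route is used, the name of the new database can be read from the event itself, which also gives the first-seen time needed for the follow-up "running too long" check. It assumes events shaped like Event Grid's Azure subscription events (an eventType of Microsoft.Resources.ResourceWriteSuccess and a data.resourceUri); the sample events, resource names and the new_databases helper are constructed for illustration.

```python
import re

# Resource ID of a SQL database (Azure resource IDs are case-insensitive).
DB_ID = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/Microsoft\.Sql/servers/(?P<server>[^/]+)"
    r"/databases/(?P<db>[^/]+)$",
    re.IGNORECASE,
)

def new_databases(events, known_ids):
    """Return databases whose first successful write appears in `events`.

    A write-success event is raised for updates as well as creates, so
    `known_ids` (a set of lower-cased resource IDs) is used to report each
    database only once; it is updated in place.
    """
    found = []
    for ev in events:
        if ev.get("eventType") != "Microsoft.Resources.ResourceWriteSuccess":
            continue  # failures, deletes and other event types are ignored
        uri = ev.get("data", {}).get("resourceUri", "")
        m = DB_ID.match(uri)
        if not m or uri.lower() in known_ids:
            continue  # other resource type, or a database already reported
        known_ids.add(uri.lower())
        found.append({"resource_group": m["rg"], "server": m["server"],
                      "database": m["db"], "resource_id": uri,
                      "first_seen": ev.get("eventTime")})
    return found

# Constructed sample events (placeholder subscription and resource names).
_SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-data"
def _ev(event_type, suffix, when):
    return {"eventType": event_type, "eventTime": when,
            "data": {"resourceUri": _SUB + suffix}}

_OK = "Microsoft.Resources.ResourceWriteSuccess"
_DB = "/providers/Microsoft.Sql/servers/sql-demo-01/databases/"
SAMPLE_EVENTS = [
    _ev(_OK, "/providers/Microsoft.Storage/storageAccounts/stdemo01", "2024-01-10T09:00:00Z"),
    _ev(_OK, _DB + "orders-db", "2024-01-10T09:05:00Z"),
    _ev(_OK, _DB + "orders-db", "2024-01-10T09:30:00Z"),  # later update, same database
    _ev("Microsoft.Resources.ResourceWriteFailure", _DB + "failed-db", "2024-01-10T09:40:00Z"),
]

if __name__ == "__main__":
    for db in new_databases(SAMPLE_EVENTS, set()):
        print(db)
```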

Track Resource deletion from Azure ActivityLog in LogAnalytics

I am trying to alert/visualize Resource changes like creation/deletion of Azure resources using Log Analytics/OMS.
I am able to find new deployments using:
AzureActivity
| where ActivityStatus == 'Succeeded' and OperationNameValue contains 'Microsoft.Resources/deployments/write'
and VM start/stop also is traceable.
However, I do not see any logs when a VM is deleted from a resource group. I checked in the resource group Activity logs too; however, such an important event doesn't seem to be tracked properly. The only thing I find is the deletion of shutdown schedules as part of VM deletion; however, this isn't a reliable indicator.
How can I track resource deletions using Log Analytics?
You can set up an alert in Log Analytics for when the VM is deleted.
Navigate to the Azure portal, your Log Analytics -> in the left blade, select Alerts -> New alert rule -> in the new page, select your VM as the resource -> then in the condition, add a condition: Delete Virtual Machine.

How to group Azure deployment events into a single alert e-mail

I want to send a single alert on a successful deployment in Azure. Alerting on individual events is a problem because that could get too noisy.
Grouping events by their correlation id and sending that in a single e-mail would be great. Sort of like what you might find in the deployment overview page in the Azure portal:
Your deployment is complete
Deployment name: mesh_rp.linux
Subscription: AcmeDevTest
Resource group: rg-mesh-demo
Start time: 11/29/2018 9:00:00 AM
Duration: 2 minutes 56 seconds
Correlation ID: 11111111-1111-1111-1111-111111111111
Resource TYPE STATUS
HelloWorldApp Microsoft.ServiceFabricMesh/applications OK
HellowWorldNetwork Microsoft.ServiceFabricMesh/networks OK
How would I go about grouping those events by their correlation id and then firing that off in an e-mail?
Is this possible with Azure Monitor or is something like logic apps and event grid the way to go here?
Azure Monitor would be best for you.
From Azure portal, select Monitor > Alerts
Click New Alert Rule at the top of the Alerts window.
Configure Alert target and Target criteria
Configure Action group to send an email.
For a successful deployment, you should choose "create new deployment" as the target criteria.
For more details, please refer to the following:
https://learn.microsoft.com/en-us/azure/monitoring-and-diagnostics/alert-activity-log
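Added example (not part of the answer above): one way to do the grouping the question asks about, over Activity Log events that have been exported as JSON, so that a single digest per finished deployment can be mailed. The flat record layout (correlationId, eventTimestamp, operationName, status, resourceId), the sample events and the deployment_digests helper are assumptions made for illustration; the names reuse the sample from the question.

```python
from collections import defaultdict
from datetime import datetime

DEPLOY_OP = "Microsoft.Resources/deployments/write"
FMT = "%Y-%m-%dT%H:%M:%SZ"

def deployment_digests(events):
    """Group events by correlationId; return one summary per finished deployment."""
    groups = defaultdict(list)
    for ev in events:
        groups[ev["correlationId"]].append(ev)
    digests = []
    for cid, evs in groups.items():
        # Events can arrive out of order; same-format UTC timestamps sort lexically.
        evs = sorted(evs, key=lambda e: e["eventTimestamp"])
        deploy = [e for e in evs if e["operationName"] == DEPLOY_OP]
        if not deploy or deploy[-1]["status"] != "Succeeded":
            continue  # not a deployment, or still running / failed
        last = {}  # resourceId -> latest status seen for that resource
        for e in evs:
            if e["operationName"] != DEPLOY_OP:
                last[e["resourceId"]] = e["status"]
        start, end = (datetime.strptime(e["eventTimestamp"], FMT)
                      for e in (evs[0], evs[-1]))
        digests.append({
            "correlation_id": cid,
            "deployment": deploy[-1]["resourceId"].rsplit("/", 1)[-1],
            "duration_s": int((end - start).total_seconds()),
            "resources": {rid.rsplit("/", 1)[-1]: st for rid, st in last.items()},
        })
    return digests

# Constructed sample events (placeholder subscription ID).
_RG = ("/subscriptions/00000000-0000-0000-0000-000000000000"
       "/resourceGroups/rg-mesh-demo/providers/")
def _e(cid, t, op, status, res):
    return {"correlationId": cid, "eventTimestamp": "2018-11-29T" + t + "Z",
            "operationName": op, "status": status, "resourceId": _RG + res}
A, B = "11111111-1111-1111-1111-111111111111", "22222222-2222-2222-2222-222222222222"
NET, APP = "Microsoft.ServiceFabricMesh/networks", "Microsoft.ServiceFabricMesh/applications"
DEP = "Microsoft.Resources/deployments/"
SAMPLE = [
    _e(A, "09:00:00", DEPLOY_OP, "Started", DEP + "mesh_rp.linux"),
    _e(A, "09:01:00", NET + "/write", "Succeeded", NET + "/HellowWorldNetwork"),
    _e(A, "09:00:05", NET + "/write", "Started", NET + "/HellowWorldNetwork"),
    _e(A, "09:02:50", APP + "/write", "Succeeded", APP + "/HelloWorldApp"),
    _e(A, "09:02:56", DEPLOY_OP, "Succeeded", DEP + "mesh_rp.linux"),
    _e(B, "09:10:00", DEPLOY_OP, "Started", DEP + "other"),  # still running: no digest
]
```

Each returned dictionary corresponds to one e-mail; deployments that have not yet logged a Succeeded status are held back until a later run.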
