Here alert setup based on status of a runbook job is mentioned. Can alerts also be made based on the errors present in the errors tab(as given below). So status might say 'completed' but there will be errors in the 'Errors' tab, I am talking about such a situation.
I have tried to reproduce this use case and I believe that alerts can be made based on the errors present in the errors tab i.e., by forwarding job data to Log Analytics and by using below kusto query in your log alert rule.
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.AUTOMATION" and RunbookName_s == "<YourRunbookName>"
| where ResultDescription startswith "Write-Error"
Illustration:
Create a runbook with the content Write-Error -Message "This is an error message". For example, check below screenshot.
enter image description here
Publish the runbook and execute it. Then as shown in below screenshot, you will be able to see the errors present in the Errors tab.
enter image description here
Go to Logs tile of your Log Analytics workspace to which you have forwarded the Azure Automation job data and then run below kusto query to verify if the logs are forwarded or not. For reference, check below screenshot as well.
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.AUTOMATION" and RunbookName_s == "test6_error"
| project TimeGenerated, Category, ResultType, ResultDescription, StreamType_s
enter image description here
As you can see JobStreams category recorded the error thats present in Errors tab in the Azure Automation job so our kusto query can be something like shown below.
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.AUTOMATION" and RunbookName_s == "test6_error"
| where ResultDescription startswith "Write-Error"
| project TimeGenerated, Category, ResultType, ResultDescription, StreamType_s
enter image description here
Related
Hi I am trying to get through powershell the Join Date for all our Azure AD only devices and if possible the account that joined the device?
Get-AzureADDevice and $_.DeviceTrustType do not hold this information.
Dsregcmd only holds registered date - I am hoping to get the actual AD Azure join date and account. Thanks
I tried to reproduce the same in my environment and got the below results:
I have one Azure AD joined device in my directory like below:
To know the device details like join date and account that performed this, you can check Audit Logs like below in Portal:
Mostly joined date and registered date will be same with seconds' gap.
To get the same details via PowerShell, you can execute below command like this:
Get-AzureADAuditDirectoryLogs | where-object Category -eq "Device" | select activityDisplayName,activityDateTime,InitiatedBy | ft
Response:
To get full details of specific activity like Register device, you can filter the command like below:
Get-AzureADAuditDirectoryLogs -Filter "activityDisplayName eq 'Register device' " | where-object Category -eq "Device" | fl
Response:
To get full details of specific activity like Add device, you can filter the command like below:
Get-AzureADAuditDirectoryLogs -Filter "activityDisplayName eq 'Add device' " | where-object Category -eq "Device" | fl
Response:
I am trying to fetch invocation id of an Azure Function using the app insights query:
requests
| project
id,
operation_Name,
operation_Id,
cloud_RoleName,
invocationId=customDimensions['InvocationId']
| where cloud_RoleName =~ 'appname' and operation_Name =~ 'Gen'
And The result table shows no value for invocation id:
Am I missing something? Please let me know in the comment If I can add more information. Thanks.
I tried to reproduce your issue as I have got the invocation Id in the logs by following the below steps:
Created the Function App (.Net Core 6 Stack) in Azure with the HTTP Trigger Function Class inside the Azure Portal.
Open the Function App> Click on Logs in Monitoring Menu (left index pane) > Close this dialog box
Copied your query to get the results, where in the query:
cloud_RoleName is given as FunctionAppName,
operation_Name is given as FunctionName.
I want to track users who clicked verify email B2C button, but do not enter code that they should receive via email. Is there any control of that button in B2C or maybe some kind of "not verified email" storage? I`m using custom templates.
You can use Azure Monitor to determine who at least initaited a email verification but did not complete it. Enable Log Analytics through Azure Monitor https://learn.microsoft.com/en-us/azure/active-directory-b2c/azure-monitor
Then use this query in log analytics:
AuditLogs
| where OperationName == "Verify email address" or OperationName == "Send verification email"
| summarize count() by OperationName, CorrelationId, bin(TimeGenerated, 1h)
| summarize count() by CorrelationId, TimeGenerated
| extend state = iff(count_ == 1, "Abandoned", "Completed")
| summarize dcount(CorrelationId) by TimeGenerated, state
| render timechart
I'm running a query in Azure Log Analytics to list which identities have read a secret from keyvault:
AzureDiagnostics
| where ResourceType == "VAULTS"
| order by TimeGenerated desc
| where OperationName == "SecretGet"
| project identity_claim_appid_g,
identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g,
identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s,
identity_claim_xms_mirid_s
The identity_claim_appid_g column contains the id of a registered application but is it possible to show the display name in the query results as well?
Not what you asked for, but for personal users you can use
identity_claim_unique_name_s
We are debugging our systems to see failed azure posts and want to learn why they failed in the first place.
The AzureMetric and Azure diagnostics are not helping when we are running the query over OMS.
Where do we see which values made us fail ?
Our OMS Query
search *
| where Resource == "xxx-API-NONPRODUCTION"
| where Type == "AzureDiagnostics"
Sample Error from OMS
$table
AzureDiagnostics
TenantId
yyy-0a7b-4833-8fb6-yyy
SourceSystem
Azure
TimeGenerated [UTC]
2017-12-20T15:05:00.845Z
Type
AzureDiagnostics
Environment_s
PROD
lastError_source_s
configuration
lastError_reason_s
OperationNotFound
lastError_message_s
Unable to match incoming request to an operation.
lastError_section_s
backend
OperationName
Microsoft.ApiManagement/GatewayLogs
Category
GatewayLogs
CallerIPAddress
51.yyy.34.yyy
location_s
UK West
method_s
GET
url_s
https://xxx-api-nonproduction.azure-api.net/qa/user/api/zzz/UserAccountExistsByEmailAddressAndIsEnabled/2bdel.qags2012#yopmail.com
cache_s
none
apiId_s
tttt
productId_s
tttt
userId_s
1
apimSubscriptionId_s
vvvv
ResourceId
/SUBSCRIPTIONS/vvvv-2F08-4DED-92B8-vvvv/RESOURCEGROUPS/xxx-CORE-NONPRODUCTION/PROVIDERS/MICROSOFT.APIMANAGEMENT/SERVICE/xxx-API-NONPRODUCTION
SubscriptionId
vvv-vvvv-vvv-vvv-vvv
ResourceGroup
xxx-CORE-NONPRODUCTION
ResourceProvider
MICROSOFT.APIMANAGEMENT
Resource
uuuu-API-NONPRODUCTION
ResourceType
SERVICE
CorrelationId
vvv-vvv-vvv-vvv-vvvvv
isRequestSuccess_b
false
Level_d
4
EventId_d
222
DurationMs
0
responseCode_d
404
responseSize_d
130
By default API management service does not log request body or headers, that can be done but with some extra work. You'll have to use log-to-eventhub policy to send body into eventhub and read it there later to log. Or you could save request body into a variable and return it as a response bidy from on-error section when request fails.
But from your log I can see that you get OperationNotFound: Unable to match incoming request to an operation. That means that URL was called on APIM service that didn't match any operation defined in API. The URL in question is https://xxx-api-nonproduction.azure-api.net/qa/user/api/zzz/UserAccountExistsByEmailAddressAndIsEnabled/2bdel.qags2012#yopmail.com
If we assume that "qa/user" is API suffix, then "/zzz/UserAccountExistsByEmailAddressAndIsEnabled/2bdel.qags2012#yopmail.com" should match URL template of one of operations in such API, and such operation must have method set as GET since that's what is being called.