So, I can see create_or_update logs of my VM on activity logs. There is no filter just to get the create logs as much as I am aware.
So is there any way where I can just see the create logs of a VM using API or commands?
You can follow below steps to achieve your requirement
You need to enable diagnostic settings to activity logs.
refer https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log#send-to-log-analytics-workspace for enabling the diagnostic settings.
Once the Log analytics workspace is established, you can query the logs as
AzureActivity
| where OperationName == 'Create or Update Virtual Machine' and ActivitySubstatusValue == 'Created'
| order by TimeGenerated desc
above output will show only the Create operations. You can further filter it based on your requirement.
Related
I am trying to write a query in Azure Monitor > Logs which displays the status of all virtual machines. I am currently able to display all VMs (in a selected scope) with their heartbeats but can't mention their status (with a green/red code) in the table.
My end goal is to display it on Azure Dashboard so that everyone in the team could look at the status of VMs.
I am pretty new to Azure and still trying to understand how it works. Any guidance will be appreciated.
My current simple heartbeat query is
Heartbeat
| summarize arg_max(TimeGenerated, *) by Computer
This display the following columns,
Computer
TimeGenerated
SourceComputerId
ComputerIP
Category
OSType
along with other details.
I tried to reproduce the same in my environment to create an Azure Dashboard for checking Status of Azure VM:
Go to Azure Portal > Virtual Machines > Click on pin- blade option > Create new.
Create a new dashboard, like below.
Note: If you select a shared option, whoever have RBAC access,they can be able to view the dashboard.
To change the dashboard view to Donut Chart.
Please follow the below steps.
Click on setting option> View >Summery.
Successfully created a dashboard with status.
Assign the RBAC role to user to view the dashboard.
Ex : Monitoring Reader
I am trying to bring in Azure Synapse logs into Loganalytics to create dashboards on usage level.
I have already setup in diagnostic settings to pass on the logs to my loganalytics workspace.
But while trying to execute queries from below documentation, I am getting error saying -
Query -
//Chart the most active resource classes
AzureDiagnostics | where Category contains "ExecRequests" | where
Status_s == "Completed" | summarize totalQueries = dcount(RequestId_s)
by ResourceClass_s | render barchart
Error:
'where' operator: Failed to resolve column or scalar expression named 'Status_s'...
Documentation link for queries : https://learn.microsoft.com/en-us/azure/synapse-analytics/sql-data-warehouse/sql-data-warehouse-monitor-workload-portal
Please let me know if there is something I am missing. I am directly logging to loganalytics workspace and running these queries inside a workbook...
Also i didnt find any proper documentation/blogs/links for connecting synapse to loganalytics, please let me know if anyone has that..
The documentation linked in your post appears to be out of date even though the last update date is recent.
See this link:
Azure services that use resource-specific mode store data in a table
specific to that service and do not use the AzureDiagnostics
table.
The link also lists a number of resource-specific tables for Synapse. "SynapseSqlPoolExecRequests" and "SynapseSqlPoolSqlRequests" are a few examples that might provide the info you're seeking.
I have a log analytics workspace and 2 VMs connected to it. The VMs do not have Guest-OS enabled.
When I navigate to the Log Analytics --> Log blade and run the Azure provided query for "% Free Space" nothing shows up at all.
Do I need to enable Guest-OS for the VMs ? I thought this metric was out-of-the-box by Azure. What am I missing here ?
More observations:
VM1 and VM2 are connected to the log workspace. I enabled guest-os for VM2 ONLY thinking that this is needed. When I ran this Free Space query with log analytics workspace as the scope, I could see the data for VM1 also which was strange.
So I concluded that Guest-OS is not needed for this metric.
So I removed Guest-OS and removed WADPerformaceCounterTable from the storage too.
And now I dont see ANY data for the query
According to my test, if we want to monitor the servers available disk space using Azure Log Analytics, we need to have the Azure monitor agent installed on the VM’s you want to monitor and enable Performance counters in Azure log analysis.. For further details about it, please refer to the blog.
For example(I use windows VM for test)
Enable the Log Analytics VM Extension. For more details, please refer to here and here
Configuring Performance counters
Query
erf
| where ObjectName == "LogicalDisk" or // the object name used in Windows records
ObjectName == "Logical Disk" // the object name used in Linux records
| where CounterName == "Free Megabytes"
| summarize arg_max(TimeGenerated, *) by InstanceName // arg_max over TimeGenerated returns the latest record
| project TimeGenerated, InstanceName, CounterValue, Computer, _ResourceId
I use an Azure VM for personal purposes and use it mostly like I would use a laptop for checking email etc. However, I have several times forgot to stop the VM when I am done using it and thus have had it run idle for days, if not weeks, resulting in unnecessarily high billing.
I want to set up an email (and if possible also SMS and push notification) alert.
I have looked at the alert function in the advisor, but it does not seem to have enough customization to handle such a specific alert (which would also reduce Microsoft's income!).
Do you know any relatively simple way to set up such an alert?
You can take use of Log Analytics workspaces and Custom log search.
The below are the steps to create an alert, which will send the alert if the azure vm is running exactly 1 hour.
First:
you need to create a Log Analytics workspaces and connect to azure vm as per this link.
Sencod:
1.In azure portal, nav to Azure Monitor -> Alerts -> New alert rule.
2.In the "Create rule" page, for Resource, select the Log Analytics workspaces you created ealier. Screenshot as below:
Then for Condition, please select Custom log search. Screenshot as below:
Then in the Configure signal logic page, in Search query, input the following query:
Heartbeat
| where Computer == "yangtestvm" //this is your azure vm name
| order by TimeGenerated desc
For Alert logic: set Based on as Number of results, set Operator as Equal to, set Threshold value as 60.
For Evaluated based on: set Period as 60, set Frequency as 5.
The screenshot as below:
Note:
for the above settings, I query the Heartbeat table. For azure vm which is running, it always sends data to log analytics to the Heartbeat table per minute. So if I want to check if the azure vm is running exactly 1 hour(means it sends 60 data to Heartbeat table), just use the above query, and set the Threshold value to 60.
Another thing is the Period, it also needs to be set as 1 hour(60 minutes) since I just check if the azure vm is running for 1 hour; for Frequecy, you can set it any value you like.
If you understand what I explains, you can change these values as per your need.
At last, set the other settings for this alert.
Please let me know if you still have more issues about this.
Another option is to use the Azure Activity log to determine if a VM has been running for more than a specified amount of time. The benefit to this approach is that you don't need to enable Diagnostic Logging (Log Analytics), it also supports appliances that can't have an agent installed (i.e. NVAs).
The logic behind this query is to determine if the VM is in a running state, and if so has it been running for more than a specified period of time (MaxUpTime).
This is achieved by getting the most recent event of type 'Start' or 'Deallocate', then checking if this event is of type 'Start' and was generated more than 'MaxUpTime' ago
let DaysOfLogsToCheck = ago(7days);
let MaxUptime = ago(2h); // If the VM has been up for this long we want to know about it
AzureActivity
| where TimeGenerated > DaysOfLogsToCheck
// ActivityStatus == "Succeeded" makes more sense, but in practice it can be out of order, so "Started" is better in the real world
| where OperationName in ("Deallocate Virtual Machine", "Start Virtual Machine") and ActivityStatus == "Started"
// We need to keep only the most recent entry of type 'Deallocate Virtual Machine' or 'Start Virtual Machine'
| top 1 by TimeGenerated desc
// Check if the most recent entry was "Start Virtual Machine" and is older than MaxUpTime
| where OperationName == "Start Virtual Machine" and TimeGenerated <= MaxUptime
| project TimeGenerated, Resource, OperationName, ActivityStatus, ResourceId
I'm looking for custom policy to connect and get activity/audit logs from Azure to Log Analytics workspace. There are not build in policy to this so it would need to be done with custom policy. Has anybody created or seen this kinda policy because I have not been able to find? Policy should be AuditIfNotExists and should take Log Analytics workspace as a parameter. I'm not policy specialist so finding policy, would help a lot.
There is no policy to set this up but it is possible to set it up. I got this information from this tutorial:
"The Azure policy compliance status is logged in the Azure subscription’s Activity logs. The Azure Log Analytics workspace can be configured to collect Azure Activity logs from any subscriptions in the same tenant. Azure Monitor alert rules can then be created to execute queries in the Log Analytics workspace on a schedule and generate alerts when non-compliant resources are detected by the query. "
Connect log Analytics workspace to desired subscription
Add Kusto queries in the workspace to get information needed:
Here is an example of a kusto query for Get a list of non-compliant resources from a single policy (using “audit-resources-without-tags-policyDef” definition as an example):
let policyDefId = 'audit-resources-without-tags-policyDef'; AzureActivity | where Category == 'Policy' and Level != 'Informational' | extend p=todynamic(Properties) | extend policies=todynamic(tostring(p.policies)) | mvexpand policy = policies | where policy.policyDefinitionName in (policyDefId) | distinct ResourceId
You can set up alerts using Azure Monitor with a custom log search