NSG Flow Logs don't appear in Azure Monitor - azure

I cannot find corresponding NSG flow logs for the action that I manually triggered. NSG Flow Logs are enabled and configured in the Azure portal under Network Watcher -> NSG Flow Logs. Only default rules are used for outbound NSG.
Here is what I am trying to do. I am expecting flow logs to show up after a few (4) minutes, but they don't.
1) Call API at the Application Gateway #https://api.aspnet4you.com/api/customer/FindAllCustomers?country=United%20States&state=Washington&city=Seattle
2) Query to find app gateway access logs and they show up in about 3 minutes:
AzureDiagnostics
| where TimeGenerated >= now(-15m)
| where clientIP_s !=""
| where Category == "ApplicationGatewayAccessLog"
3) Query NSG Flow logs but NO Result Found!
AzureNetworkAnalytics_CL
| where TimeGenerated >= now(-15m)
| where SubType_s == "FlowLog"
| extend dir = FlowDirection_s
| extend status = FlowStatus_s
| extend src = SrcIP_s
| extend dest = DestIP_s
| extend pubip=PublicIPs_s
| extend cty = Country_s
| project TimeGenerated, FlowType_s, status, dir, DestPort_d, cty, pubip, src, dest, L7Protocol_s, NSGRules_s
4) Checked the configured storage account blobs and I can see flow logs there and those logs are generated in last 15 minutes.
Why do the NSG flow logs not show up while app gateway access logs are showing just fine when I query logs in Azure Monitor (portal)?
Reference Architecture:
https://blogs.aspnet4you.com/wp-content/uploads/2019/01/app-reference-architectures-v2.png
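AzureNetworkAnalytics_CL is fed by Traffic Analytics, which aggregates the blob flow logs in 10- or 60-minute intervals, so the newest row is normally well behind now(). The query below is an added example (not from the question) that reports, per NSG and direction, how many records have arrived, the allowed/denied flow counts, and the lag between the last flow and its ingestion; the column names FlowEndTime_t, NSGList_s and the Allowed*/Denied*Flows_d counters are assumed from the Traffic Analytics schema.

```kusto
// Added example: ingestion lag and allow/deny totals per NSG in the last 6 hours.
// Assumed Traffic Analytics columns: FlowEndTime_t, NSGList_s, FlowDirection_s,
// AllowedInFlows_d, AllowedOutFlows_d, DeniedInFlows_d, DeniedOutFlows_d.
AzureNetworkAnalytics_CL
| where SubType_s == "FlowLog" and TimeGenerated > ago(6h)
| summarize flows        = count(),
            allowed      = sum(coalesce(AllowedInFlows_d, 0.0) + coalesce(AllowedOutFlows_d, 0.0)),
            denied       = sum(coalesce(DeniedInFlows_d, 0.0) + coalesce(DeniedOutFlows_d, 0.0)),
            newestFlow   = max(FlowEndTime_t),     // end of the last aggregated flow interval
            newestIngest = max(TimeGenerated)      // when that interval reached the workspace
          by NSGList_s, FlowDirection_s
// lagMinutes: processing delay of the pipeline; staleMinutes: how old the newest row is now
| extend lagMinutes   = datetime_diff("minute", newestIngest, newestFlow),
         staleMinutes = datetime_diff("minute", now(), newestIngest)
| order by denied desc
```

An empty result here, while blobs keep appearing in the storage account, points at the Traffic Analytics stage (not enabled, or still inside its processing interval) rather than at the flow logs themselves.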


Trigger Azure function via Log alert

Quick context:
I want to delete my VM(s) in a specific resource group if their CPU usage is below 30 for 1 hour.
Detailed explanation: please refer to the alert-action group flow diagram (https://i.stack.imgur.com/I4gBD.png%60 ) or the image flow below.
Resource Group -> Linux VM(s), connected with a Log Analytics workspace
Created Azure Function Delete-VM, written in PowerShell, which will delete the VM
Created Action Group (delete-Action) to trigger a mail notification and the above Azure Function (Delete-VM)
Created alert rule with signal as Log and condition as custom Log query, and configured the above action group to take action.
Custom Query:
Perf | where TimeGenerated > ago(60m) | where (ObjectName == "Processor") | summarize AggregatedValue = avg(CounterValue) by Computer | where AggregatedValue < 100 | project Computer, AggregatedValue
Issue:
When the condition is breached and the alert gets fired:
Only the mail action is triggered.
The Azure Function (Delete DVSM) is not executing.
How do I trigger the Azure Function when the alert fires?
I have followed the blog created by cloudsma.
Workaround follows:
I have created the Alert Group with an email notification alert, and it will trigger the Azure Function.
Adding Alert Rule:
The alert is able to trigger both the email and the Azure Function.
Alert Results
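The custom query in the post averages every Processor counter and every per-core instance together. The query below is an added example (not from the post) that restricts the average to the "% Processor Time" counter of the _Total instance, applies the 30% threshold from the stated goal, and carries _ResourceId so the function called by the action group can identify the VM from the alert payload; the minimum sample count and the _ResourceId column are assumptions.

```kusto
// Added example: VMs whose average total CPU stayed below the threshold for the last hour.
let threshold = 30.0;   // from the post: "CPU usage is below 30"
let window    = 60m;
Perf
| where TimeGenerated > ago(window)
| where ObjectName == "Processor"
    and CounterName == "% Processor Time"
    and InstanceName == "_Total"          // whole-VM value, not one row per core
| summarize AvgCpu     = avg(CounterValue),
            Samples    = count(),
            LastSample = max(TimeGenerated)
          by Computer, _ResourceId        // _ResourceId: assumed populated for Azure VMs
| where AvgCpu < threshold
| where Samples >= 10                     // assumption: ignore VMs with too few samples
| project Computer, _ResourceId, AvgCpu = round(AvgCpu, 1), Samples, LastSample
```

With this as the alert's custom log query and "number of results > 0" as the condition, each row in the alert's search results is one VM that met the idle criterion.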

How do I merge two Kubernetes services in log analytics and see their logs together?

KubePodInventory
| where (ServiceName == tolower("1service") or ServiceName == "authorizer-service") and Namespace == tolower("prod")
| join
(
ContainerLog
)
on ContainerID
| project TimeGenerated, TimeGenerated1, LogEntry, ServiceName
| order by TimeGenerated desc
I have two services running in Kubernetes. One is a regular service, and the other is an authorizer service. For debugging, I would like the logs to show up in time order so that I know at what point, and in which service, the error is showing up.
I want the columns to show as: time the log was generated, service name, and the log.
I don't want them grouped, as that would change the order in which the logs were generated.
Thank you

Azure AKS container logs location in storage account

I want to be able to find specific logs from an AKS container that has diagnostics configured for a storage account. I'm able to generate this kind of query from log analytics:
ContainerLog
| join kind = inner KubePodInventory on $left.ContainerID == $right.ContainerID
| where Namespace == "default" and LogEntry contains "error"
| project TimeGenerated, LogEntry, ContainerName
showing me container logs, yet I'm not able to find the same output in the actual log files saved in the storage account. Shouldn't both receiver services have the same logs available? Here's the list of log types that the AKS cluster generates.
Here's the output from log analytics query:
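Both this question and the earlier one about merging two services' logs join KubePodInventory to ContainerLog. KubePodInventory holds one row per container per collection interval, so a direct join repeats every log line once per inventory row. The query below is an added example (not from either post) that first reduces the inventory to one row per ContainerID, then joins and lists entries chronologically; service and namespace names are the ones from the earlier question, and the 1h window and the "error" filter are assumptions.

```kusto
// Added example: interleaved, de-duplicated container logs for two services.
let lookback = 1h;                                   // assumption
let containers =
    KubePodInventory
    | where TimeGenerated > ago(lookback)
    | where Namespace == "prod" and ServiceName in ("1service", "authorizer-service")
    | extend PodName = Name                           // KubePodInventory.Name is the pod name
    | summarize arg_max(TimeGenerated, ServiceName, PodName, ContainerName) by ContainerID
    | project ContainerID, ServiceName, PodName, ContainerName;   // one row per container
ContainerLog
| where TimeGenerated > ago(lookback)
| join kind=inner containers on ContainerID
| where LogEntry contains "error"                    // remove to see every line
| project TimeGenerated, ServiceName, PodName, ContainerName, LogEntry
| order by TimeGenerated asc                         // chronological, not grouped by service
```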

How to monitor a Windows Service on an Azure VM?

I have a Windows service running on an Azure VM availability set.
What is the best way to instrument monitoring for this service utilizing any of the Azure monitoring solutions?
If you just want to monitor whether it's running or not, you can use Log Analytics. For more details, please refer to this article.
I have tested it at my side, it works well.
1. Create a workspace and enable the Log Analytics VM Extension as per this doc.
2. Once step 1 is completed, navigate to your workspace -> in the left panel, select Advanced settings -> Data -> Windows Event Logs, then in the textbox, type "system", then select System in the dropdown -> click the Add button.
3. Click the Save button.
4. In the left panel, click Logs. Then in the query editor, type the following command (please note that == is case sensitive):
Event
| where TimeGenerated >ago(1d)
| where EventLog == "System" and EventID ==7036 and Source == "Service Control Manager"
| parse kind=relaxed EventData with * '<Data Name="param1">' Windows_Service_Name '</Data><Data Name="param2">' Windows_Service_State '</Data>'*
//you can add a filter by service name here like | where Windows_Service_Name =="Windows Update"
| sort by TimeGenerated desc
| project Computer, Windows_Service_Name, Windows_Service_State, TimeGenerated
5. The test result:
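The answer's query lists every 7036 transition. For monitoring, what matters is the current state: the query below is an added example (not from the answer) that reuses the same parse, keeps only the most recent state per computer and service, and reports services that are still stopped; the watched-service list is a constructed assumption and should be replaced with the service's display name.

```kusto
// Added example: services whose latest Service Control Manager state is "stopped".
// Display names below are constructed examples; use the name shown in services.msc.
let watched = dynamic(["Windows Update", "Windows Event Log", "Windows Time"]);
Event
| where TimeGenerated > ago(1d)
| where EventLog == "System" and EventID == 7036 and Source == "Service Control Manager"
| parse kind=relaxed EventData with * '<Data Name="param1">' ServiceName '</Data><Data Name="param2">' ServiceState '</Data>' *
| where ServiceName in (watched)
// latest transition wins, so a stop followed by a restart does not show up
| summarize arg_max(TimeGenerated, ServiceState) by Computer, ServiceName
| where ServiceState =~ "stopped"
| project Computer, ServiceName, ServiceState, StoppedSince = TimeGenerated
| order by StoppedSince asc
```

Used as a log alert with "number of results > 0", this fires once per evaluation while a watched service remains down, which is the behaviour wanted for a service that must stay running.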

Azure Load Balancer Log Analytics

I have an Azure Load Balancer. I have gone into the Load Balancer resource, Diagnostics logs, ticked 'Send to Log Analytics' and set it to my Azure Log Analytics OMS Workspace.
But when I go into the Log Analytics and run:
AzureDiagnostics
| where Category == "LoadBalancerProbeHealthStatus" and TimeGenerated > ago(3d)
| project ResourceGroup, Resource, TimeGenerated, port_d, totalDipCount_d, dipDownCount_d, healthPercentage_d
I don't get any results. Can anyone help me understand how to make this work?
Check to see whether the AzureDiagnostics table in Log Analytics has reached the maximum of 500 columns.
Run the following query to confirm:
AzureDiagnostics
| getschema
| summarize AggregatedValue = count(ColumnName)
