Azure Load Balancer Log Analytics - azure

I have an Azure Load Balancer,
I have gone into the Load Balancer resource, Diagnostics logs and ticked 'Send to Log Analytics' and set to my Azure Log Analytics OMS Workspace.
But when I go into the Log Analytics and run:
AzureDiagnostics
| where Category == "LoadBalancerProbeHealthStatus" and TimeGenerated > ago(3d)
| project ResourceGroup, Resource, TimeGenerated, port_d, totalDipCount_d, dipDownCount_d, healthPercentage_d
I don't get any results. Can anyone help me understand how to make this work?

Check to see if the Azure Diagnostics table in Log Analytics has reached the max 500 columns.
You can run the following query to confirm:
AzureDiagnostics
| getschema
| summarize AggregatedValue = count(ColumnName)
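As an added diagnostic (not part of the answer above), the first query confirms whether any load balancer rows reach the workspace at all and which categories they carry, and the second reports the column count against the 500-column limit; run them separately.

```kusto
// Added example, not from the original answer. Which diagnostic categories have
// arrived for load balancers in the last 3 days? An empty result means the
// diagnostic setting is not delivering rows, regardless of the column limit.
AzureDiagnostics
| where TimeGenerated > ago(3d)
| where ResourceProvider =~ "MICROSOFT.NETWORK" and ResourceType =~ "LOADBALANCERS"
| summarize Rows = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by Resource, Category
| order by LastSeen desc

// Column count of the AzureDiagnostics table versus the 500-column limit.
// AtLimit = true means new columns (such as port_d or healthPercentage_d)
// can no longer be added to the table.
AzureDiagnostics
| getschema
| summarize Columns = count()
| extend AtLimit = Columns >= 500
```

The LoadBalancerProbeHealthStatus category is emitted only by Basic-SKU load balancers; a Standard-SKU load balancer reports probe health as the Health Probe Status metric instead, so an empty result there is expected.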

Related

Azure AKS container logs location in storage account

I want to be able to find specific logs from AKS containers that have diagnostics configured for a storage account. I'm able to generate this kind of query from Log Analytics:
ContainerLog
| join kind=inner KubePodInventory on $left.ContainerID == $right.ContainerID
| where Namespace == "default" and LogEntry contains "error"
| project TimeGenerated, LogEntry, ContainerName
showing me container logs, yet I'm not able to find the same output in the actual log files saved in the storage account. Shouldn't both receiver services have the same logs available? Here's the list of log types that the AKS cluster generates.
Here's the output from log analytics query:

How to get only create logs of Virtual Machine in Azure?

So, I can see create_or_update logs of my VM in the activity logs. There is no filter to get just the create logs, as far as I am aware.
So is there any way where I can just see the create logs of a VM using API or commands?
You can follow the steps below to achieve your requirement.
You need to enable diagnostic settings for the activity logs.
Refer to https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log#send-to-log-analytics-workspace to enable the diagnostic settings.
Once the Log Analytics workspace is established, you can query the logs as follows:
AzureActivity
| where OperationName == 'Create or Update Virtual Machine' and ActivitySubstatusValue == 'Created'
| order by TimeGenerated desc
The above query will show only the Create operations. You can further filter it based on your requirement.
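An added audit-oriented variant, not part of the answer above: one ARM write produces several AzureActivity rows (Started, Succeeded, and so on), so this collapses them per CorrelationId and matches the stable OperationNameValue rather than the display name, surfacing who created each VM and from where.

```kusto
// Added example, not from the original answer. Who created which VM, and from
// which IP, over the last 30 days. OperationNameValue is the resource-provider
// operation string, which is stable across portal language and renames.
AzureActivity
| where TimeGenerated > ago(30d)
| where OperationNameValue =~ "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE"
| where ActivitySubstatusValue == "Created"      // HTTP 201: a new VM, not an update
| summarize CreatedAt = min(TimeGenerated),
            arg_max(TimeGenerated, Caller, CallerIpAddress, ResourceGroup, _ResourceId)
    by CorrelationId
| project CreatedAt, Caller, CallerIpAddress, ResourceGroup, VM = tolower(_ResourceId)
| order by CreatedAt desc
```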

Determine If VM is on Azure cloud or on premise from log analytics?

I need some help to understand whether we can pull a value through Azure Log Analytics that tells us if a VM is on premises or in Azure.
Right now I am querying IP ranges from the Heartbeat table in Log Analytics and determining from those whether it is on prem or Azure. But this approach does not always work for me, as there are new IP ranges, and it fails if the VMs are on an ExpressRoute VNet. Is there direct table data that can be pulled from Log Analytics?
I got the answer; it was right there in the Heartbeat table in Log Analytics. Below is the Kusto query.
Heartbeat
| distinct Computer , ResourceProvider
| extend VMType = iff(ResourceProvider == 'Microsoft.Compute','AzureVM' , 'OnPremise' )
| project Computer , VMType
All Azure VMs also emit resource IDs, which are present in the "Heartbeat" table in the "_ResourceId" column. The query below should group Azure and non-Azure VMs.
Heartbeat
| distinct Computer, _ResourceId
| extend Environment = iff(_ResourceId != "", "Azure", "Non-Azure")
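An added example that is not part of either answer above, classifying each computer from its most recent heartbeat; it also separates Azure Arc-enabled servers, which carry a _ResourceId too (ResourceProvider "Microsoft.HybridCompute"), so testing _ResourceId alone would report an on-premises Arc server as "Azure".

```kusto
// Added example, not from the original answers. Latest heartbeat per computer,
// then a three-way classification. Arc-enabled servers are on-premises (or in
// another cloud) machines that still have an Azure resource ID.
Heartbeat
| where TimeGenerated > ago(1d)
| summarize arg_max(TimeGenerated, ResourceProvider, ResourceType, _ResourceId, ComputerIP, OSType)
    by Computer
| extend Environment = case(
    ResourceProvider =~ "Microsoft.Compute",       "AzureVM",
    ResourceProvider =~ "Microsoft.HybridCompute", "ArcServer",
    isnotempty(_ResourceId),                       "Azure-Other",
    "OnPremise")
| project Computer, Environment, ResourceProvider, ResourceType,
          LastHeartbeat = TimeGenerated, ComputerIP, OSType
| order by Environment asc, Computer asc
```

Computers that stopped reporting more than a day ago fall out of the result entirely; widen the time filter if you also need to see stale agents.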

Policy to connect subscription's activity logs to log analytics

I'm looking for a custom policy to connect and get activity/audit logs from Azure to a Log Analytics workspace. There is no built-in policy for this, so it would need to be done with a custom policy. Has anybody created or seen this kind of policy? I have not been able to find one. The policy should be AuditIfNotExists and should take the Log Analytics workspace as a parameter. I'm not a policy specialist, so finding such a policy would help a lot.
There is no policy to set this up but it is possible to set it up. I got this information from this tutorial:
"The Azure policy compliance status is logged in the Azure subscription's Activity logs. The Azure Log Analytics workspace can be configured to collect Azure Activity logs from any subscriptions in the same tenant. Azure Monitor alert rules can then be created to execute queries in the Log Analytics workspace on a schedule and generate alerts when non-compliant resources are detected by the query."
Connect the Log Analytics workspace to the desired subscription.
Add Kusto queries in the workspace to get the information needed.
Here is an example of a Kusto query to get a list of non-compliant resources from a single policy (using the "audit-resources-without-tags-policyDef" definition as an example):
let policyDefId = 'audit-resources-without-tags-policyDef';
AzureActivity
| where Category == 'Policy' and Level != 'Informational'
| extend p = todynamic(Properties)
| extend policies = todynamic(tostring(p.policies))
| mv-expand policy = policies
| where policy.policyDefinitionName in (policyDefId)
| distinct ResourceId
You can set up alerts using Azure Monitor with a custom log search.

NSG Flow Logs don't appear in Azure Monitor

I cannot find corresponding NSG flow logs for the action that I manually triggered. NSG Flow Logs are enabled and configured in the Azure portal under Network Watcher -> NSG Flow Logs. Only default rules are used for outbound NSG.
Here is what I am trying to do. I am expecting flow logs to show up after a few (4) minutes, but they don't.
1) Call API at the Application Gateway #https://api.aspnet4you.com/api/customer/FindAllCustomers?country=United%20States&state=Washington&city=Seattle
2) Query to find app gateway access logs and they show up in about 3 minutes:
AzureDiagnostics
| where TimeGenerated >= now(-15m)
| where clientIP_s !=""
| where Category == "ApplicationGatewayAccessLog"
3) Query NSG flow logs, but NO results found!
AzureNetworkAnalytics_CL
| where TimeGenerated >= now(-15m)
| where SubType_s == "FlowLog"
| extend dir = FlowDirection_s
| extend status = FlowStatus_s
| extend src = SrcIP_s
| extend dest = DestIP_s
| extend pubip=PublicIPs_s
| extend cty = Country_s
| project TimeGenerated, FlowType_s, status, dir, DestPort_d, cty, pubip, src, dest, L7Protocol_s, NSGRules_s
4) Checked the configured storage account blobs. I can see flow logs there, and those logs were generated in the last 15 minutes.
Why do the NSG flow logs not show up while app gateway access logs are showing just fine when I query logs in Azure Monitor (portal)?
Reference Architecture:
https://blogs.aspnet4you.com/wp-content/uploads/2019/01/app-reference-architectures-v2.png
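An added diagnostic query, not part of the question above: rows in AzureNetworkAnalytics_CL are written by Traffic Analytics only after it processes a whole interval (10 or 60 minutes), so a 15-minute window can legitimately be empty; this query measures how far behind the blobs the table actually is, using the FlowEndTime_t and NSGList_s columns, which are not shown in the question.

```kusto
// Added example, not from the original question. Is Traffic Analytics delivering
// flow-log rows at all, and what is the lag between a flow ending and the row
// being ingested? A lag of 10-60+ minutes is normal for this table.
AzureNetworkAnalytics_CL
| where TimeGenerated > ago(3h)
| where SubType_s == "FlowLog"
| extend IngestLagMin = datetime_diff("minute", TimeGenerated, FlowEndTime_t)
| summarize Rows = count(),
            LatestFlow = max(FlowEndTime_t),
            LatestIngest = max(TimeGenerated),
            AvgLagMin = avg(IngestLagMin),
            MaxLagMin = max(IngestLagMin)
    by NSG = NSGList_s, FlowDirection_s
| order by LatestIngest desc
```

If the query returns nothing even over 3 hours while the storage account has fresh blobs, Traffic Analytics is not enabled for that flow log or points at a different workspace; the NSG flow log setting alone only writes to storage.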
