Send resource logs to Log Analytics workspace

Send resource logs to Log Analytics workspace

We have seen how to send the activity logs generated for a subscription to log analytics workspace. It makes it easy to analyze all the logs at one place.

Let’s see how to collect the resource logs and analyze them using Log Analytics workspace.

Activity Log vs Resource Logs

Activity logs are generated only when somebody is performing some activity on Azure resources, e.g. creating / modifying / deleting the resource itself.

Resource logs are platform logs that provide insight into operations that were performed within an Azure resource. For example, retrieving a key from key vault, or accessing data from database, etc.

That’s why contents of resource logs may vary depending on the resource. Resource logs are not collected by default. The collection needs to be enabled using diagnostic setting.

In this article, we will create a demo in which resource logs would be sent to log analytics workspace. We will use key vault as an example, but the steps to enable resource logs on any other resource types are almost the same.

Create Log Analytics Workspace

Login to Azure Portal and search for log analytics workspaces in the search box provided in top navigation bar. A new panel as shown below will open. Then click on Add button to add a new workspace.

Azure Portal: Log Analytics workspaces
Azure Portal: Log Analytics workspaces

On the Add new workspace panel, provide below inputs:

  • Subscription, a valid Azure subscription
  • Resource Group, a logical container for the new resource
  • Name, a valid name for the new resource
  • Region, an Azure region, physical location for the new resource

Then click on Review + Create button. After validation is successful, clikc on Create button to create the resource.

Azure Portal: Create Log Analytics Workspace
Azure Portal: Create Log Analytics Workspace

This will select a default pricing tier of Pay-as-you-go which will not incur any changes until you start collecting a sufficient amount of data. There is no charge for collecting the Activity log.

Key Vault: Diagnostic Setting

Login to Azure Portal and open the key vault on which you want to enable resource logs and select Monitoring -> Diagnostic Setting option from left navigation. Then click on Add diagnostic setting option.

NOTE: Although we are using key vault as an example, any type of Azure resource can be used here.  The steps to enable diagnostic settings are almost the same
Azure Portal: Enable resource logs for Azure resource
Azure Portal: Enable resource logs for Azure resource

Then, provide below information on the new diagnostic setting panel:

  • Name, a valid name for this setting
  • Category details, select both check boxes under logs and metrics
  • Destination Details, select send to log analytics option. In the same section provide a valid subscription name and log analytics workspace which was created for this purpose.

Then hit the Save button.

Azure Portal: diagnostic setting for enabling resource log
Azure Portal: diagnostic setting for enabling resource log

Viewing the resource logs

For verification, I ran the an app service which uses the key vault. The app service accessed secrets from key vault and this generated resource logs on the key vault.

For viewing those logs, navigate to the same key vault in Azure Portal on which the diagnostic setting is created in previous step. Select Logs under Monitoring section.

Then in the query editor run the query AzureDiagnostics to see the audit events. The service shown in the example writes resource logs to the AzureDiagnostics table, but other services may write to other tables.

For more information, See Supported services, schemas, and categories for Azure Resource Logs for tables used by different Azure services.

Azure Portal: Querying resource logs
Azure Portal: Querying resource logs

For your information about log queries, see Get started with log queries in Azure Monitor for a tutorial on writing log queries.

I hope you enjoyed this article. Let me know your thoughts.

Leave a Reply