How to collect custom logs using Azure Monitor Agent?

Prabhjot Singh 220 Reputation points
2023-08-10T10:02:55.9833333+00:00

In a specific scenario, I've established a requirement to observe the ccm.log content within an Azure Log Analytics Workspace. To achieve this, I've taken the initiative of creating a dedicated custom table within the workspace, aligning its columns with the pertinent attributes present in the ccm.log, namely DateTime, Source, Component, and Thread. In parallel, I've meticulously configured distinct data collection rules tailored to capture the custom logs, precisely specifying the desired time frame for data collection. After this preparation, I observed the custom table making its appearance within the Log Analytics Workspace after a short period of time.

However, upon attempting to query for the ccm.log content using the defined parameters, I've encountered an issue where the logs fail to surface in the query results. My objective ultimately centers around the effective collection and analysis of these custom logs via the utilization of the Azure Monitor Agent. In light of these circumstances, I'm seeking guidance on potential factors that might contribute to the absence of logs in the query results despite the successful establishment of the custom table and data collection rules.


Accepted answer
  1. Ryan Hill 29,291 Reputation points Microsoft Employee
    2023-08-15T15:16:06.2133333+00:00

    Hi @Prabhjot Singh

    I'm assuming you followed the Collect text logs with Azure Monitor Agent documentation to configure your DCR with Azure Monitor Agent. Here are some things you can check in addition to the agent troubleshooter.

    • Check to see if the agent is collecting the logs. Navigate to the AMA's configuration file and check that your file is under the DataCollection section.
    • Check ingestion by broadening your query, i.e. SCCML_CL | take 10, to see if any logs were ingested to begin with.

    I also suggest using the AMA Troubleshooter to help shed some light on why your ccm.log possibly isn't being ingested by the agent. It could point to a configuration issue with your DCR.
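
Added example (not part of the answer above, and not Microsoft tooling): a Python check that an exported DCR's text-log source, stream declaration, data flow and output table are wired together consistently, since a mismatch there leaves the custom table empty. The sample DCR, the stream name, the file path and the TimeGenerated/RawData column expectation for text-log streams are assumptions based on the documented DCR layout, not values from this thread.

```python
import json

# Constructed sample DCR (not from the thread); every name and path is an assumption.
SAMPLE_DCR = json.loads(r"""
{"properties": {
  "streamDeclarations": {"Custom-Text-SCCML_CL": {"columns": [
      {"name": "TimeGenerated", "type": "datetime"},
      {"name": "RawData", "type": "string"}]}},
  "dataSources": {"logFiles": [{
      "name": "ccmLog", "format": "text",
      "streams": ["Custom-Text-SCCML_CL"],
      "filePatterns": ["C:\\Logs\\ccm.log"]}]},
  "destinations": {"logAnalytics": [{"name": "la-dest"}]},
  "dataFlows": [{"streams": ["Custom-Text-SCCML_CL"],
      "destinations": ["la-dest"],
      "transformKql": "source", "outputStream": "Custom-SCCML_CL"}]}}
""")

def check_dcr(dcr, table):
    """Return a list of findings; an empty list means the wiring is consistent."""
    p = dcr.get("properties", dcr)
    declared = p.get("streamDeclarations", {})
    dests = {d["name"] for d in p.get("destinations", {}).get("logAnalytics", [])}
    flows = p.get("dataFlows", [])
    findings = []
    for src in p.get("dataSources", {}).get("logFiles", []):
        if not src.get("filePatterns"):
            findings.append(f"{src.get('name')}: no filePatterns")
        for stream in src.get("streams", []):
            if not stream.startswith("Custom-"):
                findings.append(f"{stream}: custom streams start with 'Custom-'")
            cols = {c["name"] for c in declared.get(stream, {}).get("columns", [])}
            if stream not in declared:
                findings.append(f"{stream}: not in streamDeclarations")
            elif not {"TimeGenerated", "RawData"} <= cols:
                # Assumption: text-log input streams carry these two columns;
                # parsed columns are produced by transformKql.
                findings.append(f"{stream}: missing TimeGenerated/RawData columns")
            routed = [f for f in flows if stream in f.get("streams", [])]
            if not routed:
                findings.append(f"{stream}: no dataFlow routes this stream")
            for f in routed:
                if not set(f.get("destinations", [])) <= dests:
                    findings.append(f"{stream}: dataFlow uses undefined destination")
                if f.get("outputStream") != f"Custom-{table}":
                    findings.append(f"{stream}: outputStream {f.get('outputStream')!r}"
                                    f" does not target Custom-{table}")
    return findings

if __name__ == "__main__":
    print(check_dcr(SAMPLE_DCR, "SCCML_CL") or "DCR wiring looks consistent")
```

Run it against the JSON view of your own DCR with the custom table name as the second argument; each finding names the stream to inspect.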

