Azure database for MySQL azuremetrics connections_failed tracking

sandeep pigilam 116 Reputation points
2021-06-08T14:56:48.343+00:00

Hi,
In Azure database for MySQL audit logs, i can find failed connections count using this KQL Query1 and Query2 mentioned below.

But my question here is ..

how to know what are these failed connections, meaning which query is failing or which query is giving me error which is linked to this failed connection ? Can you please provide some KQL queries to track down these connection failures.

Query1:
AzureMetrics
| project TimeGenerated, MetricName, Total, UnitName
| where MetricName =='connections_failed'

Query2:
AzureDiagnostics
| where ResourceProvider =="MICROSOFT.DBFORMYSQL"
and Category == 'MySqlAuditLogs' and event_class_s == "connection_log" and (event_subclass_s == 'CONNECT' or event_subclass_s == 'DISCONNECT')

Azure Database for MySQL
Azure Database for MySQL
An Azure managed MySQL database service for app development and deployment.
864 questions
{count} votes

Accepted answer
  1. sandeep pigilam 116 Reputation points
    2021-06-21T15:22:04.953+00:00

    hi @AnuragSharma-MSFT , The above query is not correct. Please find the correct query and correct me if any. If there is any failed connection like wrong password , it tries to connect to the db with CONNECT and there wont be any DISCONNECT for that connection so i made this query and worked for me.

    let startdt=datetime(6/21/2021, 0:00:00.000 PM);
    let enddt=datetime(6/22/2021, 0:00:00.000 PM);
    let x=
    (AzureDiagnostics
    | where ResourceProvider =="MICROSOFT.DBFORMYSQL"
    and Category == 'MySqlAuditLogs' and event_class_s == "connection_log" and ( event_subclass_s == 'CONNECT')
    and TimeGenerated > startdt and TimeGenerated < enddt
    | project TimeGenerated, event_class_s, event_subclass_s, user_s , ip_s , connection_id_d, db_s
    );
    let y=
    (AzureDiagnostics
    | where ResourceProvider =="MICROSOFT.DBFORMYSQL"
    and Category == 'MySqlAuditLogs' and event_class_s == "connection_log" and ( event_subclass_s == 'DISCONNECT')
    and TimeGenerated > startdt and TimeGenerated < enddt
    | project TimeGenerated, event_class_s, event_subclass_s, user_s , ip_s , connection_id_d, db_s
    );
    x | join kind=leftanti y on connection_id_d | order by connection_id_d


2 additional answers

Sort by: Most helpful
  1. Anurag Sharma 17,606 Reputation points
    2021-06-17T08:17:29.903+00:00

    Hi @sandeep pigilam , thanks for your patience.

    We can run below query to understand which queries failed and what is the SQL text of them. This also provides the user id and ip address from where it is fired.

    AzureDiagnostics  
    | where LogicalServerName_s == 'anuragmysqlserver'  
    | where Category == 'MySqlAuditLogs'   
    | where event_subclass_s  == 'ERROR'  
    | order by TimeGenerated desc   
    

    Please let us know if this helps.

    ----------

    If answer helps, you can mark it 'Accept Answer'


  2. Joseph VS 0 Reputation points
    2023-11-29T12:19:11.57+00:00

    hi @AnuragSharma-MSFT , Please find the correct query. If there is any failed connection like the wrong password and Username, it tries to connect to the db with CONNECT and there won't be any DISCONNECT for that connection and No general logs so I made this query, and worked for me.

    let startdt=datetime(11/29/2023, 09:59:00.000 AM);
    let enddt=datetime(11/29/2023, 10:55:00.000 AM);
    let connect= (AzureDiagnostics
    | where ResourceProvider =="MICROSOFT.DBFORMYSQL"
    and Category == 'MySqlAuditLogs' and event_class_s == "connection_log" and ( event_subclass_s == 'CONNECT')
    and TimeGenerated > startdt and TimeGenerated < enddt
    | project TimeGenerated, event_class_s, event_subclass_s, user_s , ip_s , connection_id_d, db_s);
    let disconnect= (AzureDiagnostics
    | where ResourceProvider =="MICROSOFT.DBFORMYSQL"
    and Category == 'MySqlAuditLogs' and event_class_s == "connection_log" and ( event_subclass_s == 'DISCONNECT')
    and TimeGenerated > startdt and TimeGenerated < enddt
    | project TimeGenerated, event_class_s, event_subclass_s, user_s , ip_s , connection_id_d, db_s);
    let connection_log = (connect | join kind=leftanti disconnect on connection_id_d | order by connection_id_d);
    let general_log = (AzureDiagnostics
    | where ResourceProvider =="MICROSOFT.DBFORMYSQL"
    and Category == 'MySqlAuditLogs' and event_class_s == "general_log"
    and TimeGenerated > startdt and TimeGenerated < enddt
    | project TimeGenerated, event_class_s, event_subclass_s, user_s , ip_s , thread_id_d, db_s);
    connection_log | join kind=leftanti general_log on $left.connection_id_d == $right.thread_id_d | order by connection_id_d
    
    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.