Tutorial: Create a log query alert for an Azure resource
Azure Monitor alerts proactively notify you when important conditions are found in your monitoring data. Log query alert rules create an alert when a log query returns a particular result. For example, receive an alert when a particular event is created on a virtual machine, or send a warning when excessive anonymous requests are made to a storage account.
In this tutorial, you learn how to:
- Access prebuilt log queries designed to support alert rules for different kinds of resources
- Create a log query alert rule
- Create an action group to define notification details
To complete this tutorial you need the following:
- An Azure resource to monitor. You can use any resource in your Azure subscription that supports diagnostic settings. To determine whether a resource supports diagnostic settings, go to its menu in the Azure portal and verify that there's a Diagnostic settings option in the Monitoring section of the menu.
If you're using any Azure resource other than a virtual machine:
- A diagnostic setting to send the resource logs from your Azure resource to a Log Analytics workspace. See Tutorial: Create Log Analytics workspace in Azure Monitor.
If you're using an Azure virtual machine:
- A data collection rule to send guest logs and metrics to a Log Analytics workspace. See Tutorial: Collect guest logs and metrics from Azure virtual machine.
Select a log query and verify results
Data is retrieved from a Log Analytics workspace using a log query written in Kusto Query Language (KQL). Insights and solutions in Azure Monitor will provide log queries to retrieve data for a particular service, but you can work directly with log queries and their results in the Azure portal with Log Analytics.
Select Logs from your resource's menu. Log Analytics opens with the Queries window that includes prebuilt queries for your Resource type. Select Alerts to view queries specifically designed for alert rules.
If the Queries window doesn't open, click Queries in the top right.
Select a query and click Run to load it in the query editor and return results. You may want to modify the query and run it again. For example, the Show anonymous requests query for storage accounts is shown below. You may want to modify the AuthenticationType or filter on a different column.
Create alert rule
Once you verify your query, you can create the alert rule. Select New alert rule to create a new alert rule based on the current log query. The Scope will already be set to the current resource. You don't need to change this value.
On the Condition tab, the Log query will already be filled in. The Measurement section defines how the records from the log query will be measured. If the query doesn't perform a summary, then the only option will be to Count the number of Table rows. If the query includes one or more summarized columns, then you'll have the option to use number of Table rows or a calculation based on any of the summarized columns. Aggregation granularity defines the time interval over which the collected values are aggregated.
Split by dimensions allows you to create separate alerts for different resources. This setting is useful when you're creating an alert rule that applies to multiple resources. With the scope set to a single resource, this setting typically isn't used.
If you need a certain dimension(s) included in the alert notification email, you can specify a dimension (e.g. "Computer"), the alert notification email will include the computer name that triggered the alert. The alerting engine uses the alert query to determine the available dimensions. If you do not see the dimension you want in the drop-down list for the "Dimension name", it is because the alert query does not expose that column in the results. You can easily add the dimensions you want by adding a Project line to your query that includes the columns you want to use. You can also use the Summarize line to add additional columns to the query results.
Configure alert logic
In the alert logic, configure the Operator and Threshold value to compare to the value returned from the measurement. An alert is created when this value is true. Select a value for Frequency of evaluation which defines how often the log query is run and evaluated. The cost for the alert rule increases with a lower frequency. When you select a frequency, the estimated monthly cost is displayed in addition to a preview of the query results over a time period.
For example, if the measurement is Table rows, the alert logic may be Greater than 0 indicating that at least one record was returned. If the measurement is a columns value, then the logic may need to be greater than or less than a particular threshold value. In the example below, the log query is looking for anonymous requests to a storage account. If an anonymous request has been made, then we should trigger an alert. In this case, a single row returned would trigger the alert, so the alert logic should be Greater than 0.
Action groups define a set of actions to take when an alert is fired such as sending an email or an SMS message.
Click Add action groups to add one to the alert rule.
If you don't already have an action group in your subscription to select, then click Create action group to create a new one.
Select a Subscription and Resource group for the action group and give it an Action group name that will appear in the portal and a Display name that will appear in email and SMS notifications.
Select the Notifications tab and add one or more methods to notify appropriate people when the alert is fired.
Configure different settings for the alert rule in the Alert rule details section.
- Alert rule name which should be descriptive since it will be displayed when the alert is fired.
- Optionally provide a Description that's included in the details of the alert.
- Subscription and Resource group where the alert rule will be stored. This doesn't need to be in the same resource group as the resource that you're monitoring.
- Severity for the alert. The severity allows you to group alerts with a similar relative importance. A severity of Error is appropriate for an unresponsive virtual machine.
- Keep the box checked to Enable alert upon creation.
- Keep the box checked to Automatically resolve alerts. This will make the alert stateful, which means that the alert is resolved when the condition isn't met anymore.
Click Create alert rule to create the alert rule.
View the alert
When an alert fires, it will send any notifications in its action groups. You can also view the alert in the Azure portal.
Select Alerts from the resource's menu. If there are any open alerts for the resources, they will be included in the view.
Click on a severity to show the alerts with that severity. Select the Alert state and unselect Closed to view only open alerts.
Click on the name of an alert to view its detail.
Now that you've learned how to create a log query alert for an Azure resource, have a look at workbooks for creating interactive visualizations of monitoring data.