Monitor Azure Event Hubs
When you have critical applications and business processes relying on Azure resources, you want to monitor those resources for their availability, performance, and operation. This article describes the monitoring data generated by Azure Event Hubs and how to analyze and alert on this data with Azure Monitor.
What is Azure Monitor?
Azure Event Hubs creates monitoring data using Azure Monitor, which is a full stack monitoring service in Azure. Azure Monitor provides a complete set of features to monitor your Azure resources. It can also monitor resources in other clouds and on-premises.
Start with the article Monitoring Azure resources with Azure Monitor, which describes the following concepts:
- What is Azure Monitor?
- Costs associated with monitoring
- Monitoring data collected in Azure
- Configuring data collection
- Standard tools in Azure for analyzing and alerting on monitoring data
The following sections build on this article by describing the specific data gathered for Azure Event Hubs. These sections also provide examples for configuring data collection and analyzing this data with Azure tools.
Monitoring data from Azure Event Hubs
Azure Event Hubs collects the same kinds of monitoring data as other Azure resources that are described in Monitoring data from Azure resources.
See Azure Event Hubs monitoring data reference for a detailed reference of the logs and metrics created by Azure Event Hubs.
Collection and routing
Platform metrics and the activity log are collected and stored automatically, but can be routed to other locations by using a diagnostic setting.
Resource Logs aren't collected and stored until you create a diagnostic setting and route them to one or more locations.
See Create diagnostic setting to collect platform logs and metrics in Azure for the detailed process for creating a diagnostic setting using the Azure portal, CLI, or PowerShell. When you create a diagnostic setting, you specify which categories of logs to collect. The categories for Azure Event Hubs are listed in Azure Event Hubs monitoring data reference.
Azure Monitor doesn't include dimensions in the exported metrics data, that's sent to a destination like Azure Storage, Azure Event Hubs, Log Analytics, etc.
If you use Azure Storage to store the diagnostic logging information, the information is stored in containers named insights-logs-operationlogs and insights-metrics-pt1m. Sample URL for an operation log:
https://<Azure Storage account>.blob.core.windows.net/insights-logs-operationallogs/resourceId=/SUBSCRIPTIONS/<Azure subscription ID>/RESOURCEGROUPS/<Resource group name>/PROVIDERS/MICROSOFT.SERVICEBUS/NAMESPACES/<Namespace name>/y=<YEAR>/m=<MONTH-NUMBER>/d=<DAY-NUMBER>/h=<HOUR>/m=<MINUTE>/PT1H.json. The URL for a metric log is similar.
Azure Event Hubs
If you use Azure Event Hubs to store the diagnostic logging information, the information is stored in Event Hubs instances named insights-logs-operationlogs and insights-metrics-pt1m. You can also select your own event hub.
If you use Log Analytics to store the diagnostic logging information, the information is stored in tables named AzureDiagnostics and AzureMetrics.
Enabling these settings requires additional Azure services (storage account, event hub, or Log Analytics), which may increase your cost. To calculate an estimated cost, visit the Azure pricing calculator.
When you enable metrics in a diagnostic setting, dimension information is not currently included as part of the information sent to a storage account, event hub, or log analytics.
The metrics and logs you can collect are discussed in the following sections.
You can analyze metrics for Azure Event Hubs, along with metrics from other Azure services, by selecting Metrics from the Azure Monitor section on the home page for your Event Hubs namespace. See Getting started with Azure Metrics Explorer for details on using this tool. For a list of the platform metrics collected, see Monitoring Azure Event Hubs data reference metrics.
For reference, you can see a list of all resource metrics supported in Azure Monitor.
Azure Monitor metrics data is available for 90 days. However, when creating charts only 30 days can be visualized. For example, if you want to visualize a 90 day period, you must break it into three charts of 30 days within the 90 day period.
Filter and split
For metrics that support dimensions, you can apply filters using a dimension value. For example, add a filter with
EntityName set to the name of an event hub. You can also split a metric by dimension to visualize how different segments of the metric compare with each other. For more information of filtering and splitting, see Advanced features of Azure Monitor.
Using Azure Monitor Log Analytics requires you to create a diagnostic configuration and enable Send information to Log Analytics. For more information, see the Collection and routing section. Data in Azure Monitor Logs is stored in tables, with each table having its own set of unique properties. Azure Event Hubs stores data in the following tables: AzureDiagnostics and AzureMetrics.
When you select Logs from the Azure Event Hubs menu, Log Analytics is opened with the query scope set to the current workspace. This means that log queries will only include data from that resource. If you want to run a query that includes data from other databases or data from other Azure services, select Logs from the Azure Monitor menu. See Log query scope and time range in Azure Monitor Log Analytics for details.
For a detailed reference of the logs and metrics, see Azure Event Hubs monitoring data reference.
Sample Kusto queries
When you select Logs from the Azure Event Hubs menu, Log Analytics is opened with the query scope set to the current Azure Event Hubs namespace. This means that log queries will only include data from that resource. If you want to run a query that includes data from other workspaces or data from other Azure services, select Logs from the Azure Monitor menu. See Log query scope and time range in Azure Monitor Log Analytics for details.
Following are sample queries that you can use to help you monitor your Azure Event Hubs resources:
Get errors from the past seven days
AzureDiagnostics | where TimeGenerated > ago(7d) | where ResourceProvider =="MICROSOFT.EVENTHUB" | where Category == "OperationalLogs" | summarize count() by "EventName"
Get runtime audit logs generated in the last one hour.
AzureDiagnostics | where TimeGenerated > ago(1h) | where ResourceProvider =="MICROSOFT.EVENTHUB" | where Category == "RuntimeAuditLogs"
Get access attempts to a key vault that resulted in "key not found" error.
AzureDiagnostics | where ResourceProvider == "MICROSOFT.EVENTHUB" | where Category == "Error" and OperationName == "wrapkey" | project Message
Get operations performed with a key vault to disable or restore the key.
AzureDiagnostics | where ResourceProvider == "MICROSOFT.EVENTHUB" | where Category == "info" and OperationName == "disable" or OperationName == "restore" | project Message
Get capture failures and their duration in seconds
AzureDiagnostics | where ResourceProvider == "MICROSOFT.EVENTHUB" | where Category == "ArchiveLogs" | summarize count() by "failures", "durationInSeconds"
Use runtime logs
Azure Event Hubs allows you to monitor and audit data plane interactions of your client applications using runtime audit logs and application metrics logs.
Using Runtime audit logs you can capture aggregated diagnostic information for all data plane access operations such as publishing or consuming events. Application metrics logs capture the aggregated data on certain runtime metrics (such as consumer lag and active connections) related to client applications are connected to Event Hubs.
Runtime audit logs are available only in premium and dedicated tiers.
Enable runtime logs
You can enable either runtime audit logs or application metrics logs by selecting Diagnostic settings from the Monitoring section on the Event Hubs namespace page in Azure portal. Click on Add diagnostic setting as shown below.
Then you can enable log categories RuntimeAuditLogs or ApplicationMetricsLogs as needed.
Once runtime logs are enabled, Event Hubs will start collecting and storing them according to the diagnostic setting configuration.
Publish and consume sample data
To collect sample runtime audit logs in your Event Hubs namespace, you can publish and consume sample data using client applications which are based on Event Hubs SDK (AMQP) or using any Apache Kafka client application.
Analyze runtime audit logs
You can analyze the collected runtime audit logs using the following sample query.
AzureDiagnostics | where TimeGenerated > ago(1h) | where ResourceProvider == "MICROSOFT.EVENTHUB" | where Category == "RuntimeAuditLogs"
By analyzing these logs you should be able to audit how each client application interacts with Event Hubs. Each field associated with runtime audit logs are defined in runtime audit logs reference.
Analyze application metrics
You can analyze the collected application metrics logs using the following sample query.
AzureDiagnostics | where TimeGenerated > ago(1h) | where Category == "ApplicationMetricsLogs"
Therefore you can use application metrics to monitor runtime metrics such as consumer lag or active connection from a given client application. Each field associated with runtime audit logs are defined in application metrics logs reference.
You can access alerts for Azure Event Hubs by selecting Alerts from the Azure Monitor section on the home page for your Event Hubs namespace. See Create, view, and manage metric alerts using Azure Monitor for details on creating alerts.
Submit and view feedback for