Exercise - Integrate logs with a Log Analytics workspace

In this exercise, you create a Log Analytics workspace in the Azure portal. You then direct the audit and sign-in log files to your Log Analytics workspace. Finally, you use a workbook template to create a workbook that holds a query report.

In this exercise, you'll:

  • Create a Log Analytics workspace.
  • Send log files to your Log Analytics workspace.
  • Use a workbook template to hold a query report.
  • View your saved workbook.

Note

This exercise is optional. If you don't have an Azure account, you can read through the following instructions to understand how to use Log Analytics and workbooks.

If you want to complete this exercise but you don't have an Azure subscription or prefer not to use your own account, you can create a free account before you begin.

Create a Log Analytics workspace

  1. In the Azure portal, select Create a resource.

  2. In the Search box, enter log analytics.

    Screenshot of Log Analytics search results.

  3. In the results list, select Log Analytics Workspace, and then select Create. Select or enter the following details:

    1. Under Project details, select the subscription to use for your workspace. Select an existing resource group or select Create new to create a new resource group.

    2. Under Instance details, enter a name for the workspace. For this exercise, enter ContosoWorkspace followed by several extra characters so that the workspace name is unique. For Region, select the location nearest you.

    Screenshot that shows new Log Analytics workspace options.

  4. Select Next : Review + Create >, and then check the settings. The pricing tier is automatically set to Pay-as-you-go and is based on a per-gigabyte (GB) cost.

  5. Select Create.

Send logs to your Log Analytics workspace

To stream the audit and sign-in logs to your Log Analytics workspace:

  1. In the Azure portal, go to your Microsoft Entra instance.

  2. In the left menu under Monitoring, select Diagnostic settings, and then select Add diagnostic setting.

    Screenshot that shows adding a new diagnostic setting.

  3. In the Diagnostic setting pane:

    1. In Diagnostic setting name, enter a name for the setting, like SendToLogAnalytics.
    2. Under Logs > Categories, select AuditLogs and SignInLogs.
    3. Under Destination details, select Send to Log Analytics workspace. Select or enter the subscription and Log Analytics workspace to use. For this exercise, select the Log Analytics workspace you created, ContosoWorkspace appended with unique characters.

    Screenshot that shows the details of a new diagnostic setting.

  4. Select Save.
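Once the diagnostic setting is saved, it is worth confirming that both selected categories are actually landing in the workspace before building anything on top of them. The following query is an added check and is not part of the original exercise; it assumes the default table names that Microsoft Entra diagnostic settings write to (AuditLogs and SigninLogs) and is meant to be run from Logs in the ContosoWorkspace workspace you created. New data can take a while to appear after the setting is saved, so an empty result immediately after saving is not by itself a sign that the setting is wrong.

```kql
// Added check (not part of the original exercise): confirm that the two
// categories chosen in the diagnostic setting (AuditLogs and SignInLogs)
// are arriving in the workspace. isfuzzy=true lets the query run even if
// one of the tables has not been created yet because no data has arrived.
union isfuzzy=true AuditLogs, SigninLogs
| where TimeGenerated >= ago(1h)
| summarize eventCount = count(), latestEvent = max(TimeGenerated) by Type
| sort by Type asc
```

A row for each of AuditLogs and SigninLogs with a recent latestEvent means the pipeline is working; a missing row after a reasonable wait usually points back at the category selection or the workspace chosen under Destination details.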

Use a workbook template to hold a query report

Next, begin with a workbook template to create a workbook that will hold a query report:

  1. In the Azure portal, go to your Log Analytics workspace.

  2. In the left menu under General, select Workbooks.

  3. Select the Default Template tile.

    Screenshot that shows a default workbooks template.

  4. For this exercise, you want to know the most common user event for the past week. In your query editor, paste the following query:

    AuditLogs
    | where TimeGenerated >= ago(7d)
    | summarize auditCount = count() by OperationName
    | sort by auditCount desc
    
  5. In the menu bar, select Run Query, and then select Done editing:

    Screenshot that shows adding a query to a workbooks template and selecting run.

  6. In the menu bar, select Save.

    Screenshot that shows the Save menu option for a Log Analytics query.

  7. Enter a descriptive name, like Common User Events Last 7 days.

  8. Select or enter the subscription, resource group, and location you want to use. Select Save.

    Screenshot that shows details and the Save button for a Log Analytics query.
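The workbook query above summarizes the AuditLogs table. Because the same diagnostic setting also streams SignInLogs, a natural companion report is one over the SigninLogs table. The query below is an added example, not from the original exercise, and assumes the standard SigninLogs columns (UserPrincipalName, ResultType, ResultDescription, IPAddress). A ResultType of "0" is a successful sign-in; any other value is a failure code, so filtering those out leaves only failed attempts, grouped by account and failure reason.

```kql
// Added example (not part of the original exercise): the sign-in counterpart
// of the audit query. It lists the accounts with the most failed sign-ins in
// the past 7 days, how many distinct source IP addresses were involved, and
// when the most recent failure occurred. ResultType "0" is success, so it is
// excluded.
SigninLogs
| where TimeGenerated >= ago(7d)
| where ResultType != "0"
| summarize failedCount = count(),
            distinctSourceIPs = dcount(IPAddress),
            lastFailure = max(TimeGenerated)
            by UserPrincipalName, ResultType, ResultDescription
| sort by failedCount desc
| take 20
```

You can paste this into a second query step of the same workbook, run it, and save the workbook again so the audit and sign-in reports sit side by side.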

View a saved workbook

To view the workbook you saved, stay in your Log Analytics workspace and, in the left menu under General, select Workbooks. Look for the workbook tile under Recently modified workbooks.

Screenshot that shows how to find modified workbooks.