Ingest Azure Diagnostic logging in Log Analytics (OMS) Part 2


In part 1 we looked at enabling diagnostic logging on Azure resources via the Portal or via PowerShell.
Now, let’s get this ingested into Log Analytics!

It’s worth noting that the current, up-to-date documentation is at: https://azure.microsoft.com/en-us/documentation/articles/log-analytics-powershell-azure-diagnostics-json/.

OK, for this I’m assuming you’ve got WMF 5 installed on your machine. If you’ve not (where have you been!?), go to https://www.powershellgallery.com/ & hit the ‘Get WMF 5.0’ button.

Open up an administrative PowerShell session and make sure you’ve got the up-to-date AzureRM module:

 Install-Module AzureRM

Import the OMS module, making sure you’ve got at least version 1.0.8:

 Import-Module AzureRM.OperationalInsights -MinimumVersion 1.0.8

Log in to your Azure account:

 Login-AzureRmAccount

Run the command to configure ingestion of the diagnostics into Log Analytics:

 Add-AzureDiagnosticsToLogAnalyticsUI

 

OK OK. Hold up – let’s talk about this Add-AzureDiagnosticsToLogAnalyticsUI cmdlet.
Basically, it’s just like one of those choose-your-own-adventure command line games. Like the ones I used to play on the BBC computer in school… Only this is better.

Add-AzureDiagnosticsToLogAnalyticsUI guides you through ingesting those diagnostic logs into Log Analytics.

Adventure Question 1: Whatcha want to collect?

In part 1, I enabled NSG logging, so let’s grab that by hitting 3:


Adventure Question 2:

OK you can see that it located my NSG and verified diagnostics were turned on. Awesome.
You can see it’s listed out my NSG here & listed it as number 1. If you had more, you’d see them listed here.
To select my NSG diagnostics to ingest into Log Analytics, I’ll hit 1:


Adventure Question 3:

Which Log Analytics workspace? I’ve only got one on this Azure Subscription, so it’s listed here.
If you have a few, you can select which one the logging will be ingested into:


OK – that’s it! You’re done:


Great – that was too easy, right!? All you need to do now is get a cup of tea & after a little bit, you’ll see that diagnostic data show up in Log Analytics!

OK, now that I’ve had a cuppa, I’ve gone to my Log Analytics portal & clicked Search. I’m going to enter the query to see all the stuff: *


Sweet!! Under ‘TYPE’ I can now see NetworkSecuritygroups.
I’m going to select it & click apply to make the query: * (Type=NetworkSecuritygroups)


Et voila! Here ya go!
Note you can see the 2 categories of logging here too, so you can filter down & all that stuff!

You can now do all the normal Log Analytics goodness, like filtering, custom fields, alerting, remediation, saving, queries and building kickass dashboards!


Comments (1)

  1. David Burg says:

    Import-Module AzureRM.OperationalInsights -MinimumVersion 1.0.8 was not sufficient for me to get Add-AzureDiagnosticsToLogAnalytics to work (error: The term 'Add-AzureDiagnosticsToLogAnalytics' is not recognized...) I had to also run first Install-Module -Name AzureDiagnosticsAndLogAnalytics
