This chapter covers Azure Monitor and Log Analytics, the core monitoring services in Azure. For the AZ-104 exam, approximately 10-15% of questions relate to monitoring, including configuring alerts, analyzing logs, and setting up diagnostic settings. You will be tested on how to collect, query, and act on telemetry from Azure resources. Mastering this chapter is essential for passing the exam and for real-world administration.
Jump to a section
Imagine you are the facilities manager for a large office building. The building has a central security system (Azure Monitor) that collects data from various sensors: motion detectors, door sensors, smoke alarms, and security cameras. Each sensor sends its data to a central panel (Log Analytics workspace), where events are logged and analyzed. The system can trigger alerts: if a smoke alarm goes off, it can automatically notify the fire department and unlock emergency exits. If a door is opened after hours, it logs the event and sends an alert to security. The system also allows you to query historical data—like 'how many times was the back door opened last Tuesday?'—using a search tool (Kusto Query Language). Just as the security system integrates with other building systems (HVAC, lighting), Azure Monitor integrates with Azure services to collect metrics, logs, and alerts. The key is that the system is centralized: you don't check each sensor individually; you use the central panel to see the health of the entire building. In Azure, Monitor is that central panel for your cloud resources.
What is Azure Monitor?
Azure Monitor is the comprehensive monitoring service for Azure. It collects, analyzes, and acts on telemetry from Azure resources, on-premises environments, and other clouds. It provides a single pane of glass for metrics, logs, and alerts.
Why Azure Monitor Exists
Without a centralized monitoring solution, administrators would have to manually check each resource's health, leading to delayed detection of issues. Azure Monitor automates this by aggregating data, setting thresholds, and triggering actions. It enables proactive management, cost optimization, and security compliance.
How It Works Internally
Azure Monitor collects two primary types of data: - Metrics: Numerical values representing resource health (e.g., CPU percentage, disk IOPS). They are lightweight and near real-time (1-minute granularity). Metrics are stored for 93 days by default. - Logs: Text-based events (e.g., error logs, audit trails). Logs are sent to a Log Analytics workspace where they can be queried using Kusto Query Language (KQL). Retention is configurable from 30 to 730 days (or 2 years with pay-as-you-go).
Data flows as follows: 1. Collection: Resources emit telemetry via diagnostic settings (for Azure resources) or agents (for VMs). The Azure Monitor agent collects data from VMs, including performance counters and events. 2. Storage: Metrics are stored in the Azure Monitor metrics database (time-series). Logs are stored in Log Analytics workspaces (structured tables). 3. Analysis: You can view metrics in Metrics Explorer, query logs in Log Analytics, or use pre-built dashboards. 4. Alerting: Alert rules evaluate data at regular intervals (e.g., every 5 minutes) and trigger actions (e.g., email, webhook, ITSM) when conditions are met. 5. Visualization: Data can be visualized in Azure Workbooks or exported to Power BI.
Key Components, Values, Defaults, and Timers
Log Analytics Workspace: A container for log data. Each workspace has a unique ID and keys. Default retention: 30 days for free tier, 31 days for paid tiers (configurable up to 730 days).
Diagnostic Settings: Configured per resource to send metrics and logs to a storage account, event hub, or Log Analytics workspace. You can enable 'Resource specific' or 'Azure diagnostics' mode.
Azure Monitor Agent: Replaces the legacy Log Analytics agent and Diagnostics extension. Supports Windows and Linux VMs. Collects data into tables (e.g., Perf, Event, Syslog).
Metrics: 93-day retention for standard metrics. Some metrics (e.g., custom metrics) may have shorter retention.
Alerts: Three types: Metric alerts (threshold-based), Log alerts (KQL query-based), Activity log alerts (for service health changes). Frequency: can be set as low as 1 minute for metric alerts.
Action Groups: Define actions like email, SMS (max 10 SMS per hour per number), webhook, ITSM integration. SMS: 1 SMS per 5 minutes per number.
Workbooks: Interactive dashboards combining metrics and logs. Can be shared via Azure RBAC.
Configuration and Verification Commands
To create a Log Analytics workspace using Azure CLI:
az monitor log-analytics workspace create --resource-group myRG --workspace-name myWorkspaceTo create a diagnostic setting:
az monitor diagnostic-settings create --resource <resource-id> --name myDiagSetting --workspace <workspace-id> --metrics '[{"category": "AllMetrics", "enabled": true}]' --logs '[{"category": "AuditLog", "enabled": true}]'To query logs using KQL in Log Analytics:
AzureActivity
| where TimeGenerated > ago(1h)
| where OperationName == "Delete Virtual Machine"
| project TimeGenerated, Caller, ResourceTo create a metric alert:
az monitor metrics alert create --name "High CPU" --resource-group myRG --scaleset <vmss-id> --condition "avg Percentage CPU > 80" --action-group <action-group-id>Interaction with Related Technologies
Azure Service Health: Provides alerts for service issues and planned maintenance. Integrates with Monitor via activity log alerts.
Azure Sentinel: A SIEM built on Log Analytics. Uses the same workspace but adds threat detection.
Azure Automation: Can trigger runbooks from alerts (e.g., auto-scale VMs when CPU high).
Azure Dashboards: Can pin metric charts and log queries from Monitor.
Azure Policy: Can enforce diagnostic settings on resources to ensure monitoring is enabled.
1. Create a Log Analytics Workspace
In the Azure portal, navigate to 'Log Analytics workspaces' and click 'Create'. Provide a unique name, select a region (choose the same region as your resources to minimize data transfer costs), and choose the pricing tier (Pay-as-you-go is typical for production). After creation, note the workspace ID and primary key—these are needed for agent configuration. The workspace acts as the central repository for all log data. Default retention is 31 days; you can change this in the Usage and estimated costs settings.
2. Configure Diagnostic Settings
For each Azure resource (e.g., VM, App Service, SQL Database), go to 'Diagnostic settings' under the Monitoring section. Click 'Add diagnostic setting', give it a name, and select the categories of logs and metrics you want to collect. You can send data to a Log Analytics workspace, storage account, or event hub. For exam purposes, remember that enabling 'AllMetrics' is common. For VMs, you must install the Azure Monitor agent; diagnostic settings alone don't capture guest OS metrics.
3. Install Azure Monitor Agent on VMs
For VMs, you need the Azure Monitor agent to collect guest-level data (performance counters, event logs, syslog). In the portal, go to the VM, select 'Extensions + applications', click 'Add', and choose 'Azure Monitor Agent'. Configure the data collection rules (DCR) to specify what data to collect, e.g., CPU, memory, disk, Windows events (Application, System, Security). The agent sends data to the Log Analytics workspace defined in the DCR. Verify installation by checking the agent status in the VM's extensions blade.
4. Create Metric Alerts
Go to 'Alerts' under Azure Monitor, click 'Create' -> 'Alert rule'. Select the target resource (e.g., VM, VMSS). Choose a signal like 'CPU Percentage'. Set the condition, e.g., 'Average greater than 80% for 5 minutes'. Configure the action group: define who gets notified (email, SMS) or what automation runs (webhook, runbook). Metric alerts evaluate every minute and can fire multiple times if condition persists. Use 'Frequency of evaluation' to control how often the alert checks.
5. Query Logs with KQL
In Log Analytics workspace, click 'Logs'. A query editor opens. Write KQL queries to filter, aggregate, and analyze log data. For example, to see failed logins on a Windows VM: `SecurityEvent | where EventID == 4625 | summarize Count=count() by Account`. Use the time range selector to limit results. You can save queries, create charts, and pin them to dashboards. KQL is case-sensitive; remember to use proper operators like `| where`, `| project`, `| summarize`.
Scenario 1: Monitoring a Production Web Application
A company runs a multi-tier web application on Azure VMs and App Services. They use Azure Monitor to collect metrics (CPU, memory, request rate) and logs (application errors, IIS logs). They create metric alerts for high CPU (>90%) and log alerts for error spikes (e.g., >100 HTTP 500 errors in 5 minutes). Action groups send emails to the DevOps team and trigger an Azure Automation runbook that scales out the VMSS. The Log Analytics workspace retains data for 90 days for troubleshooting. Common issues: misconfigured diagnostic settings (missing categories), incorrect KQL queries returning no data, and alert fatigue from overly sensitive thresholds.
Scenario 2: Security and Compliance Monitoring
A financial services firm must audit all administrative actions. They enable diagnostic settings on all Azure resources to send Activity Logs to a Log Analytics workspace. They create activity log alerts for resource deletions and role assignments. They also collect security events from VMs (Windows Event ID 4625 for failed logins) using the Azure Monitor agent. They use workbooks to create compliance dashboards showing unauthorized access attempts. Performance considerations: high-volume logs can increase costs; they set retention to 30 days for verbose logs and 1 year for security logs. Misconfiguration: forgetting to enable 'AuditLogs' category in diagnostic settings leads to missing data.
Scenario 3: Hybrid Monitoring with On-Premises Servers
An enterprise has on-premises servers running Windows and Linux. They use the Azure Monitor agent to send data to Azure Log Analytics (via Azure Arc or direct internet). They create custom metrics from log queries and set alerts for disk space < 10%. They use Azure workbooks to combine on-prem and cloud metrics. Scale considerations: each agent generates ~1-2 GB per month; they plan workspace capacity accordingly. Common pitfalls: firewall blocks outbound HTTPS to Azure, agent not configured with correct workspace key, and time zone mismatches in logs.
Objective Codes: AZ-104 exam objective 5.1 covers 'Monitor resources by using Azure Monitor', including configuring diagnostic settings, collecting logs, creating alerts, and analyzing metrics/logs.
Common Wrong Answers: 1. 'You can collect guest OS metrics without an agent' – FALSE. You need the Azure Monitor agent (or legacy Log Analytics agent) to collect guest-level data. Diagnostic settings only collect platform metrics. 2. 'Log Analytics workspace retention is fixed at 30 days' – FALSE. Default is 31 days for paid tiers, but you can configure up to 730 days. 3. 'Metric alerts can only evaluate every 5 minutes' – FALSE. Metric alerts can evaluate as frequently as every 1 minute (frequency is configurable). 4. 'Activity log alerts require a Log Analytics workspace' – FALSE. Activity log alerts are independent; they evaluate Azure activity log events directly without needing a workspace.
Specific Numbers and Terms:
- Retention: 31 days default (paid), 30 days free, max 730 days.
- Metric alert evaluation frequency: min 1 minute.
- SMS limit: 1 SMS per 5 minutes per number.
- Action group email: up to 1000 emails per hour per action group.
- KQL: | where, | project, | summarize, | extend.
- Diagnostic settings categories: 'AllMetrics', 'AuditLogs', 'SecurityLogs'.
Edge Cases:
- If you delete a Log Analytics workspace, all data is permanently lost.
- You can have multiple diagnostic settings per resource, but each can only send to one destination per setting.
- Cross-workspace queries are possible using workspace('workspaceID').TableName.
Eliminating Wrong Answers: - If the question asks about collecting OS-level metrics from a VM, the answer must involve an agent (Azure Monitor agent or Log Analytics agent). - If the question mentions 'real-time' or 'sub-minute' alerting, metric alerts can do 1-minute frequency; log alerts have a minimum 5-minute frequency. - If the question asks about storing logs for compliance (e.g., 1 year), you need to configure workspace retention to 365 days.
Azure Monitor collects metrics (93-day retention) and logs (configurable retention up to 730 days).
Diagnostic settings must be enabled per resource to send data to Log Analytics, storage, or event hubs.
Guest OS monitoring requires the Azure Monitor agent (or legacy Log Analytics agent).
Metric alerts evaluate as fast as every 1 minute; log alerts minimum 5 minutes.
Action groups define notification actions (email, SMS, webhook, ITSM). SMS limited to 1 per 5 minutes per number.
Kusto Query Language (KQL) is used to query Log Analytics workspaces.
Default Log Analytics workspace retention is 31 days for paid tiers; max 730 days.
Activity log alerts do not need a Log Analytics workspace; they alert on Azure activity log events directly.
These come up on the exam all the time. Here's how to tell them apart.
Metric Alerts
Based on numeric metric values (e.g., CPU > 80%)
Evaluation frequency as low as 1 minute
No KQL query needed; simple threshold conditions
Low latency (near real-time)
Cannot analyze log patterns or text data
Log Alerts
Based on KQL queries over log data
Evaluation frequency min 5 minutes (due to query execution)
Requires writing KQL queries
Higher latency (several minutes)
Can detect patterns, count events, or analyze text
Mistake
Azure Monitor automatically collects all logs from all resources.
Correct
No. You must explicitly configure diagnostic settings for each resource to send logs to Log Analytics. Some logs (like guest OS logs) require an agent.
Mistake
Log Analytics workspace retention can be set to any value up to 10 years.
Correct
Maximum retention is 730 days (2 years). For longer retention, you must export data to Azure Storage or archive to Azure Archive Storage.
Mistake
Metric alerts are always faster than log alerts.
Correct
Metric alerts can evaluate every 1 minute, while log alerts have a minimum frequency of 5 minutes (due to query execution time). However, metric alerts cannot detect patterns in logs, only numeric thresholds.
Mistake
You can use Azure Monitor to monitor on-premises servers without any agent.
Correct
An agent (Azure Monitor agent or Log Analytics agent) is required to collect data from on-premises servers. You can use Azure Arc to manage the agent centrally.
Mistake
Activity log alerts require a Log Analytics workspace.
Correct
Activity log alerts are independent of workspaces. They evaluate Azure activity log events directly and can trigger actions without Log Analytics.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
You need to install the Azure Monitor agent (or the legacy Log Analytics agent) on the VM. The agent sends performance counters and event logs to a Log Analytics workspace. For Windows VMs, you can also use the Diagnostics extension, but the Azure Monitor agent is the recommended approach. After installation, configure Data Collection Rules (DCR) to specify which metrics and logs to collect.
A metric alert triggers based on a numeric threshold (e.g., CPU > 90%) and can evaluate every 1 minute. A log alert runs a KQL query at intervals (minimum 5 minutes) and triggers if the query returns results. Use metric alerts for real-time performance issues and log alerts for pattern detection or complex conditions.
Default retention is 31 days for paid tiers and 30 days for free tier. You can configure retention up to 730 days (2 years) per workspace. For longer retention, you can export logs to Azure Storage or archive to Azure Archive Storage.
Yes, you can configure the Azure Monitor agent to send data to multiple workspaces by adding multiple data collection rules or by using the workspace ID and key for each workspace. However, each agent can only have one configuration file; you need to use the Azure Monitor Agent's multi-homing support.
An action group is a collection of notification actions (email, SMS, webhook, ITSM, Automation runbook) that are triggered by an alert. You create an action group once and reuse it across multiple alerts. For example, you can create an action group that sends an email to the on-call team and triggers a webhook to a third-party ticketing system.
Use Kusto Query Language (KQL). For example, to see all errors in the last hour: `AzureDiagnostics | where TimeGenerated > ago(1h) | where Level == 'Error'`. You can use operators like `| where`, `| project`, `| summarize`, `| extend`. The Log Analytics workspace provides a query editor with autocomplete and syntax highlighting.
Log Analytics charges per GB of data ingested and per GB of data retained beyond the free tier (5 GB per month free). There are also costs for data export and for using the Azure Monitor agent. You can estimate costs using the Azure Pricing Calculator.
You've just covered Azure Monitor and Log Analytics — now see how well it sticks with free AZ-104 practice questions. Full explanations included, no account needed.
Done with this chapter?