You need to collect Windows event logs and performance counters from multiple Azure virtual machines and query the data centrally by using Kusto Query Language. Which Azure resource should you deploy?
A Log Analytics workspace stores and enables KQL querying of collected monitoring data.
Why this answer
A Log Analytics workspace is the correct resource because it serves as the central repository for collecting diagnostic data such as Windows event logs and performance counters from Azure VMs. Once collected, you can query this data using Kusto Query Language (KQL) to perform advanced analysis and monitoring. This aligns directly with the requirement to centrally query the data using KQL.
Exam trap
The trap here is that candidates often confuse a Log Analytics workspace with a Recovery Services vault because both involve data storage, but the vault is strictly for backup/recovery data, not for operational log analytics.
How to eliminate wrong answers
Option B is wrong because a Recovery Services vault is designed for backup and disaster recovery scenarios, such as Azure Backup and Azure Site Recovery, not for collecting and querying operational logs or performance counters. Option C is wrong because Azure Network Watcher provides network-level monitoring and diagnostics tools (e.g., packet capture, NSG flow logs, connection troubleshoot) but does not ingest Windows event logs or performance counters for KQL-based querying. Option D is wrong because a load balancer distributes incoming network traffic across backend resources and does not have any capability to collect or store log data for querying with KQL.