Question 110 of 1,170
Monitor and Maintain Azure ResourceshardMultiple ChoiceObjective-mapped

Quick Answer

The answer is a Log Analytics workspace. This Azure resource is the correct choice because it serves as the centralized repository that ingests performance counters and event logs from Azure virtual machines through the Azure Monitor agent, allowing you to collect performance counters and event logs from VMs and query the data using Kusto Query Language (KQL) for real-time analysis across multiple machines. On the AZ-104 exam, this tests your understanding of monitoring and logging architecture, often appearing in scenario-based questions where you must distinguish between a Log Analytics workspace, Azure Storage accounts, and Event Hubs—a common trap is selecting Azure Storage for log collection, but only a Log Analytics workspace enables native KQL queries. Remember the memory tip: “Logs go to Logs Analytics” to keep KQL queryable data straight from raw storage.

AZ-104 Monitor and Maintain Azure Resources Practice Question

This AZ-104 practice question tests your understanding of monitor and maintain azure resources. The scenario asks you to isolate a root cause — eliminate options that address a different problem before choosing. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

You need to collect performance counters and event logs from multiple Azure virtual machines and query the data centrally by using Kusto Query Language. Which Azure resource should you deploy?

Question 1hardmultiple choice
Full question →

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

A Log Analytics workspace

A Log Analytics workspace is the correct Azure resource because it ingests performance counters and event logs from Azure virtual machines via the Azure Monitor agent or the legacy Log Analytics agent, and stores them in a centralized repository. You can then query this data using Kusto Query Language (KQL) to perform real-time analysis, troubleshooting, and reporting across multiple VMs.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • A Log Analytics workspace

    Why this is correct

    A Log Analytics workspace is the central platform for Azure Monitor Logs and KQL queries.

    Related concept

    Read the scenario before looking for a memorised answer.

  • A Recovery Services vault

    Why it's wrong here

    A Recovery Services vault is used for backup and recovery rather than log analytics.

  • Azure Network Watcher

    Why it's wrong here

    Network Watcher focuses on network diagnostics, not general centralized log analytics.

  • A load balancer

    Why it's wrong here

    A load balancer distributes traffic and does not store logs for KQL analysis.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates often confuse Azure Monitor with Azure Backup or network monitoring tools, mistakenly thinking a Recovery Services vault or Network Watcher can store and query log data, when in fact only a Log Analytics workspace provides the centralized KQL-based querying capability for performance counters and event logs.

Detailed technical explanation

How to think about this question

Under the hood, the Log Analytics workspace uses a dedicated data ingestion pipeline where the Azure Monitor agent (AMA) collects data using Data Collection Rules (DCRs) that define which performance counters (e.g., CPU, memory, disk) and event logs (e.g., System, Application, Security) to collect. The data is stored in a clustered, columnar store optimized for KQL queries, enabling fast aggregation and filtering across terabytes of log data. In a real-world scenario, you might configure a DCR to collect specific performance counters every 60 seconds and Windows Event ID 4625 (failed logon) events, then use KQL to correlate failed logins with high CPU usage across a fleet of VMs.

KKey Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

An e-commerce site experiences heavy traffic on Black Friday and near-zero traffic during off-peak weeks. Rather than provisioning permanent large VMs, the team uses auto-scaling groups that add capacity automatically under load and reduce it overnight. Questions like this test whether you understand elasticity, availability zones, and cloud compute scaling patterns.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Related practice questions

Related AZ-104 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free AZ-104 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this AZ-104 question test?

Monitor and Maintain Azure Resources — This question tests Monitor and Maintain Azure Resources — Read the scenario before looking for a memorised answer..

What is the correct answer to this question?

The correct answer is: A Log Analytics workspace — A Log Analytics workspace is the correct Azure resource because it ingests performance counters and event logs from Azure virtual machines via the Azure Monitor agent or the legacy Log Analytics agent, and stores them in a centralized repository. You can then query this data using Kusto Query Language (KQL) to perform real-time analysis, troubleshooting, and reporting across multiple VMs.

What should I do if I get this AZ-104 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Same concept, more angles

5 more ways this is tested on AZ-104

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. You need to collect Windows event logs and performance counters from multiple Azure virtual machines and query the data by using Kusto Query Language. Which Azure resource should you use?

hard
  • A.A Log Analytics workspace
  • B.A Recovery Services vault
  • C.Azure Network Watcher
  • D.A load balancer

Why A: A Log Analytics workspace is the correct Azure resource for collecting Windows event logs and performance counters from Azure VMs and querying them using Kusto Query Language (KQL). It serves as the central repository where diagnostic data is ingested via the Azure Diagnostics extension or the Log Analytics agent, enabling rich log analytics and custom KQL queries.

Variation 2. You need to collect Windows event logs and performance counters from multiple Azure virtual machines and query the data centrally by using Kusto Query Language. Which Azure resource should you deploy?

hard
  • A.A Log Analytics workspace
  • B.A Recovery Services vault
  • C.Azure Network Watcher
  • D.A load balancer

Why A: A Log Analytics workspace is the correct resource because it serves as the central repository for collecting diagnostic data such as Windows event logs and performance counters from Azure VMs. Once collected, you can query this data using Kusto Query Language (KQL) to perform advanced analysis and monitoring. This aligns directly with the requirement to centrally query the data using KQL.

Variation 3. You need to collect guest operating system performance counters and Windows event logs from several Azure virtual machines into a central queryable platform. Which Azure component should you configure?

medium
  • A.A Log Analytics workspace
  • B.A Recovery Services vault
  • C.An Azure Policy initiative
  • D.A route table

Why A: A Log Analytics workspace is the correct Azure component for collecting guest OS performance counters and Windows event logs from Azure VMs. It serves as a central repository where diagnostic data from Azure Monitor agents (such as the Log Analytics agent or Azure Monitor Agent) is ingested, stored, and made available for querying via Kusto Query Language (KQL). This enables you to analyze performance metrics and event logs across multiple VMs in a unified, queryable platform.

Variation 4. Your operations team wants to query collected VM log data by using Kusto Query Language and retain it centrally for analysis. Which Azure resource should you deploy?

medium
  • A.A Log Analytics workspace
  • B.An availability set
  • C.A local user account on each VM
  • D.A network security group

Why A: A Log Analytics workspace is the correct Azure resource because it serves as the central repository for VM log data collected via Azure Monitor agents. It supports Kusto Query Language (KQL) for querying and analyzing the collected data, enabling the operations team to perform advanced log analytics and retention. This aligns directly with the requirement to query and retain VM log data centrally.

Variation 5. Your company wants to query performance and event data from multiple Azure virtual machines by using Kusto Query Language. The operations team also wants to centralize retention and analysis of this data. What should you deploy?

hard
  • A.A Log Analytics workspace.
  • B.Azure Advisor.
  • C.Azure Network Watcher only.
  • D.A network security group.

Why A: A Log Analytics workspace is the correct choice because it is the central repository in Azure Monitor for collecting telemetry and log data from Azure virtual machines. It supports Kusto Query Language (KQL) for querying performance and event data, and it provides centralized retention, analysis, and alerting capabilities, meeting both requirements.

Last reviewed: Jun 11, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This AZ-104 practice question is part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the AZ-104 exam.