Container group and instance logging with Azure Monitor logs
Log Analytics workspaces provide a centralized location for storing and querying log data not only from Azure resources, but also on-premises resources and resources in other clouds. Azure Container Instances includes built-in support for sending logs and event data to Azure Monitor logs.
To send container group log and event data to Azure Monitor logs, specify an existing Log Analytics workspace ID and workspace key when configuring a container group.
The following sections describe how to create a logging-enabled container group and how to query logs. You can also update a container group with a workspace ID and workspace key to enable logging.
Note
This article was recently updated to use the term Azure Monitor logs instead of Log Analytics. Log data is still stored in a Log Analytics workspace and is still collected and analyzed by the same Log Analytics service. We are updating the terminology to better reflect the role of logs in Azure Monitor. See Azure Monitor terminology changes for details.
Prerequisites
To enable logging in your container instances, you need the following prerequisites:
Azure Container Instances needs permission to send data to your Log Analytics workspace. To grant this permission and enable logging, you must provide the Log Analytics workspace ID and one of its keys (either primary or secondary) when you create the container group.
To obtain the Log Analytics workspace ID and primary key:
Navigate to your Log Analytics workspace in the Azure portal
Under Settings, select Agents management
Take note of:
Workspace ID
Primary key
Create container group
Now that you have the Log Analytics workspace ID and primary key, you're ready to create a logging-enabled container group.
The following examples demonstrate two ways to create a container group that consists of a single fluentd container: Azure CLI, and Azure CLI with a YAML template. The fluentd container produces several lines of output in its default configuration. Because this output is sent to your Log Analytics workspace, it works well for demonstrating the viewing and querying of logs.
Deploy with Azure CLI
To deploy with the Azure CLI, specify the --log-analytics-workspace and --log-analytics-workspace-key parameters in the az container create command. Replace the two workspace values with the values you obtained in the previous step (and update the resource group name) before running the following command.
Note
The following example pulls a public container image from Docker Hub. We recommend that you set up a pull secret to authenticate using a Docker Hub account instead of making an anonymous pull request. To improve reliability when working with public content, import and manage the image in a private Azure container registry. Learn more about working with public images.
Deploy with YAML
Use this method if you prefer to deploy container groups with YAML. The following YAML defines a container group with a single container. Copy the YAML into a new file, then replace LOG_ANALYTICS_WORKSPACE_ID and LOG_ANALYTICS_WORKSPACE_KEY with the values you obtained in the previous step. Save the file as deploy-aci.yaml.
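The deploy-aci.yaml file described above holds the workspace key in clear text, so one way to produce it is to render it from environment variables, check both values first, and create the file with owner-only permissions. This is an added example, not from the original article: the function name render_aci_yaml, the ACI_LOCATION and ACI_IMAGE variables, the container name, the apiVersion and the resource sizes are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. Hypothetical names:
# render_aci_yaml, ACI_LOCATION, ACI_IMAGE, mycontainer001. The apiVersion,
# location default, image reference and resource sizes are assumptions.

render_aci_yaml() (
  LC_ALL=C; export LC_ALL
  out="${1:-deploy-aci.yaml}"
  id="${LOG_ANALYTICS_WORKSPACE_ID:-}"
  key="${LOG_ANALYTICS_WORKSPACE_KEY:-}"

  # Reject characters outside the expected alphabets. This covers quotes and
  # newlines, so neither value can change the structure of the YAML.
  case "$id" in ''|*[!0-9A-Fa-f-]*)
    echo "workspace ID: unexpected characters" >&2; exit 2 ;; esac
  case "$key" in ''|*[!A-Za-z0-9+/=]*)
    echo "workspace key: not base64 (placeholder left in?)" >&2; exit 3 ;; esac
  # A workspace ID is a GUID.
  printf '%s\n' "$id" | grep -Eq \
    '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$' ||
    { echo "workspace ID: not a GUID" >&2; exit 2; }

  umask 077        # create the file with mode 0600
  rm -f -- "$out"  # an existing file would keep its old, wider mode
  cat > "$out" <<EOF
apiVersion: '2019-12-01'
location: ${ACI_LOCATION:-eastus}
name: mycontainergroup001
properties:
  containers:
  - name: mycontainer001
    properties:
      image: ${ACI_IMAGE:-fluent/fluentd}
      resources:
        requests:
          cpu: 1.0
          memoryInGB: 1.5
  osType: Linux
  restartPolicy: Always
  diagnostics:
    logAnalytics:
      workspaceId: "$id"
      workspaceKey: "$key"
type: Microsoft.ContainerInstance/containerGroups
EOF
)
```

Set LOG_ANALYTICS_WORKSPACE_ID and LOG_ANALYTICS_WORKSPACE_KEY in the environment, call render_aci_yaml deploy-aci.yaml, and delete the file once the deployment has been submitted.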
Next, execute the following command to deploy the container group. Replace myResourceGroup with a resource group in your subscription (or first create a resource group named "myResourceGroup"):
az container create --resource-group myResourceGroup --name mycontainergroup001 --file deploy-aci.yaml
You should receive a response from Azure containing deployment details shortly after issuing the command.
View logs
After you deploy the container group, it can take several minutes (up to 10) for the first log entries to appear in the Azure portal.
To view the container group's logs in the ContainerInstanceLog_CL table:
Navigate to your Log Analytics workspace in the Azure portal
Under General, select Logs
Type the following query: ContainerInstanceLog_CL | limit 50
Select Run
You should see several results displayed by the query. If at first you don't see any results, wait a few minutes, then select the Run button to execute the query again. By default, log entries are displayed in Table format. You can then expand a row to see the contents of an individual log entry.
View events
You can also view events for container instances in the Azure portal. Events include the time the instance is created and when it starts. To view the event data in the ContainerEvent_CL table:
Navigate to your Log Analytics workspace in the Azure portal
Under General, select Logs
Type the following query: ContainerEvent_CL | limit 50
Select Run
You should see several results displayed by the query. If at first you don't see any results, wait a few minutes, then select the Run button to execute the query again. By default, entries are displayed in Table format. You can then expand a row to see the contents of an individual entry.
Query container logs
Azure Monitor logs includes an extensive query language for pulling information from potentially thousands of lines of log output.
The basic structure of a query is the source table (in this article, ContainerInstanceLog_CL or ContainerEvent_CL) followed by a series of operators separated by the pipe character (|). You can chain several operators to refine the results and perform advanced functions.
To see example query results, paste the following query into the query text box, and select the Run button to execute the query. This query displays all log entries whose "Message" field contains the word "warn":
ContainerInstanceLog_CL
| where Message contains "warn"
More complex queries are also supported. For example, this query displays only those log entries for the "mycontainergroup001" container group generated within the last hour:
ContainerInstanceLog_CL
| where (ContainerGroup_s == "mycontainergroup001")
| where (TimeGenerated > ago(1h))
The newer tables require use of diagnostic settings to route information to Log Analytics. The diagnostic settings feature for Container Instances is in public preview, and it can be enabled through preview features options in the Azure portal.