Create, view, and manage log alerts using Azure Monitor

Overview

This article shows you how to create and manage log alerts. Azure Monitor log alerts let you use a Log Analytics query to evaluate resource logs at a set frequency and fire an alert based on the results. Rules can trigger one or more actions using Action Groups. Learn more about functionality and terminology of log alerts.

Alert rules are defined by three components:

Note

This page explains all of the concepts behind each setting used when setting up a log alert rule.

Create a log alert rule in the Azure portal

Note

This article describes creating alert rules using the new alert rule wizard. Please note these changes in the new alert rule experience:

  • Search results are not included with the triggered alert and its associated notifications. The alert contains a link to the search results in Logs.
  • The new alert rule wizard does not include the option to customize the triggered alert's email or to include a custom JSON payload.

  1. In the portal, select the relevant resource.

  2. In the Resource menu, under Monitoring, select Alerts.

  3. From the top command bar, click Create, and then Alert rule.

  4. The Create alert rule wizard opens to the Select a signal page of the Condition tab, with the scope already defined based on the resource you selected.

  5. Click on the Custom log search signal.

  6. Write a query to identify the conditions for triggering alerts. You can use the alert query examples topic to understand what you can discover or get started on writing your own query. Also, learn how to create optimized alert queries.

  7. Click Run to confirm that the query correctly identifies the data you want to alert on.

  8. Once you have successfully finished writing your query, click Continue Editing Alert.

  9. The Condition tab opens, populated with your log query.

  10. In the Measurement section, select values for the Measure, Aggregation type, and Aggregation granularity fields.

    • By default, the rule counts the number of results in the last 5 minutes.
    • If the system detects summarized query results, the rule is automatically updated to capture that.

  11. (Optional) In the Split by dimensions section, select alert splitting by dimensions:

    • If detected, the Resource ID column is selected automatically and changes the context of the fired alert to the record's resource.
    • Clear the Resource ID column to fire alerts on multiple resources in subscriptions or resource groups. For example, you can create a query that checks if 80% of the resource group's virtual machines are experiencing high CPU usage.
    • You can use the dimensions table to select up to six more splittings on any numeric or text columns.
    • Alerts are fired individually for each unique splitting combination. The alert payload includes the combination that triggered the alert.

  12. In the Alert logic section, set the Alert logic: Operator, Threshold Value, and Frequency.

  13. (Optional) In the Advanced options section, set the Number of violations to trigger the alert.

  14. The Preview chart shows query evaluation results over time. You can change the chart period or select different time series that resulted from unique alert splitting by dimensions.

  15. From this point on, you can select the Review + create button at any time.

  16. In the Actions tab, select or create the required action groups.

  17. In the Details tab, define the Project details and the Alert rule details.

  18. (Optional) In the Advanced options section, you can set several options, including whether to Enable upon creation, or to Mute actions for a period after the alert rule fires.

  19. In the Tags tab, set any required tags on the alert rule resource.

  20. In the Review + create tab, a validation will run and inform you of any issues.

  21. When validation passes and you have reviewed the settings, click the Create button.

Note

We recommend that you create alerts at scale when using resource access mode for logs running on multiple resources, using a resource group or subscription scope. Alerting at scale reduces rule management overhead. To be able to target the resources, include the resource ID column in the results. Learn more about splitting alerts by dimensions.

Manage alert rules in the Alerts portal

Note

This article describes how to manage alert rules created in the latest UI or using an API version later than 2018-04-16. See View and manage alert rules created in previous versions for information about how to view and manage alert rules created in the previous UI.

  1. In the portal, select the relevant resource.
  2. Under Monitoring, select Alerts.
  3. From the top command bar, select Alert rules.
  4. Select the alert rule that you want to edit.
  5. Edit any fields necessary, then select Save on the top command bar.

Manage log alerts using CLI

This section describes how to manage log alerts using the cross-platform Azure CLI. The quickest way to start using the Azure CLI is through Azure Cloud Shell, which is what this article uses.

Note

Azure CLI support is only available for the scheduledQueryRules API version 2021-08-01 and later. Previous API versions can use the Azure Resource Manager CLI with templates as described below. If you use the legacy Log Analytics Alert API, you will need to switch to using the CLI. Learn more about switching.

  1. In the portal, select Cloud Shell.
  2. At the prompt, you can use commands with the --help option to learn more about a command and how to use it. For example, the following command shows you the list of commands available for creating, viewing, and managing log alerts:
    az monitor scheduled-query --help
    
  3. You can create a log alert rule that monitors the count of system event errors (the query is delimited by single quotes inside the condition string, so only the inner double quotes need escaping):
    az monitor scheduled-query create -g {ResourceGroup} -n {nameofthealert} --scopes {vm_id} --condition "count 'union Event, Syslog | where TimeGenerated > ago(1h) | where EventLevelName == \"Error\" or SeverityLevel == \"err\"' > 2" --description {descriptionofthealert}
    
  4. You can view all the log alerts in a resource group using the following command:
    az monitor scheduled-query list -g {ResourceGroup}
    
  5. You can see the details of a particular log alert rule using the name or the resource ID of the rule:
    az monitor scheduled-query show -g {ResourceGroup} -n {AlertRuleName}
    
    az monitor scheduled-query show --ids {RuleResourceId}
    
  6. You can disable a log alert rule using the following command (pass --disabled false to enable it again):
    az monitor scheduled-query update -g {ResourceGroup} -n {AlertRuleName} --disabled true
    
  7. You can delete a log alert rule using the following command:
    az monitor scheduled-query delete -g {ResourceGroup} -n {AlertRuleName}
    

You can also use Azure Resource Manager CLI with templates files:

az login
az deployment group create \
    --name AlertDeployment \
    --resource-group ResourceGroupofTargetResource \
    --template-file mylogalerttemplate.json \
    --parameters @mylogalerttemplate.parameters.json

On success for creation, 201 is returned. On success for update, 200 is returned.
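As an added example (not code from the Azure documentation), the following Python generates a mylogalerttemplate.json for the deployment command above. It encodes the same rule as the CLI example (count of Event/Syslog error records, threshold 2) with the wizard settings this page describes: split by the Resource ID dimension, a number-of-violations rule under failingPeriods, and a mute period after firing. The subscription, resource group, and action group IDs are constructed placeholders.

```python
import re

# Constructed sample values (assumptions, not from the page); replace before deploying.
SCOPE = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
ACTION_GROUP = SCOPE + "/providers/microsoft.insights/actionGroups/ag-secops"
QUERY = ('union Event, Syslog | where TimeGenerated > ago(1h) '
         '| where EventLevelName == "Error" or SeverityLevel == "err"')
DURATION = re.compile(r"^(PT\d+[MH]|P\d+D)$")  # ISO 8601 forms the rule accepts


def build_log_alert_template(name="vm-error-events", scope=SCOPE, query=QUERY,
                             threshold=2, frequency="PT5M", window="PT5M",
                             periods=3, min_failing=2, mute="PT30M",
                             action_group=ACTION_GROUP):
    """ARM template with one Microsoft.Insights/scheduledQueryRules resource
    (API 2021-08-01): count results, split by _ResourceId, and require
    min_failing of the last `periods` evaluations to breach the threshold."""
    for d in (frequency, window, mute):
        if not DURATION.match(d):
            raise ValueError(f"not an ISO 8601 duration: {d}")
    if not 1 <= min_failing <= periods:
        raise ValueError("minFailingPeriodsToAlert must be 1..numberOfEvaluationPeriods")
    rule = {
        "type": "Microsoft.Insights/scheduledQueryRules",
        "apiVersion": "2021-08-01",
        "name": name,
        "location": "[resourceGroup().location]",
        "properties": {
            "displayName": name,
            "severity": 2,  # 0 = Critical ... 4 = Verbose
            "enabled": True,  # "Enable upon creation"
            "evaluationFrequency": frequency, "windowSize": window,
            # resource group scope: each VM in it is evaluated and alerted on separately
            "scopes": [scope], "targetResourceTypes": ["Microsoft.Compute/virtualMachines"],
            "criteria": {"allOf": [{
                "query": query,
                "timeAggregation": "Count", "operator": "GreaterThan",
                "threshold": threshold,
                # one alert per VM, with the fired alert's context set to that VM
                "dimensions": [{"name": "_ResourceId", "operator": "Include", "values": ["*"]}],
                # "Number of violations to trigger the alert" under Advanced options
                "failingPeriods": {"numberOfEvaluationPeriods": periods,
                                   "minFailingPeriodsToAlert": min_failing},
            }]},
            "autoMitigate": True,
            "muteActionsDuration": mute,  # "Mute actions" for a period after firing
            "actions": {"actionGroups": [action_group]},
        },
    }
    return {"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
            "contentVersion": "1.0.0.0", "resources": [rule]}
```

Write the result with json.dump to mylogalerttemplate.json and deploy it with the az deployment group create command shown above; the ValueError checks catch the two mistakes validation would otherwise reject at deploy time (a non-ISO duration such as "5m", and more failing periods than evaluation periods).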

Next steps