question

JacobMathews-8592 asked tbgangav-MSFT answered

No new results in Log Analytics

Dear Team,

While we try to integrate Microsoft Azure Log Analytics, the following is the response I am getting.

---------


03/18/2021 09:41:49 AM INFO: AZURE Azure Log Analytics starting.
03/18/2021 09:41:49 AM INFO: AZURE Log Analytics: Getting authentication token.
03/18/2021 09:41:49 AM DEBUG: AZURE Starting new HTTPS connection (1): login.microsoftonline.com:443
03/18/2021 09:41:50 AM DEBUG: AZURE https://login.microsoftonline.com:443 "POST /xxxxx.onmicrosoft.com/oauth2/token?api-version=1.0 HTTP/1.1" 200 1445
03/18/2021 09:41:50 AM INFO: AZURE Log Analytics: Sending a request to the Log Analytics API.
03/18/2021 09:41:50 AM INFO: AZURE Log Analytics: The search starts from the date: 0 for query: 'AzureActivity'
03/18/2021 09:41:50 AM DEBUG: AZURE Starting new HTTPS connection (1): api.loganalytics.io:443
03/18/2021 09:41:51 AM DEBUG: AZURE https://api.loganalytics.io:443 "GET /v1/workspaces/xxxxx-xxxx-xxx-xxxx-xxxxx/query?query=+AzureActivity+%7C+order+by+TimeGenerated+asc+%7C+where+TimeGenerated+%3E+datetime%280%29+ HTTP/1.1" 200 None
03/18/2021 09:41:51 AM INFO: AZURE Log Analytics: There are no new results
03/18/2021 09:41:51 AM INFO: AZURE Azure Log Analytics ending.

----------


As you can see, the highlighted log says there are no new results, thus no logs are shown in our siem.

Can someone guide me on how to clear or resolve this issue and receive logs?



azure-monitor azure-ad-audit-logs

Hi @JacobMathews-8592,

Based on the log provided, it looks like you are trying to query the AzureActivity table from the Log Analytics Workspace (LAW), but the output it gives is no new results. One observation is that it is at INFO and not ERROR log level, so I assume that you have already configured sending activity logs to LAW in either of two ways, i.e., via Activity logs diagnostics settings or via the legacy method.

  • If yes, I would recommend to check by manually querying AzureActivity table from logs tile of LAW and see if you get the output.

  • If no, I would recommend to configure sending activity logs to LAW as mentioned above and then manually query AzureActivity table from logs tile of LAW and see if you get the output.


On the other hand, if you can provide more context or your exact use case then it would be helpful to answer or diagnose and troubleshoot the issue in a better way.

In that regard, below are a few questions:

  • When you say "thus no logs are shown in our siem", did you configure sending logs from LAW to some SIEM? If yes, what are the high-level steps that you have followed to do it?

  • When you say "integrate Microsoft Azure log analytics", what do you mean by integrate? Did you integrate LAW with some other Azure resource? If yes, more information would be helpful.

  • Based on the log format, I believe it's from a log file. If yes, what is the location of the log file?



Hi @JacobMathews-8592,

Did you get a chance to review my earlier response? Let me know if you have any further queries regarding it.


Hi @tbgangav-MSFT,

Thanks for the support. We are receiving data from Log Analytics. Now it is working fine. If you can help me with my other query regarding Microsoft Graph, it would be helpful.


Hi @JacobMathews-8592,

I assume that you meant this question. If that's the case, I am not an SME in Microsoft Graph. In general, based on the tags that are added to a question, the respective service SMEs would respond at the earliest possible, and the good thing is, I see that you have added the related tag to the question. :)



1 Answer

tbgangav-MSFT answered

<<Resurfacing the information shared as comment, so it helps the broader community users.>>

Based on the log provided, it looks like you are trying to query the AzureActivity table from the Log Analytics Workspace (LAW), but the output it gives is no new results. One observation is that it is at INFO and not ERROR log level, so I assume that you have already configured sending activity logs to LAW in either of two ways, i.e., via Activity logs diagnostics settings or via the legacy method.

  • If yes, I would recommend to check by manually querying AzureActivity table from logs tile of LAW and see if you get the output.

  • If no, I would recommend to configure sending activity logs to LAW as mentioned above and then manually query AzureActivity table from logs tile of LAW and see if you get the output.

On the other hand, if you can provide more context or your exact use case then it would be helpful to answer or diagnose and troubleshoot the issue in a better way.

In that regard, below are a few questions:

  • When you say "thus no logs are shown in our siem", did you configure sending logs from LAW to some SIEM? If yes, what are the high-level steps that you have followed to do it?

  • When you say "integrate Microsoft Azure log analytics", what do you mean by integrate? Did you integrate LAW with some other Azure resource? If yes, more information would be helpful.

  • Based on the log format, I believe it's from a log file. If yes, what is the location of the log file?


Glad to know that now you are receiving data from log analytics and it is working fine now.
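
The triage described in the answer above (both HTTP requests returned 200, so the run authenticated and queried successfully but the query matched no rows) can be applied mechanically to the collector's debug log. The following Python script is an added example, not part of the original thread or of the collector's own code; the function name `diagnose` and the verdict strings are assumptions, and the sample lines are copied from the log in the question.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Lines copied from the log in the question (tenant and workspace id are masked there).
SAMPLE_LOG = '''\
03/18/2021 09:41:50 AM DEBUG: AZURE https://login.microsoftonline.com:443 "POST /xxxxx.onmicrosoft.com/oauth2/token?api-version=1.0 HTTP/1.1" 200 1445
03/18/2021 09:41:51 AM DEBUG: AZURE https://api.loganalytics.io:443 "GET /v1/workspaces/xxxxx-xxxx-xxx-xxxx-xxxxx/query?query=+AzureActivity+%7C+order+by+TimeGenerated+asc+%7C+where+TimeGenerated+%3E+datetime%280%29+ HTTP/1.1" 200 None
03/18/2021 09:41:51 AM INFO: AZURE Log Analytics: There are no new results
'''

# Debug line shape: <base url> "<METHOD> <path> HTTP/x.y" <status> <length>
REQ = re.compile(r'DEBUG: AZURE (https://\S+) "(\w+) (\S+) HTTP/[\d.]+" (\d{3}) (\S+)')

def diagnose(log_text):
    """Return (token_status, query_status, kql, verdict) for one collector run."""
    token_status = query_status = kql = None
    for line in log_text.splitlines():
        m = REQ.search(line)
        if not m:
            continue
        base, _method, path, status, _length = m.groups()
        host = urlsplit(base).hostname
        if host == "login.microsoftonline.com":
            token_status = int(status)
        elif host == "api.loganalytics.io":
            query_status = int(status)
            # parse_qs undoes the '+' and %XX encoding of the KQL text
            kql = parse_qs(urlsplit(path).query).get("query", [""])[0].strip()
    if token_status != 200:
        verdict = "token request did not return 200"
    elif query_status != 200:
        verdict = "query request did not return 200"
    elif "There are no new results" in log_text:
        verdict = "auth and query returned 200; the query matched no rows"
    else:
        verdict = "results returned"
    return token_status, query_status, kql, verdict

if __name__ == "__main__":
    for item in diagnose(SAMPLE_LOG):
        print(item)
```

The decoded KQL is the query to paste into the Logs tile of the workspace for the manual check the answer recommends.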
