Question

Asked by Cataster-7485

Configure a VM to feed its Event Logs into App Insights or the Data Lake?

We want to add Azure cloud compute audit logs to Data Lake. For virtual machines, these would be Event Logs, and this includes one-time historical and ongoing data. We want to do this for auditing purposes. Is there an option we can enable for this? We are trying to avoid having to feed this data manually by extracting and then loading the data ourselves. So if there is an option in place, that would be ideal!

I looked into the possibility of ETW events, but isn't that just useful at the application level and not the VM level?

I've also looked at this thread, and there was a comment referring to an alternative solution called "Log Analytics" from Azure, but clicking the link leads to an unknown page.


Tags: azure-virtual-machines, azure-monitor, azure-data-lake-storage

1 Answer

Answered by KalyanChanumolu-MSFT

@Cataster-7485 Thank you for reaching out.

If you need to ingest event logs into Azure Data Lake, you will need to build an ingestion pipeline that will extract and load the data.

However, if the requirement is to hold this data for auditing purposes, Azure Monitor offers a cheaper and scalable option.
You can persist the event and activity logs (you can choose the retention period) not just for virtual machines but for many other Azure services that you may provision in the future.

Please refer to this document to understand more.
Monitor virtual machines with Azure Monitor

Log Analytics is a feature within Azure Monitor that lets you query the metrics and logs just like you would from Azure Data Lake, and lets you build reports and dashboards.

Read more here
Overview of Log Analytics in Azure Monitor

Please let us know if you have any further questions.


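The answer above points at Azure Monitor but does not show what "enabling" collection actually involves. Today that means installing the Azure Monitor Agent (AMA) on the VM and attaching a Data Collection Rule (DCR) that names the Windows event channels to forward and the Log Analytics workspace to send them to. The script below is an added example written for this page, not code from the thread or from Microsoft's documentation; the resource group, VM, workspace and rule names are placeholders, and the subscription-specific IDs are looked up at run time. Two caveats a practitioner will care about: the agent forwards events written after the rule is associated, so the "one-time historical" part of the question is not covered by this path and still needs a separate export of the existing .evtx files; and the XPath filters deliberately restrict the Security channel to audit success/failure events and the System channel to level 1 to 3, since forwarding everything is the usual source of surprise ingestion bills.

```sh
# Added example: onboard one Windows VM to Azure Monitor with the Azure Monitor
# Agent and a Data Collection Rule that forwards Security and System event logs
# to a Log Analytics workspace. All names below are placeholders (assumptions),
# not values taken from the thread. Collection starts when the rule is
# associated with the VM; events written before that are not backfilled.
set -eu

RG="${RG:-rg-audit}"                         # assumed resource group
LOCATION="${LOCATION:-eastus}"               # assumed region
VM_NAME="${VM_NAME:-vm-app-01}"              # assumed Windows VM name
WORKSPACE="${WORKSPACE:-law-audit}"          # assumed Log Analytics workspace
DCR_NAME="${DCR_NAME:-dcr-windows-audit}"    # assumed rule name

# Build the DCR body. The XPath filters keep ingestion (and cost) down:
#   Security: audit-success | audit-failure (Keywords bitmask 0x30000000000000)
#   System:   critical, error and warning only (Level 1..3)
dcr_json() {
  workspace_id="$1"
  cat <<EOF
{
  "location": "${LOCATION}",
  "properties": {
    "dataSources": {
      "windowsEventLogs": [
        {
          "name": "auditEvents",
          "streams": ["Microsoft-Event"],
          "xPathQueries": [
            "Security!*[System[(band(Keywords,13510798882111488))]]",
            "System!*[System[(Level=1 or Level=2 or Level=3)]]"
          ]
        }
      ]
    },
    "destinations": {
      "logAnalytics": [
        { "workspaceResourceId": "${workspace_id}", "name": "auditWorkspace" }
      ]
    },
    "dataFlows": [
      { "streams": ["Microsoft-Event"], "destinations": ["auditWorkspace"] }
    ]
  }
}
EOF
}

# Cheap local sanity check before anything is sent to Azure: both channels
# and a workspace destination must be present in the generated body.
dcr_is_well_formed() {
  body="$1"
  printf '%s' "$body" | grep -q '"Security!' &&
  printf '%s' "$body" | grep -q '"System!' &&
  printf '%s' "$body" | grep -q '"workspaceResourceId"'
}

deploy() {
  ws_id=$(az monitor log-analytics workspace show -g "$RG" -n "$WORKSPACE" --query id -o tsv)
  vm_id=$(az vm show -g "$RG" -n "$VM_NAME" --query id -o tsv)

  # 1. AMA needs a managed identity on the VM; then install the agent extension.
  az vm identity assign -g "$RG" -n "$VM_NAME" >/dev/null
  az vm extension set -g "$RG" --vm-name "$VM_NAME" \
    --publisher Microsoft.Azure.Monitor --name AzureMonitorWindowsAgent \
    --enable-auto-upgrade true >/dev/null

  # 2. Create the rule from the generated body.
  tmp=$(mktemp)
  dcr_json "$ws_id" > "$tmp"
  dcr_is_well_formed "$(cat "$tmp")"
  dcr_id=$(az monitor data-collection rule create -g "$RG" -n "$DCR_NAME" \
    -l "$LOCATION" --rule-file "$tmp" --query id -o tsv)
  rm -f "$tmp"

  # 3. Associate the rule with the VM; forwarding starts from this point on.
  az monitor data-collection rule association create \
    --name "${DCR_NAME}-assoc" --rule-id "$dcr_id" --resource "$vm_id" >/dev/null
}

# Guarded so the file can be sourced for testing; run with DEPLOY=1 to apply.
if [ "${DEPLOY:-0}" = "1" ]; then
  deploy
fi
```

Run it with `DEPLOY=1 RG=... VM_NAME=... WORKSPACE=... sh onboard.sh` after `az login`. For the Data Lake half of the question, Log Analytics has a continuous "data export" feature that copies selected tables (here `Event`) to a storage account, which can be an ADLS Gen2 account; the CLI entry point is `az monitor log-analytics workspace data-export create`, and the exact destination flags should be confirmed against `--help` for your CLI version rather than taken from this note.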

@KalyanChanumolu-MSFT
Thanks Kalyan. I checked out the links, and it seems I would have to write Kusto queries in Log Analytics to get the event logs, right? What would the query look like?

@cataster-7485 You are right.

Kusto queries are intuitive and easy to build.
Here is an example

 // Windows events from the last 30 minutes, errors only, with an "age" column
 Event
 | where TimeGenerated > ago(30m)
 | where EventLevelName == "Error"
 | extend timeAgo = now() - TimeGenerated   // timespan since the event was raised
 | extend timeAgoMinutes = timeAgo/1m       // the same value as a number of minutes

We have a lot of samples available already, so you won't have any trouble building the queries you want.
Samples for Kusto Queries

Read more about the language here
Kusto query overview


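The sample query in the comment above filters on severity, which is not what an audit reviewer usually asks first. Two queries that are more to the point for the original auditing goal, run from the Azure CLI so they can be scripted, as an added example that is not part of the thread: one counts failed Windows logons (Security event 4625) per machine and hour and flags machines over a threshold, and the other reports the earliest and latest event per machine and channel, which is how you find out where your audit coverage actually starts given that the agent does not backfill history. Table and column names (`Event`, `Computer`, `EventLog`, `EventID`, `TimeGenerated`) are the standard Azure Monitor schema; the workspace ID is an assumption supplied through the environment.

```sh
# Added example: audit-oriented KQL run through the Azure CLI. WORKSPACE_ID is
# the workspace "customer ID" (a GUID), not its name; it is assumed here and
# read from the environment. Nothing runs until it is set.
set -eu

# Failed logons (Security 4625) per machine per hour, keeping only buckets at
# or above a threshold. $1 = lookback as a KQL timespan (e.g. 7d), $2 = threshold.
failed_logon_query() {
  lookback="$1"
  threshold="$2"
  printf '%s' "Event
| where TimeGenerated > ago(${lookback})
| where EventLog == 'Security' and EventID == 4625
| summarize failures = count() by Computer, bin(TimeGenerated, 1h)
| where failures >= ${threshold}
| order by failures desc"
}

# First and last event per machine and channel. The earliest TimeGenerated is
# the real start of coverage, since only events written after the DCR was
# associated are forwarded. $1 = lookback timespan.
coverage_query() {
  lookback="$1"
  printf '%s' "Event
| where TimeGenerated > ago(${lookback})
| summarize first_event = min(TimeGenerated), last_event = max(TimeGenerated), events = count() by Computer, EventLog
| order by Computer asc, EventLog asc"
}

# $1 = workspace customer ID, $2 = KQL text
run_query() {
  az monitor log-analytics query --workspace "$1" --analytics-query "$2" -o table
}

if [ "${WORKSPACE_ID:-}" != "" ]; then
  run_query "$WORKSPACE_ID" "$(failed_logon_query 7d 10)"
  run_query "$WORKSPACE_ID" "$(coverage_query 30d)"
fi
```

The workspace customer ID comes from `az monitor log-analytics workspace show -g <rg> -n <name> --query customerId -o tsv`; then `WORKSPACE_ID=<guid> sh audit-queries.sh`. The thresholds are starting points: tune the lookback and the failure count to the environment before wiring the first query into an alert.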