Create, view, and manage log alerts using Azure Monitor

This article shows you how to create and manage log alerts. Azure Monitor log alerts allow users to use a Log Analytics query to evaluate resource logs at a set frequency and fire an alert based on the results. Rules can trigger one or more actions using Action Groups. Learn more about functionality and terminology of log alerts.

Alert rules are defined by three components:

Create a new log alert rule in the Azure portal

Note

This article describes creating alert rules using the new alert rule wizard. The new alert rule experience differs slightly from the old experience. Please note these changes:

  • Previously, search results were included in the payloads of the triggered alert and its associated notifications. This was a limited and error-prone solution. To get detailed context information about the alert so that you can decide on the appropriate action:
    • The recommended best practice is to use Dimensions. Dimensions provide the column value that fired the alert, giving you context for why the alert fired and how to fix the issue.
    • When you need to investigate in the logs, use the link in the alert to the search results in Logs.
    • If you need the raw search results or for any other advanced customizations, use Logic Apps.
  • The new alert rule wizard does not support customization of the JSON payload.
    • Use custom properties in the new API to add static parameters and associated values to the webhook actions triggered by the alert.
    • For more advanced customizations, use Logic Apps.
  • The new alert rule wizard does not support customization of the email subject.
    • Customers often use the custom email subject to indicate the resource on which the alert fired, instead of using the Log Analytics workspace. Use the new API to fire the alert on the desired resource by using the resource ID column.
    • For more advanced customizations, use Logic Apps.
  1. In the portal, select the relevant resource. We recommend monitoring at scale by using a subscription or resource group for the alert rule.

  2. In the Resource menu, select Logs.

  3. Write a query that will find the log events for which you want to create an alert. You can use the alert query examples article to understand what you can discover or get started on writing your own query. Also, learn how to create optimized alert queries.

  4. From the top command bar, select + New Alert rule.

  5. The Condition tab opens, populated with your log query.

  6. In the Measurement section, select values for the Measure, Aggregation type, and Aggregation granularity fields.

    • By default, the rule counts the number of results in the last 5 minutes.
    • If the system detects summarized query results, the rule is automatically updated to capture that.

  7. (Optional) In the Split by dimensions section, select alert splitting by dimensions:

    • If detected, the Resource ID column is selected automatically and changes the context of the fired alert to the record's resource.
    • Clear the Resource ID column to fire alerts on multiple resources in subscriptions or resource groups. For example, you can create a query that checks if 80% of the resource group's virtual machines are experiencing high CPU usage.
    • You can use the dimensions table to select up to six more splittings on any numeric or text column.
    • Alerts are fired individually for each unique splitting combination. The alert payload includes the combination that triggered the alert.
  8. In the Alert logic section, set the Alert logic: Operator, Threshold Value, and Frequency.

  9. (Optional) In the Advanced options section, set the Number of violations to trigger the alert.

  10. The Preview chart shows query evaluation results over time. You can change the chart period or select different time series that resulted from unique alert splitting by dimensions.

  11. From this point on, you can select the Review + create button at any time.

  12. In the Actions tab, select or create the required action groups.

  13. In the Details tab, define the Project details and the Alert rule details.

  14. (Optional) In the Advanced options section, you can set several options, including whether to Enable upon creation, or to Mute actions for a period after the alert rule fires.

Note

If you or your administrator assigned the Azure Policy "Azure Log Search Alerts over Log Analytics workspaces should use customer-managed keys", you must select the Check workspace linked storage option in Advanced options, or the rule creation will fail because it won't meet the policy requirements.

  15. In the Tags tab, set any required tags on the alert rule resource.

  16. In the Review + create tab, a validation will run and inform you of any issues.

  17. When validation passes and you have reviewed the settings, select the Create button.

Note

The alert rule recommendations feature is currently in preview and is only enabled for VMs.

If you don't have alert rules defined for the selected resource, either individually or as part of a resource group or subscription, you can enable our recommended out-of-the-box alert rules.

The system compiles a list of recommended alert rules based on:

  • The resource provider’s knowledge of important signals and thresholds for monitoring the resource.
  • Telemetry that tells us what customers commonly alert on for this resource.

To enable recommended alert rules:

  1. On the Alerts page, select Enable recommended alert rules. The Enable recommended alert rules pane opens with a list of recommended alert rules based on your type of resource.
  2. In the Alert me if section, select all of the rules you want to enable. The rules are populated with the default values for the rule condition, such as the percentage of CPU usage that you want to trigger an alert. You can change the default values if you would like.
  3. In the Notify me by section, select the way you want to be notified if an alert is fired.
  4. Select Enable.

Manage alert rules in the Alerts portal

Note

This section describes how to manage alert rules created in the latest UI or using an API version later than 2018-04-16. See View and manage alert rules created in previous versions for information about how to view and manage alert rules created in the previous UI.

  1. In the portal, select the relevant resource.
  2. Under Monitoring, select Alerts.
  3. From the top command bar, select Alert rules.
  4. Select the alert rule that you want to edit.
  5. Edit any fields necessary, then select Save on the top command bar.

Manage log alerts using CLI

This section describes how to manage log alerts using the cross-platform Azure CLI. The quickest way to start using the Azure CLI is through Azure Cloud Shell. For this article, we'll use Cloud Shell.

Note

Azure CLI support is only available for the scheduledQueryRules API version 2021-08-01 and later. Previous API versions can use the Azure Resource Manager CLI with templates as described below. If you use the legacy Log Analytics Alert API, you will need to switch to the CLI. Learn more about switching.

  1. In the portal, select Cloud Shell.
  2. At the prompt, you can use commands with the --help option to learn more about the command and how to use it. For example, the following command shows you the list of commands available for creating, viewing, and managing log alerts:
    az monitor scheduled-query --help
    
  3. You can create a log alert rule that monitors the count of system event errors (the query is enclosed in single quotes inside the condition string, so only the inner double quotes need escaping):
    az monitor scheduled-query create -g {ResourceGroup} -n {nameofthealert} --scopes {vm_id} --condition "count 'union Event, Syslog | where TimeGenerated > ago(1h) | where EventLevelName == \"Error\" or SeverityLevel == \"err\"' > 2" --description "{descriptionofthealert}"
    
  4. You can view all the log alerts in a resource group using the following command:
    az monitor scheduled-query list -g {ResourceGroup}
    
  5. You can see the details of a particular log alert rule using the name or the resource ID of the rule:
    az monitor scheduled-query show -g {ResourceGroup} -n {AlertRuleName}
    
    az monitor scheduled-query show --ids {RuleResourceId}
    
  6. You can disable a log alert rule using the following command (set --disabled to false to re-enable it):
    az monitor scheduled-query update -g {ResourceGroup} -n {AlertRuleName} --disabled true
    
  7. You can delete a log alert rule using the following command:
    az monitor scheduled-query delete -g {ResourceGroup} -n {AlertRuleName}
    

You can also use the Azure Resource Manager CLI with template files:

az login
az deployment group create \
    --name AlertDeployment \
    --resource-group ResourceGroupofTargetResource \
    --template-file mylogalerttemplate.json \
    --parameters @mylogalerttemplate.parameters.json

On success for creation, 201 is returned. On success for update, 200 is returned.
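As an added example (not from this article or Microsoft's documentation), here is a mylogalerttemplate.json for the deployment above that uses the scheduledQueryRules 2021-08-01 API and maps the wizard settings described earlier onto template properties: resourceIdColumn and a dimension for splitting, failingPeriods for the number of violations, muteActionsDuration for muting actions, customProperties for static webhook parameters, and checkWorkspaceAlertsStorageConfigured for the customer-managed-key policy note. The workspace and action group IDs are placeholders expected from mylogalerttemplate.parameters.json; the rule name, query, thresholds and custom property are constructed values.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceId": { "type": "string", "metadata": { "description": "Placeholder: resource ID of the Log Analytics workspace to query (set in the parameters file)" } },
    "actionGroupId": { "type": "string", "metadata": { "description": "Placeholder: resource ID of the action group to notify (set in the parameters file)" } }
  },
  "resources": [
    {
      "type": "Microsoft.Insights/scheduledQueryRules",
      "apiVersion": "2021-08-01",
      "name": "vm-error-events",
      "location": "[resourceGroup().location]",
      "properties": {
        "displayName": "VM error events (per resource)",
        "description": "Fires once per VM whose error-level events exceed the threshold; the service applies the time window, so the query has no TimeGenerated filter",
        "severity": 2,
        "enabled": true,
        "evaluationFrequency": "PT5M",
        "windowSize": "PT15M",
        "scopes": [ "[parameters('workspaceId')]" ],
        "criteria": {
          "allOf": [
            {
              "query": "union Event, Syslog | where EventLevelName == \"Error\" or SeverityLevel == \"err\" | summarize ErrorCount = count() by _ResourceId, Computer",
              "timeAggregation": "Total",
              "metricMeasureColumn": "ErrorCount",
              "resourceIdColumn": "_ResourceId",
              "dimensions": [ { "name": "Computer", "operator": "Include", "values": [ "*" ] } ],
              "operator": "GreaterThan",
              "threshold": 2,
              "failingPeriods": { "numberOfEvaluationPeriods": 3, "minFailingPeriodsToAlert": 2 }
            }
          ]
        },
        "muteActionsDuration": "PT30M",
        "checkWorkspaceAlertsStorageConfigured": false,
        "actions": {
          "actionGroups": [ "[parameters('actionGroupId')]" ],
          "customProperties": { "runbook": "vm-error-triage" }
        }
      }
    }
  ]
}
```

Because the rule is scoped to the workspace and fires on the _ResourceId column, each alert is attached to the VM that produced the records rather than to the workspace. If the customer-managed-key policy from the note above applies to your subscription, set checkWorkspaceAlertsStorageConfigured to true.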

Next steps