Collect data from Azure diagnostics extension to Azure Monitor Logs

Azure diagnostics extension is an agent in Azure Monitor that collects monitoring data from the guest operating system of Azure compute resources including virtual machines. This article describes how to collect data collected by the diagnostics extension from Azure Storage to Azure Monitor Logs.

Note

The Log Analytics agent in Azure Monitor is typically the preferred method to collect data from the guest operating system into Azure Monitor Logs. See Overview of the Azure Monitor agents for a detailed comparison of the agents.

Supported data types

Azure diagnostics extension stores data in an Azure Storage account. For Azure Monitor Logs to collect this data, it must be in the following locations:

Log Type Resource Type Location
IIS logs Virtual Machines
Web roles
Worker roles
wad-iis-logfiles (Blob Storage)
Syslog Virtual Machines LinuxsyslogVer2v0 (Table Storage)
Service Fabric Operational Events Service Fabric nodes WADServiceFabricSystemEventTable
Service Fabric Reliable Actor Events Service Fabric nodes WADServiceFabricReliableActorEventTable
Service Fabric Reliable Service Events Service Fabric nodes WADServiceFabricReliableServiceEventTable
Windows Event logs Service Fabric nodes
Virtual Machines
Web roles
Worker roles
WADWindowsEventLogsTable (Table Storage)
Windows ETW logs Service Fabric nodes
Virtual Machines
Web roles
Worker roles
WADETWEventTable (Table Storage)

Data types not supported

  • Performance data from the guest operating system
  • IIS logs from Azure websites

Enable Azure diagnostics extension

See Install and configure Windows Azure diagnostics extension (WAD) or Use Linux Diagnostic Extension to monitor metrics and logs for details on installing and configuring the diagnostics extension. This will alow you to specify the storage account and to configure collection of the data that you want to forward to Azure Monitor Logs.

Collect logs from Azure Storage

Use the following procedure to enable collection of diagnostics extension data from an Azure Storage account:

  1. In the Azure portal, go to Log Analytics Workspaces and select your workspace.
  2. Click Storage accounts logs in the Workspace Data Sources section of the menu.
  3. Click Add.
  4. Select the Storage account that contains the data to collect.
  5. Select the Data Type you want to collect.
  6. The value for Source is automatically populated based on the data type.
  7. Click OK to save the configuration.
  8. Repeat for additional data types.

In approximately 30 minutes, you are able to see data from the storage account in the Log Analytics workspace. You will only see data that is written to storage after the configuration is applied. The workspace does not read the pre-existing data from the storage account.

Note

The portal does not validate that the source exists in the storage account or if new data is being written.

Next steps