Container group and instance logging with Azure Monitor logs

Log Analytics workspaces provide a centralized location for storing and querying log data not only from Azure resources, but also on-premises resources and resources in other clouds. Azure Container Instances includes built-in support for sending logs and event data to Azure Monitor logs.

To send container group log and event data to Azure Monitor logs, specify an existing Log Analytics workspace ID and workspace key when configuring a container group.

The following sections describe how to create a logging-enabled container group and how to query logs. You can also update a container group with a workspace ID and workspace key to enable logging.

Note

This article was recently updated to use the term Azure Monitor logs instead of Log Analytics. Log data is still stored in a Log Analytics workspace and is still collected and analyzed by the same Log Analytics service. We are updating the terminology to better reflect the role of logs in Azure Monitor. See Azure Monitor terminology changes for details.

Note

Currently, you can only send event data from Linux container instances to Log Analytics.

Prerequisites

To enable logging in your container instances, you need the following:

Get Log Analytics credentials

Azure Container Instances needs permission to send data to your Log Analytics workspace. To grant this permission and enable logging, you must provide the Log Analytics workspace ID and one of its keys (either primary or secondary) when you create the container group.

To obtain the Log Analytics workspace ID and primary key:

  1. Navigate to your Log Analytics workspace in the Azure portal
  2. Under Settings, select Advanced settings
  3. Select Connected Sources > Windows Servers (or Linux Servers; the ID and keys are the same for both)
  4. Take note of:
    • WORKSPACE ID
    • PRIMARY KEY

Create container group

Now that you have the Log Analytics workspace ID and primary key, you're ready to create a logging-enabled container group.

The following examples demonstrate two ways to create a container group that consists of a single fluentd container: Azure CLI, and Azure CLI with a YAML template. The fluentd container produces several lines of output in its default configuration. Because this output is sent to your Log Analytics workspace, it works well for demonstrating the viewing and querying of logs.

Deploy with Azure CLI

To deploy with the Azure CLI, specify the --log-analytics-workspace and --log-analytics-workspace-key parameters in the az container create command. Replace the two workspace values with the values you obtained in the previous step (and update the resource group name) before running the following command.

az container create \
    --resource-group myResourceGroup \
    --name mycontainergroup001 \
    --image fluent/fluentd \
    --log-analytics-workspace <WORKSPACE_ID> \
    --log-analytics-workspace-key <WORKSPACE_KEY>

Deploy with YAML

Use this method if you prefer to deploy container groups with YAML. The following YAML defines a container group with a single container. Copy the YAML into a new file, then replace LOG_ANALYTICS_WORKSPACE_ID and LOG_ANALYTICS_WORKSPACE_KEY with the values you obtained in the previous step. Save the file as deploy-aci.yaml.

apiVersion: 2019-12-01
location: eastus
name: mycontainergroup001
properties:
  containers:
  - name: mycontainer001
    properties:
      environmentVariables: []
      image: fluent/fluentd
      ports: []
      resources:
        requests:
          cpu: 1.0
          memoryInGB: 1.5
  osType: Linux
  restartPolicy: Always
  diagnostics:
    logAnalytics:
      workspaceId: LOG_ANALYTICS_WORKSPACE_ID
      workspaceKey: LOG_ANALYTICS_WORKSPACE_KEY
tags: null
type: Microsoft.ContainerInstance/containerGroups

Next, execute the following command to deploy the container group. Replace myResourceGroup with a resource group in your subscription (or first create a resource group named "myResourceGroup"):

az container create --resource-group myResourceGroup --name mycontainergroup001 --file deploy-aci.yaml

You should receive a response from Azure containing deployment details shortly after issuing the command.
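
The placeholder replacement in the YAML method can be scripted so that the workspace key never appears in process arguments and the rendered file is readable only by its owner. The following is an added example, not part of the original article; the helper name render_aci_yaml, the template file name, and the WORKSPACE_ID and WORKSPACE_KEY environment variables are assumptions.

```sh
#!/bin/sh
# Added example (not from the original article). Assumptions: the template
# still holds the article's two placeholders, and WORKSPACE_ID/WORKSPACE_KEY
# are set in the environment. render_aci_yaml is a hypothetical helper name.

# The function body is a subshell, so umask and variables stay local to it.
render_aci_yaml() (
    template=$1 output=$2
    id=${WORKSPACE_ID:-} key=${WORKSPACE_KEY:-}

    # Workspace IDs are GUIDs. Blank the value if it holds any other
    # character (newlines included), then check the 8-4-4-4-12 shape.
    case $id in *[!0-9a-fA-F-]*) id= ;; esac
    printf '%s\n' "$id" |
        grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$' ||
        { echo "WORKSPACE_ID is not a GUID" >&2; exit 1; }

    # Workspace keys are base64 text. Restricting the alphabet also keeps
    # out & and \, which awk's gsub() treats specially in a replacement.
    case $key in
        '' | *[!A-Za-z0-9+/=]*)
            echo "WORKSPACE_KEY is empty or not base64" >&2; exit 1 ;;
    esac

    # Owner-only permissions (mode 600) for the file that will hold the key.
    # Remove any old copy first so its looser mode is not inherited.
    umask 077
    rm -f "$output"

    # Values reach awk through its environment, not its argument list.
    WORKSPACE_ID=$id WORKSPACE_KEY=$key awk '{
        gsub(/LOG_ANALYTICS_WORKSPACE_ID/,  ENVIRON["WORKSPACE_ID"])
        gsub(/LOG_ANALYTICS_WORKSPACE_KEY/, ENVIRON["WORKSPACE_KEY"])
        print
    }' "$template" > "$output" || exit 1

    # A placeholder that survived (for example a misspelled one) is an error.
    if grep -q 'LOG_ANALYTICS_WORKSPACE_' "$output"; then
        rm -f "$output"
        echo "unreplaced placeholder in $template" >&2; exit 1
    fi
)

# Usage: render_aci_yaml deploy-aci.template.yaml deploy-aci.yaml
```

Delete the rendered deploy-aci.yaml once the deployment has succeeded, since it contains the workspace key in clear text.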

View logs

After you've deployed the container group, it can take several minutes (up to 10) for the first log entries to appear in the Azure portal. To view the container group's logs in the ContainerInstanceLog_CL table:

  1. Navigate to your Log Analytics workspace in the Azure portal
  2. Under General, select Logs
  3. Type the following query: ContainerInstanceLog_CL | limit 50
  4. Select Run

You should see several results displayed by the query. If at first you don't see any results, wait a few minutes, then select the Run button to execute the query again. By default, log entries are displayed in Table format. You can then expand a row to see the contents of an individual log entry.

Log Search results in the Azure portal

View events

You can also view events for container instances in the Azure portal. Events include the time the instance is created and when it is started. To view the event data in the ContainerEvent_CL table:

  1. Navigate to your Log Analytics workspace in the Azure portal
  2. Under General, select Logs
  3. Type the following query: ContainerEvent_CL | limit 50
  4. Select Run

You should see several results displayed by the query. If at first you don't see any results, wait a few minutes, then select the Run button to execute the query again. By default, entries are displayed in Table format. You can then expand a row to see the contents of an individual entry.

Event Search results in the Azure portal

Query container logs

Azure Monitor logs includes an extensive query language for pulling information from potentially thousands of lines of log output.

The basic structure of a query is the source table (in this article, ContainerInstanceLog_CL or ContainerEvent_CL) followed by a series of operators separated by the pipe character (|). You can chain several operators to refine the results and perform advanced functions.

To see example query results, paste the following query into the query text box, and select the Run button to execute the query. This query displays all log entries whose "Message" field contains the word "warn":

ContainerInstanceLog_CL
| where Message contains "warn"

More complex queries are also supported. For example, this query displays only those log entries for the "mycontainergroup001" container group generated within the last hour:

ContainerInstanceLog_CL
| where (ContainerGroup_s == "mycontainergroup001")
| where (TimeGenerated > ago(1h))

Next steps

Azure Monitor logs

For more information about querying logs and configuring alerts in Azure Monitor logs, see:

Monitor container CPU and memory

For information about monitoring container instance CPU and memory resources, see: