What is Log Analytics?

Log Analytics is a service in Operations Management Suite (OMS) that monitors your cloud and on-premises environments to maintain their availability and performance. It collects data generated by resources in your cloud and on-premises environments and from other monitoring tools to provide analysis across multiple sources. This article provides a brief discussion of the value that Log Analytics provides, an overview of how it operates, and links to more detailed content so you can dig further.

Is Log Analytics for you?

If you have no current monitoring in place for your Azure environment, you should start with Azure Monitor, which collects and analyzes monitoring data for your Azure resources. Log Analytics can collect data from Azure Monitor to correlate it with other data and provide additional analysis.

If you want to monitor your on-premises environment or you have existing monitoring using services such as Azure Monitor or System Center Operations Manager, then Log Analytics can add significant value. It can collect data directly from your agents and also from these other tools into a single repository. Analysis tools in Log Analytics such as log searches, views, and solutions work against all collected data providing you with centralized analysis of your entire environment.

Using Log Analytics

You can access Log Analytics through the OMS portal or the Azure portal which run in any browser and provide you with access to configuration settings and multiple tools to analyze and act on collected data. From the portal you can leverage log searches where you construct queries to analyze collected data, dashboards which you can customize with graphical views of your most valuable searches, and solutions which provide additional functionality and analysis tools.

The image below, from the OMS portal, shows the dashboard that displays summary information for the solutions installed in the workspace. You can click any tile to drill further into the data for that solution.

[Image: OMS portal]

Log Analytics includes a query language to quickly retrieve and consolidate data in the repository. You can create and save Log Searches to directly analyze data in the portal or have log searches run automatically to create an alert if the results of the query indicate an important condition.

[Image: Log search]

To get a quick graphical view of the health of your overall environment, you can add visualizations for saved log searches to your dashboard.

[Image: Dashboard]

To analyze data outside of Log Analytics, you can export the data from the OMS repository into tools such as Power BI or Excel. You can also use the Log Search API to build custom solutions that leverage Log Analytics data or to integrate with other systems.

Add functionality with management solutions

Management solutions add functionality to OMS, providing additional data and analysis tools to Log Analytics. They may also define new record types to be collected that can be analyzed with Log Searches or by an additional user interface provided by the solution in the dashboard. The example image below shows the Change Tracking solution.

[Image: Change Tracking solution]

Solutions are available for a variety of functions, and additional solutions are consistently being added. You can easily browse available solutions and add them to your OMS workspace from the Solutions Gallery or Azure Marketplace. Many will be automatically deployed and start working immediately while others may require moderate configuration.

[Image: Solution Gallery]

Log Analytics components

At the center of Log Analytics is the OMS repository which is hosted in the Azure cloud. Data is collected into the repository from connected sources by configuring data sources and adding solutions to your subscription. Data sources and solutions will each create different record types that have their own set of properties but may still be analyzed together in queries to the repository. This allows you to use the same tools and methods to work with different kinds of data collected by different sources.

[Image: OMS repository]

Connected sources are the computers and other resources that generate data collected by Log Analytics. This can include agents installed on Windows and Linux computers that connect directly or agents in a connected System Center Operations Manager management group. For Azure resources, Log Analytics collects data from Azure Monitor and Azure Diagnostics.

Data sources are the different kinds of data collected from each connected source. This includes events and performance data from Windows and Linux agents, in addition to sources such as IIS logs and custom text logs. You configure each data source that you want to collect, and the configuration is automatically delivered to each connected source.

If you have custom requirements, then you can use the HTTP Data Collector API to write data to the repository from a REST API client.

Log Analytics architecture

The deployment requirements of Log Analytics are minimal since the central components are hosted in the Azure cloud. This includes the repository in addition to the services that allow you to correlate and analyze collected data. The portal can be accessed from any browser so there is no requirement for client software.

You must install agents on Windows and Linux computers, but there is no additional agent required for computers that are already members of a connected SCOM management group. SCOM agents will continue to communicate with management servers which will forward their data to Log Analytics. Some solutions though will require agents to communicate directly with Log Analytics. The documentation for each solution will specify its communication requirements.

When you sign up for Log Analytics, you will create an OMS workspace. You can think of the workspace as a unique Log Analytics environment with its own data repository, data sources, and solutions. You may create multiple workspaces in your subscription to support multiple environments such as production and test.

[Image: Log Analytics architecture]

Next steps