Azure Monitor logs for public Basic Load Balancer

Important

Azure Load Balancer supports two different types: Basic and Standard. This article discusses Basic Load Balancer. For more information about Standard Load Balancer, see Standard Load Balancer overview which exposes telemetry via multi-dimensional metrics in Azure Monitor.

You can use different types of logs in Azure to manage and troubleshoot Basic Load Balancers. Some of these logs can be accessed through the portal. Logs can be streamed to an event hub or a Log Analytics workspace. All logs can be extracted from Azure blob storage, and viewed in different tools, such as Excel and Power BI. You can learn more about the different types of logs from the list below.

  • Activity logs: You can use View activity logs to monitor actions on resources to view all activity being submitted to your Azure subscription(s), and their status. Activity logs are enabled by default, and can be viewed in the Azure portal.
  • Alert event logs: You can use this log to view alerts raised by the load balancer. The status for the load balancer is collected every five minutes. This log is only written if a load balancer alert event is raised.
  • Health probe logs: You can use this log to view problems detected by your health probe, such as the number of instances in your backend-pool that are not receiving requests from the load balancer because of health probe failures. This log is written to when there is a change in the health probe status.

Important

Azure Monitor logs currently works only for public Basic load balancers. Logs are only available for resources deployed in the Resource Manager deployment model. You cannot use logs for resources in the classic deployment model. For more information about the deployment models, see Understanding Resource Manager deployment and classic deployment.

Enable logging

Activity logging is automatically enabled for every Resource Manager resource. Enable event and health probe logging to start collecting the data available through those logs. Use the following steps to enable logging.

Sign in to the Azure portal. If you don't already have a load balancer, create a load balancer before you continue.

  1. In the portal, click Resource groups.

  2. Select <resource-group-name> where your load balancer is.

  3. Select your load balancer.

  4. Select Monitoring > Diagnostic settings.

  5. In the Diagnostics settings pane, under Diagnostics settings, select + Add diagnostic setting.

  6. In the Diagnostics settings creation pane, enter myLBDiagnostics in the Name field.

  7. You have three options for the Diagnostics settings. You can choose one, two or all three and configure each for your requirements:

    • Archive to a storage account
    • Stream to an event hub
    • Send to Log Analytics

    Archive to a storage account

    You'll need a storage account already created for this process. To create a storage account, see Create a storage account

    1. Select the checkbox next to Archive to a storage account.
    2. Select Configure to open the Select a storage account pane.
    3. Select the Subscription where your storage account was created in the pull-down box.
    4. Select the name of your storage account under Storage account in the pull-down box.
    5. Select OK.

    Stream to an event hub

    You'll need an event hub already created for this process. To create an event hub, see Quickstart: Create an event hub using Azure portal

    1. Select the checkbox next to Stream to an event hub
    2. Select Configure to open the Select event hub pane.
    3. Select the Subscription where your event hub was created in the pull-down box.
    4. Select event hub namespace in the pull-down box.
    5. Select event hub policy name in the pull-down box.
    6. Select OK.

    Send to Log Analytics

    You'll need to already have a log analytics workspace created and configured for this process. To create a Log Analytics workspace, see Create a Log Analytics workspace in the Azure portal

    1. Select the checkbox next to Send to Log Analytics.
    2. Select the Subscription where your Log Analytics workspace is in the pull-down box.
    3. Select the Log Analytics Workspace in the pull-down box.
  8. Beneath the LOG section in the Diagnostics settings pane, select the check box next to both:

    • LoadBalancerAlertEvent
    • LoadBalancerProbeHealthStatus
  9. Beneath the METRIC section in the Diagnostics settings pane, select the check box next to:

  • AllMetrics
  1. Verify everything looks correct and click Save at the top of the create Diagnostic settings pane.

Activity log

The activity log is generated by default. The logs are preserved for 90 days in Azure's Event Logs store. Learn more about these logs by reading the View activity logs to monitor actions on resources article.

Archive to storage account logs

Alert event log

This log is only generated if you've enabled it on a per load balancer basis. The events are logged in JSON format and stored in the storage account you specified when you enabled the logging. The following example is of an event.

{
    "time": "2016-01-26T10:37:46.6024215Z",
    "systemId": "32077926-b9c4-42fb-94c1-762e528b5b27",
    "category": "LoadBalancerAlertEvent",
    "resourceId": "/SUBSCRIPTIONS/XXXXXXXXXXXXXXXXX-XXXX-XXXX-XXXXXXXXX/RESOURCEGROUPS/RG7/PROVIDERS/MICROSOFT.NETWORK/LOADBALANCERS/WWEBLB",
    "operationName": "LoadBalancerProbeHealthStatus",
    "properties": {
        "eventName": "Resource Limits Hit",
        "eventDescription": "Ports exhausted",
        "eventProperties": {
            "public ip address": "40.117.227.32"
        }
    }
}

The JSON output shows the eventname property, which will describe the reason for the load balancer created an alert. In this case, the alert generated was because of TCP port exhaustion caused by source IP NAT limits (SNAT).

Health probe log

This log is only generated if you've enabled it on a per load balancer basis as detailed above. The data is stored in the storage account you specified when you enabled the logging. A container named 'insights-logs-loadbalancerprobehealthstatus' is created and the following data is logged:

{
    "records":[
    {
        "time": "2016-01-26T10:37:46.6024215Z",
        "systemId": "32077926-b9c4-42fb-94c1-762e528b5b27",
        "category": "LoadBalancerProbeHealthStatus",
        "resourceId": "/SUBSCRIPTIONS/XXXXXXXXXXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXX/RESOURCEGROUPS/RG7/PROVIDERS/MICROSOFT.NETWORK/LOADBALANCERS/WWEBLB",
        "operationName": "LoadBalancerProbeHealthStatus",
        "properties": {
            "publicIpAddress": "40.83.190.158",
            "port": "81",
            "totalDipCount": 2,
            "dipDownCount": 1,
            "healthPercentage": 50.000000
        }
    },
    {
        "time": "2016-01-26T10:37:46.6024215Z",
        "systemId": "32077926-b9c4-42fb-94c1-762e528b5b27",
        "category": "LoadBalancerProbeHealthStatus",
        "resourceId": "/SUBSCRIPTIONS/XXXXXXXXXXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXX/RESOURCEGROUPS/RG7/PROVIDERS/MICROSOFT.NETWORK/LOADBALANCERS/WWEBLB",
        "operationName": "LoadBalancerProbeHealthStatus",
        "properties": {
            "publicIpAddress": "40.83.190.158",
            "port": "81",
            "totalDipCount": 2,
            "dipDownCount": 0,
            "healthPercentage": 100.000000
        }
    }]
}

The JSON output shows in the properties field the basic information for the probe health status. The dipDownCount property shows the total number of instances on the back-end, which are not receiving network traffic because of failed probe responses.

View and analyze the audit log

You can view and analyze audit log data using any of the following methods:

  • Azure tools: Retrieve information from the audit logs through Azure PowerShell, the Azure Command Line Interface (CLI), the Azure REST API, or the Azure portal. Step-by-step instructions for each method are detailed in the Audit operations with Resource Manager article.
  • Power BI: If you don't already have a [Power BI](https:// .microsoft.com/pricing) account, you can try it for free. Using the [Azure Audit Logs content pack for Power BI](https:// .microsoft.com/documentation/ -content-pack-azure-audit-logs), you can analyze your data with pre-configured dashboards, or you can customize views to suit your requirements.

View and analyze the health probe and event log

Connect to your storage account and retrieve the JSON log entries for event and health probe logs. Once you download the JSON files, you can convert them to CSV and view in Excel, Power BI, or any other data visualization tool.

Tip

If you are familiar with Visual Studio and basic concepts of changing values for constants and variables in C#, you can use the log converter tools available from GitHub.

Stream to an event hub

When diagnostic information is streamed to an event hub, it can be used for centralized log analysis in a third-party SIEM tool with Azure Monitor Integration. For more information, see Stream Azure monitoring data to an event hub

Send to Log Analytics

Resources in Azure can have their diagnostic information sent directly to a Log Analytics workspace where complex queries can be run against the information for troubleshooting and analysis. For more information, see Collect Azure resource logs in Log Analytics workspace in Azure Monitor

Next steps

Understand load balancer probes