Create Azure Monitor log alert rules and manage alert instances

This article shows you how to create log alert rules and manage your alert instances. Azure Monitor log alerts allow users to use a Log Analytics query to evaluate resource logs at a set frequency and fire an alert based on the results. Rules can trigger one or more actions using alert processing rules and action groups. Learn the concepts behind log alerts here.

You create an alert rule by combining:

• The resource(s) to be monitored.
• The signal or telemetry from the resource
• Conditions

And then defining these elements of the triggered alert:

• Alert processing rules
• Action groups

You can also create log alert rules using Azure Resource Manager templates.

Create a new log alert rule in the Azure portal

1. In the portal, select the relevant resource. We recommend monitoring at scale by using a subscription or resource group.

2. In the Resource menu, select Logs.

3. Write a query that will find the log events for which you want to create an alert. You can use the alert query examples article to understand what you can discover or get started on writing your own query. Also, learn how to create optimized alert queries.

4. From the top command bar, Select + New Alert rule.

   

5. The Condition tab opens, populated with your log query.

   By default, the rule counts the number of results in the last 5 minutes.

   If the system detects summarized query results, the rule is automatically updated with that information.

   

6. In the Measurement section, select values for these fields:

   Field	Description
   Measure	Log alerts can measure two different things, which can be used for different monitoring scenarios: Table rows: The number of rows returned can be used to work with events such as Windows event logs, syslog, application exceptions. Calculation of a numeric column: Calculations based on any numeric column can be used to include any number of resources. For example, CPU percentage.
   Aggregation type	The calculation performed on multiple records to aggregate them to one numeric value using the aggregation granularity. For example: Total, Average, Minimum, or Maximum.
   Aggregation granularity	The interval for aggregating multiple records to one numeric value.

   

7. (Optional) In the Split by dimensions section, you can create resource-centric alerts at scale for a subscription or resource group. Splitting by dimensions groups combinations of numerical or string columns to monitor for the same condition on multiple Azure resources.

   If you select more than one dimension value, each time series that results from the combination triggers its own alert and is charged separately. The alert payload includes the combination that triggered the alert.

   You can select up to six more splittings for any number or text columns types.

   You can also decide not to split when you want a condition applied to multiple resources in the scope. For example, if you want to fire an alert if at least five machines in the resource group scope have CPU usage over 80%.

   Select values for these fields:

   Field	Description
   Dimension name	Dimensions can be either number or string columns. Dimensions are used to monitor specific time series and provide context to a fired alert. Splitting on the Azure Resource ID column makes the specified resource into the alert target. If a Resource ID column is detected, it is selected automatically and changes the context of the fired alert to the record's resource.
   Operator	The operator used on the dimension name and value.
   Dimension values	The dimension values are based on data from the last 48 hours. Select Add custom value to add custom dimension values.

   

8. In the Alert logic section, select values for these fields:

   Field	Description
   Operator	The query results are transformed into a number. In this field, select the operator to use to compare the number against the threshold.
   Threshold value	A number value for the threshold.
   Frequency of evaluation	The interval in which the query is run. Can be set from a minute to a day.

   

9. (Optional) In the Advanced options section, you can specify the number of failures and the alert evaluation period required to trigger an alert. For example, if you set the Aggregation granularity to 5 minutes, you can specify that you only want to trigger an alert if there were three failures (15 minutes) in the last hour. This setting is defined by your application business policy.

   Select values for these fields under Number of violations to trigger the alert:

   Field	Description
   Number of violations	The number of violations that have to occur to trigger the alert.
   Evaluation period	The amount of time within which those violations have to occur.
   Override query time range	Enter a value in this field if the alert evaluation period is different than the query time range. The alert time range is limited to a maximum of two days. Even if the query contains an ago command with a time range of longer than 2 days, the 2 day maximum time range is applied. For example, even if the query text contains ago(7d), the query only scans up to 2 days of data. If the query requires more data than the alert evaluation, and there is no ago command in the query, you can change the time range manually.

   

10. The Preview chart shows query evaluations results over time. You can change the chart period or select different time series that resulted from unique alert splitting by dimensions.

    

11. From this point on, you can select the Review + create button at any time.

12. In the Actions tab, select or create the required action groups.

    

13. In the Details tab, define the Project details and the Alert rule details.

14. (Optional) In the Advanced options section, you can set several options, including whether to Enable upon creation, or to Mute actions for a period of time after the alert rule fires.

    

    Note

    If you, or your administrator assigned the Azure Policy Azure Log Search Alerts over Log Analytics workspaces should use customer-managed keys, you must select Check workspace linked storage option in Advanced options, or the rule creation will fail as it will not meet the policy requirements.

15. In the Tags tab, set any required tags on the alert rule resource.

    

16. In the Review + create tab, a validation will run and inform you of any issues.

17. When validation passes and you have reviewed the settings, select the Create button.

    

Note

This section above describes creating alert rules using the new alert rule wizard. The new alert rule experience is a little different than the old experience. Please note these changes:

• Previously, search results were included in the payloads of the triggered alert and its associated notifications. This was a limited solution, since the email included only 10 rows from the unfiltered results while the webhook payload contained 1000 unfiltered results. To get detailed context information about the alert so that you can decide on the appropriate action :
  • We recommend using Dimensions. Dimensions provide the column value that fired the alert, giving you context for why the alert fired and how to fix the issue.
  • When you need to investigate in the logs, use the link in the alert to the search results in Logs.
  • If you need the raw search results or for any other advanced customizations, use Logic Apps.
• The new alert rule wizard does not support customization of the JSON payload.
  • Use custom properties in the new API to add static parameters and associated values to the webhook actions triggered by the alert.
  • For more advanced customizations, use Logic Apps.
• The new alert rule wizard does not support customization of the email subject.
  • Customers often use the custom email subject to indicate the resource on which the alert fired, instead of using the Log Analytics workspace. Use the new API to trigger an alert of the desired resource using the resource id column.
  • For more advanced customizations, use Logic Apps.

Enable recommended out-of-the-box alert rules in the Azure portal (preview)

Note

The alert rule recommendations feature is currently in preview and is only enabled for VMs.

If you don't have alert rules defined for the selected resource, either individually or as part of a resource group or subscription, you can enable our recommended out-of-the-box alert rules.

The system compiles a list of recommended alert rules based on:

• The resource provider’s knowledge of important signals and thresholds for monitoring the resource.
• Telemetry that tells us what customers commonly alert on for this resource.

To enable recommended alert rules:

1. On the Alerts page, select Enable recommended alert rules. The Enable recommended alert rules pane opens with a list of recommended alert rules based on your type of resource.
2. In the Alert me if section, select all of the rules you want to enable. The rules are populated with the default values for the rule condition, such as the percentage of CPU usage that you want to trigger an alert. You can change the default values if you would like.
3. In the Notify me by section, select the way you want to be notified if an alert is fired.
4. Select Enable.

Manage alert rules in the Alerts portal

Note

This section describes how to manage alert rules created in the latest UI or using an API version later than 2018-04-16. See View and manage alert rules created in previous versions for information about how to view and manage alert rules created in the previous UI.

1. In the portal, select the relevant resource.
2. Under Monitoring, select Alerts.
3. From the top command bar, select Alert rules.
4. Select the alert rule that you want to edit.
5. Edit any fields necessary, then select Save on the top command bar.

Manage log alerts using CLI

This section describes how to manage log alerts using the cross-platform Azure CLI. Quickest way to start using Azure CLI is through Azure Cloud Shell. For this article, we'll use Cloud Shell.

Note

Azure CLI support is only available for the scheduledQueryRules API version 2021-08-01 and later. Previous API versions can use the Azure Resource Manager CLI with templates as described below. If you use the legacy Log Analytics Alert API, you will need to switch to use CLI. Learn more about switching.

1. In the portal, select Cloud Shell.
2. At the prompt, you can use commands with --help option to learn more about the command and how to use it. For example, the following command shows you the list of commands available for creating, viewing, and managing log alerts:

   az monitor scheduled-query --help
   

3. You can create a log alert rule that monitors count of system event errors:

   az monitor scheduled-query create -g {ResourceGroup} -n {nameofthealert} --scopes {vm_id} --condition "count \'union Event, Syslog | where TimeGenerated > ago(1h) | where EventLevelName == \"Error\" or SeverityLevel== \"err\"\' > 2" --description {descriptionofthealert}
   

4. You can view all the log alerts in a resource group using the following command:

   az monitor scheduled-query list -g {ResourceGroup}
   

5. You can see the details of a particular log alert rule using the name or the resource ID of the rule:

   az monitor scheduled-query show -g {ResourceGroup} -n {AlertRuleName}
   

   az monitor scheduled-query show --ids {RuleResourceId}
   

6. You can disable a log alert rule using the following command:

   az monitor scheduled-query update -g {ResourceGroup} -n {AlertRuleName} --disabled false
   

7. You can delete a log alert rule using the following command:

   az monitor scheduled-query delete -g {ResourceGroup} -n {AlertRuleName}
   

You can also use Azure Resource Manager CLI with templates files:

az login
az deployment group create \
    --name AlertDeployment \
    --resource-group ResourceGroupofTargetResource \
    --template-file mylogalerttemplate.json \
    --parameters @mylogalerttemplate.parameters.json

On success for creation, 201 is returned. On success for update, 200 is returned.

Next steps

• Learn about Log alerts.
• Create log alerts using Azure Resource Manager Templates.
• Understand webhook actions for log alerts.
• Learn more about log queries.