Monitor Azure Container Registry
When you have critical applications and business processes relying on Azure resources, you want to monitor those resources for their availability, performance, and operation. This article describes the monitoring data generated by Azure Container Registry and how you can use the features of Azure Monitor to analyze and alert on this data.
The Overview page in the Azure portal for each registry includes a brief view of recent resource usage and activity, such as push and pull operations. This high-level information is useful, but only a small amount of the monitoring data is shown there.
What is Azure Monitor?
Azure Container Registry creates monitoring data using Azure Monitor, which is a full stack monitoring service in Azure that provides a complete set of features to monitor your Azure resources in addition to resources in other clouds and on-premises.
Start with the article Monitoring Azure resources with Azure Monitor, which describes the following concepts:
- What is Azure Monitor?
- Costs associated with monitoring
- Monitoring data collected in Azure
- Configuring data collection
- Standard tools in Azure for analyzing and alerting on monitoring data
The following sections build on this article by describing the specific data gathered for Azure Container Registry and providing examples for configuring data collection and analyzing this data with Azure tools.
Azure Container Registry collects the same kinds of monitoring data as other Azure resources that are described in Monitoring data from Azure resources.
See Monitoring Azure Container Registry data reference for detailed information on the metrics and logs created by Azure Container Registry.
Collection and routing
Platform metrics and the Activity log are collected and stored automatically, but can be routed to other locations by using a diagnostic setting.
Resource Logs are not collected and stored until you create a diagnostic setting and route them to one or more locations.
See Create diagnostic setting to collect platform logs and metrics in Azure for the detailed process for creating a diagnostic setting using the Azure portal, CLI, or PowerShell. When you create a diagnostic setting, you specify which categories of logs to collect. The categories for Azure Container Registry are listed in Azure Container Registry monitoring data reference.
You can also create registry diagnostic settings by navigating to your registry in the portal. In the menu, select Diagnostic settings under Monitoring.
The following image shows the options when you enable diagnostic setting for a registry.
The metrics and logs you can collect are discussed in the following sections.
Analyzing metrics (preview)
You can analyze metrics for an Azure container registry with metrics from other Azure services using metrics explorer by opening Metrics from the Azure Monitor menu. See Getting started with Azure Metrics Explorer for details on using this tool.
You can also go to the metrics explorer by navigating to your registry in the portal. In the menu, select Metrics (preview) under Monitoring.
For a list of the platform metrics collected for Azure Container Registry, see Monitoring Azure Container Registry data reference metrics
For reference, you can see a list of all resource metrics supported in Azure Monitor.
The following Azure CLI commands can be used to get information about the Azure Container Registry metrics.
- az acr show-usage - Show the current storage used by an Azure container registry
- az monitor metrics list-definitions - List metric definitions and dimensions
- az monitor metrics list - Retrieve metric values
You can use the Azure Monitor REST API to get information programmatically about the Azure Container Registry metrics.
Data in Azure Monitor Logs is stored in tables where each table has its own set of unique properties.
All resource logs in Azure Monitor have the same fields followed by service-specific fields. The common schema is outlined in Azure Monitor resource log schema. The schema for Azure Container Registry resource logs is found in the Azure Container Registry Data Reference.
The Activity log is a platform log in Azure that provides insight into subscription-level events. You can view it independently or route it to Azure Monitor Logs, where you can do much more complex queries using Log Analytics.
For a list of the types of resource logs collected for Azure Container Registry, see Monitoring Azure Container Registry data reference.
For a list of the tables used by Azure Monitor Logs and queryable by Log Analytics, see Monitoring Azure Container Reference data reference.
Sample Kusto queries
When you select Logs from the Azure Container Registry menu, Log Analytics is opened with the query scope set to the current registry. This means that log queries will only include data from that resource. If you want to run a query that includes data from other registries or data from other Azure services, select Logs from the Azure Monitor menu. See Log query scope and time range in Azure Monitor Log Analytics for details.
For example, the following query retrieves the most recent 24 hours of data from the ContainerRegistryRepositoryEvents table:
ContainerRegistryRepositoryEvents | where TimeGenerated > ago(1d)
The following image shows sample output:
Following are queries that you can use to help you monitor your registry resource.
Error events from the last hour
union Event, Syslog // Event table stores Windows event records, Syslog stores Linux records | where TimeGenerated > ago(1h) | where EventLevelName == "Error" // EventLevelName is used in the Event (Windows) records or SeverityLevel== "err" // SeverityLevel is used in Syslog (Linux) records
100 most recent registry events
ContainerRegistryRepositoryEvents | union ContainerRegistryLoginEvents | top 100 by TimeGenerated | project TimeGenerated, LoginServer, OperationName, Identity, Repository, DurationMs, Region , ResultType
Identity of user or object that deleted repository
ContainerRegistryRepositoryEvents | where OperationName contains "Delete" | project LoginServer, OperationName, Repository, Identity, CallerIpAddress
Identity of user or object that deleted tag
ContainerRegistryRepositoryEvents | where OperationName contains "Untag" | project LoginServer, OperationName, Repository, Tag, Identity, CallerIpAddress
Repository-level operation failures
ContainerRegistryRepositoryEvents | where ResultDescription contains "40" | project TimeGenerated, OperationName, Repository, Tag, ResultDescription
Registry authentication failures
ContainerRegistryLoginEvents | where ResultDescription != "200" | project TimeGenerated, Identity, CallerIpAddress, ResultDescription
Azure Monitor alerts proactively notify you when important conditions are found in your monitoring data. They allow you to identify and address issues in your system before your customers notice them. You can set alerts on metrics, logs, and the activity log. Different types of alerts have benefits and drawbacks.
The following table lists common and recommended alert rules for Azure Container Registry.
|metric||Signal: Storage used
Operator: Greater than
Aggregation type: Average
Threshold value: 5 GB
|Alerts if the registry storage used exceeds a specified value.|
Example: Send email alert when registry storage used exceeds a value
- In the Azure portal, navigate to your registry.
- Select Metrics (preview) under Monitoring.
- In the metrics explorer, in Metric, select Storage used.
- Select New alert rule.
- In Scope, confirm the registry resource for which you want to create an alert rule.
- In Condition, select Add condition.
- In Signal name, select Storage used.
- In Chart period, select Over the last 24 hours.
- In Alert logic, in Threshold value, select a value such as 5. In Unit, select a value such as GB.
- Accept default values for the remaining settings, and select Done.
- In Actions, select Add action groups > + Create action group.
- Enter details of the action group.
- On the Notifications tab, select Email/SMS message/Push/Voice and enter a recipient such as firstname.lastname@example.org. Select Review + create.
- Enter a name and description of the alert rule, and select the severity level.
- Select Create alert rule.
- See Monitoring Azure Container Registry data reference for a reference of the metrics, logs, and other important values created by Azure Container Registry.
- See Monitoring Azure resources with Azure Monitor for details on monitoring Azure resources.