Azure Log Analytics is a service within Azure Monitor that helps you collect and analyze data generated by resources in your cloud and on-premises environments. It provides a powerful query language, Kusto Query Language (KQL), to analyze and visualize data, enabling you to gain insights and make informed decisions.

1. Log Analytics Workspace:

   • A unique environment for log data from Azure resources.
   • Contains data sources, solutions, and saved queries.
   • Acts as a container to store and manage log data.

2. Data Sources:

   • Azure Resources: Virtual machines, Azure Storage, Azure SQL Database, etc.
   • Custom Logs: Logs from custom applications or on-premises systems.
   • Diagnostic Settings: Configuration to send platform logs and metrics to Log Analytics.

3. Kusto Query Language (KQL):

   • A powerful query language used to retrieve and analyze data.
   • Similar to SQL but optimized for log and telemetry data.

4. Solutions:

   • Pre-built packages that provide insights and visualizations for specific scenarios.
   • Examples include Azure Security Center, Azure Monitor for VMs, and more.

1. Navigate to the Azure Portal.
2. Search for "Log Analytics workspaces" and select it.
3. Click on "Add" to create a new workspace.
4. Fill in the required details:
   • Subscription: Select your Azure subscription.
   • Resource Group: Choose an existing resource group or create a new one.
   • Name: Provide a unique name for the workspace.
   • Region: Select the region where you want to create the workspace.
5. Click "Review + create" and then "Create".

1. Navigate to your Log Analytics workspace.
2. Under the "Workspace Data Sources" section, select the type of data source you want to connect (e.g., Virtual Machines, Storage Accounts).
3. Follow the prompts to configure and connect the data source.

1. Go to the resource you want to monitor (e.g., a virtual machine).
2. Select "Diagnostic settings" under the Monitoring section.
3. Click "Add diagnostic setting".
4. Choose the logs and metrics you want to send to Log Analytics.
5. Select your Log Analytics workspace as the destination.
6. Click "Save".

1. Create a new Log Analytics workspace in the Azure Portal.
2. Connect a virtual machine to the workspace.
3. Configure diagnostic settings to send logs and metrics from the virtual machine to the workspace.

1. Write a KQL query to retrieve the last 20 records from the Event table.
2. Write a KQL query to filter records where the EventLevel is "Warning".
3. Write a KQL query to count the number of warning events by their source.
4. Write a KQL query to display a time chart of warning events over the last 7 days.

Solution 1: Create a Log Analytics Workspace

1. Follow the steps outlined in the "Setting Up Azure Log Analytics" section to create a workspace, connect a virtual machine, and configure diagnostic settings.

Solution 2: Write and Run KQL Queries

1. Retrieve the last 20 records from the Event table:

   Event
   | take 20
   

2. Filter records where the EventLevel is "Warning":

   Event
   | where EventLevel == "Warning"
   

3. Count the number of warning events by their source:

   Event
   | where EventLevel == "Warning"
   | summarize count() by Source
   

4. Display a time chart of warning events over the last 7 days:

   Event
   | where EventLevel == "Warning"
   | summarize count() by bin(TimeGenerated, 1d)
   | render timechart
   

Azure Log Analytics is a powerful tool for collecting, analyzing, and visualizing log data from various sources. By setting up a Log Analytics workspace, connecting data sources, and using Kusto Query Language (KQL), you can gain valuable insights into your Azure environment. Practice writing and running KQL queries to become proficient in analyzing your log data. In the next module, we will explore Azure Application Insights, another essential tool for monitoring and managing your applications.