Getting Started with Azure Log Analytics (OMS) - 2019 Update (AZ-103, AZ-300)

Captions
In this demonstration we're now going to take a look at Log Analytics in the Azure portal. If you're not too familiar, Log Analytics has undergone a number of changes recently, so if you looked at this maybe a few months ago, basically early in January 2019, Microsoft ultimately changed everything around. Log Analytics ran through something called the OMS portal primarily, and now things have all been migrated and blended into the Azure portal as a whole, which makes it a lot easier to get to. So let's head over to the Azure portal and we can show you how to get started there.

Now, in the Azure portal, a couple of things to be aware of. You probably saw this when you looked at Monitor earlier on: we can go to Monitor and there is a section here called Logs, and this is essentially where we can query and analyze all the logs coming in using Log Analytics. If I click Logs, straight away what you'll see on the right-hand side as it loads up here is the workspace for Log Analytics that opens up. Now you might already have a default workspace in there; in my case I've moved over and actually told it to look at the Log Analytics workspace I've created. I'm gonna show you how to create one of those in just a second. If you're unsure, just go ahead and click the little settings "select workspace" option here, and this is where you can change the subscription and workspace that you're connected to if you so desire.

With that said, let's go ahead and create a brand new Log Analytics workspace. This is where you'll connect data sources to, this is where your logs and data come into, and then you can query them and create graphs and nice charts and everything else from there. So let's go ahead and do that. We're going to create a resource and we'll type in "log analytics"; that comes up and we'll click Create. You can see our first thing says "create new" or "link existing", so if we want to we can link to an existing Log Analytics workspace that we have out there. I don't have one in my case, so I'm just gonna go in and create a new one. If I click "create new" we'll be prompted for the name, so I'm gonna call this "AZ demo temp", because I actually already created one which we'll use for the demo, but I want to show you how this gets created, so I'm just making this one temporary in my demonstration. I choose my subscription, because I do get charged for Log Analytics as you'll see in a second, and then I choose the resource group, or just give it a new one; it's called "AZ temp log analytics RG". Choose the location where all the data is going to be stored, so I'll just use East US, and then my pricing tier. Now historically there were a number of pricing tiers, but the new arrangement is basically per GB, so you just pay for the storage utilized: a simple pay-as-you-go model that you basically have now. With that said, we just click OK and that goes ahead and initiates that deployment, and that will take maybe a minute or so.

Now while that one's deploying, let's go ahead and look at one that I've already got created. So I'm going to go over to resources, I'm going to scroll up to resource groups, and you'll see I've got a resource group here called "AZ log analytics". If I click into that one you'll see what I've got inside here, which is a couple of VMs I've already pre-provisioned: a Linux VM and a Windows VM, which I'm gonna use to show you some of the logs and performance reporting. More specifically, if I scroll to the top, this is my workspace, "AZ demo workspace", a Log Analytics workspace which is in East US. If I click into that, that'll take me to my Log Analytics workspace, and on the right, before we begin, you'll see "getting started with Log Analytics". It's got things like connect a data source, configure your monitoring solutions, and then maximize your experience by searching and analyzing logs and managing alert rules. We already covered alerts and action groups, which is something you can link to Log Analytics, and search and analyze logs is where we're gonna spend a bit of time in this demonstration.

Now before you can go ahead and search and analyze logs and get anything meaningful, you do have to connect data sources to Log Analytics. Basically you've just created an empty workspace; there's no data being fed into Log Analytics. So if you scroll down, the first thing you want to do on the left-hand side, if we scroll all the way down, you'll see "workspace data sources". If I click Virtual machines to begin with, you'll see here I've got "Linux VM 01", not connected, and I've got "WinVM", my Windows VM, connected to this workspace. If you had lots and lots of machines you might connect them all to the same workspace, you might connect them to other workspaces; the good thing is you can query across workspaces, you just have to specify the other workspace when you get to that point. But the major point here is that this is where the logs are being sent to, so this Windows VM I've already configured to send logs to this workspace. Now how do we configure it? Well, let's do it for the Linux VM, because that one's not connected yet. So if we click this one, you'll see there's a simple item at the top that says Connect; you see it says not connected, status not connected, no workspace name, "VM is not connected to Log Analytics". If I click Connect it will go about connecting that VM in here, and essentially there's an agent that runs on the machine that pushes the data up to Log Analytics. So we'll let that one go ahead, but the good thing is we've already got that Windows one connected, so we can start to pull data from it.

Now there are a few other things we need to configure as well. So aside from saying connect my VMs in here, you might not want to go in and click every one of these each time, so you can automate that in a couple of ways. You could do it using Azure Automation, or more specifically, a lot of people use one of the Azure Security Center settings to make sure the VMs send their log data in as well.

But with that, that's jumped to the top a little bit now, so I'm going to go up to the Advanced Settings, because it's one thing to say connect the VM to Log Analytics, and you can see here under Advanced Settings that I've got connected sources: Windows servers, one Windows computer connected; Linux should still say zero because that one's not configured. Here are the manual steps to configure it as well, so you can download the agent, you can log into the machine, install the agent and then use these keys to connect it in if you want to as well. Again, that's how we connect services in, and you can see that Linux VM 01 has completed while we've been going through this demo already.

Now if we go to Data, the next thing we can see here is the Windows event logs, Windows performance counters, Linux performance counters, etc., and we can go here and choose the log that we might want to send over. So perhaps we type in "System" and we can send the System log for Windows across when we press the plus sign here, and now it's going to send the error, warning and information logs from Windows across there as well. We could type "Application" and we could get all the Application logs sent across as well. So just remember this is the same as on a Windows server: if you log in and go to your Event Viewer you'll see those logs there, and it's the same concept basically. Same for performance: if I click down and go to performance counters, remember we've got all that data from the hypervisor, that data you basically can monitor already there in our Metrics section, but what if we want to get additional data like logical disk counters, memory, etc.? These are all OS-based metrics that we want to get from inside the OS. We can simply click "Add the selected performance counters", here they are, choose the interval you want to collect in, and those will be added as well. If we go down to Linux performance counters, same concept: we click this little box at the top first of all, and here we've got a whole bunch of Linux counters that we can add as well. And again we can continue on for other counters and logs that we want to add, and when we're done we simply click Save and that will adjust those settings for us. And there we go, "configuration saved successfully".

If we scroll back over to the left all the way now, I'm going to drop all the way back down on the left-hand side. I know it's sort of jumping around a bit, but it's just the nature of the menu system. So again, we've got VMs as a data source, and that's connecting those VMs in where I just was; now in Advanced Settings that's the type of data I want to collect from those sources. But there are other sources we can have as well, like storage account logs and the Azure activity log. This is a very common one, a lot of people use the activity log, and you can see here, here's my subscription, and if I want to get the activity log for that entire subscription I can click this one here and connect that in as well. And now Azure is going to send those activity logs, all the things that happen in that subscription, up to Log Analytics as well. So you can see it's very powerful, but it can get very large very quickly, because you start to connect more and more data sources in, you can have custom data sources as well, and you've got a lot of data going into Log Analytics. So that's step one, and if you are doing this and trying to follow along from a demo perspective, make sure to do this: connect a bunch of VMs, maybe run some performance-intensive application on them so you get some data sent in, and wait 30 minutes before you proceed with the next things that I'm going to show you here.

So if we go back over to "AZ log analytics" and go into our workspace again, now what we'll do is go to the Logs section, so I'm going to go down and click Logs. Now again, I can go to Azure Monitor on the left-hand side, scroll down, Monitor, and I could click Logs from in there; I'm ultimately getting to the same place, I just need to make sure I'm looking at the same workspace. But there are lots of ways to get to the same information and that can be a little bit confusing at first, so don't worry, just make sure you're in the correct workspace to begin with. So here we are, I'm gonna scroll to the right a little bit, you can see this is the query area where I can ultimately run queries. Now Microsoft does show you a bunch of them below, select queries for heartbeat, performance, usage, and again there are those tutorial sections on the right as well if you want to get more information, but I'm gonna start you off with just some simple things to try first of all, to get used to the platform.

So I'm gonna zoom out a little bit here and then immediately go in and type a query. Let's start with a very basic query in this section. We can go ahead and type "Perf" if we just want to look at the Perf log; you'll see the IntelliSense starts to complete that for you, but if I just type "Perf" and click Run, you'll see it's gathering the data and here are all those different counters. So you can see logical disk on the Linux VM, disk transfers, free megabytes, performance, etc. Those are all there. I can also go in and just type in "Heartbeat" as an example. Heartbeat tells us if the agent has ultimately checked in, so again just "Heartbeat", nothing else after it. You will notice if you type in with IntelliSense and you tab through it, it'll sort of fill it in for you and get you on to the next thing, which we'll come on to shortly, but if you're just trying to type Heartbeat, make sure you don't have anything else there, just "Heartbeat", and then click Run. Then you can see it's pulling in that data, and I can click into one of these, click through here, scroll down, and we can see what machine it came from. So we can see "WinVM01", it has the IP address of that machine; if we go further down again we can see the type, Heartbeat. So that's the heartbeat data that we've got there.

Well, that's not super useful just by itself. I mean, if you just want to get data on all the heartbeats, great, and you can certainly choose to put it in a table or other formatting if you want to, and you can filter by time range at the top here as well. But probably a little bit more useful: let's say we just want the heartbeats from WinVM01. So I do "Heartbeat" and I pipe to "where", so I can tab through that, "where Computer", and I'll tab through, you do equals equals, so that means "is equivalent to", and I can put in quotes "WinVM01". Let's actually just check the spelling on that, it is case-sensitive, so yeah, "WinVM01" looks correct, and click Run, and now I'll get that data and it'll just be all of the heartbeats for WinVM01. Okay, so we're starting to get something. But what about if I say okay, I just want the heartbeats where the TimeGenerated was in the last hour? So again we can pipe that again and I can say "where", I can do "TimeGenerated", we can tab through because it does help you here, we can do greater than "ago" and then we can put in there "1H" for one hour and click Run again. Let's see what happened: that should be a lowercase h, so we fix that and click Run again, and we can see here are all our heartbeats, and if we look at the timestamps they're all within the last hour. Okay, so that's heartbeats, useful if we're just trying to troubleshoot an agent checking in and maybe troubleshoot the service itself.

But something that's very common is events. So let's go to Event; again we can type in just "Event", and actually I do this every time I'm trying to create new queries: I just query the source I'm trying to get data from, just to make sure I've actually got data. So as you can see there's only one event ultimately coming in right now from WinVM01; well, it's a new machine, not too much has happened with that machine, but I do have an event ID that I can use to show you something a little bit more advanced. So I can say, well, what if I just wanted events where EventID, so "where EventID equals equals", and I can do that event ID, 7036, and if you're not sure, that event ID is a common one, it just shows that a service has entered a running or stopped state; in this case it's the WMI service in Windows itself. I can click Run on that and that will pull up that log. Again, I've only got one right now, but if you had lots and lots of events from Windows, that will pull in those and they would come in for you as well.

Okay, so that's events and heartbeats. Let's go back to performance, because that gives us a little bit more data to actually play with. So if we go to performance now, again "Perf", I can do "where TimeGenerated" again "ago", so I can do, say, one hour, and I can do "where CounterName equals equals", open quote, percent, space, "Processor Time", end quote. Again, make sure you've got the space between the percent and "Processor" and between "Processor" and "Time", and then click Run. As you can see on the bottom here, all of our counters for processor time, the counter values, the instance that that's affecting, so you can see your Linux VM 01 here, and if we keep going you'll see we've got some WinVM01 and Linux VM 01 with different CPU utilization. Now that's not super easy to view in a table, so perhaps we want to render it as a timechart. So what you can do now, a little bit more advanced, you can basically pipe this to a summary, so "summarize", and then we can do average, so we'll say "avg", tab again, here I'll choose the CounterValue that I want to actually filter on, so this is the CounterValue, that's this column that you see here which actually has the value of CPU time. And now I can do it by computer, so if I want to I can say "by Computer", and then we can do a bin size of, let's say we want to do every 15 minutes, "bin(TimeGenerated, 15m)", and then we can say okay, we want to render a timechart out of all of this. So a few extra things we've added: we're summarizing by the counter value, by the computer, and we're using a 15-minute interval there. So let's give that a go and run that one. Ah, we've got a syntax error here, so let's see where that is. Okay, it looks like I just forgot to close a bracket right here, so we'll put that one in and click Run, and there we go, there's our visualization. You can see right now it's got Linux VM 01; not seen much data for WinVM01, you can see the little dot down here, and that might just be that it hasn't got enough data for it. Now we can also zoom in a little bit, so we could change this TimeGenerated bin to be just, say, one minute, and the graph will start to form a little bit better as you can see, because now we're sort of breaking it down into one-minute intervals and we can see there's some CPU activity within those thresholds, but there wasn't when we just looked at the 15-minute bucket averages that were there as a whole. So with that, that's how you query logs. Now, you're not gonna keep going through all logs, but this will definitely get you what you need for the exam: just know how to read these, understand how they work, and then you can basically go from there.

Now let's move on to alert rules themselves. What you can do is take the query that you have and immediately go in here and click "New alert rule". So any queries that are out there, anything you find on the web that other people have created around Log Analytics and the queries, then you can basically go in there just like we did with alerts and action groups previously, the only difference being that your source now is going to be the workspace. You'll need to define the conditions, so you can click in here and decide what is the signal logic that you basically want to query on. So again here, right now if you put in your query, it's gonna take the last one that you had and actually put it right there, and then you would put your alert logic below. Now just doing something of a query like a timechart isn't probably super useful; it would just be things like okay, number of results, if there's a lot of results greater than X then maybe set an alert. But you could do things like number of heartbeats received; you could use those queries and then you just carry on as normal. We're not gonna revisit this right now because we've already covered action groups, but you would choose your query, choose your conditions and then choose your action groups just like you would everything else. And that's one of the beautiful things about Azure, just the way that you can use the same concept from action groups to decide what to do with the events, and the events can come from different sources, whether that's something like we're looking at now in Log Analytics, or some of the metric monitors that we looked at in one of the earlier demonstrations as well.

So we'll come back out of this now. I'm going to come out of action groups and rules here and go back to our workspace. Here we are, back in the workspace, and the last thing I want to show you is the Solutions area. So if you are coming from a previous OMS background, solutions used to be in the OMS portal; they've changed that now, they've embedded solutions directly, now on the left-hand side. To get solutions in, you no longer have the menu inside of Log Analytics; you go to the Marketplace for them. So if we go to the top left and click Create a resource, up comes our Marketplace, and if we scroll down on the left-hand side you've got Management Tools, and on the right-hand side if I expand the featured list here you'll start to see all those plugins that previously existed. Again, if you were familiar with Log Analytics before, common ones: Security and Compliance; patching through Update Management, this is a common one, a lot of people are looking at this now to even replace services that perhaps they had on-premises before, like even BladeLogic and things like that. So if I click into Update Management and say I want to add this pack in, this comes with a whole bunch of dashboards, a whole bunch of queries, a whole bunch of additional things that you can utilize. This one actually uses Azure Automation to do a lot of patching and things like that, and you simply click Create. I'm going to zoom back in a little bit here now and choose the Log Analytics workspace that we want to use, I'll do "AZ demo workspace", and you'll see there are some additional settings that you sometimes have to utilize. In my case this particular Marketplace edition requires that we have an automation account as well, so in that case you would create an automation account; this is Azure Automation, covered in a different lecture entirely, that I could create here right now, or if I had one already created I would simply select it. But I don't need to go and set that one up now; let me show you a couple of others. So if we go back to the Management Tools section, one common one is this Security and Compliance one. So if we click this one and click Create, some of the concepts like your workspace and recommended solutions you might want to add as well; click Create and that one's going to go ahead and deploy, and we'll fast forward while that completes. Okay, and that's completed, so we'll go to that resource, and to access it we go to the workspace and then into Solutions, and then we would select, in our case, this anti-malware solution there. Now again, just to remind you where to get to that: we can go back to the workspace, the Log Analytics workspace, sometimes you get a few blades deep and it's hard to find; if you're in the workspace, scroll down, go to Solutions, and there you'll see that Security and Anti-malware solution that's in place. I can click the Security one now as well, and you'll see on the right-hand side some of these dashboards that are already now created for us, and you can also basically get the queries as well as any of the pre-created little widgets that you like; you can go ahead and gain the queries from those as well, just like Security Center.

Now again, if we go back one more time, the last thing I want to show you in this section, and this is a pretty big demonstration, is the View Designer as well. So if I click the View Designer, this is a place where I can take queries and start to design my own little widgets based on queries as well. Now some are pre-canned; it'll show you how to do it. So if you click the donut, as a common one, and put this on, this is the overview tile, so this would be the overview that you would then click into to drill down and get more information, and then you've got the view dashboard where you can put additional things in there: maybe it's lists of queries, maybe it's number lists, it's information you want to show, maybe it's stacks of line charts of performance, maybe your favorite application that you're troubleshooting, that you work on day in, day out and you admin, you want to create your own dashboard for that; this is where you essentially would do that. If I go back to the overview tile for a second, you'll see when I click the donut, in my case it's pre-filled some things for me already, because we've got Perf log, Heartbeat and AzureActivity; those were those data sources that I was connecting in previously. I can give a name for this view, so we'll call this "Nick's view", give it a description if you want to, and if you scroll down here you can see those queries. So here's the search; it's summarizing the aggregate value and it's purely just a count of those particular logs of Perf, Heartbeat and AzureActivity. But scroll further down again, you can see we can modify the colors and things like that as well and do any dataflow verification that we want to, which is not scoped for what we want to do right now. But with that, once I'm done I can simply click Save, and now I've essentially created my own view, so you can see "Nick's view" here, and then I can click into there; there won't be anything there because we didn't create anything in that second section, but if I want to I can continue to create more and more views inside of that major view. So again I'm drilling down deeper and deeper as I go, but I do have to facilitate that with a query at every single level. And then if I want to, if I go back to my overview, I can pin this to my dashboard, so I can say okay, I want this on my main dashboard in Azure. Now it's pinned; I can click the dashboard, it takes me to my main section, and I can rearrange this just like any other dashboard widget I've got, but now I've essentially got it here and I can put it in any dashboard I want.

So a lot of power, a lot of things to cover in Log Analytics. Key things to remember: know the basics of the query language, know how to read queries, know about the View Designer and the solutions that have ultimately been moved, because it did go through a lot of change, and last but not least, just again remember the alerts and the action groups just like you had from the previous demonstrations. And with that, that concludes this demonstration.
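The queries walked through in the demonstration, written out in full in KQL as an added example (this block is not part of the video or its captions). The computer name `WinVM01` and the second workspace name `az-demo-temp` are placeholders; the `_Total` instance filter and the last two queries (the "number of results" style alert check and the cross-workspace query the narration mentions) go slightly beyond what is typed on screen. Each query is selected and run on its own in the Logs blade.

```kusto
// 1. Heartbeats from one VM in the last hour.
//    == compares Computer case-sensitively, as the demo points out;
//    =~ would match regardless of case.
Heartbeat
| where Computer == "WinVM01"          // placeholder computer name
| where TimeGenerated > ago(1h)        // ago() wants a lowercase unit: 1h, 15m, 7d
| project TimeGenerated, Computer, ComputerIP, OSType, Category

// 2. Service state changes from the Windows System log (Event ID 7036).
Event
| where EventLog == "System" and EventID == 7036
| project TimeGenerated, Computer, Source, RenderedDescription

// 3. Average CPU per computer in 15-minute buckets, rendered as a timechart.
//    Restricting to the _Total instance keeps per-core rows from being
//    averaged in with the total (an addition to the query typed in the demo).
//    Change 15m to 1m to get the finer-grained graph shown at the end.
Perf
| where TimeGenerated > ago(1h)
| where CounterName == "% Processor Time" and InstanceName == "_Total"
| summarize AvgCpu = avg(CounterValue) by Computer, bin(TimeGenerated, 15m)
| render timechart

// 4. Alert-style query: agents that have not sent a heartbeat for 15 minutes.
//    Used in a log alert rule with "number of results greater than 0", this
//    flags VMs whose agent has stopped reporting, so gaps in log coverage
//    are noticed rather than silently accepted.
Heartbeat
| summarize LastHeartbeat = max(TimeGenerated) by Computer, OSType
| where LastHeartbeat < ago(15m)
| project Computer, OSType,
          MinutesSilent = datetime_diff('minute', now(), LastHeartbeat)

// 5. Querying across workspaces: name the other workspace explicitly.
union Heartbeat, workspace("az-demo-temp").Heartbeat   // placeholder workspace
| summarize Heartbeats = count(), LastSeen = max(TimeGenerated) by Computer
| order by LastSeen desc
```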
Info
Channel: Skylines Academy
Keywords: az-103, az-300, azure, microsoft, log analytics, oms, beginners, guide, getting started
Id: Zoo-RsJGCu0
Length: 23min 30sec (1410 seconds)
Published: Wed Jul 31 2019