Azure Monitor and Log Analytics: Complete Setup Guide

You cannot manage what you cannot observe. Azure Monitor is the unified observability platform for Azure — it collects metrics, logs, and traces from every layer of your stack: Azure infrastructure, operating systems, applications, and even on-premises servers. Log Analytics is the query engine that makes all that data actionable. Together they give you the visibility to troubleshoot outages, optimize performance, and set intelligent alerts.

Azure Monitor Architecture

Azure Monitor ingests data from two primary sources:

  • Metrics: Numerical time-series values collected every minute from Azure resources automatically — CPU percentage, network bytes, request latency. Stored for 93 days by default at no additional cost.
  • Logs: Structured and unstructured records including audit logs, diagnostic logs, custom application telemetry, and Windows/Linux event logs. Stored in a Log Analytics Workspace and retained for 30 days by default (configurable up to 2 years).

Creating a Log Analytics Workspace

A Log Analytics Workspace is the central repository for all your log data. Create one per environment (not per application) to simplify cross-resource querying.

# Create a resource group
az group create --name rg-monitor-demo --location eastus

# Create a Log Analytics Workspace
az monitor log-analytics workspace create \
  --resource-group rg-monitor-demo \
  --workspace-name law-prod-eastus \
  --location eastus \
  --sku PerGB2018 \
  --retention-time 90

The PerGB2018 SKU charges per GB of data ingested beyond the free tier (5 GB/month). For most small environments, costs are negligible.

Enabling Diagnostic Settings

Azure resources do not send logs to your workspace automatically — you must enable Diagnostic Settings for each resource. You can do this through the Portal (Resource > Diagnostic settings > Add diagnostic setting) or via CLI:

# Get the workspace resource ID
WORKSPACE_ID=$(az monitor log-analytics workspace show \
  --resource-group rg-monitor-demo \
  --workspace-name law-prod-eastus \
  --query id -o tsv)

# Enable diagnostics for a storage account (sends read/write/delete logs)
STORAGE_ID=$(az storage account show \
  --resource-group rg-storage-demo \
  --name mystorageacct2026 \
  --query id -o tsv)

az monitor diagnostic-settings create \
  --name diag-storage \
  --resource "$STORAGE_ID" \
  --workspace "$WORKSPACE_ID" \
  --logs '[{"category": "StorageRead","enabled": true},{"category": "StorageWrite","enabled": true}]' \
  --metrics '[{"category": "Transaction","enabled": true}]'
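Because nothing ships until a diagnostic setting exists, the practical check after running the commands above is to verify that every resource really targets the intended workspace with the categories you expect enabled. The script below is an added example, not part of the original guide or of the Azure CLI: it uses only the Python standard library, assumes the top-level `workspaceId`/`logs`/`metrics` keys that `az monitor diagnostic-settings list --resource <id> -o json` emits, and runs against a constructed inventory (dummy subscription GUID, placeholder resource names, and an assumed per-type policy of required log categories).

```python
"""Diagnostic-settings coverage audit (added example, Python standard library only)."""

# Placeholder workspace resource ID in the shape that
# `az monitor log-analytics workspace show --query id -o tsv` prints;
# the subscription GUID is a dummy.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
WORKSPACE_ID = (SUB + "/resourceGroups/rg-monitor-demo"
                "/providers/Microsoft.OperationalInsights/workspaces/law-prod-eastus")

# Log categories each resource type must ship (assumed policy for this example:
# the storage categories the guide enables, plus Key Vault's AuditEvent category).
REQUIRED_LOGS = {
    "Microsoft.Storage/storageAccounts": {"StorageRead", "StorageWrite"},
    "Microsoft.KeyVault/vaults": {"AuditEvent"},
}


def resource_type(resource_id):
    """'<namespace>/<type>' of an ARM resource ID, e.g.
    '/subscriptions/.../providers/Microsoft.Storage/storageAccounts/x'
    -> 'Microsoft.Storage/storageAccounts'."""
    parts = resource_id.strip("/").split("/")
    lowered = [p.lower() for p in parts]
    if "providers" not in lowered:
        raise ValueError(f"not a provider resource ID: {resource_id}")
    i = lowered.index("providers")
    if len(parts) < i + 3:
        raise ValueError(f"truncated resource ID: {resource_id}")
    return f"{parts[i + 1]}/{parts[i + 2]}"


def enabled_log_categories(settings):
    """Union of enabled log categories across the given diagnostic settings.
    Returns (categories, all_logs); all_logs is True when any setting enables
    the 'allLogs' category group, which covers every category at once."""
    categories, all_logs = set(), False
    for setting in settings:
        for log in setting.get("logs") or []:
            if not log.get("enabled"):
                continue
            if log.get("categoryGroup") == "allLogs":
                all_logs = True
            elif log.get("category"):
                categories.add(log["category"])
    return categories, all_logs


def audit_diagnostics(resources, workspace_id, required_logs):
    """Return (resource_id, problem) pairs for every resource that is not
    shipping its required log categories to workspace_id.
    resources: dict of resource ID -> list of that resource's diagnostic settings."""
    findings = []
    for rid, settings in resources.items():
        targeting = [s for s in settings if s.get("workspaceId") == workspace_id]
        if not targeting:
            findings.append((rid, "no diagnostic setting targets the workspace"))
            continue
        enabled, all_logs = enabled_log_categories(targeting)
        missing = required_logs.get(resource_type(rid), set()) - enabled
        if missing and not all_logs:
            findings.append((rid, "log categories not enabled: " + ", ".join(sorted(missing))))
    return findings


# Constructed inventory (not real subscription data): one compliant storage
# account, one with StorageWrite disabled, a vault sending to a different
# workspace, and a vault with no diagnostic settings at all.
STORAGE_OK = SUB + "/resourceGroups/rg-storage-demo/providers/Microsoft.Storage/storageAccounts/mystorageacct2026"
STORAGE_PARTIAL = SUB + "/resourceGroups/rg-storage-demo/providers/Microsoft.Storage/storageAccounts/stlogsdemo"
VAULT_WRONG_WS = SUB + "/resourceGroups/rg-app-demo/providers/Microsoft.KeyVault/vaults/kv-app-demo"
VAULT_NONE = SUB + "/resourceGroups/rg-app-demo/providers/Microsoft.KeyVault/vaults/kv-orphan"
OTHER_WS = SUB + "/resourceGroups/rg-old/providers/Microsoft.OperationalInsights/workspaces/law-old"

SAMPLE_RESOURCES = {
    STORAGE_OK: [{"name": "diag-storage", "workspaceId": WORKSPACE_ID,
                  "logs": [{"category": "StorageRead", "enabled": True},
                           {"category": "StorageWrite", "enabled": True}],
                  "metrics": [{"category": "Transaction", "enabled": True}]}],
    STORAGE_PARTIAL: [{"name": "diag-storage", "workspaceId": WORKSPACE_ID,
                       "logs": [{"category": "StorageRead", "enabled": True},
                                {"category": "StorageWrite", "enabled": False}],
                       "metrics": []}],
    VAULT_WRONG_WS: [{"name": "diag-kv", "workspaceId": OTHER_WS,
                      "logs": [{"category": "AuditEvent", "enabled": True}],
                      "metrics": []}],
    VAULT_NONE: [],
}

if __name__ == "__main__":
    for rid, problem in audit_diagnostics(SAMPLE_RESOURCES, WORKSPACE_ID, REQUIRED_LOGS):
        print(f"{rid}\n    {problem}")
```

To run it against a real subscription, replace SAMPLE_RESOURCES with the parsed output of `az monitor diagnostic-settings list` for each resource you care about; a resource that appears in the findings is one whose logs will never reach the queries in the next section.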

Querying Logs with KQL

Log Analytics uses Kusto Query Language (KQL) — a powerful, readable query language designed for time-series log analysis. Navigate to your workspace in the Portal and open Logs to access the query editor.

Useful KQL queries:

// Top 10 errors in the last 24 hours
AzureActivity
| where TimeGenerated > ago(24h)
| where ActivityStatusValue == "Failure"
| summarize count() by OperationNameValue
| top 10 by count_

// VM CPU usage over time
Perf
| where TimeGenerated > ago(1h)
| where ObjectName == "Processor" and CounterName == "% Processor Time"
| summarize avg(CounterValue) by bin(TimeGenerated, 5m), Computer
| render timechart

// Failed login attempts
SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType != "0"
| summarize FailedAttempts=count() by UserPrincipalName
| order by FailedAttempts desc

Creating Metric Alerts

Metric alerts fire in near-real-time (typically within 1 minute) based on numeric thresholds:

# Create an action group (email notification)
az monitor action-group create \
  --resource-group rg-monitor-demo \
  --name ag-ops-team \
  --short-name OpsTeam \
  --action email ops-alert admin@yourcompany.com

# Alert when VM CPU exceeds 85% for 5 minutes
VM_ID=$(az vm show --resource-group rg-vm-demo --name vm-webserver --query id -o tsv)

az monitor metrics alert create \
  --resource-group rg-monitor-demo \
  --name alert-vm-cpu-high \
  --resource "$VM_ID" \
  --metric "Percentage CPU" \
  --condition "avg Percentage CPU > 85" \
  --window-size 5m \
  --evaluation-frequency 1m \
  --severity 2 \
  --action ag-ops-team

Log Alerts with KQL

Log alerts evaluate KQL queries on a schedule and fire when conditions are met:

  1. In the Portal, go to Monitor > Alerts > Create alert rule.
  2. Select your Log Analytics Workspace as the scope.
  3. Under Condition, choose Custom log search and enter your KQL query.
  4. Set the threshold (e.g., alert when result count > 0).
  5. Choose an Action Group to receive notifications.
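To make the five steps concrete, here is the failed-login query from the KQL section evaluated the way a log alert rule evaluates it: filter to the lookback window, drop successes, count per user, then fire when the query returns more than zero rows (step 4). This is an added example in Python, not code from the guide or from Azure Monitor; the SigninLogs rows are constructed, the user names and the failure ResultType value are sample data, and the per-user threshold is an assumed addition to the page's query (the KQL equivalent would be an extra `| where FailedAttempts > N` line).

```python
"""Evaluate the failed sign-in log alert over constructed SigninLogs rows
(added example, Python standard library only)."""
from collections import Counter
from datetime import datetime, timedelta, timezone


def _row(ts, result_type, upn):
    # Only the three SigninLogs columns the guide's query touches.
    return {"TimeGenerated": ts, "ResultType": result_type, "UserPrincipalName": upn}


# Constructed sample (not real tenant data). ResultType "0" is success; any
# other value is a failure, exactly as the query's `ResultType != "0"` filter
# treats it. "50126" is used here simply as a sample failure value.
SAMPLE_SIGNINS = (
    # six failures for alice within half an hour, then one success
    [_row(f"2026-01-15T10:{m:02d}:00Z", "50126", "alice@contoso.example") for m in range(0, 30, 5)]
    + [_row("2026-01-15T10:31:00Z", "0", "alice@contoso.example")]
    # two failures and a success for bob
    + [_row("2026-01-15T11:00:00Z", "50126", "bob@contoso.example"),
       _row("2026-01-15T11:01:00Z", "50126", "bob@contoso.example"),
       _row("2026-01-15T11:02:00Z", "0", "bob@contoso.example")]
    # one old failure for carol, outside a 7-day window
    + [_row("2026-01-05T09:00:00Z", "50126", "carol@contoso.example")]
)

# Evaluation time, standing in for now() at the moment the alert rule runs.
NOW = datetime(2026, 1, 15, 12, 0, tzinfo=timezone.utc)


def _parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def failed_signins(rows, now, lookback_days):
    """Python equivalent of the guide's query:
         SigninLogs | where TimeGenerated > ago(7d) | where ResultType != "0"
         | summarize FailedAttempts=count() by UserPrincipalName
         | order by FailedAttempts desc
    Returns [(UserPrincipalName, FailedAttempts), ...] sorted like the query
    (ties broken by name so the output is deterministic)."""
    cutoff = now - timedelta(days=lookback_days)
    counts = Counter(
        r["UserPrincipalName"]
        for r in rows
        if _parse_ts(r["TimeGenerated"]) > cutoff and r["ResultType"] != "0"
    )
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def evaluate_log_alert(rows, now, lookback_days, per_user_threshold):
    """Step 4 of the procedure: the alert fires when the query returns more
    than zero rows. The query here keeps only users whose FailedAttempts
    exceeds per_user_threshold, so a single mistyped password does not page
    anyone while a burst of failures against one account does."""
    matching = [(upn, n) for upn, n in failed_signins(rows, now, lookback_days)
                if n > per_user_threshold]
    return {"fired": len(matching) > 0, "rows": matching}


if __name__ == "__main__":
    result = evaluate_log_alert(SAMPLE_SIGNINS, NOW, 7, per_user_threshold=5)
    print("alert fired:", result["fired"])
    for upn, n in result["rows"]:
        print(f"  {upn}: {n} failed attempts")
```

Choosing the lookback and threshold is the real tuning work: the same query with a 7-day window and a threshold of 5 fires once for alice, while a threshold of 10 stays silent on this data. Keep the window in the query aligned with the rule's evaluation frequency so the same failures are not reported on every run.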

Azure Monitor Dashboards

Pin metrics charts and KQL query results to a shared Azure Dashboard. This gives operations teams a real-time overview of the entire environment's health without writing code. Navigate to Monitor > Workbooks for more sophisticated, interactive reports that combine metrics, logs, and markdown annotations.

Key Takeaways

Azure Monitor and Log Analytics give you complete observability across your Azure environment. Create one Log Analytics Workspace per environment, enable Diagnostic Settings on every resource, build KQL queries to surface actionable insights, and configure metric and log alerts so your team knows about problems before users do.