Monitor resources in Azure
📘Microsoft Certified: Azure Administrator Associate (AZ-104)
Monitoring in Azure is not just about collecting logs: you must also be able to query them, analyze them, detect issues, and produce insights. Azure Monitor provides powerful tools to help you do this, especially through Log Analytics and the Kusto Query Language (KQL).
This topic is very important for the AZ-104 exam, so read carefully.
1. What Are Logs in Azure Monitor?
Azure Monitor logs store event-based data generated by Azure resources, applications, and services. Examples include:
- Virtual machine activity logs
- Network security group flow logs
- Azure AD sign-in logs
- Azure Firewall logs
- Application performance logs
- Custom logs that you collect from servers
All this log data is stored inside a Log Analytics Workspace, which is the central place for querying and analyzing logs.
2. Log Analytics Workspace – The Heart of Log Querying
A Log Analytics Workspace:
- Stores data in structured tables
- Allows you to run KQL queries
- Supports dashboards, alerts, logic apps, automation
- Integrates with Azure Monitor, Azure Security Center, Sentinel, and more
Common tables you will see:
| Table Name | Purpose |
|---|---|
| AzureActivity | Control-plane operations (portal, CLI, ARM actions) |
| Heartbeat | VM availability monitoring |
| Perf | VM performance metrics (CPU, memory, etc.) |
| SigninLogs | Azure AD login attempts |
| SecurityEvent | Security logs from VMs |
| VMConnection | Connection logs from VMs |
| InsightsMetrics | App and VM insights data |
3. Introduction to Kusto Query Language (KQL)
KQL is the language used to query logs stored in Azure Monitor.
You DO NOT need to memorize complicated syntax for the exam, but you must understand:
- How queries are structured
- How to filter, sort, and summarize data
- How to work with time ranges
- How to create charts from queries
- How to troubleshoot using queries
Basic Query Structure:
A query follows a simple pipeline format:
```kusto
TableName
| where <condition>                      // filter rows
| summarize <aggregation> by <field>     // group and aggregate
| order by <field> desc                  // sort the result
```
4. Common KQL Operations You Must Know for AZ-104
4.1 Filtering logs
Example: Show failed sign-ins from Azure AD:
```kusto
SigninLogs
| where ResultType != "0"   // ResultType is a string column; "0" means success
```
Example: Show all events from the last hour:
```kusto
AzureActivity
| where TimeGenerated > ago(1h)
```
4.2 Selecting specific fields
```kusto
Heartbeat
| project TimeGenerated, Computer, Category
```
4.3 Sorting results
```kusto
AzureActivity
| order by TimeGenerated desc
```
4.4 Summarizing (Grouping) logs
Example: Count sign-ins per user:
```kusto
SigninLogs
| summarize Count = count() by UserPrincipalName
```
Example: Average CPU usage on a VM:
```kusto
Perf
| where CounterName == "% Processor Time"   // the CPU counter name as stored in the Perf table
| summarize AvgCPU = avg(CounterValue) by Computer
```
4.5 Time-based analysis
```kusto
Perf
| where TimeGenerated > ago(24h)
```
Example: CPU usage trend over time:
```kusto
Perf
| where CounterName == "% Processor Time"   // the CPU counter name as stored in the Perf table
| summarize AvgCPU = avg(CounterValue) by bin(TimeGenerated, 5m)
```
This groups CPU usage into 5-minute buckets for trend analysis.
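As an added example (not from the original guide), here is one query that chains the operators from 4.1 to 4.5 on the SigninLogs table. The column names are the standard SigninLogs schema; the 24-hour window, 1-hour bin and row limit are assumed values chosen for illustration.

```kusto
// Added example: one pipeline that filters, projects, summarizes, bins and sorts.
SigninLogs
| where TimeGenerated > ago(24h)                  // 4.5: narrow the time range first; it limits the data scanned
| where ResultType != "0"                         // 4.1: ResultType is a string; "0" means success
| project TimeGenerated, UserPrincipalName, IPAddress, ResultDescription   // 4.2: keep only the columns needed
| summarize FailedCount = count(),                 // 4.4: aggregate per user per hour
            DistinctIPs = dcount(IPAddress),
            LastFailure = max(TimeGenerated)
    by UserPrincipalName, Hour = bin(TimeGenerated, 1h)
| order by FailedCount desc                       // 4.3: most failures first
| take 20                                         // return only the first 20 rows after sorting
```

Putting the time filter before any other operator is the habit to build: every later stage then works on a smaller, cheaper set of rows.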
5. Visualizing Logs
Azure Monitor provides built-in charting options for query results:
- Line charts
- Bar charts
- Pie charts
- Scatter plots
Example: Create a chart to view VM CPU trends:
```kusto
Perf
| where CounterName == "% Processor Time"   // the CPU counter name as stored in the Perf table
| summarize avg(CounterValue) by bin(TimeGenerated, 5m)
| render timechart
```
This is particularly important for understanding performance issues in real environments.
6. Create Alerts from Log Queries
You can convert a KQL query into an alert rule.
Steps:
- Run a query in Log Analytics
- Click New Alert Rule
- Choose the signal (query result)
- Set threshold (e.g., CPU > 80%)
- Select Action Group (email, SMS, webhook, ITSM)
Exam concept:
Alerts from logs are called Log Alerts, and they run on a schedule, not in real time.
Example use cases:
- Too many failed logins
- VM CPU is high
- NSG seeing too many denied connections
- Azure Firewall reporting too many threat detections
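An added example (not from the original guide) of a query shaped for the "VM CPU is high" case. It returns one row per VM whose average CPU over the last 15 minutes exceeds 80 %, so the alert rule can use Measure = Table rows, Operator = Greater than, Threshold = 0. The ObjectName/CounterName/InstanceName values are the standard processor counter; adjust them if your Data Collection Rule collects a different counter.

```kusto
// Added example: alert-ready query. Any returned row means a VM is over the CPU threshold.
Perf
| where TimeGenerated > ago(15m)                                   // match this window to the rule's aggregation granularity
| where ObjectName == "Processor"
    and CounterName == "% Processor Time"
    and InstanceName == "_Total"                                   // whole-machine value, not a single core
| summarize AvgCPU = round(avg(CounterValue), 1) by Computer
| where AvgCPU > 80                                                // the threshold lives in the query, not the rule
| project Computer, AvgCPU
```

Keeping the threshold inside the query makes the rule fire on "any row returned", which is easier to reason about and to test in Log Analytics before creating the alert.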
7. Using Workbooks for Log Analysis
Azure Monitor Workbooks allow you to:
- Build dashboards
- Combine metrics + logs
- Visualize multiple charts
- Export/share dashboards
Workbooks are useful in IT operations, for example:
- Tracking VM performance
- Monitoring network traffic
- Observing application failures
Exam Tip:
Workbooks use KQL queries internally.
8. Using Log Analytics for Troubleshooting
This is extremely important for the exam.
8.1 Troubleshoot VM Issues
Check VM availability:
```kusto
Heartbeat
| summarize LastSeen = max(TimeGenerated) by Computer
```
Check CPU usage:
```kusto
Perf
| where CounterName == "% Processor Time"   // the CPU counter name as stored in the Perf table
| summarize AvgCPU = avg(CounterValue) by Computer
```
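As an added example (not from the original guide), the availability check extended to list only the VMs that have gone silent. The 15-minute gap and the 7-day lookback are assumed values; agents normally send a heartbeat about once a minute.

```kusto
// Added example: VMs whose last heartbeat is older than the assumed 15-minute gap.
Heartbeat
| where TimeGenerated > ago(7d)                                   // only agents seen at all in the last week
| summarize LastSeen = max(TimeGenerated) by Computer
| where LastSeen < ago(15m)                                       // silent for longer than the gap
| extend MinutesSilent = datetime_diff("minute", now(), LastSeen)
| order by MinutesSilent desc
```

The same query can be turned into a log alert rule (see section 6), so a VM that stops reporting raises a notification instead of being noticed during a manual check.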
8.2 Troubleshoot Networking Issues
Check denied NSG traffic:
```kusto
AzureNetworkAnalytics_CL
| where SubType_s == "FlowLog"    // Traffic Analytics flow records
| where FlowStatus_s == "D"       // "D" = denied, "A" = allowed
```
Check latency:
```kusto
NetworkMonitoring
| summarize avg(LatencyMs)
```
8.3 Troubleshoot Azure Resource Changes
```kusto
AzureActivity
| where OperationName contains "Delete"
```
This helps administrators identify who deleted or modified resources.
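An added example (not from the original guide) that answers the "who deleted it?" question with the identity, source IP and resource of each successful delete in the last 7 days. The columns are the standard AzureActivity schema; the 7-day window is an assumed value, and both spellings of the success status are matched because either may appear depending on the schema version.

```kusto
// Added example: audit successful delete operations with caller details.
AzureActivity
| where TimeGenerated > ago(7d)
| where OperationNameValue endswith "/delete"             // endswith is case-insensitive, e.g. .../VIRTUALMACHINES/DELETE
| where ActivityStatusValue in~ ("Success", "Succeeded")  // each operation also logs a Start row; keep the completed one
| project TimeGenerated, Caller, CallerIpAddress, ResourceGroup, OperationNameValue, _ResourceId
| order by TimeGenerated desc
```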
9. Cross-Resource Queries
Azure Monitor supports querying multiple workspaces or subscriptions.
```kusto
union workspace("WorkspaceA").Heartbeat, workspace("WorkspaceB").Heartbeat
| summarize count() by Computer
```
Exam Tip:
Use union for cross-workspace queries.
10. Log Retention and Data Management
You should understand:
- Log retention is configurable on the workspace (30 days default, can extend)
- Long-term retention costs extra
- You can export logs to storage accounts or Event Hub for archival or SIEM tools
- Use Data Collection Rules (DCRs) for ingestion control
11. Features That Rely on Log Queries (Important)
Azure services that depend on log querying:
| Feature | Purpose |
|---|---|
| Azure Monitor Logs | Central log store |
| Azure Sentinel (SIEM) | Advanced security analysis |
| Workbooks | Interactive dashboards |
| Alerts | Automated notifications |
| VM Insights | VM performance and map |
| Container Insights | Monitoring Kubernetes clusters |
| Network Watcher logs | Network monitoring |
Azure Monitor logs are used everywhere, so AZ-104 tests this broadly.
12. What AZ-104 Expects You to Know
You should be able to:
✔ Identify where logs are stored (Log Analytics Workspace)
✔ Understand basic KQL
✔ Run simple log queries
✔ Filter, sort, project, and summarize data
✔ Create alert rules using queries
✔ Troubleshoot resource issues with logs
✔ Visualize results (charts, tables)
✔ Use workbooks and dashboards
✔ Manage log retention
✔ Query multiple resources at once
Exam Tips
- You do NOT need to write advanced KQL, but you must read and understand simple queries.
- Know which tables store which data.
- Know how to run queries and create alerts.
- Know the difference between logs and metrics.
- Understand how data flows into Log Analytics via DCRs or diagnostic settings.
Conclusion
Querying and analyzing logs in Azure Monitor is a core skill for any Azure Administrator. In the AZ-104 exam, you will see questions that require you to:
- Know where logs are stored
- Understand KQL basics
- Use logs for troubleshooting
- Build alerts and dashboards
With the knowledge in this guide, you will be fully prepared for everything related to log queries on the exam.
