Configure log settings in Azure Monitor

Monitor resources in Azure

📘Microsoft Certified: Azure Administrator Associate (AZ-104)


1. What Are Logs in Azure Monitor?

Azure Monitor logs contain event-based data generated by resources and services. Logs help answer questions such as:

  • Did a virtual machine restart?
  • Did someone modify a network security group?
  • Why did an application fail?
  • Which firewall rules blocked traffic?
  • How did an Azure SQL database perform at a specific time?

Logs help you audit, troubleshoot, and analyze what is happening across Azure.


2. Types of Logs in Azure Monitor

Understanding log types is essential for configuring log settings correctly.

2.1. Activity Logs

  • Record control-plane operations (resource-level actions).
  • Example: creating a VM, updating a VNet, deleting storage accounts.
  • Automatically collected for every subscription.
  • Stored for 90 days by default.
  • Can be sent to:
    • Log Analytics Workspace
    • Event Hub
    • Storage Account

2.2. Resource Logs

(Previously called Diagnostic Logs)

  • Capture data-plane operations inside resources.
  • Show what is happening within a service.
  • Examples:
    • Azure Firewall logs (allowed/denied traffic)
    • Key Vault access logs (secret retrieval attempts)
    • NSG flow logs (network traffic patterns)
    • Storage account read/write access logs

Resource logs are not collected by default — you must enable them.

You also choose:

  • Which log categories to collect (e.g., Audit, Performance, Requests)
  • Where to send/store the logs

2.3. Azure AD Logs (Now part of Entra ID)

  • Sign-in logs
  • Audit logs
  • Provisioning logs
  • Identity Protection logs

AZ-104 covers how to integrate Azure AD logs with Azure Monitor, in particular sending them to a Log Analytics workspace.

3. Configuring Diagnostic Settings (Key Exam Topic)

What is a Diagnostic Setting?

It tells Azure which logs to collect and where to send them.

You can configure diagnostic settings for:

  • VMs
  • Storage accounts
  • VNets
  • Azure SQL
  • Application Gateway
  • Key Vault
  • Azure Firewall
  • Load Balancers
  • Many others

Where can logs be sent?

When you configure a diagnostic setting, you can choose one or more destinations:

Destination                        | Purpose                                                  | Exam Points
-----------------------------------|----------------------------------------------------------|-----------------------------------------
Log Analytics Workspace            | Query logs using KQL, use workbooks, alerts, dashboards  | Most common destination
Storage Account                    | Long-term archive, compliance retention                  | Cheapest for storage
Event Hub                          | Stream to SIEM systems like Splunk                       | Integration use cases
Microsoft Sentinel (via workspace) | Advanced security analytics                              | Added benefit but AZ-104 touches lightly

4. Steps to Configure Log Settings for a Resource

The exam often tests these steps.

Step 1 — Open the Resource

Go to the Azure resource (e.g., Storage Account, Key Vault, VNet, Load Balancer).

Step 2 — Select “Diagnostic Settings”

Under “Monitoring”, choose:
Diagnostic settings

Step 3 — Create a New Diagnostic Setting

Click:
Add diagnostic setting

Step 4 — Choose Log Categories

Depending on the resource, categories may include:

  • AuditLogs
  • RequestLogs
  • PerformanceLogs
  • NetworkRules
  • FirewallLogs
  • SignInLogs (for Entra ID)
  • FlowLogs (for NSGs via Network Watcher)

Step 5 — Choose the Destination

You can select:

  • Send to Log Analytics
  • Archive to Storage Account
  • Stream to Event Hub

Step 6 — Save the Configuration

From now on, logs will flow to the chosen destination.


5. Configuring Logs for Key Azure Services (High Exam Value)

Below are important resources the AZ-104 exam expects you to know logging for.


5.1. Virtual Machines (VMs)

VMs require the Azure Monitor Agent (AMA) or Log Analytics agent (legacy) to collect logs.

VM Log Types:

  • Syslog (Linux)
  • Windows Event Logs
  • Performance counters (CPU, memory, disk)
  • Guest OS update logs

How to Configure:

  1. Connect VM to a Log Analytics Workspace.
  2. Install Azure Monitor Agent.
  3. Configure Data Collection Rules (DCRs).

5.2. Network Security Group (NSG) Flow Logs

Enabled through Network Watcher.

Flow logs show:

  • Allowed/denied traffic
  • Source and destination IPs
  • Ports and protocols

Logs can be sent to:

  • Log Analytics via Traffic Analytics
  • Storage Account

Exam focus: enabling flow logs requires Network Watcher.
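The same procedure with the Azure CLI, as an added example that is not part of the original notes. It checks that Network Watcher is enabled in the region before creating the flow log (the exam point above), assumes an authenticated az CLI, and uses NSG_ID, SA_ID and WS_ID as placeholder resource IDs.

```bash
# Added example (not from the original page): enable NSG flow logs via Network Watcher with the Azure CLI.
# Assumes an authenticated az CLI; NSG_ID, SA_ID and WS_ID below are placeholders, not real values.
set -e

# Network Watcher is a regional resource; flow logs cannot be created where it is not enabled.
network_watcher_enabled() {
  az network watcher list --query "[?location=='$1'] | length(@)" -o tsv | grep -qv '^0$'
}

# Traffic Analytics only accepts a 10- or 60-minute processing interval; fail early on anything else.
traffic_analytics_interval_ok() {
  case "$1" in
    10|60) return 0 ;;
    *) return 1 ;;
  esac
}

# Enable version-2 JSON flow logs on the NSG, archive them to storage with a 90-day retention,
# and turn on Traffic Analytics so the flows are also queryable in the Log Analytics workspace.
enable_nsg_flow_logs() {
  local location=$1 nsg_id=$2 storage_id=$3 workspace_id=$4 interval=${5:-10}
  traffic_analytics_interval_ok "$interval" || { echo "interval must be 10 or 60" >&2; return 1; }
  network_watcher_enabled "$location" || { echo "Network Watcher is not enabled in $location" >&2; return 1; }
  az network watcher flow-log create \
    --location "$location" \
    --name "${nsg_id##*/}-flowlog" \
    --nsg "$nsg_id" \
    --storage-account "$storage_id" \
    --enabled true \
    --format JSON \
    --log-version 2 \
    --retention 90 \
    --traffic-analytics true \
    --workspace "$workspace_id" \
    --interval "$interval"
}

# Usage (placeholder IDs): enable_nsg_flow_logs eastus "$NSG_ID" "$SA_ID" "$WS_ID"
```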


5.3. Azure Firewall Logs

Azure Firewall produces:

  • Application Rule Logs
  • Network Rule Logs
  • Threat Intelligence Logs

These logs are configured via diagnostic settings.


5.4. Storage Account Logs

You can log:

  • Read
  • Write
  • Delete
  • Authentication failures

Useful for security auditing and troubleshooting.


6. Log Analytics Workspace (Central Logging Repository)

Most logs end up in a Log Analytics Workspace.

A workspace allows you to:

  • Query logs using Kusto Query Language (KQL)
  • Create alerts
  • Visualize data with workbooks
  • Integrate with Microsoft Sentinel

Important Workspace Settings:

  • Retention configuration (30 days default, up to 2 years)
  • Access control (RBAC) for viewing logs
  • Linked services (VMs, networks, etc.)

7. Enabling Logs for Azure Activity Logs (Subscription-level)

While Activity Logs are automatically collected, you must configure where to export them.

Steps:

  1. Go to Azure Monitor
  2. Select Activity Log
  3. Choose Export Activity Logs
  4. Select:
    • Log Analytics workspace
    • Event Hub
    • Storage Account
  5. Save

This ensures you retain logs beyond 90 days.
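Both procedures, the resource diagnostic setting from section 4 and the Activity Log export from section 7, as Azure CLI calls. This is an added example, not code from the original notes; it assumes an authenticated az CLI, and KV_ID, WS_ID and SA_ID are placeholder resource IDs for a Key Vault, a Log Analytics workspace and a storage account.

```bash
# Added example (not from the original page): sections 4 and 7 as Azure CLI calls.
# Assumes an authenticated az CLI; KV_ID, WS_ID and SA_ID are placeholders, not real resource IDs.
set -e

# Build the JSON array that --logs expects: one enabled entry per category name given.
logs_json() {
  local out="" c
  for c in "$@"; do
    out="${out:+$out,}{\"category\":\"$c\",\"enabled\":true}"
  done
  printf '[%s]' "$out"
}

# Step 4: discover which log categories a resource actually supports before enabling them.
list_log_categories() {
  az monitor diagnostic-settings categories list --resource "$1" \
    --query "value[?categoryType=='Logs'].name" -o tsv
}

# Steps 1-6 (resource logs): send the chosen categories to a workspace and archive them to storage.
create_diag_setting() {
  local name=$1 resource_id=$2 workspace_id=$3 storage_id=$4
  shift 4
  az monitor diagnostic-settings create \
    --name "$name" \
    --resource "$resource_id" \
    --workspace "$workspace_id" \
    --storage-account "$storage_id" \
    --logs "$(logs_json "$@")" \
    --metrics '[{"category":"AllMetrics","enabled":true}]'
}

# Section 7 (Activity Log): a subscription-level diagnostic setting exporting all eight Activity Log
# categories to the workspace, so the data outlives the 90-day default retention.
export_activity_log() {
  local workspace_id=$1 location=$2
  az monitor diagnostic-settings subscription create \
    --name activity-log-export \
    --location "$location" \
    --workspace "$workspace_id" \
    --logs "$(logs_json Administrative Security ServiceHealth Alert Recommendation Policy Autoscale ResourceHealth)"
}

# Usage with placeholder IDs (replace with real resource IDs):
#   list_log_categories "$KV_ID"
#   create_diag_setting kv-diag "$KV_ID" "$WS_ID" "$SA_ID" AuditEvent AzurePolicyEvaluationDetails
#   export_activity_log "$WS_ID" eastus
```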


8. Alerts Based on Logs

Azure Monitor allows alerts that use log data.

Examples:

  • Alert when a VM is stopped unexpectedly
  • Alert when an NSG blocks critical traffic
  • Alert when Key Vault has unauthorized access attempts

You create:

  1. A log query
  2. An alert rule
  3. An action group (email/SMS/webhook)
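The three pieces above (log query, alert rule, action group) for the Key Vault example, as an added example that is not part of the original notes. It assumes an authenticated az CLI, a workspace already receiving Key Vault AuditEvent resource logs, and an existing action group; RG, WS_ID and AG_ID are placeholders, and the threshold of 5 is a constructed starting value.

```bash
# Added example (not from the original page): a log alert for failed Key Vault operations.
# Assumes an authenticated az CLI, a workspace receiving Key Vault AuditEvent logs and an existing
# action group; RG, WS_ID and AG_ID are placeholders. The threshold is a constructed choice.
set -e

# Step 1: the log query. Columns follow the Key Vault resource-log schema in AzureDiagnostics;
# any operation whose ResultType is not "Success" (e.g. Unauthorized, Forbidden) counts as a failure.
# No summarize: each returned row is one failed operation, so the rule can count rows.
kv_failed_access_query() {
  cat <<'KQL'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.KEYVAULT" and Category == "AuditEvent"
| where ResultType != "Success"
| project TimeGenerated, Resource, OperationName, ResultType, ResultSignature, CallerIPAddress
KQL
}

# The condition string the rule evaluates: row count of the KvFailures query above the threshold.
alert_condition() {
  printf "count 'KvFailures' > %s" "${1:-5}"
}

# Steps 2-3: the alert rule, evaluated every 5 minutes over a 15-minute window, notifying the action group.
create_kv_access_alert() {
  local rg=$1 workspace_id=$2 action_group_id=$3 threshold=${4:-5}
  az monitor scheduled-query create \
    --name kv-failed-access \
    --resource-group "$rg" \
    --scopes "$workspace_id" \
    --condition "$(alert_condition "$threshold")" \
    --condition-query KvFailures="$(kv_failed_access_query)" \
    --evaluation-frequency 5m \
    --window-size 15m \
    --severity 2 \
    --action-groups "$action_group_id" \
    --description "More than $threshold failed Key Vault operations in 15 minutes"
}

# Usage (placeholder IDs): create_kv_access_alert "$RG" "$WS_ID" "$AG_ID" 5
```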

9. Security & Governance Considerations (Appear in exam)

  • Logs may contain sensitive data; use Access Control (IAM) to restrict access.
  • For long-term retention (years), use Storage Account with lifecycle management.
  • Ensure encryption at rest (enabled by default).
  • Use immutable storage if logs must be tamper-proof.

10. What You MUST Know for the AZ-104 Exam

✔ Activity Logs are automatic and subscription-level
✔ Resource Logs must be manually enabled
✔ Logs can be sent to Log Analytics, Storage Accounts, or Event Hubs
✔ You must configure Diagnostic Settings to enable resource logs
✔ VM logs require Azure Monitor Agent
✔ NSG flow logs require Network Watcher
✔ Log Analytics Workspace is the main log repository
✔ You can configure alerts based on logs
✔ Default retention for Activity Logs is 90 days
✔ Retention in Log Analytics Workspace is configurable


Summary

Configuring log settings in Azure Monitor ensures that you collect the right data from the right resources and store it in the right place. For the AZ-104 exam, focus heavily on:

  • Understanding different log types
  • Knowing how to configure diagnostic settings
  • Sending logs to Log Analytics Workspace
  • Using logs for troubleshooting and alerts
  • Configuring logging for network resources, VMs, and subscription activity

Mastering these concepts will help you answer questions about monitoring, security, auditing, and troubleshooting during the exam.
