The Best Guide To Azure Log Analytics Workspace

Techieberry
12 min read · Jan 31, 2021

What is Azure Log Analytics Workspace?

An Azure Log Analytics workspace is a component of the Azure Monitor service. Log data collected by Azure Monitor is stored in a Log Analytics workspace, which is built on Azure Data Explorer. It collects telemetry from a variety of sources.

Why use Azure Log Analytics?

Many companies are already using Azure services, directly or indirectly. Directly means a workload such as a virtual server or appliance; indirectly means, for example, using Azure Directory Services while using Teams. In either case there is already some level of experience with Azure, including directory synchronization and delegating access for service payments. Because of this, adding Azure log services becomes a simple add-on.

Azure Log Analytics can be used to monitor more than just Room Systems. It can monitor all levels of a Windows-based system, as well as syslog sources and direct file analysis. It offers robust tools and a query language for building reports on different types of logs.

Set up your Room Systems

Ensure that you have one Teams Room System completely set up and working. Having this set up now will make the next steps easier. If you don’t have IPv6 running, I will go through managing that in a later step. A working system includes the following components.

  • IP Connectivity (v4 and v6)
  • Camera
  • Audio Device
  • Device Ingest (HDMI In)
  • Signed into a room account

Setting up Azure Log Analytics

Setting up Azure Log Analytics is not just a click-and-go solution; there is configuration required before it will work.

  • Set up an account in Azure
  • Set up a Resource Group
  • Configure the workspace
  • Configure the logs
  • Set up the dashboard
  • Configure Alerting

First you need to set yourself up with an account in Azure. Note that the Free Trial runs for 30 days with $200 credit. As a starting point, monitoring 10 systems for 1 month costs under $1/month. The more systems you add and the more log files you collect, the more it will cost, but it is inexpensive for what it can do. Chrome seems to work best with the Azure portal.

https://azure.microsoft.com/en-us/free/

  • Click on Start Free Trial (or Pay-As-You-Go; either way the process is the same)
  • Go through the signup process; it should only take about 10 minutes

Set up a Resource Group

A Resource Group is a container that holds related resources for an Azure solution. It lets you manage a logical grouping, such as Room Systems, Log Analytics, storage accounts, virtual networks, and virtual machines (VMs), as a single entity. For example, you may want to create a Resource Group just for Room System Log Analytics.

  • Click Add
  • When you created your account you chose either a Free Trial or Pay-As-You-Go; select that option under Subscription
  • In the Resource group field enter a descriptive name. For more information about naming conventions, visit the Microsoft website. In this example I will call it VideoConferencing.
  • Under Region choose the location where you want your data stored. This is typically near your primary office.
  • Once you have reviewed the configuration and created the group, it will take a few minutes to complete.

Setting up the Workspace

A workspace is the container in which a subset of data from a Resource Group is managed. For example, Log Analytics data is accessed, managed, and queried through a workspace.

  • Go to Azure Portal and Select All Resources
  • Click Add
  • In the search box type Log Analytics
  • At the bottom of the screen click Create
  • In the Workspace field enter a name. This is just the name of the place where data and configuration are stored. Typically this would be OMS… In this example I am using OMSDevices
  • Choose the subscription you used when creating the Resource Group
  • Choose the location where you want to store your data; this is usually the same as the Resource Group

Download the Agent

  • Click on All resources
  • There you should see the workspace you just created, OMSDevices; click on it
  • Click on Advanced Settings
  • This drops you into the agent details
  • Download the 64-bit agent, since you are most likely running 64-bit Windows 10
  • You will need to copy the Workspace ID and Primary Key.

Install the Agent

There are two ways to install the agent: the command line and the GUI. The GUI is pretty straightforward, so I will focus on the command line.

  • Extract the MSI file. You can use 7-Zip or run the download with
  • Create a batch file with the following line in it (note the quotes) and save it as c:\source\MMA\installMMA.cmd
  • Open an elevated command prompt and run the batch file above
  • You can tell if the agent installed correctly in two ways. First, check Control Panel for the Microsoft Monitoring Agent
  • Go to the Azure Log Analytics (OMS) tab. If it shows a green check you are good; if it shows anything else, remove the workspace and re-add it. Most likely the Workspace ID or Primary Key is wrong.
  • Now WAIT at least 5 minutes; it takes some time for the device to show up in the Advanced Settings tab (the same place where you downloaded the agent)

Configure Log Data

The steps listed below are derived from the Microsoft website. The entire process should take about 20 minutes to set up.

Configure the log sources

  • Configure the SRS logging
  • To get there, click on All Resources, then the workspace (OMSDevices in this example), and then Advanced Settings
  • Then click on Data, then Windows Event Logs
  • In the name field enter the Room System event log name and then click + to add it (it will not autocomplete this event log since it is not a common one)
  • Then click Save (on the left side of the window; DON’T forget to SAVE)

Validate the logs

  • It can take a long time (sometimes up to a few hours) for data to arrive. It depends on how long your system has been active, your internet connection, and so on.
  • Click on Monitor in the left navigation pane
  • Click on Logs
  • That will take you to the query window, where you can enter the test commands. It can take some time for data to show up, so give it about 5 minutes
  • Then click Run. That should return a list in the bottom window. Repeat this for the other examples. Note that if you get stuck at “We’re getting your data, hang in there” for a long time, you will need to start over.
  • I have found it helpful to save commands as I go
  • Click Save on the right-hand side
  • Then give it a name, save it as a query, and assign a category. The category can be reused, so the next time you save it will appear in a drop-down list as well as as free-form text.

Map Custom Fields

Before continuing, make sure the SRS has been configured. To generate an event, unplug a device for 3 seconds and plug it back in. Then wait a few minutes for the log to be updated in OMS. If you don’t do this, the next step will not be possible.

Mapping custom fields takes time and is repetitive. In this example we will map the field Description.

  • Run the search: Event | where Source == "SRS-App" and EventID == 2000
  • Expand one of the records; it doesn’t matter which
  • Click the 3 dots (…) and choose Extract Fields
  • Check the box next to Event ID; this should be checked by default
  • Under Rendered Description, select the text of the field to the right of “Description”:
  • The first field that is being sampled is Conference Speaker Status. Select the value of that field.
  • When selected, you will be asked to give the field a name. Make sure you have the right value, and assign it the name SRSEventDescription. The _CF suffix cannot be changed.
  • Click Extract
  • This will then show you where that string appears in the results of the query you used to get to this screen
  • If you need to change the selection, click the edit button at the upper right of the blue box and then select Modify this highlight
  • At the far right is the summary. This is also how you can double-check whether you checked the EventID box.
  • If everything is correct, click Save extraction at the bottom right
  • Once you click Save extraction you will go back to the query window. You will now need to repeat these steps for each of the JSON fields:
  • If you are not running IPv6, you can skip that field; the dashboard will then have to be edited manually.
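The portal extraction above is one way to get at the JSON inside the event. As an added example (not from the original post), the same fields can be pulled out at query time with KQL, which is useful for checking that a saved custom field was sampled from the right text. It assumes that the RenderedDescription of Source "SRS-App" / EventID 2000 records contains a JSON object, and that the JSON keys are "Description", "OperationName", "Alias" and "Conference Speaker Status"; those key names are assumptions that follow the field labels this guide mentions, so adjust them to what your own records show.

```kusto
// Added example: extract SRS fields at query time instead of (or to validate)
// the portal custom fields. Assumed: the description of these events holds a
// JSON object whose keys match the labels used in this guide.
Event
| where Source == "SRS-App" and EventID == 2000
| where TimeGenerated > ago(1h)
// Pull out the first {...} block; records without JSON yield an empty string
| extend RawJson = extract(@"(\{[\s\S]*\})", 1, RenderedDescription)
| where isnotempty(RawJson)
| extend Payload = parse_json(RawJson)
| extend
    OperationName    = tostring(Payload.OperationName),
    EventDescription = tostring(Payload.Description),
    Alias            = tostring(Payload.Alias),
    // keys containing spaces are addressed with bracket syntax
    SpeakerStatus    = tostring(Payload["Conference Speaker Status"])
// Compare with the portal-extracted field created earlier in this guide;
// any row where the two differ points to an extraction that sampled the
// wrong text or was given the wrong name
| extend DescriptionMismatch = (EventDescription != SRSEventDescription_CF)
| project TimeGenerated, Computer, Alias, OperationName,
          EventDescription, SRSEventDescription_CF, DescriptionMismatch, SpeakerStatus
| order by TimeGenerated desc
```

Run it from the same Logs query window. If DescriptionMismatch is true for every row, the SRSEventDescription_CF extraction needs to be removed and re-created as described in the next section.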

Removing an incorrect JSON field

Once you have gone through all of these and realized that you forgot to check or uncheck the EventID box, you will need to delete those entries and re-create them. Here is how.

  • Go to All Resources, the workspace name (OMSDevices), Advanced Settings
  • Then click on Data, then Custom Fields
  • Find the field in question and click Remove. There is no way to edit an extraction; you will need to re-create it.

Importing the Dashboard

The process can be found here.

  • Download the pre-canned view
  • Go to All Resources and select the workspace
  • Click on View Designer
  • Click on Import to upload the file
  • Upload the file TeamsRoomSystems_v2.omsview
  • Click Save
  • After clicking Save, press the push pin in the upper right corner to pin it to your main Dashboard

Troubleshooting

Usually if you don’t see what you expect, it means that somewhere during the extraction you grabbed the wrong fields or gave one the wrong name. You can troubleshoot this as follows.

  • Go back to the Logs query window (Monitor, Logs)
  • On the left, under the Query tab, in the Schema search box type SRS
  • That will filter the schema to show just the custom fields you created
  • In the query window enter the following. This example will show the IP address for all the computers. You can get the value of any field with one of the names above. Note that this is all case sensitive.
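An added example of the kind of check this step describes (not the author's query). It lists the most recent IP addresses per room and, in the same pass, counts how often each custom field was actually populated, so a field that was extracted from the wrong text or misnamed shows up with 0% instead of silently returning blanks. SRSIPv4Address_CF is an assumed name (the guide only names SRSIPv6Address_CF); substitute the names shown in your Schema pane, and remember that they are case sensitive.

```kusto
// Added example: latest IP addresses per computer plus a population check for
// the custom fields. SRSIPv4Address_CF is assumed; the other names appear in
// this guide.
Event
| where EventLog == "Teams Room System" and EventID == 2000
| where SRSOperationName_CF == "Heartbeat"
| where TimeGenerated > ago(24h)
| summarize
    Heartbeats = count(),
    IPv4Filled = countif(isnotempty(SRSIPv4Address_CF)),
    IPv6Filled = countif(isnotempty(SRSIPv6Address_CF)),
    AliasFilled = countif(isnotempty(SRSAlias_CF)),
    // arg_max keeps the address values from the newest heartbeat per computer
    arg_max(TimeGenerated, SRSIPv4Address_CF, SRSIPv6Address_CF)
  by Computer
// A field at 0% means the extraction never matched a live record
| extend
    IPv4Pct  = round(100.0 * IPv4Filled / Heartbeats, 1),
    IPv6Pct  = round(100.0 * IPv6Filled / Heartbeats, 1),
    AliasPct = round(100.0 * AliasFilled / Heartbeats, 1)
| project Computer, LastSeen = TimeGenerated, SRSIPv4Address_CF, SRSIPv6Address_CF,
          Heartbeats, IPv4Pct, IPv6Pct, AliasPct
| order by LastSeen desc
```

Rooms that are not running IPv6 will legitimately show IPv6Pct at 0; for every other field, a 0% column is the sign to go back and re-create that extraction.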

If you are not running IPv6, or decided not to import a field, you will need to manually remove it from the imported dashboard.

  • In the dashboard click on Edit
  • In the properties window scroll down to Click
  • Copy the text in the Navigation Query and paste it into Notepad
  • Find the text that you want to remove, for example SRSIPv6Address_CF,
  • Delete the text, make sure there is a space after every comma, and paste it back into the Navigation Query field
  • Repeat this for each view in the Dashboard

Setting Up Alerts

The documented process for building alerts can be found here.

  • Go back to Log Search and enter the following query (note that if you are not using IPv6 you should remove SRSIPv6Address_CF).
  • Once the query returns records, click New alert rule
  • Resource should show the workspace for logs:
  • The Condition will show a red exclamation mark; click on it
  • In the Based on section, choose Number of results, greater than 0
  • Set the evaluation period to 60 minutes and the frequency to 60 minutes. You will need to adjust these times as needed. Basically this means that every 60 minutes (frequency) the rule looks at what happened in the past 60 minutes (period).
  • Under Action Groups click Create new
  • Fill out the details, making sure to pick the Resource Group that contains the Log Analytics workspace. Choose the type of action.
  • Once you fill that out, click Edit details. Email/SMS/Push is the most common type; all of those are configured in the window that appears. You will need to add one action per email address or push target, so I would recommend distribution lists where possible (just to simplify the process)
  • In the details you can add the email address, push, SMS, etc.
  • When you have configured that single notification, click OK. An email or message will go to whomever you have configured in that specific policy.
  • When all of your policies have been configured, click OK to go back to the main screen. Check the box to change the subject to: Teams Room Systems v2 Hardware Failure Alert (or anything descriptive)
  • Then click Create alert rule
  • Now create a second rule. It uses almost the same process.
  • In the query window use the following statement (note that SRSIPv6Address_CF has been removed in this example)
  • Click on New alert rule
  • Set the Conditions the same as before
  • Under Action Groups, click Select existing and choose the one you created previously
  • Change the subject to: Teams Room Systems v2 Application Failure Alert
  • Alert Rule Name: Teams Room Systems v2 Application Failure Alert
  • Description: List of devices that encountered an application issue within the last hour
  • Severity: Critical (Sev0)
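As an added example (not the author's queries), here are two alert queries of the shape the two rules above need: one that fires on an unhealthy peripheral and one that fires on a failed heartbeat. Both restrict themselves to the last 60 minutes to match the 60-minute period and frequency chosen above. Beyond SRSOperationName_CF, SRSAlias_CF and SRSIPv6Address_CF, which this guide names, the field names (SRSIPv4Address_CF, SRSConferenceSpeakerStatus_CF, SRSConferenceMicrophoneStatus_CF, SRSCameraStatus_CF, SRSFrontOfRoomDisplayStatus_CF, SRSOperationResult_CF) and the values "Unhealthy" and "Fail" are assumptions that follow the guide's naming pattern; check the Schema pane and a sample record for the names and values you actually have.

```kusto
// Added example, rule 1: hardware failure alert.
// Assumed field names and status values; see the lead-in.
Event
| where EventLog == "Teams Room System" and EventID == 2000
| where SRSOperationName_CF == "Heartbeat"
| where TimeGenerated > ago(60m)
// Turn each unhealthy status into a label so the alert says what failed
| extend Failed = pack_array(
      iff(SRSConferenceSpeakerStatus_CF == "Unhealthy", "Conference Speaker", ""),
      iff(SRSConferenceMicrophoneStatus_CF == "Unhealthy", "Conference Microphone", ""),
      iff(SRSCameraStatus_CF == "Unhealthy", "Camera", ""),
      iff(SRSFrontOfRoomDisplayStatus_CF == "Unhealthy", "Front of Room Display", ""))
| mv-expand Failed to typeof(string)
| where isnotempty(Failed)
| summarize LastSeen = max(TimeGenerated), FailedDevices = make_set(Failed)
    by Computer, SRSAlias_CF, SRSIPv4Address_CF, SRSIPv6Address_CF
| order by LastSeen desc

// Added example, rule 2: application failure alert.
// SRSIPv6Address_CF is left out here, as in the guide's second rule.
Event
| where EventLog == "Teams Room System" and EventID == 2000
| where SRSOperationName_CF == "Heartbeat" and SRSOperationResult_CF == "Fail"
| where TimeGenerated > ago(60m)
| summarize LastFailure = max(TimeGenerated), Failures = count()
    by Computer, SRSAlias_CF, SRSIPv4Address_CF
| order by LastFailure desc
```

Run each query on its own before attaching it to a rule; with "Number of results greater than 0" as the condition, any row returned in the window raises the alert, so a room that stays unhealthy will re-alert every 60 minutes until it is fixed.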

Changing Alerts

If you ever need to change an alert (frequency, notifications, etc.) or view current alerts:

  • Go to your resources and select the workspace
  • Under Monitoring, choose Alerts
  • Then choose what you want to change

Advanced Queries

List Rooms with Details

This example shows details by computer; you can add any other details as well.

Event
| where EventLog == "Teams Room System" and EventID == 2000 and SRSOperationName_CF == "Heartbeat"
| summarize by Computer, SRSAlias_CF, SRSAppVersion_CF, SRSOSVersion_CF, SRSOSLongVersion_CF
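The status-based alerts only see rooms that are still sending heartbeats; a room that has gone offline, lost its network, or been tampered with sends nothing and never appears in them. As an added example (not from the original post), the heartbeat query above can be turned around to list rooms that have gone quiet. It assumes the heartbeat interval is well under the 2-hour StaleAfter threshold (adjust it to your environment) and looks back 7 days, so a room silent for longer than that drops out of the list entirely and should be reconciled against your room inventory.

```kusto
// Added example: rooms whose last heartbeat is older than StaleAfter.
// Assumed: heartbeats normally arrive much more often than every 2 hours.
let StaleAfter = 2h;
Event
| where EventLog == "Teams Room System" and EventID == 2000
| where SRSOperationName_CF == "Heartbeat"
| where TimeGenerated > ago(7d)
// Newest heartbeat per computer, carrying the alias and version seen at that time
| summarize arg_max(TimeGenerated, SRSAlias_CF, SRSAppVersion_CF, SRSOSVersion_CF) by Computer
| extend Silence = now() - TimeGenerated
| where Silence > StaleAfter
| project Computer, SRSAlias_CF, SRSAppVersion_CF, SRSOSVersion_CF,
          LastHeartbeat = TimeGenerated, Silence
| order by Silence desc
```

This query can be attached to a third alert rule with the same "Number of results greater than 0" condition, which gives you coverage for silent rooms alongside the hardware and application failure rules.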
