#AzureMonitor – Resource Centric log alerts

When working with log-based alerts, a common ask is how to ensure the alert is associated with the resource and not with the underlying Log Analytics workspace. One symptom of this issue is that alerts configured to notify the resource owner are instead sent to the Log Analytics workspace owner. Another is that the "affected resource" on the fired alert is the Log Analytics workspace, not the Azure resource that actually raised it.

One of the new features that surfaced in Azure Monitor recently is creating resource-centric log alerts, and in this blog post, we will show you three ways you can use this new capability.

To use this feature, you need to ensure your workspace access mode (Designing your Azure Monitor Logs deployment – Azure Monitor | Microsoft Docs) is configured to resource-centric.

In this example, we are using a Virtual Machine, but the concept remains the same for all resources.

Resource Context

To get started, navigate to the virtual machine in the portal, and select Logs under the Monitoring banner. You can now run a query against this machine:

Screenshot of Log Analytics query from a virtual machine context

You can now click the New alert rule button above the query window.

Screenshot of log query in alert context

As you can see, the query is populated automatically, and the measurement is also pre-populated for you.

Further down on this page, you can use the Dimension splitting experience to ensure the alert is split both by computer and by instance – in this case, you want to split by instance, as you want to get an alert per volume.

Screenshot of Dimension splitting in alert rule

You can configure the rest of the alert settings as you typically would, assigning actions, etc., by following the wizard.

When you create the alert this way, the alert rule is associated with the resource, such as the virtual machine. This is good if you want an alert for a single resource.

You can do the same from a resource group context or a subscription context.

Resource group context:

Navigate to the resource group > logs, run the query, and go through the process of creating the alert rule.

Screenshot of log query in the resource group context

Ensure you split the dimensions out to the resource so that the rule also covers resources created in the future. The rule itself will be associated with the resource group, while each fired alert will be related to the individual resource that raised it, i.e., the affected resource in the alerts view will be that specific resource rather than the group or the workspace.

Subscription context:

For the subscription context, navigate to Monitor > Logs, and change the scope from the workspace to the subscription. Now you can create the alert rule as in the previous steps.

Screenshot of the log query in the subscription context

Again, ensure that you split out the dimensions correctly to cover all future resources.

This alert rule will now be associated with the subscription and will cover all resources of the selected type in that subscription.

This approach means you can create alerts at scale, regardless of your environment’s resources and regardless of how many workspaces you are using.
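The three contexts above (virtual machine, resource group, subscription) produce the same kind of rule; only the scope differs. The Bicep template below is an added example, not code from the original post, that builds such a resource-centric log alert rule for the "alert per volume" scenario from the screenshots. Everything in it is an assumption of this example: the parameter names, the rule name, the free-space query and the threshold are placeholders. The `scopes` entry is where the VM, resource group or subscription ID goes, and the query includes the `_ResourceId` column so that each fired alert is attributed to the resource that raised it rather than to the workspace.

```bicep
// Added example (not from the original post): a resource-centric scheduled query
// rule. Set alertScope to a VM, resource group or subscription resource ID to
// reproduce the three contexts described in the post. All names are placeholders.

@description('Resource ID of the VM, resource group or subscription the rule is scoped to (placeholder)')
param alertScope string

@description('Resource ID of the action group that receives the notification (placeholder)')
param actionGroupId string

@description('Fire when the average % Free Space on a volume drops below this value')
param freeSpaceThreshold int = 10

param location string = resourceGroup().location

// Constructed query: one row per volume per resource. _ResourceId is the column
// the alert service uses to attribute the fired alert to the Azure resource.
var freeSpaceQuery = '''
Perf
| where ObjectName == "LogicalDisk" and CounterName == "% Free Space"
| where InstanceName != "_Total"
| summarize AggregatedValue = avg(CounterValue)
    by bin(TimeGenerated, 5m), Computer, InstanceName, _ResourceId
'''

resource lowDiskAlert 'Microsoft.Insights/scheduledQueryRules@2021-08-01' = {
  name: 'low-free-disk-space' // placeholder rule name
  location: location
  kind: 'LogAlert'
  properties: {
    displayName: 'Low free disk space per volume'
    description: 'Resource-centric log alert split by computer, volume and resource'
    severity: 2
    enabled: true
    evaluationFrequency: 'PT5M'
    windowSize: 'PT15M'
    // The scope decides what the rule itself is associated with: a single VM,
    // a resource group, or a subscription.
    scopes: [
      alertScope
    ]
    // For a resource group or subscription scope this restricts the rule to
    // resources of the given type, so new VMs are covered automatically.
    targetResourceTypes: [
      'Microsoft.Compute/virtualMachines'
    ]
    criteria: {
      allOf: [
        {
          query: freeSpaceQuery
          timeAggregation: 'Average'
          metricMeasureColumn: 'AggregatedValue'
          // Column that maps each row back to the resource that raised it.
          resourceIdColumn: '_ResourceId'
          // Dimension splitting: '*' means one alert per distinct value, so a
          // VM with three volumes can raise three separate alerts.
          dimensions: [
            {
              name: 'Computer'
              operator: 'Include'
              values: [
                '*'
              ]
            }
            {
              name: 'InstanceName'
              operator: 'Include'
              values: [
                '*'
              ]
            }
          ]
          operator: 'LessThan'
          threshold: freeSpaceThreshold
          failingPeriods: {
            numberOfEvaluationPeriods: 1
            minFailingPeriodsToAlert: 1
          }
        }
      ]
    }
    autoMitigate: true
    actions: {
      actionGroups: [
        actionGroupId
      ]
    }
  }
}

output alertRuleId string = lowDiskAlert.id
```

Deploy it into the resource group that should hold the rule, for example `az deployment group create --resource-group <rg> --template-file alert.bicep --parameters alertScope=<scope-id> actionGroupId=<action-group-id>`. Before deploying, confirm the workspace is in the resource-centric access mode the post requires: `az monitor log-analytics workspace show --resource-group <rg> --workspace-name <workspace> --query features.enableLogAccessUsingOnlyResourcePermissions` should return `true`. If the rule fires with the workspace as the affected resource, the usual cause is a query that drops `_ResourceId` from the `summarize` clause.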

As always, thank you to my friend and colleague, Anders, for the collaboration on this topic.
