0
# Log Analytics and Query Rules
1
2
Scheduled query rules for log-based alerting using KQL queries against Log Analytics workspaces, and log profiles for activity log export (deprecated feature).
3
4
## Capabilities
5
6
### Scheduled Query Rules
7
8
Create and manage scheduled query rules that run KQL queries against Log Analytics data and trigger alerts based on results.
9
10
```python { .api }
11
def create_or_update(resource_group_name: str, rule_name: str, parameters: ScheduledQueryRuleResource, **kwargs: Any) -> ScheduledQueryRuleResource:
12
"""
13
Creates or updates a scheduled query rule.
14
15
Parameters:
16
- resource_group_name: str - Name of the resource group
17
- rule_name: str - Name of the scheduled query rule
18
- parameters: ScheduledQueryRuleResource - Query rule configuration
19
20
Returns:
21
ScheduledQueryRuleResource - The created or updated query rule
22
"""
23
24
def get(resource_group_name: str, rule_name: str, **kwargs: Any) -> ScheduledQueryRuleResource:
25
"""
26
Retrieve an scheduled query rule definition.
27
28
Parameters:
29
- resource_group_name: str - Name of the resource group
30
- rule_name: str - Name of the scheduled query rule
31
32
Returns:
33
ScheduledQueryRuleResource - The query rule details
34
"""
35
36
def delete(resource_group_name: str, rule_name: str, **kwargs: Any) -> None:
37
"""
38
Deletes a scheduled query rule.
39
40
Parameters:
41
- resource_group_name: str - Name of the resource group
42
- rule_name: str - Name of the scheduled query rule
43
"""
44
45
def update(resource_group_name: str, rule_name: str, parameters: ScheduledQueryRuleResourcePatch, **kwargs: Any) -> ScheduledQueryRuleResource:
46
"""
47
Update a scheduled query rule.
48
49
Parameters:
50
- resource_group_name: str - Name of the resource group
51
- rule_name: str - Name of the scheduled query rule
52
- parameters: ScheduledQueryRuleResourcePatch - Properties to update
53
54
Returns:
55
ScheduledQueryRuleResource - The updated query rule
56
"""
57
58
def list_by_subscription(**kwargs: Any) -> ItemPaged[ScheduledQueryRuleResource]:
59
"""
60
Retrieve scheduled query rule definitions in a subscription.
61
62
Returns:
63
ItemPaged[ScheduledQueryRuleResource] - List of scheduled query rules
64
"""
65
66
def list_by_resource_group(resource_group_name: str, **kwargs: Any) -> ItemPaged[ScheduledQueryRuleResource]:
67
"""
68
Retrieve scheduled query rule definitions in a resource group.
69
70
Parameters:
71
- resource_group_name: str - Name of the resource group
72
73
Returns:
74
ItemPaged[ScheduledQueryRuleResource] - List of scheduled query rules
75
"""
76
```
77
78
### Log Profiles (Deprecated)
79
80
Manage log profiles for exporting activity logs to storage accounts or event hubs.
81
82
```python { .api }
83
def create_or_update(log_profile_name: str, parameters: LogProfileResource, **kwargs: Any) -> LogProfileResource:
84
"""
85
Create or update a log profile.
86
87
Parameters:
88
- log_profile_name: str - Name of the log profile
89
- parameters: LogProfileResource - Log profile configuration
90
91
Returns:
92
LogProfileResource - The created or updated log profile
93
"""
94
95
def get(log_profile_name: str, **kwargs: Any) -> LogProfileResource:
96
"""
97
Gets the log profile.
98
99
Parameters:
100
- log_profile_name: str - Name of the log profile
101
102
Returns:
103
LogProfileResource - The log profile details
104
"""
105
106
def delete(log_profile_name: str, **kwargs: Any) -> None:
107
"""
108
Deletes the log profile.
109
110
Parameters:
111
- log_profile_name: str - Name of the log profile
112
"""
113
114
def list(**kwargs: Any) -> ItemPaged[LogProfileResource]:
115
"""
116
List the log profiles.
117
118
Returns:
119
ItemPaged[LogProfileResource] - List of log profiles
120
"""
121
```
122
123
## Usage Examples
124
125
### Creating a Log-Based Alert Rule
126
127
```python
128
from azure.mgmt.monitor.models import (
129
ScheduledQueryRuleResource, ScheduledQueryRuleCriteria,
130
Condition, ConditionFailingPeriods, Actions
131
)
132
133
# Define KQL query and condition
134
condition = Condition(
135
query="Heartbeat | summarize AggregatedValue = count() by Computer | where AggregatedValue < 1",
136
time_aggregation="Count",
137
metric_measure_column="AggregatedValue",
138
operator="LessThan",
139
threshold=1.0,
140
failing_periods=ConditionFailingPeriods(
141
number_of_evaluation_periods=2,
142
min_failing_periods_to_alert=2
143
)
144
)
145
146
# Define criteria
147
criteria = ScheduledQueryRuleCriteria(
148
all_of=[condition]
149
)
150
151
# Define actions
152
actions = Actions(
153
action_groups=[
154
f"/subscriptions/{subscription_id}/resourceGroups/monitoring-rg/providers/Microsoft.Insights/actionGroups/admin-alerts"
155
]
156
)
157
158
# Create scheduled query rule
159
query_rule = ScheduledQueryRuleResource(
160
location="East US",
161
description="Alert when computers stop sending heartbeats",
162
enabled=True,
163
scopes=[
164
f"/subscriptions/{subscription_id}/resourceGroups/monitoring-rg/providers/Microsoft.OperationalInsights/workspaces/central-workspace"
165
],
166
evaluation_frequency="PT5M", # Run every 5 minutes
167
window_size="PT15M", # Look at last 15 minutes
168
criteria=criteria,
169
actions=actions,
170
severity=1, # Error severity
171
auto_mitigate=True
172
)
173
174
result = client.scheduled_query_rules.create_or_update(
175
resource_group_name="monitoring-rg",
176
rule_name="missing-heartbeat-alert",
177
parameters=query_rule
178
)
179
```
180
181
### Application Performance Alert
182
183
```python
184
# Alert on high application response times
185
app_performance_condition = Condition(
186
query="""
187
AppRequests
188
| where TimeGenerated > ago(5m)
189
| summarize AverageResponseTime = avg(DurationMs) by bin(TimeGenerated, 1m)
190
| where AverageResponseTime > 2000
191
""",
192
time_aggregation="Average",
193
metric_measure_column="AverageResponseTime",
194
operator="GreaterThan",
195
threshold=2000.0,
196
failing_periods=ConditionFailingPeriods(
197
number_of_evaluation_periods=3,
198
min_failing_periods_to_alert=2
199
)
200
)
201
202
app_perf_rule = ScheduledQueryRuleResource(
203
location="East US",
204
description="Alert when application response time exceeds 2 seconds",
205
enabled=True,
206
scopes=[workspace_id],
207
evaluation_frequency="PT1M",
208
window_size="PT5M",
209
criteria=ScheduledQueryRuleCriteria(all_of=[app_performance_condition]),
210
actions=actions,
211
severity=2
212
)
213
```
214
215
### Custom Log Analysis Alert
216
217
```python
218
# Alert based on custom application logs
219
custom_log_condition = Condition(
220
query="""
221
CustomApp_CL
222
| where TimeGenerated > ago(10m)
223
| where Status_s == "ERROR"
224
| summarize ErrorCount = count() by bin(TimeGenerated, 1m)
225
| where ErrorCount > 5
226
""",
227
time_aggregation="Total",
228
metric_measure_column="ErrorCount",
229
operator="GreaterThan",
230
threshold=5.0,
231
failing_periods=ConditionFailingPeriods(
232
number_of_evaluation_periods=1,
233
min_failing_periods_to_alert=1
234
)
235
)
236
237
custom_log_rule = ScheduledQueryRuleResource(
238
location="East US",
239
description="Alert on high error rate in custom application logs",
240
enabled=True,
241
scopes=[workspace_id],
242
evaluation_frequency="PT5M",
243
window_size="PT10M",
244
criteria=ScheduledQueryRuleCriteria(all_of=[custom_log_condition]),
245
actions=actions,
246
severity=1
247
)
248
```
249
250
### Creating a Log Profile (Deprecated)
251
252
```python
253
from azure.mgmt.monitor.models import LogProfileResource, RetentionPolicy
254
255
# Create log profile for activity log export
256
log_profile = LogProfileResource(
257
location="global",
258
locations=["East US", "West US"], # Regions to collect from
259
categories=["Write", "Delete", "Action"], # Activity log categories
260
retention_policy=RetentionPolicy(
261
enabled=True,
262
days=90 # Retain for 90 days
263
),
264
storage_account_id=f"/subscriptions/{subscription_id}/resourceGroups/storage-rg/providers/Microsoft.Storage/storageAccounts/activitylogs",
265
service_bus_rule_id=f"/subscriptions/{subscription_id}/resourceGroups/messaging-rg/providers/Microsoft.ServiceBus/namespaces/logs-namespace/authorizationrules/RootManageSharedAccessKey"
266
)
267
268
profile_result = client.log_profiles.create_or_update(
269
log_profile_name="default-log-profile",
270
parameters=log_profile
271
)
272
```
273
274
## Types
275
276
```python { .api }
277
class ScheduledQueryRuleResource:
278
"""Scheduled query rule resource."""
279
location: str # Resource location
280
description: Optional[str] # Rule description
281
enabled: bool # Whether rule is enabled
282
scopes: List[str] # Log Analytics workspace scopes
283
evaluation_frequency: str # Query evaluation frequency (ISO 8601)
284
window_size: str # Query time window (ISO 8601)
285
override_query_time_range: Optional[str] # Override time range
286
target_resource_types: Optional[List[str]] # Target resource types
287
criteria: ScheduledQueryRuleCriteria # Query criteria
288
mute_actions_duration: Optional[str] # Mute actions duration
289
actions: Optional[Actions] # Actions to execute
290
is_workspace_alerts_storage_configured: Optional[bool] # Workspace alerts storage
291
check_workspace_alerts_storage_configured: Optional[bool] # Check storage
292
skip_query_validation: Optional[bool] # Skip query validation
293
auto_mitigate: Optional[bool] # Auto-resolve alerts
294
display_name: Optional[str] # Display name
295
severity: Optional[int] # Alert severity (0-4)
296
created_with_api_version: Optional[str] # Creation API version
297
is_legacy_log_analytics_rule: Optional[bool] # Legacy rule indicator
298
299
class ScheduledQueryRuleCriteria:
300
"""Scheduled query rule criteria."""
301
all_of: List[Condition] # All conditions must be met (AND logic)
302
303
class Condition:
304
"""Query rule condition."""
305
query: str # KQL query to execute
306
time_aggregation: TimeAggregationType # Time aggregation method
307
metric_measure_column: Optional[str] # Column to measure
308
resource_id_column: Optional[str] # Resource ID column
309
operator: ConditionOperator # Comparison operator
310
threshold: float # Threshold value
311
failing_periods: ConditionFailingPeriods # Failing period configuration
312
metric_name: Optional[str] # Metric name for multi-dimensional alerts
313
314
class ConditionFailingPeriods:
315
"""Failing periods configuration."""
316
number_of_evaluation_periods: int # Number of evaluation periods
317
min_failing_periods_to_alert: int # Minimum failing periods to alert
318
319
class Actions:
320
"""Actions to execute when alert fires."""
321
action_groups: Optional[List[str]] # Action group resource IDs
322
custom_properties: Optional[Dict[str, str]] # Custom properties
323
324
class LogProfileResource:
325
"""Log profile resource (deprecated)."""
326
location: str # Resource location
327
locations: List[str] # Locations to collect from
328
categories: List[str] # Activity log categories
329
retention_policy: RetentionPolicy # Retention policy
330
storage_account_id: Optional[str] # Storage account ID
331
service_bus_rule_id: Optional[str] # Service Bus authorization rule ID
332
333
class RetentionPolicy:
334
"""Retention policy configuration."""
335
enabled: bool # Whether retention is enabled
336
days: int # Number of days to retain
337
338
TimeAggregationType = Union["Count", "Average", "Minimum", "Maximum", "Total"]
339
ConditionOperator = Union["Equals", "GreaterThan", "GreaterThanOrEqual", "LessThan", "LessThanOrEqual"]
340
```