Log Analytics and KQL Fundamentals
Ingest diagnostic logs into a Log Analytics workspace and write Kusto Query Language queries to filter, aggregate, and visualise operational data.
What Is a Log Analytics Workspace?
A Log Analytics workspace is the central data store in Azure Monitor for log and telemetry data. When you configure diagnostic settings on an Azure resource, its resource logs (and, if selected, platform metrics) flow into the workspace as rows in tables that you query with the Kusto Query Language (KQL). Each workspace has its own retention policy (30 days by default, configurable up to 730 days of interactive retention) and its own access controls, so a security team can be granted read access to the logs of many resources on the workspace itself, without being granted rights on the resources that produced them.
# Create a Log Analytics workspace
az monitor log-analytics workspace create \
--resource-group myRG \
--workspace-name myWorkspace \
--location eastus \
--retention-time 90
Sending Diagnostic Logs to a Workspace
Most Azure resources can emit resource logs (still widely called diagnostic logs): detailed records of operations such as API calls, authentication events, and query execution. You enable them through Diagnostic Settings on the resource, specifying the destination as your Log Analytics workspace. Each log category must be enabled explicitly, and a resource without a diagnostic setting produces no log rows at all, so audit coverage should be enforced with Azure Policy rather than assumed. Common categories include AuditEvent for Key Vault (every authenticated REST request to the vault, successful or not, with the caller's identity and IP address), AppServiceHTTPLogs for App Service, and NetworkSecurityGroupEvent and NetworkSecurityGroupRuleCounter for NSGs. Unless the setting selects a resource-specific destination table, the rows land in the AzureDiagnostics table and are told apart by their ResourceProvider and Category columns.
# Enable diagnostic settings to send Key Vault logs to Log Analytics
az monitor diagnostic-settings create \
--name 'KVLogs' \
--resource /subscriptions/<sub>/resourceGroups/myRG/providers/Microsoft.KeyVault/vaults/myKV \
--workspace myWorkspace \
--logs '[{"category":"AuditEvent","enabled":true}]'
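Once AuditEvent rows are arriving, the first query a security engineer wants is one that filters them to failures and aggregates by caller. The query below is an added example for this lesson, not code from the original page: the datatable is a constructed sample of Key Vault AuditEvent rows using the column names Key Vault is assumed to write to AzureDiagnostics (OperationName, ResultType, CallerIPAddress, id_s, identity_claim_appid_g); the IP addresses, application IDs, secret names, the "Forbidden" result values and the thresholds are all made up. Because the data is embedded with datatable, it runs in any Log Analytics or Kusto query window without ingested data.

```kql
// Added example, not from the original lesson. Constructed sample of Key Vault
// AuditEvent rows in the shape of AzureDiagnostics (column names assumed).
let KVAudit = datatable(
    TimeGenerated: datetime,
    OperationName: string,
    ResultType: string,
    CallerIPAddress: string,
    id_s: string,                    // URI of the secret/key the call targeted
    identity_claim_appid_g: string   // application (service principal) ID of the caller
)[
    datetime(2024-05-01 09:00:00), "SecretGet",  "Success",   "10.0.1.4",    "https://mykv.vault.azure.net/secrets/db-password", "aaaaaaaa-0000-0000-0000-000000000001",
    datetime(2024-05-01 09:05:00), "SecretGet",  "Success",   "10.0.1.4",    "https://mykv.vault.azure.net/secrets/api-key",     "aaaaaaaa-0000-0000-0000-000000000001",
    datetime(2024-05-01 09:10:00), "SecretGet",  "Forbidden", "203.0.113.7", "https://mykv.vault.azure.net/secrets/db-password", "bbbbbbbb-0000-0000-0000-000000000002",
    datetime(2024-05-01 09:11:00), "SecretGet",  "Forbidden", "203.0.113.7", "https://mykv.vault.azure.net/secrets/api-key",     "bbbbbbbb-0000-0000-0000-000000000002",
    datetime(2024-05-01 09:12:00), "SecretList", "Forbidden", "203.0.113.7", "https://mykv.vault.azure.net/secrets",             "bbbbbbbb-0000-0000-0000-000000000002",
    datetime(2024-05-01 09:13:00), "SecretGet",  "Forbidden", "203.0.113.7", "https://mykv.vault.azure.net/secrets/signing-key", "bbbbbbbb-0000-0000-0000-000000000002",
    datetime(2024-05-01 09:30:00), "KeyGet",     "Success",   "10.0.1.9",    "https://mykv.vault.azure.net/keys/cmk",            "cccccccc-0000-0000-0000-000000000003",
    datetime(2024-05-01 09:45:00), "SecretGet",  "Forbidden", "10.0.1.4",    "https://mykv.vault.azure.net/secrets/legacy-pw",   "aaaaaaaa-0000-0000-0000-000000000001"
];
// Filter: keep only failed requests. Comparing against "Success" rather than
// matching one error string catches Forbidden, Unauthorized and NotFound alike.
KVAudit
| where ResultType != "Success"
// Aggregate: one row per (caller app ID, source IP) with how many calls failed,
// how many distinct objects were tried, which ones, and the time window.
| summarize Failures = count(),
            DistinctObjects = dcount(id_s),
            ObjectsTried = make_set(id_s),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
          by AppId = identity_claim_appid_g, CallerIPAddress
// Threshold (assumed values): one denied call is noise; several against
// different objects from one principal looks like enumeration of a vault
// it is not entitled to. The sample yields one row: AppId bbbbbbbb-... from
// 203.0.113.7 with Failures = 4 and DistinctObjects = 4; the single failure
// from aaaaaaaa-... is dropped.
| where Failures >= 3 and DistinctObjects >= 2
| order by Failures desc
```

To run this against real data, delete the let statement and start the pipeline with `AzureDiagnostics | where ResourceProvider == "MICROSOFT.KEYVAULT" and Category == "AuditEvent" and TimeGenerated > ago(1d)`; if the vault's diagnostic setting writes to the resource-specific destination table instead, the table and column names differ and must be adjusted. To visualise the result, append `| project AppId, Failures, DistinctObjects | render barchart` as the last operators, since render must close the query.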