Azure Monitoring Setup Guide
Steps Overview
- Create a Virtual Machine (VM).
- Enable Azure Monitor Agent (AMA).
- Create a Log Analytics Workspace (LAW).
- Assign roles:
  - Log Analytics Contributor
  - Monitoring Contributor
- Create a Data Collection Rule (DCR).
- Query logs using KQL.
Install Azure CLI and AMA Agent
# Install Azure CLI using Chocolatey
choco install azurecli -y
# Install AMA agent on VM
az vm extension set \
--name AzureMonitorLinuxAgent \
--resource-group monitoring \
--publisher Microsoft.Azure.Monitor \
--version 1.28 \
--settings '{}' \
--vm-name azure-vm
# Verify installation
az vm extension show \
-g monitoring \
--vm-name azure-vm \
-n AzureMonitorLinuxAgent
Create Log Analytics Workspace
az monitor log-analytics workspace create \
-g monitoring \
-n azure-vm-workspace
LAW_ID=$(az monitor log-analytics workspace show \
--resource-group monitoring \
--workspace-name azure-vm-workspace \
--query id -o tsv)
echo "LAW ID: $LAW_ID"
Create a Data Collection Rule (DCR)
A Data Collection Rule defines which logs to collect and where to send them. Here we collect all Syslog entries and send them to the Log Analytics Workspace.
az monitor data-collection rule create \
--resource-group monitoring \
--name "dcr-syslog-demo" \
--location eastus2 \
--data-flows '[{
"streams": ["Microsoft-Syslog"],
"destinations": ["law-dest"]
}]' \
--destinations '{
"logAnalytics": [{
"workspaceResourceId": "'"$LAW_ID"'",
"name": "law-dest"
}]
}' \
--data-sources '{
"syslog": [{
"name": "syslog-source",
"streams": ["Microsoft-Syslog"],
"facilityNames": ["*"],
"logLevels": ["Debug","Info","Notice","Warning","Error","Critical","Alert","Emergency"]
}]
}'
# Save the DCR resource ID:
DCR_ID=$(az monitor data-collection rule show \
--resource-group monitoring \
--name "dcr-syslog-demo" \
--query id -o tsv)
echo "DCR ID: $DCR_ID"
Associate the DCR with Your VM
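# Variables used in the resource URLs below
SUB_ID=$(az account show --query id -o tsv)
VM_NAME=azure-vm
az rest \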
--method PUT \
--url "https://management.azure.com/subscriptions/$SUB_ID/resourceGroups/monitoring/providers/Microsoft.Compute/virtualMachines/$VM_NAME/providers/Microsoft.Insights/dataCollectionRuleAssociations/dcra-vm-demo?api-version=2022-06-01" \
--body '{
"properties": {
"dataCollectionRuleId": "'"$DCR_ID"'"
}
}'
Verify the association:
az rest \
--method GET \
--url "https://management.azure.com/subscriptions/$SUB_ID/resourceGroups/monitoring/providers/Microsoft.Compute/virtualMachines/$VM_NAME/providers/Microsoft.Insights/dataCollectionRuleAssociations?api-version=2022-06-01" \
--query "value[].properties.provisioningState"
Expected output: ["Succeeded"].
Assign Permissions to the VM
- The VM’s managed identity needs permission to write data into the Log Analytics Workspace.
# Get the VM's managed identity
# (principalId is empty unless the VM has a system-assigned managed identity)
VM_PRINCIPAL=$(az vm show \
--resource-group monitoring \
--name "$VM_NAME" \
--query identity.principalId -o tsv)
# Assign Monitoring Contributor
az role assignment create \
--assignee "$VM_PRINCIPAL" \
--role "Monitoring Contributor" \
--scope "$LAW_ID"
# Assign Log Analytics Contributor
az role assignment create \
--assignee "$VM_PRINCIPAL" \
--role "Log Analytics Contributor" \
--scope "$LAW_ID"
Wait 2–3 minutes after assigning roles.
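To confirm the two roles landed on the workspace and nowhere broader, this added example (not part of the original guide) audits the JSON printed by `az role assignment list --assignee "$VM_PRINCIPAL" --all -o json`. The function name, the sample data and the placeholder IDs are assumptions made for illustration.

```python
import json

# Constructed sample shaped like `az role assignment list --assignee <id> --all -o json`.
# Subscription and principal IDs are placeholders, not real resources.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_SCOPE = SUB + "/resourceGroups/monitoring"
LAW_ID = RG_SCOPE + "/providers/Microsoft.OperationalInsights/workspaces/azure-vm-workspace"
VM_PRINCIPAL = "11111111-1111-1111-1111-111111111111"
SAMPLE = json.dumps([
    {"principalId": VM_PRINCIPAL, "roleDefinitionName": "Monitoring Contributor",
     "scope": LAW_ID.upper()},  # ARM resource IDs compare case-insensitively
    {"principalId": VM_PRINCIPAL, "roleDefinitionName": "Log Analytics Contributor",
     "scope": RG_SCOPE},        # broader than the guide's --scope $LAW_ID
    {"principalId": "22222222-2222-2222-2222-222222222222",
     "roleDefinitionName": "Owner", "scope": SUB},  # different principal, ignored
])
EXPECTED_ROLES = ("Monitoring Contributor", "Log Analytics Contributor")


def _norm(scope):
    """Normalise a scope for comparison; the root scope "/" becomes ""."""
    return scope.rstrip("/").lower()


def audit_assignments(assignments_json, principal_id, workspace_id,
                      expected=EXPECTED_ROLES):
    """Return the expected roles missing at workspace scope, plus every role
    the identity holds at a parent scope (which the workspace inherits)."""
    target = _norm(workspace_id)
    at_workspace, broader = set(), []
    for a in json.loads(assignments_json):
        if a["principalId"].lower() != principal_id.lower():
            continue
        scope = _norm(a["scope"])
        if scope == target:
            at_workspace.add(a["roleDefinitionName"])
        elif target.startswith(scope + "/"):
            # Resource group, subscription or root: wider than intended.
            broader.append((a["roleDefinitionName"], a["scope"]))
    missing = [r for r in expected if r not in at_workspace]
    return {"missing": missing, "broader": broader}


if __name__ == "__main__":
    print(json.dumps(audit_assignments(SAMPLE, VM_PRINCIPAL, LAW_ID), indent=2))
```

An empty `missing` list and an empty `broader` list mean the identity holds exactly the two roles at the workspace scope used in the commands above.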
Generate Sample Logs
for i in $(seq 1 50); do
logger -t "DummyApp" -p user.info "INFO - Application started, request #$i processed"
logger -t "DummyApp" -p user.warning "WARN - High memory usage detected, instance #$i"
logger -t "DummyApp" -p user.err "ERROR - Connection timeout on request #$i"
sleep 1
done
Query Logs with KQL
Heartbeat
| where TimeGenerated > ago(5m)
| project TimeGenerated, Computer, OSType, Version
| order by TimeGenerated desc
Syslog
| where TimeGenerated > ago(30m)
| where ProcessName == "DummyApp"
| project TimeGenerated, SeverityLevel, SyslogMessage
| order by TimeGenerated desc
