LogAnalytics Workspaces can be used for many reasons.
- Run typical Operations Management for your Infrastructure Services
- Log-Consolidation engine for an Azure Automation Account
- Log Collector for Microsoft foreign Logs (Syslog, other custom Logs
This blogpost will demonstrate how easy it is to create a Log Analytics Workspace.
Step 1 – Logon to Azure with PowerShell
|
1 2 3 4 5 6 |
# Login to your Azure Subscription, i.e. $azlogin = Import-AzureRmContext "yourcontext.json" # PS: To get a context login interactively and "Save-AzureRmContext -Path yourcontext.json "" $azlogin.context.Subscription.id $azlogin.Context.Tenant.Id |
PS: This doesnt work with non-Domain Account (aka Microsoft Accounts)
Step 2 – Define Names and Resource Groups and create the Workspace
If you look at the script below, i have set the location to „westeurope“, you may want to change that to a location of your Azure Service, i.e. „westus“. If you want to use another SKU than free, the other options are:
- PerNode
- Premium
- Standalone
- Standard
- Unlimited
|
1 2 3 4 5 6 7 8 9 10 11 |
#Define Names and Variables $RG = 'datacenterautomation' $WS = 'yourworkspace' $Loc = 'westeurope' $SKU = 'free' #Create resource group New-AzureRmResourceGroup -Name $RG -Location $Loc # Create Log Analytics Workspaces New-AzureRmOperationalInsightsWorkspace -ResourceGroupName $RG -Name $WS -Location $Loc -Sku $sku |
So now we have an empty Log Analytics Workspace, which can retrieve Logs from Agents. But whats missing are LogAnalytics Solutions, which we will add in the next step
Step 3 – Add Solutions and activate Performance Counters
If you want to manage Windows and Linux Servers later with this Log Analytics Workspace, you will want to see performance data as well. This can be achieved with the script below.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 |
New-AzureRmOperationalInsightsWindowsEventDataSource -ResourceGroupName $RG -WorkspaceName $WS -Name System -EventLogName System -CollectErrors -CollectInformation -CollectWarning $Performancecounters = [ordered]@{ LogicalDiskFS = "LogicalDisk-'% Free Space'"; LogicalDiskADsR = "LogicalDisk-'Avg. Disk sec/Read'"; LogicalDiskADsW = "LogicalDisk-'Avg. Disk sec/Write'"; LogicalDiskCDQL = "LogicalDisk-'Current Disk Queue Length'"; LogicalDiskDRs = "LogicalDisk-'Disk Reads/sec'"; LogicalDiskDTs = "LogicalDisk-'Disk Transfers/sec'"; LogicalDiskDWt = "LogicalDisk-'Disk Writes/sec'"; LogicalDiskDFreeMB = "LogicalDisk-'Free Megabytes'"; MemoryCBiU = "Memory-'% Committed Bytes In Use'"; MemoryAbytes = "Memory-'Available MBytes'"; NetworkAdapterBR = "'Network Adapter'-'Bytes Received/sec'"; NetworkAdapterBs = "'Network Adapter'-'Bytes Sent/sec'"; NetworkInterfaceBTs = "'Network Interface'-'Bytes Total/sec'"; ProcessorPT = "'Processor'-'% Processor Time'"; SystemPWL = "'System'-'Processor Queue Length'"; } $Performancecounters.Keys |foreach-object { $Name = $_ $ObjectName = $Performancecounters[$_].split('-')[0] $CounterName = $Performancecounters[$_].split('-')[1] New-AzureRmOperationalInsightsWindowsPerformanceCounterDataSource ` -ResourceGroupName $RG -WorkspaceName $WS ` -Name $Name -Objectname $objectName -CounterName $Countername } |
Step 4 – Activate Solutions
The real fun with LogAnalytics starts with Solutions. They analyze data and form it to useful information. The script below shows some samples, which you can extend to your needs.
|
1 2 3 4 5 6 7 8 9 10 11 12 |
# Add Solutions as needed (to get some type "Get-AzureRmOperationalInsightsIntelligencePacks -ResourceGroupName $RG -WorkspaceName $ws") $solutions = 'ServiceMap','WireData2','ChangeTracking' foreach ($solution in $solutions) {Set-AzureRmOperationalInsightsIntelligencePack ` -ResourceGroupName $RG ` -WorkspaceName $WS ` -IntelligencePackName $solution ` -Enabled $true} # See which ones are still deactivated. Get-AzureRmOperationalInsightsIntelligencePacks -ResourceGroupName $RG -WorkspaceName $ws |where-object enabled -like 'false' |
So now that we have our Loganalytics Workspace setup, it will also appear in the Azure Portal, and you can start managing it.
With best regards/Roman