Verifying Logs in Log Analytics Workspace

Overview:

The following section goes over how to validate that logs are being pushed to Azure Monitor.

1. Verify that the tables in the list below are present in the workspace. You can search for the names as shown in the snapshot.

Event - Sysmon and AMA Windows Audit Logs created from DCR
AzureActivityLogs - Audit Logs with Azure
AzureNetworkAnalytics_CL - Custom Table from NSG Flow Logs
AzureNetworkAnalyticsIPDetails_CL - Custom Table with IP Insights for NSGs
SignInLogs - Sign Ins for Azure
StorageBlobLogs - Storage Account Blob Logs
AzureDiagnostics - Key Vault and other resources
Perf - AMA Performance Logs for VM
NTANetAnalytics - VNET Flow Logs
NTAIpDetails - IP Details from VNet Flow Logs
DNSQueryLogs - DNS Query Logs

2. Use the following searches for each log type to confirm that logs are being ingested.
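One way to check every table from step 1 in a single pass, as an added example that is not part of the original page: the KQL below reports the record count and the newest record per table, and lists tables that returned nothing. The table names are copied from the list above, and the 24-hour lookback is an assumption.

```kusto
// Added example, not from the original page.
// Table names are copied from the list in step 1; adjust them if your workspace differs.
let lookback = 24h;   // assumption: every source reports at least once a day
let expected = datatable(TableName:string) [
    "Event", "AzureActivityLogs", "AzureNetworkAnalytics_CL",
    "AzureNetworkAnalyticsIPDetails_CL", "SignInLogs", "StorageBlobLogs",
    "AzureDiagnostics", "Perf", "NTANetAnalytics", "NTAIpDetails", "DNSQueryLogs"
];
// isfuzzy=true keeps the query running when a listed table does not exist yet;
// withsource records which table each row came from.
let observed = union withsource=TableName isfuzzy=true
        Event, AzureActivityLogs, AzureNetworkAnalytics_CL,
        AzureNetworkAnalyticsIPDetails_CL, SignInLogs, StorageBlobLogs,
        AzureDiagnostics, Perf, NTANetAnalytics, NTAIpDetails, DNSQueryLogs
    | where TimeGenerated > ago(lookback)
    | summarize Records = count(), LastRecord = max(TimeGenerated) by TableName;
// The left outer join keeps tables with no rows (or that do not resolve) in the
// output, so a missing source shows up as a gap instead of disappearing.
expected
| join kind=leftouter observed on TableName
| project TableName, Records = coalesce(Records, 0), LastRecord
| extend Status = iff(Records > 0, "receiving", "no data in lookback")
| order by Records asc, TableName asc
```

Rows with the status "no data in lookback" are the ones to investigate: either the table name does not resolve in the workspace or the source has stopped sending.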
