Sending and Querying Custom Log Data to Azure Monitor Logs

Recently, for a customer engagement, we had the requirement to take log data from a third-party application and ingest it into Azure Log Analytics to make the data available in Azure Monitor. Sending Custom Log Data to Azure Monitor Logs is currently in Public Preview. This Microsoft article provides an overview of the capability.

In addition to the standard tiers of an application, you may need to monitor other resources that have telemetry that can’t be collected with the other data sources. For these resources, write this data to either Metrics or Logs using an Azure Monitor API.

The Microsoft documentation includes a PowerShell script that allows ingestion of Custom Log Data to Azure Monitor Logs. However, as part of the integration I also needed a quick way to query the Azure Monitor Logs to find the last records that were ingested, so that I knew which new events needed to be sent. This post details how I used PowerShell to query our Custom Log Data, and how to do it from Azure PaaS Services (PowerShell Azure Functions).

Configuration

There are a couple of pieces of information that are required for a script to be able to query Custom Log Data. We require:

  • Azure Tenant ID
  • Log Analytics Workspace ID
  • Azure AD Client App ID
  • Azure AD Client Secret
  • Custom Log Name

Azure Tenant ID

Your Azure Tenant ID is available via the Azure Portal.

Azure AD Enterprise Application

Using the Azure Portal, register an Azure AD Enterprise Application and grant it administrator-consented delegated Read permissions on the Log Analytics API, as shown below.

Custom Log Data to Azure AD Enterprise App Log Analytics API Permissions

Log Analytics Workspace ID

The Log Analytics Workspace ID can be located in the Overview section of the Log Analytics Workspace you want to query.

Custom Log Data to Azure Monitor Log Analytics Workspace

The Query Script

Using the artifacts above we can query and return data from Azure Monitor Logs using PowerShell.

Using the artifacts gathered above, along with the name of the Custom Log that was generated when you first ingested data into Log Analytics, update:

  • Line 1 with our Tenant ID
  • Line 2 with the AAD App ID
  • Line 3 with the AAD App Secret
  • Line 4 with our Log Analytics Workspace ID
  • Line 5 with our Custom Log Name

The script then connects and, as configured on Line 16, returns the last two rows sorted by the TimeGenerated column. You will likely need to change this to whichever column identifies the latest records for your data, or use a different KQL query to return the data you require.
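As an added example (this is not the script from the post), the same query flow in PowerShell against the Log Analytics query REST API. It assumes the app registration is used with the OAuth 2.0 client credentials flow (no signed-in user) and has been granted read access to the workspace; the environment variable names and the LogType "MyApp" are placeholders.

```powershell
# Added example, not the post's own script. Settings are read from environment
# variables (Function App application settings); the secret should come from a
# Key Vault reference rather than a literal in the script.
$TenantId     = $env:AZURE_TENANT_ID
$ClientId     = $env:AZURE_CLIENT_ID
$ClientSecret = $env:AZURE_CLIENT_SECRET
$WorkspaceId  = $env:LOG_ANALYTICS_WORKSPACE_ID
$LogType      = 'MyApp'            # placeholder; custom logs are stored as <LogType>_CL

# 1. Acquire a token for the Log Analytics query API (client credentials flow)
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -ContentType 'application/x-www-form-urlencoded' `
    -Body @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://api.loganalytics.io/.default'
    }

# 2. KQL: the two most recent rows of the custom log. Replace TimeGenerated with
#    the column that identifies "latest" for your data (e.g. an event timestamp).
$query = @"
${LogType}_CL
| sort by TimeGenerated desc
| take 2
"@

# 3. Run the query against the workspace
$result = Invoke-RestMethod -Method Post `
    -Uri "https://api.loganalytics.io/v1/workspaces/$WorkspaceId/query" `
    -Headers @{ Authorization = "Bearer $($tokenResponse.access_token)" } `
    -ContentType 'application/json' `
    -Body (@{ query = $query } | ConvertTo-Json)

# 4. The API returns tables as separate column and row arrays; rebuild the
#    PrimaryResult table as objects so each row is keyed by column name.
$table = $result.tables | Where-Object name -eq 'PrimaryResult'
$rows = foreach ($row in $table.rows) {
    $obj = [ordered]@{}
    for ($i = 0; $i -lt $table.columns.Count; $i++) {
        $obj[$table.columns[$i].name] = $row[$i]
    }
    [pscustomobject]$obj
}
$rows | Format-Table -AutoSize
```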

Notes on Ingesting Custom Log Data to Azure Monitor Logs

Here are a few notes and observations I made while ingesting data into Azure Monitor Logs.

Note: After sending logs to Azure Monitor Logs, it can take 15 minutes for them to show up in the query explorer when you are adding a NEW "Log Type". In my experience I have seen instances where the LogType (the name you give your Custom Log) appears and the data takes up to 15 minutes to ingest. I've also seen the LogType not show up for a new LogType until the data has been ingested/processed by Azure Monitor. As long as you get a 200 OK response from the REST API when sending log data to the Azure Monitor Logs service, just be patient.
When adding additional log data to an EXISTING Log Type, in my experience it takes up to 4 minutes for the new data to appear in the query results.
Keep in mind, though, that the more data you send to ingest, the longer it will take. Also adhere to the data limits detailed in the API Reference. I have seen a new Custom Log Type and its associated data take almost an hour to show up.
  • Maximum of 30 MB per post to Azure Monitor Data Collector API. This is a size limit for a single post. If the data from a single post exceeds 30 MB, you should split the data up into smaller chunks and send them concurrently.
  • Maximum of 32 KB limit for field values. If the field value is greater than 32 KB, the data will be truncated.
  • Recommended maximum number of fields for a given type is 50. This is a practical limit from a usability and search experience perspective.
  • A table in a Log Analytics workspace only supports up to 500 columns.
  • The maximum number of characters for the column name is 500.

Deleting Data from an Azure Monitor Custom Log

If you need to remove data from an Azure Monitor Custom Log, this document details the steps required. As noted in that link, there are special permissions that need to be assigned in order to purge the data.

Summary

Using PowerShell, we can ingest Custom Log Data to Azure Monitor Logs and query the data contained within our Custom Logs.