While metrics tell you what is happening (CPU is high, error rate spiked), logs tell you why (the specific error message, the user who triggered it, the request that failed). Azure Monitor Logs is the platform for collecting, storing, and querying log data, and Log Analytics is the query engine that makes it actionable.
Azure Monitor Logs stores structured and semi-structured event data in a Log Analytics workspace. This data comes from:
| Aspect | Metrics | Logs |
|---|---|---|
| Data type | Numerical time-series | Structured event records |
| Volume | Low (one value per interval) | High (one record per event) |
| Cost | Free for platform metrics | Charged per GB ingested |
| Latency | Near real-time (< 1 minute) | Near real-time (seconds to minutes) |
| Retention | 93 days (standard) | Configurable (30 days to 12 years) |
| Query language | Metric filters and aggregations | Kusto Query Language (KQL) |
| Best for | Alerting, dashboards, trend analysis | Investigation, root cause analysis, compliance |
Both are complementary — use metrics for the first alert, and logs to investigate the cause.
A Log Analytics workspace is the central repository for log data. It determines:
| Setting | Description |
|---|---|
| Region | Where log data is stored (affects latency and compliance) |
| Retention | How long data is kept (30 days free, up to 12 years) |
| Pricing tier | Pay-as-you-go or commitment tier (100 GB/day to 5000 GB/day) |
| Access control | Who can query the data (workspace-level or resource-level RBAC) |
| Strategy | Description | Best For |
|---|---|---|
| Centralised | One workspace for all resources | Small to medium environments, simplified management |
| Distributed | Separate workspaces by team, environment, or region | Large enterprises, data sovereignty requirements |
| Hybrid | Central workspace with satellite workspaces for specific needs | Most organisations |
```bash
# Create a workspace with 90-day retention on the pay-as-you-go (PerGB2018) tier
az monitor log-analytics workspace create \
  --resource-group rg-monitoring \
  --workspace-name law-production \
  --location uksouth \
  --retention-time 90 \
  --sku PerGB2018
```
KQL is the query language used in Log Analytics. It is designed for exploring large datasets quickly and is used across Azure Monitor, Microsoft Sentinel, and Azure Data Explorer.
```kusto
// Get the 10 most recent errors from the AppExceptions table
AppExceptions
| where TimeGenerated > ago(24h)
| where SeverityLevel == 3
| project TimeGenerated, ProblemId, OuterMessage, AppRoleInstance
| order by TimeGenerated desc
| take 10
```
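The query above lists the latest errors. The following KQL is an added example, not from the lesson, that takes the next investigative step on the same AppExceptions table: it compares each ProblemId's error count in the last hour with its trailing seven-day hourly baseline, so a genuine spike stands out from background noise. The 3x ratio and the minimum of 10 errors are illustrative thresholds, not values from the lesson.

```kusto
// Added example (not part of the lesson): which exception types are spiking,
// on how many instances, and what does the latest message say?
// Baseline: average errors per hour per ProblemId over the previous 7 days,
// excluding the last hour so the spike does not inflate its own baseline.
let Baseline = AppExceptions
    | where TimeGenerated between (ago(7d) .. ago(1h))
    | where SeverityLevel == 3
    | summarize BaselinePerHour = count() / (7.0 * 24.0 - 1.0) by ProblemId;
// Last hour: count, distinct instances affected, and the most recent message.
// arg_max keeps the TimeGenerated and OuterMessage of the newest record.
let LastHour = AppExceptions
    | where TimeGenerated > ago(1h)
    | where SeverityLevel == 3
    | summarize LastHourCount = count(),
                AffectedInstances = dcount(AppRoleInstance),
                arg_max(TimeGenerated, OuterMessage)
      by ProblemId;
LastHour
| join kind=leftouter Baseline on ProblemId
// A ProblemId never seen in the baseline window has no row: treat it as 0/hour
| extend BaselinePerHour = coalesce(BaselinePerHour, 0.0)
| extend Ratio = iff(BaselinePerHour > 0, LastHourCount / BaselinePerHour, real(null))
// Illustrative thresholds: at least 10 errors, and either brand new or 3x baseline
| where LastHourCount >= 10 and (BaselinePerHour == 0 or Ratio >= 3)
| project ProblemId,
          LastHourCount,
          BaselineHourly = round(BaselinePerHour, 2),
          SpikeRatio = round(Ratio, 1),
          AffectedInstances,
          LatestAt = TimeGenerated,
          OuterMessage
| order by LastHourCount desc
```

Rows with a null SpikeRatio are exception types that did not occur at all in the previous seven days, which is usually the first place to look after a deployment.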