The Microsoft Azure integration for LM Logs is implemented as an Azure function that consumes logs from an Event Hub and forwards the logs to the LogicMonitor logs ingestion API.
We provide Microsoft Templates for you to configure and deploy the Azure Function, create a managed identity to access the Azure resources and logs, and forward the logs to LogicMonitor.
Click the button below to open the Microsoft template that will deploy the Azure function and create the Event Hub.
When deploying, you will need to provide the following details in the template:
az account list-locations -o table
Enable Activity Logs
If the deployment is successful and you enabled Activity Logs in your configuration, you should start seeing the forwarded logs appear on the LM Logs page. These logs will be mapped to the Azure Cloud Account you created in your LogicMonitor portal.
If you didn’t enable activity logs, then you will need to configure logs to forward to the Event Hub. We’ve provided a template for this process as well. See Forwarding Azure logs to the Event Hub.
Note: This is only required if you are forwarding logs with the template provided. Without the managed identity, you can still manually configure Azure resources to forward their logs to the Event Hub.
Click the button below to open the Microsoft Template which will create the Managed Identity with the User Administrator role.
When creating the managed identity, you will need to provide the following details in the template:
Click the button below to open the Microsoft Template where you can configure log forwarding to the Event Hub. This template forwards the diagnostic settings of selected resources.
When configuring log forwarding, you will need to provide the following details in the template:
Force Update Tag
Note: While this deployment is running, you can view the deployment logs in the script that gets created in the resource group, for example “lm-logs-<LM-Company-name>-<region-group>”.
Once the Azure Function is deployed, it listens for logs from the Event Hub. If the Event Hub isn’t receiving any logs, you will need to configure your resources and resource groups to send their logs to the Event Hub. For most Azure resources, this can be done by creating diagnostic settings.
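One way to create those diagnostic settings from the Azure CLI for every resource in a resource group. This is an added example, not part of the LogicMonitor templates; the setting name, the function and variable names, and the "allLogs" category group (which not every resource type supports) are assumptions.

```shell
#!/bin/sh
# Added example: create one diagnostic setting per resource so that its
# resource logs are forwarded to the Event Hub.
# Assumptions (not from the page): SETTING_NAME and the "allLogs" category
# group. Run `az monitor diagnostic-settings categories list --resource <id>`
# to see which categories a given resource really offers.

SETTING_NAME="lm-logs-forwarding"   # hypothetical diagnostic setting name

# Build the az command for one resource ID.
# DRY_RUN=1 (the default) prints the command; DRY_RUN=0 runs it.
forward_resource_logs() {
    resource_id=$1; eventhub_name=$2; auth_rule_id=$3
    case $resource_id in
        /subscriptions/*/providers/*) ;;
        *) echo "not a resource ID: $resource_id" >&2; return 2 ;;
    esac
    set -- az monitor diagnostic-settings create \
        --name "$SETTING_NAME" \
        --resource "$resource_id" \
        --event-hub "$eventhub_name" \
        --event-hub-rule "$auth_rule_id" \
        --logs '[{"categoryGroup":"allLogs","enabled":true}]'
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "$*"
    else
        "$@" </dev/null     # keep az from consuming the caller's stdin
    fi
}

# Apply the setting to every resource in a group. Resource types without
# diagnostic log support make az fail; those are reported and skipped.
forward_group_logs() {
    group=$1; eventhub_name=$2; auth_rule_id=$3
    az resource list --resource-group "$group" --query "[].id" -o tsv |
    while IFS= read -r id; do
        forward_resource_logs "$id" "$eventhub_name" "$auth_rule_id" ||
            echo "skipped: $id" >&2
    done
}

# Usage (placeholders):
#   forward_group_logs <resource group> <Event Hub name> <authorization rule resource ID>
```

Review the printed commands first, then rerun with DRY_RUN=0 to apply them.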
To forward system and application logs from virtual machines you will need to install and configure diagnostic extensions on the virtual machines. See the following instructions for Linux and Windows VM configurations.
Note: These steps are not necessary if you are already using an LM Collector to ingest logs from the VM.
To configure Linux VMs to forward their system and application logs:
1. Install a diagnostic extension on the VM.
2. Install the Azure CLI
3. Sign in to Azure using the Azure CLI: az login
4. Download the configuration script:
5. Run the script to create the storage account and configuration files needed by the diagnostic extension:
./configure-lad.sh <LM company name>
6. Update lad_public_settings.json to configure types of system logs and their levels (syslogEvents) and application logs (filelogs) to collect.
7. Run the following command to configure the extension:
az vm extension set --publisher Microsoft.Azure.Diagnostics --name LinuxDiagnostic --version 3.0 --resource-group <your VM's Resource Group name> --vm-name <your VM name> --protected-settings lad_protected_settings.json --settings lad_public_settings.json
(The exact command will be printed by the configure-lad.sh script.)
To configure Windows VMs to forward their system and application logs:
2. Install the Azure CLI using PowerShell:
Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I AzureCLI.msi /quiet'; rm .\AzureCLI.msi
4. Download the configuration script with the following command:
Invoke-WebRequest -Uri https://raw.githubusercontent.com/logicmonitor/lm-logs-azure/master/vm-config/configure-wad.ps1 -OutFile .\configure-wad.ps1
5. Run the configuration script to create the storage account needed by the extension and the configuration files:
.\configure-wad.ps1 -lm_company_name <LM company name>
6. Update wad_public_settings.json to configure types of event logs (Application, System, Setup, Security, and so on) and their levels (Info, Warning, Critical) to collect.
az vm extension set --publisher Microsoft.Azure.Diagnostics --name IaaSDiagnostics --version 1.18 --resource-group <your VM's Resource Group name> --vm-name <your VM name> --protected-settings wad_protected_settings.json --settings wad_public_settings.json
(The exact command was printed by the configure-wad.ps1 script.)
Follow the steps below to troubleshoot issues with your Azure logs integration.
1. Confirm that the install process provisioned all the required resources: an Event Hub, a resource group, a storage account, and an Azure Function.
2. Confirm that logs are being sent to the Event Hub.
Navigate to your Event Hub in the Azure portal and check that the incoming messages count is greater than 0.
You can also check this for specific agents or applications by looking in their Azure Logs folder. For example, if you are running a Windows VM with an IaaSDiagnostics extension, its logs will be in the following Azure Logs directory (with version and wadid specified):
3. Confirm that the Azure Function is running and forwarding logs to LogicMonitor. See Enable debug logging.
If the function app is running and receiving logs, but you are not seeing the logs in LogicMonitor, confirm that the LM_Access_Key or LM_Access_Id provided is correct.
If the function app is not being executed, but logs are sent to the Event Hub, try to run the Azure function locally and check if it receives any log messages:
4. You can use PowerShell to send a test event from the log-enabled VM. On the configured device, enter the PowerShell prompt and run the following command:
eventcreate /Id 500 /D "test error event for windows 222222" /T ERROR /L Application
After the command runs, you will see the event show up in the LM Logs page.
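The check in step 2 can also be done from the Azure CLI, and its result decides whether to look upstream or at step 3. This is an added example, not LogicMonitor's own tooling; the function names and the NAMESPACE_ID placeholder (the resource ID of the Event Hub namespace) are assumptions.

```shell
#!/bin/sh
# Added example: triage for troubleshooting steps 2 and 3.
# NAMESPACE_ID is a placeholder for the Event Hub namespace resource ID.

# Sum one numeric value per line; "None" is how `az -o tsv` prints a
# data point that has no value.
sum_totals() {
    awk '$1 != "None" && $1 != "" { s += $1 } END { printf "%d\n", s }'
}

# Total IncomingMessages received by the namespace over the last hour.
incoming_messages_total() {
    az monitor metrics list --resource "$1" \
        --metric IncomingMessages --aggregation Total \
        --interval PT1M --offset 1h \
        --query "value[0].timeseries[0].data[].total" -o tsv | sum_totals
}

# Map the message count to the next check described on this page.
next_step() {
    if [ "$1" -gt 0 ]; then
        echo "Event Hub is receiving logs: check the Azure Function and the LM_Access_Id / LM_Access_Key"
    else
        echo "Event Hub received nothing: check the diagnostic settings that forward logs to it"
    fi
}

# Usage: next_step "$(incoming_messages_total "$NAMESPACE_ID")"
```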
For logs forwarded from Microsoft Azure, you can enable Application Insights in the Function App to check whether it is receiving logs. Refer to Microsoft’s documentation about Streaming Logs.
You can configure the application logging type and level using the Azure CLI webapp log config command, for example:
az webapp log config --resource-group <Azure Function's Resource Group name> --name <Azure Function name> --application-logging true --level verbose --detailed-error-messages true
After configuring application logging, you can review the logs using the Azure CLI webapp log tail command:
az webapp log tail --resource-group <Azure Function's Resource Group name> --name <Azure Function name>
The Azure templates you ran to set up log ingestion create several resources, including the Event Hub, which sends the logs data to LM Logs.
To remove the LM Logs integration and stop the flow of data and any associated costs, follow these steps:
1. In your Azure portal, navigate to the monitored VM > Activity log > Diagnostic settings > Edit setting (for the Logs Event Hub) and click Delete.
2. Delete the Event Hub that has the name and region name you created during setup. This cuts off the flow of logs from Azure to LM Logs.
3. (Optional) You can remove all other resources, such as the Function App, Managed Identity, App Insight, and Storage account. The names of these follow the Event Hub naming convention from the template. You can remove each item individually, or if they are in a resource group you can remove the entire group.
Note: Before removing the resource group, ensure that you have not added other non-LM Logs items to the group.