Creating Custom Azure Log Analytics Logs

Azure Log Analytics can monitor many technologies through the solutions you can add to the service. However, what if you want to log something that isn’t available as a solution? Azure Log Analytics includes a REST API that you can post logs to. Posting to the REST API creates custom Azure Log Analytics logs. When you create a custom log, Log Analytics appends _CL to its name.

Multiple Ways to Post to the REST API

First, you’ll need your Azure Log Analytics Workspace ID and Primary key. Once you have those, you can use them from any language you know that can call a REST API.

These examples provided by Microsoft include PowerShell, C#, and Python code that can post to Azure Log Analytics.

I have copied the PowerShell example below.

# Create the function to create the authorization signature
Function Build-Signature ($customerId, $sharedKey, $date, $contentLength, $method, $contentType, $resource)
{
    # String to sign: method, body length in bytes, content type, x-ms-date header, resource
    $xHeaders = "x-ms-date:" + $date
    $stringToHash = $method + "`n" + $contentLength + "`n" + $contentType + "`n" + $xHeaders + "`n" + $resource

    $bytesToHash = [Text.Encoding]::UTF8.GetBytes($stringToHash)
    $keyBytes = [Convert]::FromBase64String($sharedKey)

    # HMAC-SHA256 over the string to sign, keyed with the decoded workspace key
    $sha256 = New-Object System.Security.Cryptography.HMACSHA256
    $sha256.Key = $keyBytes
    $calculatedHash = $sha256.ComputeHash($bytesToHash)
    $encodedHash = [Convert]::ToBase64String($calculatedHash)
    $authorization = 'SharedKey {0}:{1}' -f $customerId,$encodedHash
    return $authorization
}

# Create the function to create and post the request
Function Post-LogAnalyticsData($customerId, $sharedKey, $body, $logType)
{
    $method = "POST"
    $contentType = "application/json"
    $resource = "/api/logs"
    $rfc1123date = [DateTime]::UtcNow.ToString("r")
    # $body is passed in as a UTF-8 byte array, so this is the byte length
    $contentLength = $body.Length
    $signature = Build-Signature `
        -customerId $customerId `
        -sharedKey $sharedKey `
        -date $rfc1123date `
        -contentLength $contentLength `
        -method $method `
        -contentType $contentType `
        -resource $resource
    $uri = "https://" + $customerId + ".ods.opinsights.azure.com" + $resource + "?api-version=2016-04-01"

    $headers = @{
        "Authorization" = $signature;
        "Log-Type" = $logType;
        "x-ms-date" = $rfc1123date;
        "time-generated-field" = $TimeStampField;
    }

    $response = Invoke-WebRequest -Uri $uri -Method $method -ContentType $contentType -Headers $headers -Body $body -UseBasicParsing
    return $response.StatusCode
}

# Submit the data to the API endpoint
Post-LogAnalyticsData -customerId $customerId -sharedKey $sharedKey -body ([System.Text.Encoding]::UTF8.GetBytes($weather)) -logType $logType

You’ll also need this bit of code, which is where you enter your Workspace ID and Shared Key.

# Replace with your Workspace ID
$CustomerId = "workspace ID"
# Replace with your Primary Key
$SharedKey = "primary key"

# Specify the name of the record type that you'll be creating
$LogType = "log name"

# Specify a field with the created time for the records
$TimeStampField = get-date
$TimeStampField = $TimeStampField.GetDateTimeFormats(115)
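
The same signed request built in Python, as an added example that is not part of the original post or of Microsoft's samples. It goes one step past the PowerShell above by checking the signature locally and showing why the signed length has to be the UTF-8 byte length of the body. The workspace ID, key, records and the `signature_matches` helper are constructed for illustration.

```python
import base64, hashlib, hmac, json
from email.utils import formatdate

RESOURCE = "/api/logs"
CONTENT_TYPE = "application/json"

def build_signature(workspace_id, shared_key, date, content_length):
    """Same string-to-sign as Build-Signature in the PowerShell above."""
    string_to_hash = f"POST\n{content_length}\n{CONTENT_TYPE}\nx-ms-date:{date}\n{RESOURCE}"
    digest = hmac.new(base64.b64decode(shared_key),
                      string_to_hash.encode("utf-8"), hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode('ascii')}"

def build_request(workspace_id, shared_key, records, log_type, time_field="", date=None):
    """Return (uri, headers, body) ready to hand to any HTTP client."""
    # Encode once; the signed length must be the BYTE length of what is sent.
    body = json.dumps(records, ensure_ascii=False).encode("utf-8")
    date = date or formatdate(usegmt=True)  # RFC 1123 date in GMT
    headers = {
        "Authorization": build_signature(workspace_id, shared_key, date, len(body)),
        "Content-Type": CONTENT_TYPE,
        "Log-Type": log_type,
        "x-ms-date": date,
        # Name of the record field holding the event time (empty = ingestion time).
        "time-generated-field": time_field,
    }
    uri = f"https://{workspace_id}.ods.opinsights.azure.com{RESOURCE}?api-version=2016-04-01"
    return uri, headers, body

def signature_matches(headers, body, workspace_id, shared_key):
    """Local stand-in for the receiver: recompute over the bytes actually received."""
    expected = build_signature(workspace_id, shared_key, headers["x-ms-date"], len(body))
    return hmac.compare_digest(expected, headers["Authorization"])

# Constructed sample values. In real use, read the key from a secret store or an
# environment variable rather than pasting it into the script.
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
SHARED_KEY = base64.b64encode(b"constructed demo key, not a real one").decode("ascii")
RECORDS = [{"City": "Montréal", "TempC": -3.5, "ObservedAt": "2018-01-15T12:00:00Z"}]

if __name__ == "__main__":
    uri, headers, body = build_request(WORKSPACE_ID, SHARED_KEY, RECORDS,
                                       "Current_Conditions", "ObservedAt")
    print(uri)
    print(len(body), "bytes signed;", len(body.decode("utf-8")), "characters")
    print("signature verifies:", signature_matches(headers, body, WORKSPACE_ID, SHARED_KEY))
```

Signing the character count instead of the byte count produces a different signature as soon as a record contains a non-ASCII character such as the "é" in the sample.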

There is one additional way in PowerShell to post to the API: the OMSIngestionAPI module on the PowerShell Gallery. You can install it from PowerShell 5.0 with the following command.

Install-Module -Name OMSIngestionAPI

You’ll still need the Workspace ID and Shared Key, but running a single cmdlet is a little more graceful than copying that function to every script you want to use to post to Azure Log Analytics.

Send-OMSAPIIngestionFile -customerId $customerId -sharedKey $SharedKey -body $json -logType $LogType -TimeStampField $TimeStampField

And here is how you can search for your new custom log.

Where “Current_Conditions_CL” is our custom log, this simple query will return all uploaded logs. Note, in my experience, it takes about 30 minutes before the logs start to show up upon initial creation. After that they are there within minutes.


There are multiple ways to send custom Azure Log Analytics logs. What kind of logs will you create?