Azure Monitor Event Log Workbook

Every Windows admin knows “check the logs” right? RIGHT? No one actually likes looking at each servers individual Event Log. At least I never did, even remotely its difficult, and switching context between log sources is a pain as well. Well Log Analytics can collect those event logs. And because Log Analytics can collect those logs that means we can do all kinds of fun stuff with them. In this instance I’ve built a Workbook in Azure Monitor to search any Event Log from any computer with any event level. All in one place. This will work with any Windows server that you have the Log Analytics agent installed on. Whether those servers are in Azure, on-prem or another cloud. No, you don’t need to use Azure ARC either.

Choose your Event Logs

In Log Analytics under Advanced Settings -> Data -> Windows Event Logs you can choose your Event Logs. Azure Monitor Event Log Workbook

 

Parameters

This Workbook is entirely parameter based. This makes the workbook completely dynamic.  I went over many of the types of parameters you can make in my Azure Advent Calendar video. One I didn’t show was that you can create parameters directly from Log Analytics data.

The first parameters, Subscriptions, TimeRange, Workspace are used in all the parameters and widgets.

Azure Monitor Event Log Workbook

The next set of parameters are all for controlling what data is visualized from your event logs. These are also entirely dynamic. For instance if only one Source type is collected that’s the only Event Source that will be visible in the parameter. Additionally Event Source is used in the Event Log parameter.

 

First we can set our Computer to Any, All, or select one machine. If you select one machine to use, the available Event Logs will be limited to that one computers logs.

Azure Monitor Event Log Workbook

For our Event Source you can see the Computer is a parameter in the query itself.

Azure Monitor Event Log Workbook

 

Next we have EventLog, which as you can see from the query, relies on EventSource. So EventSource needs to be set before you can set EventLog.

Azure Monitor Event Log Workbook

Similarly, EventLevelName relies on EventLog, this will get all Event Levels in the event logs.

Azure Monitor Event Log Workbook

 

 

 

The Event Log Workbook

After our Parameters we have some dynamic text and tiles. Depending on what event level and event logs you select the text will change to show the event level you selected and the total count of event logs you’ve selected.

 

After that we have tiles sorted by Event Level type, with color coding thresholds, counts and a trend line.

Azure Monitor Event Log Workbook

The next widget is a grid view grouped by Event Log, with counts for servers and a trend line per server.

 

Azure Monitor Event Log Workbook

You can expand and collapse the event log types.

Azure Monitor Event Log Workbook

Finally we have a view of the logs by time generated.

Azure Monitor Event Log Workbook

You can click on “View Details” to open the side blade and see all fields available for that specific log.

Azure Monitor Event Log Workbook

Github repo with the templates. https://github.com/scautomation/Event-Log-Workbook

Azure Monitor Event Log Workbook  in Action

Leave a Comment