Log Query Alert
Azure 서비스의 로그를 수집하고 있는 경우, 대상 로그에 관해 사용자 지정 쿼리를 이용하여 알람 규칙을 만드는 것이 가능하다.
예를 들어서, Virtual machine 의 로그를 수집하고 있다면 디스크의 빈 용량을 확인하는 쿼리를 사용하여 해당 값을 주기적으로 확인하고 몇 % 이하의 경우 알람을 발생시키는 것이 가능하다.
Tip. Azure Portal 에서 수동으로 Custom log search 를 지정하여 알람 규칙을 만드는 경우는 아래를 참고
Perf
| where ObjectName == "LogicalDisk"
| where CounterName == "% Free Space"
| where Computer == "AZRWIN-1"
| where InstanceName == "C:"
| summarize arg_max(TimeGenerated, *) by InstanceName
| project CounterValue
관련 포스트
준비 하기
https://github.com/jcy9033/azure-cli/tree/master/azureMonitor/logQueryAlert
참고용 Azure CLI 명령어 소개
Microsoft Learn az monitor scheduled-query link
az monitor scheduled-query create --condition
--name
--resource-group
--scopes
[--action-groups]
[--auto-mitigate {false, true}]
[--check-ws-alerts-storage {false, true}]
[--condition-query]
[--custom-properties]
[--description]
[--disabled {false, true}]
[--evaluation-frequency]
[--location]
[--mad]
[--severity]
[--skip-query-validation {false, true}]
[--tags]
[--target-resource-type]
[--window-size]CSV 구성 소개
- AlertRuleName
- Subscription
- ResourceGroup
- Severity
Subscription_UserResourceGroup_User- ResourceName
- LogQuery
:Perf | where CounterName == '% Committed Bytes In Use' | where Computer == 'AZRWIN-1' | summarize arg_max(TimeGenerated, *) by InstanceName | project CounterValue
Tip. ” ” (Double quotation) 대신 ‘ ‘ (Single quotation)을 사용하지 않으면 에러가 발생하므로 주의. - Measure
: 측정값의 기준 ex) CounterValue - Aggregation
- WindowSize
- Dimensions
- Operator
- Threshold
- EvaluationFrequency
- AutoMitigate
- Location
- ActionGroupName
Script 구성 소개
CSV 파일 경로 및 가져 오기
# Please enter the file path for the CSV
$csvPath = "CSV File Path"
$csvData = Import-Csv $csvPath -Encoding UTF8Subscription 확인 하기
몇 번째 행을 처리 중인지 확인하기 위해서 Create No.$i 를 추가했다.
$i = 1
$csvData | ForEach-Object {
#----------------------------------------- Subscription check
Write-Host "----------# [Create No.$i : $(Get-Date)]"
$TargetSubscription = $_.Subscription
$ActiveSubscription = az account show --query name -o tsv
if ($ActiveSubscription -eq $TargetSubscription) {
Write-Host "[Info] Already on the target subscription: $TargetSubscription"
}
else {
az account set --subscription $TargetSubscription
Write-Host "[Info] Switched to the target subscription: $TargetSubscription"
}Action Group 값 가져 오기
#----------------------------------------- Action Group
$ActionGroupName = $_.ActionGroupName
$ActionGroupList = $ActionGroupName -split ';'
Write-Host "[Info] Action group list: $ActionGroupList"
$ActionGroups = @()
foreach ($ActionGroup in $ActionGroupList) {
$ActionGroupJson = az graph query -q "Resources | where type == 'microsoft.insights/actiongroups' and name has '$ActionGroup' | project id" | ConvertFrom-Json
if ($ActionGroupJson.data -and $ActionGroupJson.data.Count -gt 0) {
$ActionGroupId = $ActionGroupJson.data[0].id
$ActionGroups += "$ActionGroupId"
}
else {
Write-Host "[Warning] No valid action group ID found for $ActionGroup"
}
}
Write-Host "[Info] Action groups parameter: $ActionGroups"Log Query 변수에 저장하기
#----------------------------------------- Log query
$LogQuery = $_.LogQuery
Write-Host "[Info] Condition Log Query: $LogQuery"
Condition String 만들기
#----------------------------------------- Conditions
$Condition = "$($_.Aggregation) $($_.Measure) from 'LogQuery' $($_.Operator) $($_.Threshold)"
Write-Host "[Info] Scheduled query alert condition: $Condition"Resource id 값 가져오기
#----------------------------------------- Resource parameters
$ResourceName = $_.ResourceName
$Scopes = (az resource list --query "[?name=='$ResourceName'].id" --output tsv).Trim()
Write-Host "[Info] Resource scopes: $Scopes"Log Query Alert 만들기
#----------------------------------------- Create Scheduled query alert
az monitor scheduled-query create --name $_.AlertRuleName --resource-group $_.ResourceGroup --scopes $Scopes `
--severity $_.Severity `
--condition "$Condition" `
--condition-query LogQuery="$LogQuery" `
--evaluation-frequency $_.EvaluationFrequency `
--auto-mitigate $_.AutoMitigate `
--window-size $_.WindowSize `
--action-group $ActionGroups
$i++
}
Write-Host "----------# [All done: $(Get-Date)]"Script 실행 결과
PS C:\Users\cchi9\OneDrive\Vscode\azure-cli\azureMonitor\logQueryAlert> .\main.ps1
----------# [Create No.1 : 01/06/2024 14:17:17]
[Info] Already on the target subscription: Azure subscription 2
[Info] Action group list: ag-1 ag-2 ag-3
[Info] Action groups parameter: /subscriptions/611a7ed8-17fa-480a-901d-d7084803c376/resourceGroups/core-1/providers/microsoft.insights/actiongroups/ag-1 /subscriptions/611a7ed8-17fa-480a-901d-d7084803c376/resourceGroups/core-1/providers/microsoft.insights/actiongroups/ag-2 /subscriptions/611a7ed8-17fa-480a-901d-d7084803c376/resourceGroups/core-1/providers/microsoft.insights/actiongroups/ag-3
[Info] Condition Log Query: Perf | where CounterName == '% Committed Bytes In Use' | where Computer == 'AZRWIN-1' | summarize arg_max(TimeGenerated, *) by InstanceName | project CounterValue
[Info] Scheduled query alert condition: avg CounterValue from 'LogQuery' > 90
[Info] Resource scopes: /subscriptions/0b5f5005-c30c-4a28-89c1-9457d0cd5e0f/resourceGroups/system-1/providers/Microsoft.Compute/virtualMachines/AZRWIN-1
{
"actions": {
"actionGroups": [
"/subscriptions/611a7ed8-17fa-480a-901d-d7084803c376/resourceGroups/core-1/providers/microsoft.insights/actiongroups/ag-1",
"/subscriptions/611a7ed8-17fa-480a-901d-d7084803c376/resourceGroups/core-1/providers/microsoft.insights/actiongroups/ag-2",
"/subscriptions/611a7ed8-17fa-480a-901d-d7084803c376/resourceGroups/core-1/providers/microsoft.insights/actiongroups/ag-3"
],
"customProperties": {}
},
"autoMitigate": true,
"checkWorkspaceAlertsStorageConfigured": false,
"createdWithApiVersion": "2021-08-01",
"criteria": {
"allOf": [
{
"dimensions": [],
"failingPeriods": {
"minFailingPeriodsToAlert": 1,
"numberOfEvaluationPeriods": 1
},
"metricMeasureColumn": "CounterValue",
"metricName": null,
"operator": "GreaterThan",
"query": "Perf | where CounterName == '% Committed Bytes In Use' | where Computer == 'AZRWIN-1' | summarize arg_max(TimeGenerated, *) by InstanceName | project CounterValue",
"resourceIdColumn": null,
"threshold": 90.0,
"timeAggregation": "Average"
}
]
},
"description": null,
"displayName": null,
"enabled": true,
"etag": null,
"evaluationFrequency": "0:05:00",
"id": "/subscriptions/0b5f5005-c30c-4a28-89c1-9457d0cd5e0f/resourceGroups/system-1/providers/microsoft.insights/scheduledqueryrules/log1-1",
"isLegacyLogAnalyticsRule": null,
"isWorkspaceAlertsStorageConfigured": null,
"kind": null,
"location": "japaneast",
"muteActionsDuration": null,
"name": "log1-1",
"overrideQueryTimeRange": null,
"resourceGroup": "system-1",
"scopes": [
"/subscriptions/0b5f5005-c30c-4a28-89c1-9457d0cd5e0f/resourceGroups/system-1/providers/Microsoft.Compute/virtualMachines/AZRWIN-1"
],
"severity": 1,
"skipQueryValidation": false,
"systemData": {
"createdAt": "2024-01-06T05:17:23.125963+00:00",
"createdBy": "xxxxx",
"createdByType": "User",
"lastModifiedAt": "2024-01-06T05:17:23.125963+00:00",
"lastModifiedBy": "xxxxx",
"lastModifiedByType": "User"
},
"tags": null,
"targetResourceTypes": null,
"type": "Microsoft.Insights/scheduledQueryRules",
"windowSize": "0:05:00"
}
----------# [Create No.2 : 01/06/2024 14:17:29]
[Info] Already on the target subscription: Azure subscription 2
[Info] Action group list: ag-1 ag-2 ag-3
...Skip
----------# [All done: 01/06/2024 14:17:49]