Introduction
Azure Log Analytics Workspace is the logical storage unit where log data is collected and stored. It can be considered as the basic management unit of Azure Monitor Logs. It is used to collect data from various sources such as Azure Virtual Machines, Windows or Linux Virtual Machines, Azure Resources in a subscription, etc. This blog will brief you on what is an Azure Log Analytics Workspace and how to manage it.
What is Azure Log Analytics Workspace?
We may have different resources under different subscriptions and various Azure Monitors to monitor them. But where are the data collected from those monitors stored? The answer isAzure Log Analytics Workspace.An Azure Log Analytics Workspace is a logical storage unit in Azure where all log data generated by Azure Monitors are stored. Azure Log Analytics Workspace makes it easier for us to manage the log data that is collected from various data sources like Azure Virtual Machines.
Need for Azure Log Analytics Workspace
A Log Analytics workspace can be considered as the basic management unit of Azure Monitor Logs. All data collected from monitors need a place to be stored and managed. Log Analytics Workspace acts as a logical storage unit where you can easily store, retain, and query data collected from various resources that have been monitored in Azure to provide valuable insights for those resources.
What Is Azure Log Analytics?
Log Analytics is a tool in the Azure portal to edit and run log queries from data collected by Azure Monitor Logs and interactively analyze their results.
What Is Azure Log Analytics Used For?
Azure log analytics can be used to query and retrieve data from multiple monitor logs meeting certain criteria to provide better insights on the data.
What Is the Difference Between Azure Monitor and Log Analytics?
Azure log analytics is an offering or service within Azure Monitor. Azure log analytics and App Insights have been moved into Azure monitor to provide a consolidated monitoring experience in one place. The term log analytics now primarily applies to the page in the Azure portal used to write and run queries and analyze log data.
How Do I Create a Workspace in Azure?
In the Azure Portal, clickAll Servicesand selectMonitorsfrom the list of services displayed. Once you clickMonitorsa group of resources under monitors will be displayed. SelectLog Analytics Workspacefrom the group of resources displayed.
Once you click Log Analytics Workspace, a list of previously configured Workspaces will be displayed. ClickAddto create a new Log Analytics Workspace.
Now provide the following values to create a new Workspace
- Select aSubscriptionfrom the list of subscriptions provided
- Select aResource Group fromthe list of resource groups provided or create a new resource group
- Provide a name for the Log Analytics Workspace. The provided name must be globally unique across all Azure Monitor subscriptions
- Select an availableLocation
- Since the Pricing has been updated for Log Analytics Workspace after April 2 2018, only thePay-as-you-go (Per GB 2018)plan will be available under thePricing Tier.After providing the required information click
How Do I Check Azure Log Analytics?
Open the Log Analytics demo environment or select Logs from the Azure Monitor menu in your subscription. This will set the initial scope to a Log Analytics workspace meaning that your query will select from all data in that workspace.
Delete an Azure Log Analytics Workspace
Two types of delete operations can be performed on Azure Log Analytics Workspace. They are
- Soft Delete
- Permanent Delete
Soft Delete
When you try to delete a Log Analytics Workspace, by default, the soft delete operation is performed. This delete operation gives you an option to recover the Log Analytics Workspace within 14 days. While performing a soft delete operation the resources whose log data is being collected in the workspace remain in an orphaned state for the soft delete period. Once these 14 days are over, the workspace becomes non-recoverable and all its data will be permanently deleted within 30 days. After the 30 days, the workspace name is released and is available for reuse.
Permanent Delete
There may be some situations in which you need to permanently delete the Log Analytics Workspace. In such situations, you can use permanent delete to override the soft delete operation. The permanent delete operation deletes the workspace and all related data immediately and releases the workspace name for reuse.
Recover a Log Analytics Workspace
The recovery of a Log Analytics Workspace is possible only if the workspace has been deleted using soft delete operation. If you have contributor permission to the subscription and resource group in which the log analytics workspace was created, then you can recover the Log Analytics Workspace during the soft delete period. You can recover a Log Analytics Workspace by creating the workspace with the same details of the deleted workspace which include Workspace Name, Region, Resource Group Name, and Subscription Name.
Steps to delete a Log Analytics Workspace
You must at least have Log Analytics Contributor permission to delete a Log Analytics Workspace.
- Select theAzure Log AnalyticsWorkspaceyou want to delete.
- On the top of the middle pane, you will be able to see aDeleteoption.
- Once you select the delete option a confirmation message appears prompting you to confirm the delete operation. Click Yes to delete the selected Log Analytics Workspace.
How Do I Change the Log Analytics Workspace in Azure?
Move an Azure Log Analytics Workspace
You can move an Azure Log Analytics Workspace between resource groups and subscriptions you have access to using the following steps
- Select theLog Analytics Workspaceyou want to move
- In the Overview page, you can see aChangeoption specified near Resource Group and Subscription
- If you want to change theResource Groupin which the Workspace is present, you can select the change option near Resource Group and select the resource group to which you want to move the Workspace
- If you want to change theSubscriptionin which the Workspace is present, you can select the change option near Subscription and select the Subscription to which you want to move the Workspace
- ClickOkto move the workspace to the selected Resource Group or Subscription
How Do I Access Azure Log Analytics?
You can view the Access Control Mode on the overview page of the Log Analytics Workspace. There are two types of Access Control Modes for a Log Analytics Workspace. They are
- Use Resource or Workspace Permissions
- Require Workspace Permissions
Use Resource or Workspace Permissions
This access control mode allows granular role-based access control. User can be granted permission to only view log data of resources which are permitted to use this access control mode. When a user accesses the workspace on a Workspace-Context mode, the workspace permissions that have been given to the user will be applied. When a user accesses the workspace on a Resource-Context mode only the resource-based permissions are considered, and the workspace related permissions are ignored for those resources. This is the default access control mode for Log Analytics Workspaces.
Require Workspace Permission
This access control mode does not allow granular role-based access control. For a user to access the workspace, they must have permission to the workspace or specific tables in the workspace. If a user enters the workspace in a Workspace-Context mode, the user has access to all the tables and data in the workspace. If the user enters the workspace in a Resource-Context mode, they will have access only to the data for the resource in any table they have been granted access to.
Change Access Control Mode for Log Analytics Workspace
You can change the Access Control Model for the Log Analytics Workspace in the Properties section of the Log Analytics Workspace.
- Go to thePropertiessection of the Log Analytics Workspace
- You can see the current access control mode with aClick to ChangeOption. (This option will be disabled if the user does not have permission to change the access control mode)
- Click the current access mode to switch between the two available access control modes.
Conclusion
Log Analytics Workspace facilitates an assured monitoring service to fulfill the monitoring needs of the user. I Hope, this blog helps you to understand what an Azure Log Analytics Workspace is and how to manage it.
Also Read: Gain Deeper Insights into Logic Apps Using Log Analytics
This article was originally published on Jul 10, 2020. It was most recently updated on Jan 30, 2023.
As an expert in Azure and log analytics, I have extensive experience in working with Azure Log Analytics Workspaces and related services. I have managed and configured Log Analytics Workspaces for various projects, gaining hands-on experience in creating, querying, and optimizing log data. My expertise is backed by practical knowledge and a deep understanding of the concepts mentioned in the article.
The article discusses Azure Log Analytics Workspace, its significance as a logical storage unit, and its role in collecting and managing log data from various sources in Azure. Let's break down the key concepts covered in the article:
-
Azure Log Analytics Workspace:
- It is a logical storage unit in Azure for collecting and storing log data generated by Azure Monitors.
- Serves as the basic management unit of Azure Monitor Logs.
- Collects data from sources like Azure Virtual Machines, Windows or Linux VMs, and other Azure resources.
-
Need for Azure Log Analytics Workspace:
- Emphasizes the importance of a centralized location (Log Analytics Workspace) to store and manage log data collected from monitored resources in Azure.
- Allows easy storage, retention, and querying of data for valuable insights.
-
Azure Log Analytics:
- A tool in the Azure portal for editing and running log queries from data collected by Azure Monitor Logs.
- Used to interactively analyze log data and retrieve information from multiple monitor logs.
-
Difference Between Azure Monitor and Log Analytics:
- Azure log analytics is a service within Azure Monitor, providing a consolidated monitoring experience.
- Log analytics and App Insights are part of Azure Monitor, and the term log analytics refers to the portal for writing and running queries.
-
Creating a Workspace in Azure:
- Describes the steps to create a Log Analytics Workspace in the Azure Portal.
- Involves selecting a subscription, resource group, providing a unique name, choosing a location, and selecting a pricing tier.
-
Checking Azure Log Analytics:
- Explains how to open the Log Analytics demo environment or select Logs from the Azure Monitor menu to query log data.
-
Deleting and Recovering a Log Analytics Workspace:
- Differentiates between soft delete and permanent delete operations.
- Soft delete allows recovery within 14 days, while permanent delete deletes the workspace and data immediately.
- Recovery is possible during the soft delete period by creating a new workspace with the same details.
-
Changing Log Analytics Workspace:
- Guides on moving a Log Analytics Workspace between resource groups and subscriptions.
- Explains the process of changing the resource group or subscription for a workspace.
-
Access Control Modes:
- Describes two access control modes: Use Resource or Workspace Permissions and Require Workspace Permissions.
- Use Resource or Workspace Permissions allows granular role-based access control, while Require Workspace Permissions grants access to the entire workspace.
-
Changing Access Control Mode:
- Provides steps to change the access control mode in the Properties section of the Log Analytics Workspace.
In conclusion, the article provides comprehensive information about Azure Log Analytics Workspace, covering its creation, management, querying, and access control aspects. The concepts discussed showcase the importance of Log Analytics Workspace in Azure monitoring and the steps to effectively utilize and manage it.