Latest Discussions
Effective Cloud Governance: Leveraging Azure Activity Logs with Power BI
We all generally accept that governance in the cloud is a continuous journey, not a destination. There's no one-size-fits-all solution, and depending on the size of your Azure cloud estate, staying on top of things can be challenging even at the best of times.

One way of keeping your finger on the pulse is to closely monitor your Azure Activity Log. This log contains a wealth of information ranging from noise to interesting to actionable data. One could set up alerts for delete and update signals; however, that can result in a flood of notifications. To address this challenge, you could develop a Power BI report, similar to this one, that pulls in the Azure Activity Log and allows you to group and summarize data by various dimensions. You still need someone to review the report regularly; however, consuming the data this way makes it a whole lot easier. This by no means replaces the need for setting up alerts for key signals; however, it does give you a great view of what's happened in your environment.

If you're interested, this is the KQL query I'm using in Power BI:

    // Look back over the last 24 hours
    let start_time = ago(24h);
    let end_time = now();
    AzureActivity
    | where TimeGenerated > start_time and TimeGenerated < end_time
    // Keep only write and delete operations
    | where OperationNameValue contains 'WRITE' or OperationNameValue contains 'DELETE'
    | project TimeGenerated, Properties_d.resource, ResourceGroup, OperationNameValue, Authorization_d.scope, Authorization_d.action, Caller, CallerIpAddress, ActivityStatusValue
    | order by TimeGenerated asc

Adeelaziz | Jan 17, 2025 | Brass Contributor | 34 Views | 0 likes | 0 Comments

MetricsQueryClient returning different results based on timespan
I'm using the Python MetricsQueryClient to list out how many tokens were used on certain days via the APIM policy "azure-openai-emit-token-metric". The problem is that when I call the query_resource() function with "timespan" set for the entire month of October, I get different results for token count usage for today's date than when I set the "timespan" to just the last 48 hours.

For example, when setting the timespan to be from 10/20/2024 to 10/22/2024, I see 34 prompt tokens for today's date. But if I set the timespan to be 10/1/24 to 11/1/24, I see 0 prompt tokens for today's date.

Is this a known issue? Is it documented somewhere?

BenjaminN700 | Oct 21, 2024 | Copper Contributor | 80 Views | 0 likes | 0 Comments

Azure Monitoring Agent Extension - no update
Hello,

I am using Azure Arc along with the AzureMonitorLinuxAgent and AzureMonitorWindowsAgent extensions. However, I've encountered multiple instances where the version listed in the changelog for the Azure Monitor Agent extension (Azure Monitor Agent extension versions - Azure Monitor | Microsoft Learn) is newer than the version I can see in the portal. Also with Azure CLI or PowerShell, the newest version is missing; I only see the previous one.

Has anyone else experienced this issue? Last time they had to redeploy something in westeurope, but I guess this is no coincidence.

Thanks if somebody can share their experience or can help...

C02_PS | Aug 12, 2024 | Copper Contributor | 333 Views | 0 likes | 0 Comments

What do sign-in logs to Azure AD Identity Governance - Entitlement Management tell me
BLUF: I'm seeing a few user accounts (members and guests) that are showing up in sign-in activity to Azure AD Identity Governance - Entitlement Management, but most other user accounts (members and guests) do not show up with sign-ins against that app. Why would I be seeing sign-in logs for that, and what exactly am I seeing?

We have about 50 internal users (members) and 500 external users (guests). Out of those typical sign-ins, I mostly see them within the apps that they are utilizing; however, there are a few user accounts (members and guests) where I'm seeing sign-in logs specifically to the application name = Azure AD Identity Governance - Entitlement Management.

We do have 100+ apps for which we have set up access packages for external users, but I haven't seen any other sign-in activity to apps that they haven't been given permission to access. This seemed to have started around the first of June 2024.

I'm just curious as to what I'm actually seeing when I see a user sign-in log showing up for Application = Azure AD Identity Governance - Entitlement Management.

J_SHD_4 | Jul 09, 2024 | Copper Contributor | 241 Views | 0 likes | 0 Comments

"gettype()" function in KQL - "double" result

"double" is supposedly not a datatype in Kusto (Copilot says it is a synonym for "real"), but the gettype function will return it as a value...

    gettype(123.45) -> "real"
    gettype(cm.total) -> "double"

(where cm was a container of measurements used to contain a number of C# double values)

MS should either return "real" or mention "real" in the gettype documentation so programmers writing switch statements will realize that "double" is a possible value that should be handled.

Jens_Fiederer | Apr 19, 2024 | Copper Contributor | 223 Views | 0 likes | 0 Comments

How to correctly measure Bytes Received/sec & Bytes Sent/sec
I would like to correctly measure, through Log Analytics and then in Grafana, the network traffic generated for one or more VMs. For test VMs I have enabled a data collection rule and enabled collecting data every 60s for the Network Interface counters "Bytes Received/sec" and "Bytes Sent/sec". Inside metric is also enabled.

The queries that I use in Log Analytics are:

    Perf
    | where TimeGenerated between (datetime(2024-03-19) .. datetime(2024-03-20))
    | where Computer == "***********"
    | where ObjectName == "Network Interface" and CounterName == "Bytes Received/sec" and InstanceName == "Microsoft Hyper-V Network Adapter _2"
    | summarize BytsSent = sum(CounterValue)/1073741824 by bin(TimeGenerated, 24h), CounterName

    InsightsMetrics
    | where TimeGenerated between (datetime(2024-03-19) .. datetime(2024-03-20))
    | where Origin == "vm.azm.ms"
    | where Namespace == "Network" and Name == "ReadBytesPerSecond"
    | where Computer == "******"
    | extend NetworkInterface=tostring(todynamic(Tags)["vm.azm.ms/networkDeviceId"])
    | summarize AggregatedValue = sum(Val) by bin(TimeGenerated, 1d), Computer, _ResourceId, NetworkInterface

The result for Perf is 0,32339 GB/day and for InsightsMetrics is 14.7931 GB/day. If I go to the network interface and select metric data for the network interface, the data that I get returned from the query in Log Analytics for Metric is the same/correct.

I have now shortened the sample period of the data collection rule to 15s; I hope that this will give more accurate results. Am I doing something wrong, or am I collecting data the wrong way? I don't want to activate inside metric for every VM; I want to activate any data that I'm interested in.

BlatniBPMCP | Mar 25, 2024 | Copper Contributor | 324 Views | 0 likes | 0 Comments

Data Collection Rule : XPath queries to filter 7036 without WMI etc
Hi,

In PowerShell on the server I'm trying to filter out some events from Event ID 7036 (Service Control Manager start/stop services). I'm trying to filter out WMI Performance Adapter, so I don't want to have those events imported into the Log Analytics workspace with a data collection rule. Can you help me with what I'm doing wrong?

    $XPath = 'System!*[System[(EventID="7036")]] and [EventData[Data[@Name="param1"]!="WMI Performance Adapter"]]'

    Get-WinEvent -FilterXPath $XPath

    Get-WinEvent : Could not retrieve information about the Security log. Error: Attempted to perform an unauthorized operation..
    At line:3 char:1
    + Get-WinEvent -FilterXPath $XPath
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo : NotSpecified: (:) [Get-WinEvent], Exception
        + FullyQualifiedErrorId : LogInfoUnavailable,Microsoft.PowerShell.Commands.GetWinEventCommand

    Get-WinEvent : No events were found that match the specified selection criteria.
    At line:3 char:1
    + Get-WinEvent -FilterXPath $XPath
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo : ObjectNotFound: (:) [Get-WinEvent], Exception
        + FullyQualifiedErrorId : NoMatchingEventsFound,Microsoft.PowerShell.Commands.GetWinEventCommand

    $XPath = 'System!*[System[(EventID="7036")]] and [EventData[Data[@Name="param1"]!="WMI Performance Adapter"]]'
    Get-WinEvent -LogName 'System' -FilterXPath $XPath

    Get-WinEvent : The specified query is invalid
    At line:2 char:1
    + Get-WinEvent -LogName 'System' -FilterXPath $XPath
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo : NotSpecified: (:) [Get-WinEvent], EventLogException
        + FullyQualifiedErrorId : System.Diagnostics.Eventing.Reader.EventLogException,Microsoft.PowerShell.Commands.GetWinEventCommand

Mali_Stane | Feb 23, 2024 | Copper Contributor | 393 Views | 0 likes | 0 Comments

KQL Query to summarize session counts over time
Hello folks,

I'm trying to find a "good" way to achieve what I think is a simple task but cannot think of a simple solution.

I have logs with session information, one entry per session:

    StartTime(datetime), EndTime(datetime), Duration(in seconds), Computer(string)

I want to count how many sessions are active for each 5 minute interval and graph that. Keep in mind, the sessions will overlap. I included a graphic of what I'm trying to do. With the result below

Which should return:

    Time + 5, 1
    Time + 10, 3
    Time + 15, 3
    Time + 20, 2

Joe_Lane | Dec 20, 2023 | Copper Contributor | 307 Views | 0 likes | 0 Comments

Consumer REST API for Azure Event Hub
Hello,

We have an existing setup where we use Kafka, and we have a Kafka client written in Java that talks to the Kafka server. We have a Java producer that sends data to the consumer for a topic and a Java consumer that subscribes to this topic and gets data from Kafka.

We are now trying to offer similar support for Azure Event Hub too. From the documentation and examples, I can see that we can add similar code in Java: basically a Java producer and consumer that talk to the Azure Event Hub server.

We are now trying to do the same with the REST API. I see that we have an API to send data to an Azure Event Hub server, but I don't see any field in that to include the topic. In addition, is there an API to consume data for a particular topic or subscribe to a particular topic? (Since the documentation mentions nothing about a consumer API, I am assuming there is no support for a consumer REST API in Azure Event Hub, but I wanted to confirm. Logically also, using a REST API for this kind of system, where producer and consumer behave in async fashion, is not a good idea.)

Please let me know.

Thanks,
Omengineer1130 | Nov 25, 2023 | Copper Contributor | 499 Views | 0 likes | 0 Comments