The term Log Alert<\/strong> describes alerts where a log query in Log Analytics workspace<\/a> or Application Insights<\/a> is evaluated, and an alert fired if the result is true. Learn more about functionality, terminology, and types from Log alerts – Overview<\/a>.<\/p>\n\n\n\n Note<\/p>\n\n\n\n Log data from a Log Analytics workspace<\/a> can also be routed to the Azure Monitor metrics database. Metrics alerts have different behavior<\/a>, which may be more desirable depending on the data you are working with. For information on what and how you can route logs to metrics, see Metric Alert for Logs<\/a>.<\/p>\n\n\n\n Users can also finalize their analytics query in log analytics<\/a> and then push it to create an alert via ‘Set Alert’ button – then following instructions from Step 6 onwards in the above tutorial.<\/p>\n\n\n\n Log alerts in Azure Monitor are associated with resource type Note<\/p>\n\n\n\n Log alerts for Log Analytics can also be managed using legacy Log Analytics Alert API<\/a> and legacy templates of Log Analytics saved searches and alerts<\/a> as well. For more information on using the new ScheduledQueryRules API detailed here by default, see Switch to new API for Log Analytics Alerts<\/a>.<\/p>\n\n\n\n The following is the structure for Scheduled Query Rules creation<\/a> based resource template using standard log search query of number of results type log alert<\/a>, with sample data set as variables.JSONCopy<\/p>\n\n\n\n The sample json above can be saved as (say) sampleScheduledQueryRule.json for the purpose of this walk through and can be deployed using Azure Resource Manager in Azure portal<\/a>.<\/p>\n\n\n\n The following is the structure for Scheduled Query Rules creation<\/a> based resource template using cross-resource log search query<\/a> of metric measurement type log alert<\/a>, with sample data set as variables.JSONCopy<\/p>\n\n\n\n Important<\/p>\n\n\n\n When using cross-resource query in log alert, the usage of authorizedResources<\/a> is mandatory and user must have access to the list of resources stated<\/p>\n\n\n\n The sample json above can be saved as (say) sampleScheduledQueryRule.json for the purpose of this walk through and can be deployed using Azure Resource Manager in Azure portal<\/a>.<\/p>\n\n\n\n Note<\/p>\n\n\n\n This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module<\/a>. For Az module installation instructions, see Install Azure PowerShell<\/a>.<\/p>\n\n\n\n Azure Monitor – Scheduled Query Rules API<\/a> is a REST API and fully compatible with Azure Resource Manager REST API. And PowerShell cmdlets listed below are available to leverage the Scheduled Query Rules API<\/a>.<\/p>\n\n\n\n Note<\/p>\n\n\n\n ScheduledQueryRules PowerShell cmdlets can only manage rules created cmdlet itself or using Azure Monitor – Scheduled Query Rules API<\/a>. Log alert rules created using legacy Log Analytics Alert API<\/a> and legacy templates of Log Analytics saved searches and alerts<\/a> can be managed using ScheduledQueryRules PowerShell cmdlets only after user switches API preference for Log Analytics Alerts<\/a>.<\/p>\n\n\n\n Illustrated next are the steps for creation of a sample log alert rule using the scheduledQueryRules PowerShell cmdlets.PowerShellCopy<\/p>\n\n\n\n Azure Monitor – Scheduled Query Rules API<\/a> is a REST API and fully compatible with Azure Resource Manager REST API. Hence it can be used via Powershell using Resource Manager commands for Azure CLI.<\/p>\n\n\n\n Note<\/p>\n\n\n\n Log alerts for Log Analytics can also be managed using legacy Log Analytics Alert API<\/a> and legacy templates of Log Analytics saved searches and alerts<\/a> as well. For more information on using the new ScheduledQueryRules API detailed here by default, see Switch to new API for Log Analytics Alerts<\/a>.<\/p>\n\n\n\n Log alerts currently do not have dedicated CLI commands currently; but as illustrated below can be used via Azure Resource Manager CLI command for sample Resource Template shown earlier (sampleScheduledQueryRule.json) in the Resource Template section:Azure CLICopy<\/p>\n\n\n\n On successful operation, 201 will be returned to state new alert rule creation or 200 will be returned if an existing alert rule was modified.<\/p>\n\n\n\n Ref: https:\/\/docs.microsoft.com\/en-us\/azure\/azure-monitor\/platform\/alerts-log<\/a><\/p>\n","protected":false},"excerpt":{"rendered":" This article shows you how to create and manage log alerts using the alerts interface inside the Azure portal. Alert rules are defined by three components: Target: A specific Azure resource to monitor Criteria: A condition or logic to evaluate for truth. If true, the alert fires. Action: Specific call sent to a receiver of Read More<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_bbp_topic_count":0,"_bbp_reply_count":0,"_bbp_total_topic_count":0,"_bbp_total_reply_count":0,"_bbp_voice_count":0,"_bbp_anonymous_reply_count":0,"_bbp_topic_count_hidden":0,"_bbp_reply_count_hidden":0,"_bbp_forum_subforum_count":0,"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[238,239,10],"tags":[],"class_list":["post-2303","post","type-post","status-publish","format-standard","hentry","category-cloud","category-azure","category-microsoft"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts\/2303","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2303"}],"version-history":[{"count":1,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts\/2303\/revisions"}],"predecessor-version":[{"id":2304,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts\/2303\/revisions\/2304"}],"wp:attachment":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2303"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2303"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2303"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Create a log alert rule with the Azure portal<\/h3>\n\n\n\n
![\"Monitoring\"](\"https:\/\/docs.microsoft.com\/en-us\/azure\/azure-monitor\/platform\/media\/alerts-log\/alertspreviewmenu.png\")
<\/li>![\"Add](\"https:\/\/docs.microsoft.com\/en-us\/azure\/azure-monitor\/platform\/media\/alerts-log\/alertspreviewoption.png\")
<\/li>![\"Create](\"https:\/\/docs.microsoft.com\/en-us\/azure\/azure-monitor\/platform\/media\/alerts-log\/alertspreviewadd.png\")
<\/li>![\"Select](\"https:\/\/docs.microsoft.com\/en-us\/azure\/azure-monitor\/platform\/media\/alerts-log\/alert-selectresourcelog.png\")
<\/li>![\"Select](\"https:\/\/docs.microsoft.com\/en-us\/azure\/azure-monitor\/platform\/media\/alerts-log\/alertspreviewresourceselectionlog.png\")
NoteAlerts lists can import analytics query as signal type – Log (Saved Query)<\/strong>, as seen in above illustration. So users can perfect your query in Analytics and then save them for future use in alerts. For more details on using saved queries, see using log query in Azure Monitor<\/a> and shared query in Application Insights analytics<\/a>.<\/li>![\"Configure](\"https:\/\/docs.microsoft.com\/en-us\/azure\/azure-monitor\/platform\/media\/alerts-log\/alertspreviewalertlog.png\")
The historical data visualization is only shown if the query results have time details. If your query results in summarized data or specific column values, the display shows a single plot.For metric measurements using Application Insights or the Log Analytics API<\/a>, you can specify which specific variable to group the data by using the Aggregate on<\/strong> option; as shown here:![\"aggregate](\"https:\/\/docs.microsoft.com\/en-us\/azure\/azure-monitor\/platform\/media\/alerts-log\/aggregate-on.png\")
<\/li>![\"Suppress](\"https:\/\/docs.microsoft.com\/en-us\/azure\/azure-monitor\/platform\/media\/alerts-log\/alertspreviewsuppress.png\")
TipSpecify a suppress alert value greater than the frequency of alert to ensure notifications are stopped without overlap<\/li>![\"Action](\"https:\/\/docs.microsoft.com\/en-us\/azure\/azure-monitor\/platform\/media\/alerts-log\/alertspreviewoverridelog.png\")
<\/li><\/ul><\/li>![\"Rule](\"https:\/\/docs.microsoft.com\/en-us\/azure\/azure-monitor\/platform\/media\/alerts-log\/alertspreviewcreate.png\")
Within a few minutes, the alert is active and triggers as previously described.<\/li><\/ol>\n\n\n\n![\"Log](\"https:\/\/docs.microsoft.com\/en-us\/azure\/azure-monitor\/platform\/media\/alerts-log\/alertsanalyticscreate.png\")
<\/figure>\n\n\n\nView & manage log alerts in Azure portal<\/h3>\n\n\n\n
![\"](\"https:\/\/docs.microsoft.com\/en-us\/azure\/azure-monitor\/platform\/media\/alerts-log\/manage-alert-rules.png\")
<\/li><\/ol>\n\n\n\nManaging log alerts using Azure Resource Template<\/h3>\n\n\n\n
Microsoft.Insights\/scheduledQueryRules\/<\/code>. For more information on this resource type, see Azure Monitor – Scheduled Query Rules API reference<\/a>. Log alerts for Application Insights or Log Analytics, can be created using Scheduled Query Rules API<\/a>.<\/p>\n\n\n\nSample Log alert creation using Azure Resource Template<\/h3>\n\n\n\n
{\n \"$schema\": \"https:\/\/schema.management.azure.com\/schemas\/2015-01-01\/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n },\n \"variables\": {\n \"alertLocation\": \"southcentralus\",\n \"alertName\": \"samplelogalert\",\n \"alertDescription\": \"Sample log search alert\",\n \"alertStatus\": \"true\",\n \"alertSource\":{\n \"Query\":\"requests\",\n \"SourceId\": \"\/subscriptions\/a123d7efg-123c-1234-5678-a12bc3defgh4\/resourceGroups\/myRG\/providers\/microsoft.insights\/components\/sampleAIapplication\",\n \"Type\":\"ResultCount\"\n },\n \"alertSchedule\":{\n \"Frequency\": 15,\n \"Time\": 60\n },\n \"alertActions\":{\n \"SeverityLevel\": \"4\"\n },\n \"alertTrigger\":{\n \"Operator\":\"GreaterThan\",\n \"Threshold\":\"1\"\n },\n \"actionGrp\":{\n \"ActionGroup\": \"\/subscriptions\/a123d7efg-123c-1234-5678-a12bc3defgh4\/resourceGroups\/myRG\/providers\/microsoft.insights\/actiongroups\/sampleAG\",\n \"Subject\": \"Customized Email Header\",\n \"Webhook\": \"{ \\\"alertname\\\":\\\"#alertrulename\\\", \\\"IncludeSearchResults\\\":true }\"\n }\n },\n \"resources\":[ {\n \"name\":\"[variables('alertName')]\",\n \"type\":\"Microsoft.Insights\/scheduledQueryRules\",\n \"apiVersion\": \"2018-04-16\",\n \"location\": \"[variables('alertLocation')]\",\n \"properties\":{\n \"description\": \"[variables('alertDescription')]\",\n \"enabled\": \"[variables('alertStatus')]\",\n \"source\": {\n \"query\": \"[variables('alertSource').Query]\",\n \"dataSourceId\": \"[variables('alertSource').SourceId]\",\n \"queryType\":\"[variables('alertSource').Type]\"\n },\n \"schedule\":{\n \"frequencyInMinutes\": \"[variables('alertSchedule').Frequency]\",\n \"timeWindowInMinutes\": \"[variables('alertSchedule').Time]\"\n },\n \"action\":{\n \"odata.type\": \"Microsoft.WindowsAzure.Management.Monitoring.Alerts.Models.Microsoft.AppInsights.Nexus.DataContracts.Resources.ScheduledQueryRules.AlertingAction\",\n \"severity\":\"[variables('alertActions').SeverityLevel]\",\n \"aznsAction\":{\n \"actionGroup\":\"[array(variables('actionGrp').ActionGroup)]\",\n \"emailSubject\":\"[variables('actionGrp').Subject]\",\n \"customWebhookPayload\":\"[variables('actionGrp').Webhook]\"\n },\n \"trigger\":{\n \"thresholdOperator\":\"[variables('alertTrigger').Operator]\",\n \"threshold\":\"[variables('alertTrigger').Threshold]\"\n }\n }\n }\n } ]\n}\n\n<\/code><\/pre>\n\n\n\nLog alert with cross-resource query using Azure Resource Template<\/h3>\n\n\n\n
\n{\n \"$schema\": \"https:\/\/schema.management.azure.com\/schemas\/2015-01-01\/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n },\n \"variables\": {\n \"alertLocation\": \"Region Name for your Application Insights App or Log Analytics Workspace\",\n \"alertName\": \"sample log alert\",\n \"alertDescr\": \"Sample log search alert\",\n \"alertStatus\": \"true\",\n \"alertSource\":{\n \"Query\":\"union workspace(\\\"servicews\\\").Update, app('serviceapp').requests | summarize AggregatedValue = count() by bin(TimeGenerated,1h), Classification\",\n \"Resource1\": \"\/subscriptions\/a123d7efg-123c-1234-5678-a12bc3defgh4\/resourceGroups\/contosoRG\/providers\/microsoft.OperationalInsights\/workspaces\/servicews\",\n \"Resource2\": \"\/subscriptions\/a123d7efg-123c-1234-5678-a12bc3defgh4\/resourceGroups\/contosoRG\/providers\/microsoft.insights\/components\/serviceapp\",\n \"SourceId\": \"\/subscriptions\/a123d7efg-123c-1234-5678-a12bc3defgh4\/resourceGroups\/contosoRG\/providers\/microsoft.OperationalInsights\/workspaces\/servicews\",\n \"Type\":\"ResultCount\"\n },\n \"alertSchedule\":{\n \"Frequency\": 15,\n \"Time\": 60\n },\n \"alertActions\":{\n \"SeverityLevel\": \"4\",\n \"SuppressTimeinMin\": 20\n },\n \"alertTrigger\":{\n \"Operator\":\"GreaterThan\",\n \"Threshold\":\"1\"\n },\n \"metricMeasurement\": {\n \"thresholdOperator\": \"Equal\",\n \"threshold\": \"1\",\n \"metricTriggerType\": \"Consecutive\",\n \"metricColumn\": \"Classification\"\n },\n \"actionGrp\":{\n \"ActionGroup\": \"\/subscriptions\/a123d7efg-123c-1234-5678-a12bc3defgh4\/resourceGroups\/contosoRG\/providers\/microsoft.insights\/actiongroups\/sampleAG\",\n \"Subject\": \"Customized Email Header\",\n \"Webhook\": \"{ \\\"alertname\\\":\\\"#alertrulename\\\", \\\"IncludeSearchResults\\\":true }\"\n }\n },\n \"resources\":[ {\n \"name\":\"[variables('alertName')]\",\n \"type\":\"Microsoft.Insights\/scheduledQueryRules\",\n \"apiVersion\": \"2018-04-16\",\n \"location\": \"[variables('alertLocation')]\",\n \"properties\":{\n \"description\": \"[variables('alertDescr')]\",\n \"enabled\": \"[variables('alertStatus')]\",\n \"source\": {\n \"query\": \"[variables('alertSource').Query]\",\n \"authorizedResources\": \"[concat(array(variables('alertSource').Resource1), array(variables('alertSource').Resource2))]\",\n \"dataSourceId\": \"[variables('alertSource').SourceId]\",\n \"queryType\":\"[variables('alertSource').Type]\"\n },\n \"schedule\":{\n \"frequencyInMinutes\": \"[variables('alertSchedule').Frequency]\",\n \"timeWindowInMinutes\": \"[variables('alertSchedule').Time]\"\n },\n \"action\":{\n \"odata.type\": \"Microsoft.WindowsAzure.Management.Monitoring.Alerts.Models.Microsoft.AppInsights.Nexus.DataContracts.Resources.ScheduledQueryRules.AlertingAction\",\n \"severity\":\"[variables('alertActions').SeverityLevel]\",\n \"throttlingInMin\": \"[variables('alertActions').SuppressTimeinMin]\",\n \"aznsAction\":{\n \"actionGroup\": \"[array(variables('actionGrp').ActionGroup)]\",\n \"emailSubject\":\"[variables('actionGrp').Subject]\",\n \"customWebhookPayload\":\"[variables('actionGrp').Webhook]\"\n },\n \"trigger\":{\n \"thresholdOperator\":\"[variables('alertTrigger').Operator]\",\n \"threshold\":\"[variables('alertTrigger').Threshold]\",\n \"metricTrigger\":{\n \"thresholdOperator\": \"[variables('metricMeasurement').thresholdOperator]\",\n \"threshold\": \"[variables('metricMeasurement').threshold]\",\n \"metricColumn\": \"[variables('metricMeasurement').metricColumn]\",\n \"metricTriggerType\": \"[variables('metricMeasurement').metricTriggerType]\"\n }\n }\n }\n }\n } ]\n}\n\n<\/code><\/pre>\n\n\n\nManaging log alerts using PowerShell<\/h3>\n\n\n\n
$source = New-AzScheduledQueryRuleSource -Query 'Heartbeat | summarize AggregatedValue = count() by bin(TimeGenerated, 5m), _ResourceId' -DataSourceId \"\/subscriptions\/a123d7efg-123c-1234-5678-a12bc3defgh4\/resourceGroups\/contosoRG\/providers\/microsoft.OperationalInsights\/workspaces\/servicews\"\n\n$schedule = New-AzScheduledQueryRuleSchedule -FrequencyInMinutes 15 -TimeWindowInMinutes 30\n\n$metricTrigger = New-AzScheduledQueryRuleLogMetricTrigger -ThresholdOperator \"GreaterThan\" -Threshold 2 -MetricTriggerType \"Consecutive\" -MetricColumn \"_ResourceId\"\n\n$triggerCondition = New-AzScheduledQueryRuleTriggerCondition -ThresholdOperator \"LessThan\" -Threshold 5 -MetricTrigger $metricTrigger\n\n$aznsActionGroup = New-AzScheduledQueryRuleAznsActionGroup -ActionGroup \"\/subscriptions\/a123d7efg-123c-1234-5678-a12bc3defgh4\/resourceGroups\/contosoRG\/providers\/microsoft.insights\/actiongroups\/sampleAG\" -EmailSubject \"Custom email subject\" -CustomWebhookPayload \"{ `\"alert`\":`\"#alertrulename`\", `\"IncludeSearchResults`\":true }\"\n\n$alertingAction = New-AzScheduledQueryRuleAlertingAction -AznsAction $aznsActionGroup -Severity \"3\" -Trigger $triggerCondition\n\nNew-AzScheduledQueryRule -ResourceGroupName \"contosoRG\" -Location \"Region Name for your Application Insights App or Log Analytics Workspace\" -Action $alertingAction -Enabled $true -Description \"Alert description\" -Schedule $schedule -Source $source -Name \"Alert Name\"\n<\/code><\/pre>\n\n\n\nManaging log alerts using CLI or API<\/h2>\n\n\n\n
az group deployment create --resource-group contosoRG --template-file sampleScheduledQueryRule.json\n<\/code><\/pre>\n\n\n\nNext steps<\/h2>\n\n\n\n