Administrators have asked for more detail about an Azure resource whenever a specific situation occurs, such as high inbound network traffic or high CPU usage. The default Azure log alert only reports very basic information based on the condition you set; to get more, something else has to be set up. This article shows how to achieve this through the Azure log alert webhook.
- Connect Azure VMs to Log Analytics Workspace: The target resource must be connected to an Azure Log Analytics workspace so that the information we need can be queried.
- Query in Azure Logs: In this case, we look for received bytes above a certain amount in the past 5 minutes (the filter below follows the table you query):
| where TimeGenerated > ago(5m)
| where BytesReceived > <certain amount>
| where Computer == "<computer name>"
- Create an Azure Logic App and an Activity Log Alert/Service Health Alert/Metric Alert that integrates with it
Please ensure the trigger and actions are set up as below.
The 1st trigger: When a HTTP request is received. This generates the webhook URI that the Azure log alert integrates with.
The 2nd action: Azure Monitor Logs. Run the same query as in “Query in Azure Logs”, since you only need the result you are looking for and can ignore the rest.
The 3rd action: Office 365 → Send an Email v2. This sends the queried result to a given mail account, so administrators have visibility of what was found.
- Custom Triggering JSON Payload: This is used in “The 1st trigger”. Essentially, it is the content that triggers the whole webhook flow.
Azure Logic App Detailed Setup
The 1st trigger
In “When a HTTP request is received”, enter the Azure log alert name (the part underlined in green) in the custom JSON payload, and enter the HTTP POST URL in the Azure log alert webhook action (the part underlined in pink).
1. Browse to the VM you have set up for the Azure log alert and go to “Alerts” → “Manage alert rules” to get the Azure log alert name.
2. Put the part circled in pink into the custom JSON payload.
3. Browse to the VM you have set up for the Azure log alert and go to “Alerts” → “Manage actions” to modify the actions in the action group.
4. Put the URL of “When a HTTP request is received” into the highlighted part below.
The 2nd Action
Make sure you have the correct Resource Group Name and Resource Name for the Azure Log Analytics workspace and put them in the highlighted cells below. Both values can be read from the Log Analytics workspace overview; enter the parts circled in green into the cells. The Kusto query should be the same as the one in the prerequisites section.
The 3rd Action
If the query is set up correctly, all the required columns should appear in this action. In my test I wanted four fields: TimeGenerated, Computer (hostname), SourceIp (host IP) and BytesReceived, the last being the condition itself.
If all goes well, whenever BytesReceived exceeds the threshold (which you set yourself), the Azure log alert fires; because a webhook is attached to it, the webhook action calls the Azure Logic App you set up. Depending on how you configured notifications, you will get at least one notification from the Azure log alert and an email from the Azure Logic App. The email content looks similar to the one below.
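As an added example (not the article's own code), here is how the pieces fit together in Python: a check on the webhook body that the 1st trigger receives, then the filter of the 2nd action and the email rendering of the 3rd action over constructed rows. The `alertname` field, the alert rule name, the threshold and the computer name are assumed placeholders, since the article only shows those values in screenshots.

```python
import json
from datetime import datetime, timedelta, timezone

# Assumed: the custom JSON payload on the log alert's webhook action carries the
# alert rule name under "alertname"; the values below are placeholders.
EXPECTED_ALERT_NAME = "vm-high-inbound-bytes"   # placeholder alert rule name
THRESHOLD_BYTES = 50_000_000                     # placeholder for <certain amount>
TARGET_COMPUTER = "vm-web-01"                    # placeholder for <computer name>

def parse_webhook(body: str) -> dict:
    """Parse the POST body the 'When a HTTP request is received' trigger gets and
    refuse anything that is not the alert this Logic App was built for."""
    payload = json.loads(body)
    name = payload.get("alertname")
    if name != EXPECTED_ALERT_NAME:
        raise ValueError(f"unexpected alert name: {name!r}")
    return payload

def select_rows(rows: list, now: datetime) -> list:
    """Same filter as the Kusto query in the prerequisites: TimeGenerated within
    the last 5 minutes, BytesReceived above the threshold, one computer."""
    cutoff = now - timedelta(minutes=5)
    return [r for r in rows
            if r["TimeGenerated"] > cutoff
            and r["BytesReceived"] > THRESHOLD_BYTES
            and r["Computer"] == TARGET_COMPUTER]

def email_body(rows: list) -> str:
    """Render the four columns the 3rd action mails out, one line per row."""
    lines = ["TimeGenerated | Computer | SourceIp | BytesReceived"]
    for r in rows:
        lines.append(f"{r['TimeGenerated'].isoformat()} | {r['Computer']} | "
                     f"{r['SourceIp']} | {r['BytesReceived']}")
    return "\n".join(lines)

# Constructed sample data: one webhook body and three query result rows.
SAMPLE_BODY = json.dumps({"alertname": EXPECTED_ALERT_NAME})
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_ROWS = [
    {"TimeGenerated": NOW - timedelta(minutes=1), "Computer": "vm-web-01",
     "SourceIp": "10.0.0.5", "BytesReceived": 80_000_000},
    {"TimeGenerated": NOW - timedelta(minutes=2), "Computer": "vm-web-01",
     "SourceIp": "10.0.0.9", "BytesReceived": 1_000},        # below threshold
    {"TimeGenerated": NOW - timedelta(minutes=30), "Computer": "vm-web-01",
     "SourceIp": "10.0.0.7", "BytesReceived": 90_000_000},   # outside 5m window
]

if __name__ == "__main__":
    parse_webhook(SAMPLE_BODY)
    print(email_body(select_rows(SAMPLE_ROWS, NOW)))
```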
That’s it! You now have Azure log alerts set up, triggering an Azure Logic App through a webhook to send out additional information. Note that many other actions can be run from an Azure Logic App; you just need to work them out. Happy learning!