Azure Log Alert Webhook with Azure Logic App

Administrators often want more detail about an Azure resource when a specific situation occurs, such as high inbound network traffic or high CPU usage. A default Azure Log Alert, however, only reports the basic information implied by the condition it was configured with. Getting more requires something else to be set up. This article shows how to do that with the Azure log alert webhook action and an Azure Logic App.

Step-by-Step Guidance

VMConnection
| where TimeGenerated > ago(5m)
| where BytesReceived > <certain amount>
| where Computer == "<computer name>"

Set up the Logic App with the trigger and actions listed below.

The 1st Trigger: When a HTTP request is received. This generates the HTTP POST URL that the Azure log alert webhook action will call. Treat that URL as a secret: it carries the SAS signature that authorizes calls to the trigger, so anyone who obtains it can fire the Logic App.

The 2nd Action: Azure Monitor Logs. Run the same query you used in the prerequisites section ("Query in Azure Logs"), trimmed to the columns you actually want in the notification and nothing else. Note that this action re-runs the query when the Logic App fires, not when the alert was evaluated, so keep the time window wide enough that the rows which triggered the alert are still inside it.

The 3rd Action: Office 365 → Send an Email v2. This mails the query result to a chosen mailbox so administrators receive the extra detail directly.

{
"alertname":"#alertrulename",
"IncludeSearchResults":true
}

Azure Logic App Detailed Setup

The 1st trigger

Two values connect the trigger to the alert rule: the alert rule name, which goes into the custom JSON payload of the alert's webhook action (the part underlined in green), and the HTTP POST URL generated by "When a HTTP request is received", which goes into the URI field of that webhook action (the part underlined in pink).

Expected completion

2. Paste the part circled in pink into the custom JSON payload.

3. Browse to the VM the log alert was set up for and go to "Alerts" → "Manage actions" to edit the actions in the action group.

4. Put the HTTP POST URL of "When a HTTP request is received" into the highlighted field below.

The 2nd Action

Enter the correct Resource Group Name and Resource Name of the Log Analytics workspace in the highlighted cells; both are shown on the workspace's Overview page (the parts circled in green). The Kusto query should be the same one used in the prerequisites section.

The 3rd Action

If the query is set up correctly, all the required columns will be available in this action. In my test I wanted four fields: TimeGenerated, Computer (hostname), SourceIp (the connection's source IP) and BytesReceived, the last being the alert condition itself.

If all goes well, whenever BytesReceived exceeds the threshold you set, the Azure log alert fires, and because a webhook is attached to its action group, the Logic App is triggered as well. Depending on how notifications are configured you will get at least one notification from the log alert itself plus an email from the Logic App, similar to the one below.
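The Logic App on this page obtains its rows by re-running the query in the Azure Monitor Logs action. Because the custom JSON payload above sets IncludeSearchResults to true, the same rows also arrive inside the webhook body itself, so a receiver can work from the alert's own results instead of re-querying. The following is an added example, not code from the original post: a Python receiver that checks the alert name, keeps only rows matching the rule, and renders the four columns as an email body. The body shape (a SearchResults object with tables, columns and rows), the alert rule name, the threshold, the computer name and the sample rows are all assumptions constructed for the example.

```python
"""Parse an Azure Monitor log alert webhook body and build the notification text.

Added example, not from the original post. Assumptions (labelled): the log-alert
webhook body carries the "alertname" key set by the custom JSON payload on the
page plus a "SearchResults" object in the Log Analytics query-result shape
(tables -> columns/rows) when "IncludeSearchResults" is true. The alert name,
threshold, computer name and sample rows below are constructed.
"""
import json

# Constructed sample body in the assumed shape (not a captured payload).
SAMPLE_BODY = json.dumps({
    "alertname": "vm-high-inbound-bytes",
    "SearchResults": {
        "tables": [{
            "name": "PrimaryResult",
            "columns": [
                {"name": "TimeGenerated", "type": "datetime"},
                {"name": "Computer", "type": "string"},
                {"name": "SourceIp", "type": "string"},
                {"name": "BytesReceived", "type": "long"},
            ],
            "rows": [
                ["2024-01-10T08:00:12Z", "web01", "203.0.113.7", 52428800],
                ["2024-01-10T08:01:03Z", "web01", "198.51.100.23", 4096],
                ["2024-01-10T08:01:40Z", "db01", "203.0.113.9", 31457280],
            ],
        }]
    },
})

EXPECTED_ALERT = "vm-high-inbound-bytes"   # assumed alert rule name
THRESHOLD_BYTES = 10 * 1024 * 1024         # assumed "<certain amount>" from the KQL rule
COMPUTER = "web01"                         # assumed "<computer name>" from the KQL rule
WANTED_COLUMNS = ("TimeGenerated", "Computer", "SourceIp", "BytesReceived")


def rows_as_dicts(payload):
    """Flatten every result table into a list of {column: value} dicts."""
    out = []
    for table in payload.get("SearchResults", {}).get("tables", []):
        names = [c["name"] for c in table.get("columns", [])]
        for row in table.get("rows", []):
            out.append(dict(zip(names, row)))
    return out


def handle_webhook(raw_body, expected_alert=EXPECTED_ALERT,
                   threshold=THRESHOLD_BYTES, computer=COMPUTER):
    """Validate the body and return only the rows the alert condition is about.

    Raises ValueError when the alert name does not match: the trigger URL is a
    bearer secret, so a body arriving under another name is rejected rather
    than mailed out.
    """
    payload = json.loads(raw_body)
    if payload.get("alertname") != expected_alert:
        raise ValueError("unexpected alertname: %r" % payload.get("alertname"))
    hits = []
    for row in rows_as_dicts(payload):
        if row.get("Computer") != computer:
            continue  # a different host: not covered by this rule
        if int(row.get("BytesReceived", 0)) <= threshold:
            continue  # at or below the rule's threshold: not part of this alert
        hits.append({k: row.get(k) for k in WANTED_COLUMNS})
    return hits


def format_email(alertname, hits):
    """Render the rows as the plain-text body the Send an Email action would carry."""
    lines = ["Alert: %s" % alertname, "Matching rows: %d" % len(hits), ""]
    lines.append(" | ".join(WANTED_COLUMNS))
    for h in hits:
        lines.append(" | ".join(str(h[k]) for k in WANTED_COLUMNS))
    return "\n".join(lines)


if __name__ == "__main__":
    matches = handle_webhook(SAMPLE_BODY)
    print(format_email(EXPECTED_ALERT, matches))
```

Re-applying the threshold and computer filter on the receiver side is deliberate: if someone later loosens the alert rule's query, or posts a crafted body to the trigger URL, the receiver still mails only rows that satisfy the condition it was written for.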

That's it! You now have an Azure log alert that triggers a Logic App through a webhook to send out additional information. Many other actions are possible with Logic Apps; it is just a matter of figuring them out. Happy learning!
