Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback. Learn more here.

Azure Monitor-Log Analytics

Welcome to the Azure Log Analytics (https://azure.microsoft.com/en-us/services/log-analytics/) Feedback page. We appreciate your feedback and look forward to hearing from you. Use this site for new ideas and bug reports or to request help.
NOTE – Log Analytics is now a part of Operations Management Suite. Learn more at http://microsoft.com/OMS

  1. 6 hours SLA on indexing custom log data is a very long time to alert on

    According to this article https://azure.microsoft.com/en-us/support/legal/sla/log-analytics/v1_1/ SLA on indexing log data might take up to 6 hours. OMS has built-in alerting that allows you to trigger actions within 5 minutes of data arrival. But if indexing takes more than 5 minutes - then what's the point of creating an alert that might trigger on something that is no longer a problem, or not trigger at all if there is a real problem. What is the average data indexing time? Log Analytics would be much more useful and have many more applications in the real world if that indexing time is much lower. 6…

    366 votes
  2. Never log Docker environment variables in container solution unless told to

    I think including environment variables in the ContainerInventory logs is a really, really bad idea. Docker environment variables are generally used to initialise containers with secrets, such as passwords. While it would be possible to provide them by way of storage, it’s not common practice, nor standard or portable. Environment variables are commonly used.

    Environment variables just should not be logged, at least until specifically told to.

    1 vote
  3. Pick list instead of just a text box

    I should be able to pick from a list of Windows event logs, not enter names when adding logs in MOM Suite

    1 vote
  4. (Microsoft survey and discussion) Frustrations around using log analytics in monitoring/log analytics solutions

    I’m part of a team at Microsoft that is interested in understanding your frustrations around diagnosing software problems when using monitoring/log analytics solutions. Specifically, we’re interested in where you leave the monitoring/log analytics system to pull additional logs/traces or use different diagnostic analysis tools in order to solve a software problem. If you’re someone that uses the log analytics capability inside of OMS or any of the other monitoring/analytics solutions (Linux or Windows), and you are interested in having a 30 minute conversation with me and a couple of my colleagues, please leave your information on http://www.msftdiagnostics.com/ or send email…

    7 votes
  5. Can you please add the Microsoft-Windows-Sysmon/* to Logs

    To be able to support Sysinternals SysMon

    6 votes
  6. Log Management - NO DATA FOUND

    I initially on-boarded a new SCOM 2012 R2 management group with Operational Insights. I turned on multiple intelligence packs and the 10 or so servers that were added to SCOM so far uploaded log data fine (IIS, Application, System) and the "Security and Audit" intelligence pack seemed to be working as well.

    I did see that there were some servers that are too old to be compatible with OpInsights, so I created a custom group for Windows servers with 2008 and later, I then targeted that group with OpInsights from within the SCOM console.

    I also am running the latest…

    5 votes
  7. Collect text log files

    Allow for the ability to collect text log files.

    For agent-based collection, it could initially be limited to text log files that are "known" to SCOM through MPs (i.e. SQL Server's ERRORLOG) or with path to the file configurable by the user (from the portal or thru an Authoring Template).

    For collection from a storage account (if you have a way to land the file there on your own) you would have to point at the blob\container.

    Note: This Idea was re-created after having been incorrectly merged.

    167 votes
  8. Collect Azure data from different Azure Subscriptions

    Afaik today we can collect Azure logs only from artifacts running in the same subscription where the OpInsights workspace has been created. We use different subscriptions in Azure for both segregation and billing, but we want to be able to monitor them from a single OpInsights account. Give us the option to register my subscriptions and be able to collect exactly the same data we're collecting from the "home" subscription.

    73 votes
  9. I have multiple directly connected servers listed twice in the portal.

    Hello,

    When I list "Servers Connected Directly" I see multiple servers that are listed twice. Once with its computer name and once with its FQDN. The reason why the server is also listed with its computer name is one event. All other events are based on its FQDN.

    3 votes

    The IIS collection was changed so that it now reports the same (typically, FQDN) computer name also seen in other types of data as opposed to just the NETBIOS name/host name that was inferred from the log content.
    This was part of the fix announced here http://blogs.technet.com/b/momteam/archive/2015/05/14/configuration-changes-for-iis-log-collection-in-operations-management-suite.aspx


    For actually showing ‘connection’ status of direct agents (not inferred from data in search), vote this http://feedback.azure.com/forums/267889-azure-operational-insights/suggestions/6734080-improve-visibility-of-an-agent-status

  10. W3CIISLog - csUserName not in full text index?

    The csUserName seems not included in the full text index. Repro:
    - search for a known user Type:W3CIISLog csUserName:"someusername", this returns a list of documents
    - search for the same user without setting a property match, "someusername" doesn't return documents from W3CIISLog but it does for other logs

    2 votes
  11. Application Log ID 18456 (Logon) not being collected (aka - allow to Collect Audit Failure and Audit Success events)

    Added log collection of the Application Event Log, but it looks like Event 18456 Type Logon is not being collected even while it's located in the Application Log

    7 votes

    We’ve updated the Log Analytics service so that Audit Success / Audit Failure events are picked up from all event logs, not just the Security event log.

    To collect these events, configure collection of “Information” level events from the event log.

    The change is rolling out to all regions this week.

  12. Data Retention Intervals By Data Type

    Would like to request a data retention interval by data type (Similar to what is done in SCOM.) Specifically, the ability to set retention timeframes on "Performance Data", "Event data", and "Analytic Data."

    112 votes
  13. Add support for operational insights in Azure PaaS Services

    Azure Operational Insights should also support operational insights on Azure PaaS services like Web Roles, Worker Roles, Web sites, Azure SQL Databases and all the other Azure PaaS services.

    6 votes

    Log Collection from WAD for PaaS roles and IaaS VMs is enabled for Windows Event Logs and IIS Logs.

    SQL Instances running in IaaS VM are supported (via the agent) by SQL Assessment IP already as well.

    Other sources of data (i.e. performance) are tracked by individual ideas i.e.

    http://feedback.azure.com/forums/267889-azure-operational-insights/suggestions/6519356-collect-custom-performance-counters-from-windows-a

    http://feedback.azure.com/forums/267889-azure-operational-insights/suggestions/6519351-collect-iis-logs-from-windows-azure-diagnostics-st

    Azure SQL is a different beast altogether – not immediately on the roadmap to assess that from our end, but we started some conversation with the SQL team in that sense.

    In general, we suggest you give us feedback in small-bite chunks. This one broad ‘idea’ you posted for us is really multiple separate features to implement on our end – see the list above. This means your feedback will tend to remain open for a very long time. We work in iterative/agile fashion, so we prefer to track each small piece with its own status and ship small…

  14. Advisor Stopped collecting IIS Log data. Is it because of the size of the IIS log file? How do I troubleshoot?

    I have configured IIS Log collection in Advisor and it was working as expected. It suddenly stopped collecting IIS log data. How do I troubleshoot the issue? Can IIS Log file size be a factor here?

    4 votes

    We do recommend absolutely keeping the files small and rollover quick – as described here http://blogs.technet.com/b/momteam/archive/2014/09/19/iis-log-format-requirements-in-system-center-advisor.aspx – this is more of an issue in SCOM environments where the agents can potentially flood the Management Server. It’s not that much of a problem for Direct Agent (but you do use more bandwidth!) but basically every hour the same files (if log rollover is more than hourly) will be unnecessarily uploaded from agent to MS and from MS to cloud over and over. Hence the suggestion of ‘hourly’ rollover policy.

    If you are not able to change the IIS Logging policy in Windows, you can choose to turn off the IIS Log collection rule entirely for those agents where you can’t change IIS config, using SCOM overrides.

  15. event log does not exist

    When you configure to record logs from a source, and that source doesn't exist in a client, SCOM reports errors about not being able to open that source log.

    3 votes
  16. Log Management Bug (?)

    I've brought online several servers and the logs appear to be flowing up, I can go to search and see that I have logs that have shown up within the last few minutes. Yet, when I log in to SCA I am presented with a screen that says welcome to log management please configure, when I click through it looks as though nothing is set up, when I go back to the main page, I get a count of logs (inaccurate count), when I click on log management it shows the logs I'm capturing...stop rinse and repeat.

    http://1drv.ms/1lk83po

    Sort that by filename…

    1 vote

    multiple issues here:

    1) the Tile was timing out; we had an SEV-2 incident actually worked on today for this issue. It has now been mitigated, so it should work again. Sorry for the inconvenience… it’s a Preview, but the team has been hard at work to restore functionality in record time!

    2) the drill down page shows record count by log for ALL times right now —> but once you drill down into search, you have a filter of 7 days applied, so of course the numbers will be smaller. This is currently by design.

  17. logging, where is the summary of computers

    Sorry this is not a new idea but observation on the Log Management views.

    Please bring back the original view, where it was able to sort event trend by the affected computer. This was huge to summarize the computers generating the Run-away EventID. I've been using this daily and the dashboard changed and I wish there was an option to bring back the old view.

    1 vote
  18. Allow to perform parsing and custom fields extraction

    i.e. many logs have a single line of 'message' or 'description' - you want to parse that out into discrete parts that you can perform aggregations (group by) against.

    43 votes
  19. 3 votes
  20. Windows Event Log Provider Event ID 26004: Advisor Log collection makes noise

    I am running default Advisor Log Collection jobs. I am managing some Hyper-V servers with Advisor. A non-Hyper-V host (a SCOM management server) is unhealthy in SCOM due to this error. It seems Advisor log collection should not cause an error when a log does not exist on a server where the role for that log is not installed.

    Operations Manager Event Log
    Source: Health Service Modules
    Event Number: 26004

    The Windows Event Log Provider is still unable to open the Microsoft-Windows-Hyper-V-VMMS-Storage event log on computer '<SCOM management server not running Hyper-V>'. The Provider has been unable to open the…

    4 votes

    It’s technically already possible (and fairly straightforward if you have some simple MP authoring skills) to cook up your own MP’s collecting logs and target them to custom objects/targets/computers/groups, and even include more granular Collection criteria (i.e. only certain EventIDs, or certain sources, etc….). But this would be living completely on-premises, and won’t be ‘seen’ or reflected in the configuration UI in the Cloud.

    I have written a how-to here http://blogs.technet.com/b/momteam/archive/2014/08/27/anatomy-of-an-event-collection-rule-for-advisor-preview-advanced-targeting.aspx that explains how the Event collection policy works, and it contains a management pack which features an Authoring template to create this type of rules.

    By choosing your own scoping/targeting in SCOM, you wouldn’t see the errors on the ‘wrong’ machines.
