Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback. Learn more here.

Azure Monitor-Log Analytics

Welcome to the Azure Log Analytics (https://azure.microsoft.com/en-us/services/log-analytics/) Feedback page. We appreciate your feedback and look forward to hearing from you. Use this site for new ideas and bug reports or to request help.
NOTE – Log Analytics is now a part of Operations Management Suite. Learn more at http://microsoft.com/OMS

  1. Can you please add the Microsoft-Windows-Sysmon/* to Logs

    To be able to support Sysinternals SysMon

    6 votes
  2. Add support for operational insights in Azure PaaS Services

    Azure Operational Insights should also support operational insights on Azure PaaS services like Web Roles, Worker Roles, Web sites, Azure SQL Databases and all the other Azure PaaS services.

    6 votes

    Log Collection from WAD for PaaS roles and IaaS VMs is enabled for Windows Event Logs and IIS Logs.

    SQL Instances running in IaaS VM are supported (via the agent) by SQL Assessment IP already as well.

    Other sources of data (i.e. performance) are tracked by individual ideas i.e.

    http://feedback.azure.com/forums/267889-azure-operational-insights/suggestions/6519356-collect-custom-performance-counters-from-windows-a

    http://feedback.azure.com/forums/267889-azure-operational-insights/suggestions/6519351-collect-iis-logs-from-windows-azure-diagnostics-st

    Azure SQL is a different beast altogether – not immediately on the roadmap to assess that from our end, but we started some conversation with the SQL team in that sense.

    In general, we suggest you give us feedback in small-bite chunks. This one broad ‘idea’ you posted for us is really multiple separate features to implement on our end – see the list above. This means your feedback will tend to remain open for a very long time. We work in iterative/agile fashion, so we prefer to track each small piece with its own status and ship small…

  3. Advisor Stopped collecting IIS Log data. Is it because of the size of the IIS log file? How do I troubleshoot?

    I have configured IIS Log collection in Advisor and it was working as expected. It suddenly stopped collecting IIS log data. How do I troubleshoot the issue? Can IIS Log file size be a factor here?

    4 votes

    We do recommend absolutely keeping the files small and rollover quick – as described here http://blogs.technet.com/b/momteam/archive/2014/09/19/iis-log-format-requirements-in-system-center-advisor.aspx – this is more of an issue in SCOM environments where the agents can potentially flood the Management Server. It’s not that much of a problem for Direct Agent (but you do use more bandwidth!) but basically every hour the same files (if log rollover is more than hourly) will be unnecessarily uploaded from agent to MS and from MS to cloud over and over. Hence the suggestion of ‘hourly’ rollover policy.

    If you are not able to change the IIS Logging policy in Windows, you can choose to turn off the IIS Log collection rule entirely for those agents where you can’t change IIS config, using SCOM overrides.

  4. Log Management - NO DATA FOUND

    I initially on-boarded a new SCOM 2012 R2 management group with Operational Insights. I turned on multiple intelligence packs and the 10 or so servers that were added to SCOM so far uploaded log data fine (IIS, Application, System) and the "Security and Audit" intelligence pack seemed to be working as well.

    I did see that there were some servers that are too old to be compatible with OpInsights, so I created a custom group for Windows servers with 2008 and later, I then targeted that group with OpInsights from within the SCOM console.

    I also am running the latest…

    5 votes
  5. I have multiple directly connected servers listed twice in the portal.

    Hello,

    When I list "Servers Connected Directly" I see multiple servers that are listed twice. Once with its computer name and once with its FQDN. The reason why the server is also listed with its computer name is one event. All other events are based on its FQDN.

    3 votes

    The IIS collection was changed so that it now reports the same (typically, FQDN) computer name also seen in other types of data as opposed to just the NETBIOS name/host name that was inferred from the log content.
    This was part of the fix announced here http://blogs.technet.com/b/momteam/archive/2015/05/14/configuration-changes-for-iis-log-collection-in-operations-management-suite.aspx


    For actually showing ‘connection’ status of direct agents (not inferred from data in search), vote this http://feedback.azure.com/forums/267889-azure-operational-insights/suggestions/6734080-improve-visibility-of-an-agent-status

  6. 3 votes
  7. Real time / Near Realtime Data Collection

    This could show events as they happen or collected and see the actual time of the logs. This would help to troubleshoot incidents as they are happening.

    Also we could collect logs from different time zones and be able to correlate them. I am not sure how that is handled now if I have a server on the west coast and servers on the east coast and troubleshooting event logs between the two.

    2 votes

    We have done and are doing even more work to enhance the speed at which we can index, so that the latency is reduced (=you don’t have to wait too long for data to be searchable) and we can enable more real time use.

    Latency is down to a few minutes in most cases these days (for data like logs – that does not need pre-processing; some scenarios have intrinsic delays) – but we aren’t stopping there and continue working on improving our latency all the time.

    The Azure SLA doc contains now a paragraph on Operational Insights http://azure.microsoft.com/en-us/support/legal/sla/


    As for correlating times, the TimeGenerated field represents the time from the original windows machine that produced the event. Everything is stored in UTC at this time, we have not done any ‘confusing’ globalization work yet to show local times, hence regardless where the machine is on the globe, its data…

  8. W3CIISLog - csUserName not in full text index?

    The csUserName seems not included in the full text index. Repro:
    - search for a known user Type:W3CIISLog csUserName:"someusername", this returns a list of documents
    - search for the same user without setting a property match, "someusername" doesn't return documents from W3CIISLog but it does for other logs

    2 votes
  9. Log Management Bug (?)

    I've brought online several servers and the logs appear to be flowing up, I can go to search and see that I have logs that have shown up within the last few minutes. Yet, when I log in to SCA I am presented with a screen that says welcome to log management please configure, when I click through it looks as though nothing is set up, when I go back to the main page, I get a count of logs (inaccurate count), when I click on log management it shows the logs I'm capturing...stop rinse and repeat.

    http://1drv.ms/1lk83po

    Sort that by filename…

    1 vote

    multiple issues here:

    1) the Tile was timing out; we had an SEV-2 incident actually worked on today for this issue. It has now been mitigated, so it should work again. Sorry for the inconvenience… it’s a Preview, but the team has been hard at work to restore functionality in record time!

    2) the drill down page shows record count by log for ALL times right now —> but once you drill down into search, you have a filter of 7 days applied, so of course the numbers will be smaller. This is currently by design.

  10. logging, where is the summary of computers

    Sorry this is not a new idea but observation on the Log Management views.

    Please bring back the original view, where it was able to sort event trend by the affected computer. This was huge to summarize the computers generating the Run-away EventID. I've been using this daily and the dashboard change and I wish there was an option to bring back the old view.

    1 vote
  11. Why do Logs take a long time to appear after configuring them?

    I add new logs to log management and they don't appear straight away, why is this?

    1 vote

    SCOM currently pulls down the collection policy (in the form of an MP) every 10 minutes. After that is loaded, then sending should be pretty fast, but we don’t yet have guaranteed service levels on this ‘speed’.

    I am closing this hoping the explanation suffices. I don’t consider it really a ‘feature request’ at this stage, but let me know if you disagree.

  12. Retention Policy

    Is there any documentation on how long the logs are kept and stored?

    1 vote
  13. Pick list instead of just a text box

    I should be able to pick from a list of windows event logs, not enter names when adding logs in MOM Suite

    1 vote
  14. Never log Docker environment variables in container solution unless told to

    I think including environment variables in the ContainerInventory logs is a really, really bad idea. Docker environment variables are generally used to initialise containers with secrets, such as passwords. While it would be possible to provide them by way of storage, it’s not common practice, nor standard or portable. Environment variables are commonly used.

    Environment variables just should not be logged, at least until specifically told to.

    1 vote