Log Analytics & KQL Basics

AZ-104: Azure Administrator

What is Log Analytics?

Log Analytics is part of Azure Monitor that stores and queries log data.
Logs from different resources (VMs, apps, networking, security) are collected in a Log Analytics Workspace.

Think of it as a central log database where you can run queries, build reports, and detect issues.

Kusto Query Language (KQL)

KQL is the query language used to analyze logs in Azure.

Looks like SQL but is read-only (you can’t update data).
Designed for searching, filtering, and aggregating large sets of log data.

Basic Syntax Examples:

search "error" → Finds all logs containing “error.”
AzureActivity | where ResourceGroup == "TestRG" → Filters logs by resource group.
SecurityEvent | summarize count() by ResultType → Groups by result type and counts events.

Common Data Sources for Logs

Activity Logs: Who did what at the subscription level.
Resource Logs: Events inside resources (e.g., SQL queries, firewall traffic).
VM Logs: Collected by agents (performance, syslogs, event viewer).

Confusion Buster 🚨

Metrics vs Logs
- Metrics = performance numbers (fast, real-time).
- Logs = events and activities (detailed, historical).
Activity Log vs Resource Log
- Activity Log = subscription-level operations (create, delete resources).
- Resource Log = inside the resource (queries, errors, requests).

Exam trap: If the question says “who deleted a VM?” → Activity Log. If it says “why is SQL DB slow?” → Resource Logs.

Simple Example

A company wants to monitor failed logins to their VM:

Logs are collected into Log Analytics Workspace.
Admin runs a KQL query:
SecurityEvent | where EventID == 4625 | summarize count() by Account
This shows which accounts had failed login attempts.

Exam Tip

If you see “querying logs”, the answer involves Log Analytics Workspace + KQL.
If you see “real-time CPU/Memory usage”, that’s Metrics, not Logs.
If scenario asks “who deleted a resource?”, the answer is Activity Logs.

What to Expect in the Exam

Direct Q: “Which language is used to query logs in Azure?” → KQL.
Scenario: “Admin wants to analyze sign-in failures across multiple resources.” → Log Analytics + KQL.
Trick Q: “You can update resource logs with KQL queries.” (False — KQL is read-only).