Is it possible to raise multiple Azure Alerts from one Custom Log Search result?

  • Question

  • Hi there,

    I have several Linux VMs (very dynamic environment) which send Syslog to a single Log Analytics Workspace. I would like to raise an Azure Alert whenever a warning appears in Syslog in the Log Analytics Workspace. How can I write a Custom Log Search to accomplish it?

    The query I wrote, Syslog | project _ResourceId, SyslogMessage, SeverityLevel, EventTime | where SeverityLevel == 'warn', can be consumed by Azure Monitor; however, if two machines produce a Warning in the same alert period, only one Alert will be raised. What I would like to achieve is to have one query that is capable of producing multiple alerts.

    Is it possible with logs?

    Many thanks, Bartek

    *I have been advised to move my question from Q&A Preview here.
    Tuesday, December 31, 2019 9:13 AM

Answers

  • Thanks for reaching out! From the information provided, I hope the solution below helps you achieve the requirement.

    The query below retrieves the count of messages for every 5 minutes for each computer. Here the alert is generated if any computer exceeds a message count of 5 two times over 30 minutes.

     Syslog
     | where SeverityLevel == 'warn'
     | summarize AggregatedValue=count(SeverityLevel) by bin(TimeGenerated, 5m), Computer

    Time period: 30 minutes

    Alert frequency: five minutes
    Alert Logic - Condition & Threshold: Greater than 5
    Group Field (Aggregate-on): Computer
    Trigger alert based on: Total breaches Greater than 1

    The query would create an average value for each computer at 5-minute intervals. This query would be run every 5 minutes for data collected over the previous 30 minutes. Since the Group Field (Aggregate-on) chosen is the column 'Computer', the AggregatedValue is split for the various values of 'Computer' and the average count of messages for each computer is determined for a time bin of 5 minutes.

    Hope this helps!

    Saturday, January 4, 2020 10:32 AM
    Moderator
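
    The following is an added example, not code from the thread, from Microsoft or from Azure Monitor itself. It simulates in Python how a metric-measurement log alert with the settings above evaluates: the Syslog rows are binned per Computer in 5-minute intervals (the summarize step), each bin whose count exceeds the threshold of 5 is a breach, and one alert fires for every Computer with more than one breach in the 30-minute lookback window. The Syslog rows, host names and timestamps are constructed for the illustration; the point it demonstrates is that grouping on Computer yields one alert per machine rather than one per query run.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample Syslog rows: (TimeGenerated, Computer, SeverityLevel).
# Host names and times are made up for this example.
BASE = datetime(2020, 1, 4, 10, 0, tzinfo=timezone.utc)
WINDOW_END = BASE + timedelta(minutes=30)   # end of the 30-minute lookback


def _rows(computer, minute_offsets, severity="warn"):
    return [(BASE + timedelta(minutes=m), computer, severity) for m in minute_offsets]


SAMPLE_SYSLOG = (
    # vm-a: six warnings in the 10:00 bin and six in the 10:10 bin -> 2 breaches
    _rows("vm-a", [1, 1, 2, 2, 3, 4] + [11, 11, 12, 12, 13, 14])
    # vm-b: seven warnings in one bin only -> 1 breach, not "Total breaches > 1"
    + _rows("vm-b", [21, 21, 22, 22, 23, 23, 24])
    # vm-c: six warnings in the 10:05 bin and six in the 10:25 bin -> 2 breaches
    + _rows("vm-c", [6, 6, 7, 7, 8, 9] + [26, 26, 27, 27, 28, 29])
    # vm-d: very noisy, but at 'info', so the where clause drops it entirely
    + _rows("vm-d", list(range(30)), severity="info")
)


def summarize_warn_by_bin(rows, bin_minutes=5):
    """Python equivalent of the KQL in the answer:
        Syslog
        | where SeverityLevel == 'warn'
        | summarize AggregatedValue=count(SeverityLevel) by bin(TimeGenerated, 5m), Computer
    Returns {(Computer, bin_start): AggregatedValue}.
    """
    counts = defaultdict(int)
    for time_generated, computer, severity in rows:
        if severity != "warn":
            continue
        bin_start = time_generated.replace(second=0, microsecond=0)
        bin_start -= timedelta(minutes=bin_start.minute % bin_minutes)
        counts[(computer, bin_start)] += 1
    return dict(counts)


def count_breaches(rows, window_end, period_minutes=30, threshold=5):
    """Alert Logic step: over the lookback period, count the 5-minute bins per
    Computer (the Aggregate-on field) whose AggregatedValue is greater than the
    threshold. Returns {Computer: number_of_breaching_bins}; computers with no
    breaching bin are absent."""
    window_start = window_end - timedelta(minutes=period_minutes)
    in_window = [r for r in rows if window_start <= r[0] < window_end]
    breaches = defaultdict(int)
    for (computer, _bin_start), value in summarize_warn_by_bin(in_window).items():
        if value > threshold:
            breaches[computer] += 1
    return dict(breaches)


def evaluate_alert(rows, window_end, breaches_greater_than=1, **kwargs):
    """Trigger step ("Total breaches Greater than 1"): one alert per Computer
    whose breach count exceeds breaches_greater_than. Returns the sorted list of
    computers that fire; several entries means several alerts from one query."""
    breaches = count_breaches(rows, window_end, **kwargs)
    return sorted(c for c, n in breaches.items() if n > breaches_greater_than)


if __name__ == "__main__":
    for computer, n in sorted(count_breaches(SAMPLE_SYSLOG, WINDOW_END).items()):
        print(f"{computer}: {n} breaching 5-minute bin(s)")
    print("alerts fired for:", evaluate_alert(SAMPLE_SYSLOG, WINDOW_END))
```

    Running it reports two breaching bins for vm-a and vm-c, one for vm-b, and nothing for vm-d, so alerts fire for vm-a and vm-c in the same evaluation. The real alert rule is evaluated by Azure Monitor every 5 minutes over the previous 30 minutes; this script freezes one such evaluation so the per-computer behaviour can be inspected offline.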

All replies

  • First of all - many thanks!!!

    It helped me to understand the syntax better and... that I can't spell AggregatedValue properly ;) I kindly ask you to fix yours as well (in case someone uses your great example): there is an additional 'r'.

    Once again, thanks for the help!

    Monday, January 6, 2020 2:15 AM