Azure log query alert example

uubf1zoe posted on 2023-01-09 in Other
Follow (0) | Answers (1) | Views (106)

I am designing a monitoring solution for a project and want to create some alert rules for certain resources (for example Application Insights).
If I want to set up a log search alert, I need to define a specific query and tell the alert what to do.
However, I have never written a log query alert before and do not know how to set one up. At the moment I have written a log search example in Bicep:

@description('Location of the resource.')
param location string

@description('Log Analytics workspace ID to associate with your Application Insights resource.')
param workspaceId string

@description('Name of the alert rule.')
param appInsightsLogRuleName string

@description('Resource ID of the action group to notify.')
param actiongroups_team_blue string

@allowed([
  0
  1
  2
  3
  4
])
@description('Severity of the alert.')
param severity int = 2

resource appInsightsLogRule 'Microsoft.Insights/scheduledQueryRules@2022-06-15' = {
  name: appInsightsLogRuleName
  location: location
  properties: {
    displayName: appInsightsLogRuleName
    severity: severity
    enabled: true
    evaluationFrequency: 'PT5M'
    scopes: [
      workspaceId
    ]
    targetResourceTypes: [
      'Microsoft.Insights/components'
    ]
    windowSize: 'PT5M'
    criteria: {
      allOf: [
        {
          query: 'tbd.' // placeholder: the KQL query has not been written yet
          timeAggregation: 'Count'
          dimensions: []
          operator: 'GreaterThan'
          threshold: 0
          failingPeriods: {
            // minFailingPeriodsToAlert must not exceed numberOfEvaluationPeriods,
            // otherwise the deployment is rejected
            numberOfEvaluationPeriods: 3
            minFailingPeriodsToAlert: 3
          }
        }
      ]
    }
    autoMitigate: true
    actions: {
      actionGroups: [
        actiongroups_team_blue
      ]
    }
  }
}

The query is currently still empty because I do not know how to fill it in.
Can anyone share examples or queries for useful scenarios with scheduledQueryRules, or alert rules in general (for example Application Insights, Network Watcher, Sentinel, etc.)? Many thanks!

h79rfbju

h79rfbju 1#

  • First, check the parameter.json file to avoid this kind of empty-output problem, and check that the given query is valid.

Referring to MSDoc, I tried creating a sample scheduled log alert for a Log Analytics workspace resource and verified that the alert was sent to the given email address. The alert works correctly and was deployed successfully, as shown below.

@description('Log Analytics workspace Resource ID.')
param sourceId string = ''
param location string = ''
param actionGroupId string = ''

resource logQueryAlert 'Microsoft.Insights/scheduledQueryRules@2018-04-16' = {
  name: 'xxxxx log query alert'
  location: location
  properties: {
    description: 'This is a sample alert'
    enabled: 'true'
    source: {
      // query as per the requirement
      query: 'Event | where EventLevelName == "warning" | summarize count() by Computer'
      dataSourceId: sourceId
      queryType: 'ResultCount'
    }
    schedule: {
      frequencyInMinutes: 15
      timeWindowInMinutes: 60
    }
    action: {
      'odata.type': 'Microsoft.WindowsAzure.Management.Monitoring.Alerts.Models.Microsoft.AppInsights.Nexus.DataContracts.Resources.ScheduledQueryRules.AlertingAction'
      severity: '4'
      aznsAction: {
        actionGroup: array(actionGroupId)
        emailSubject: 'xxxx Log Alert mail subject'
        customWebhookPayload: '{ "alertname":"#samplealertrulename", "IncludeSearchResults":true }'
      }
      trigger: {
        thresholdOperator: 'GreaterThan'
        threshold: 1
      }
    }
  }
}

Deployed successfully:

  • Azure portal:

Log query alert:

Email triggered successfully:
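The asker's template targets the newer 2022-06-15 API, where the query lives under `criteria.allOf` rather than `source`. The following is an added example, not code from either post, that fills in that shape with a working Application Insights query: it fires when more than 10 failed requests hit the same operation within a 15-minute window, split per operation via a dimension. The parameter names `appInsightsId` and `actionGroupId` are assumptions. The rule is scoped to the Application Insights component itself, so the query uses the component table names (`requests`); if you scope it to the Log Analytics workspace instead, as the original template does, the same data sits in `AppRequests` with `Success` and `OperationName` columns.

```bicep
@description('Resource ID of the Application Insights component to query (assumed parameter).')
param appInsightsId string

@description('Resource ID of the action group to notify (assumed parameter).')
param actionGroupId string

@description('Location of the alert rule; must match the region of the scoped resource.')
param location string = resourceGroup().location

resource failedRequestsRule 'Microsoft.Insights/scheduledQueryRules@2022-06-15' = {
  name: 'appinsights-failed-requests'
  location: location
  properties: {
    displayName: 'Application Insights: failed requests per operation'
    description: 'Fires when more than 10 failed requests hit one operation in a 15-minute window.'
    severity: 2
    enabled: true
    evaluationFrequency: 'PT5M'   // how often the query runs
    windowSize: 'PT15M'           // how much data each run looks back over
    scopes: [
      appInsightsId
    ]
    criteria: {
      allOf: [
        {
          // One row per operation with its failed-request count in the window.
          // Table is 'requests' because the scope is the component; it would be
          // 'AppRequests' when scoped to the Log Analytics workspace.
          query: 'requests | where success == false | summarize FailedCount = count() by operation_Name'
          timeAggregation: 'Total'
          metricMeasureColumn: 'FailedCount'
          dimensions: [
            {
              // Split the alert per operation so each failing endpoint gets its own alert.
              name: 'operation_Name'
              operator: 'Include'
              values: [
                '*'
              ]
            }
          ]
          operator: 'GreaterThan'
          threshold: 10
          failingPeriods: {
            // minFailingPeriodsToAlert must be <= numberOfEvaluationPeriods
            numberOfEvaluationPeriods: 1
            minFailingPeriodsToAlert: 1
          }
        }
      ]
    }
    autoMitigate: true // resolve the alert automatically once the condition clears
    actions: {
      actionGroups: [
        actionGroupId
      ]
    }
  }
}
```

Before deploying, run the query by hand in the Logs blade of the scoped resource over the same 15-minute window: an empty result there is the most common reason a rule deploys fine but never fires, and it is cheaper to catch than a silent alert.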
