1.1: Design a solution for logging and monitoring Flashcards

1
Q

What are the different types of logs available on the Azure platform?

A
  1. Resource logs
  2. Activity logs
  3. Azure Active Directory (AAD) logs
2
Q

What are Resource Logs?

A
  • Resource logs are generated at the Azure resources layer by Azure resources such as Azure Key Vault, Azure Cosmos DB, and virtual machines (VMs).
  • They provide insights into operations performed within Azure resources. The contents of resource logs vary depending on the type of Azure service or resource that generated them.
  • You must configure diagnostic settings for each Azure resource to send resource logs to one or more destinations.

Resource logs can be routed to any of the following:
* Azure Log Analytics workspace - for example, you can write complex queries in KQL to perform analysis and obtain insights into log data.
* Azure Storage account for long-term retention.
* Azure Event Hub - by routing logs to Event Hub, you can forward them to a third-party system or custom solution such as a security information and event management (SIEM) or monitoring tool.

3
Q

What are Activity logs?

A
  • Generated at the subscription layer. Each subscription has a single activity log that provides insights into administration and management operations performed on each resource in the subscription.
  • Track administration and management activities on a resource to determine what operation was performed, who initiated or performed the operation, when the operation was performed, and the status of the operation.
  • Activity logs are retained for 90 days and then deleted.
4
Q

What is an Azure Active Directory (AAD) log?

A

There are three types of AAD activity logs:

1. Sign-in logs - help track user sign-ins: which users are accessing which resources, and how they are accessing those resources, to capture user patterns and behaviors.
2. Audit logs - trace changes made to the tenant object, such as the addition or removal of users, groups, and applications.
3. Provisioning logs - trace the activities of provisioning services—for example, the creation of users in SaaS applications like ServiceNow, Salesforce, and so on.

As with resource logs, you can forward AAD logs to an Azure Log Analytics workspace, an Azure Storage account, or the Azure Event Hub.

6
Q

Describe the Azure platform logs and metrics

A

These logs are generated at various layers or levels:

  1. Azure tenant - AAD logs are generated at the tenant level.
  2. Azure subscription - Activity logs and metrics as well as service health logs and metrics are generated at the subscription level.
  3. Azure resource - Azure resource logs and metrics are generated at the resource level.

(Diagram: summary of log routing, logging levels, and log destinations.)
7
Q

Recommended monitoring tools: Microsoft Defender

A
  • Microsoft Defender for Cloud is Azure-native and can be auto-provisioned and easily enabled for various Azure services without any special deployment. It helps strengthen the security posture of cloud deployments by monitoring for security and compliance issues and by providing security-hardening tools for Azure resources.
  • Continuously assesses the security posture of connected Azure resources and services and provides a security score for your Azure security posture. The higher the score, the better the security posture. This helps with hardening connected resources by monitoring them and comparing them to an Azure security benchmark.
  • Provides recommendations to fix identified vulnerabilities, and in many cases provides a Fix button, which you can click to fix the vulnerability automatically.
  • Detects threats and raises alerts. Alerts are displayed in the Azure Portal, and can be sent via email to designated recipients, forwarded to a SIEM or SOAR solution (such as Microsoft Sentinel), and/or forwarded to an ITSM tool.
8
Q

Recommended monitoring tools: Microsoft Sentinel

A
  • Microsoft Sentinel uses a Log Analytics workspace to store data collected from various sources.
  • Microsoft Sentinel provides out-of-the-box connectors for Microsoft solutions to support real-time integrations, such as Microsoft 365 Defender, AAD, and Microsoft Defender for Cloud.
  • In addition, there are built-in connectors for non-Microsoft solutions, for example Palo Alto products like MineMeld and PAN-OS, and Cisco products like ASA.
  • Another way to connect data to Microsoft Sentinel is to use the Common Event Format (CEF) or Syslog, or to send data through the REST API. The same set of tools in Azure Monitor can be used to analyze logs along with other data collected by Azure Monitor.
(Diagram: Microsoft Sentinel architecture.)
9
Q

Recommended visualization and monitoring tools: Azure Monitor

A

Azure Monitor provides visualizations and tools to monitor and analyze logs and metrics collected from various sources in Log Analytics workspaces and metric stores.

  • Activity log - provides the capability to query activity logs based on severity and timespan.
  • Alert rules - the scope of an alert can be a subscription or specific resources. The condition specifies the signal type, which can be an activity log, an Azure Monitor metric, or an Azure Monitor log.
  • Action group(s) - indicate the action to be taken when an alert condition is met. You can choose to send a notification to selected recipients, trigger an automatic action, or both.
  • Alert processing rules - suppress alerts in specific scenarios, or specify which action group(s) should be triggered when an alert fires at a specific scope.
  • Metrics - you can create visualizations and charts for any metrics you collect and pin them to your dashboard for easy monitoring. You can also create alert rules on metrics.
  • Logs - as with metrics, you can create visualizations and charts for any logs you collect and pin them to your dashboard for easy monitoring. You can also create custom queries to obtain specific insights and to generate alerts.
  • Service Health - provides visibility into ongoing issues, security advisories, and the health history of Azure services. It also provides visibility into maintenance scheduled for Azure services. You can configure alerts for Azure services within a specific region for health events like service issues, planned maintenance, health advisories, and security advisories. You can also configure actions to mitigate these health events on Azure services, similar to the way you do for alerts.
(Diagram: Azure Monitor data platform.)
10
Q

Describe how Azure Monitor generates Application Insights

A

Azure Monitor provides curated visualizations and monitoring tools for many Azure services to provide insights into their health and performance. The insights differ depending on the Azure service being monitored. Some important insights include the following:

Application Insights:

  • Application map - shows the various application components and their dependencies. This view is useful for investigating bottlenecks in distributed applications.
  • Smart Detection - helps detect anomalies in an application. It automatically raises alerts based on any unusual patterns in the telemetry ingested from the application.
  • Live Metrics - monitor live metric telemetry coming from an application.
  • Availability - set up availability tests for an application to monitor its availability at specific time intervals.
  • Failures - investigate failures within an application, for example in application operations, dependencies, or server roles.
  • Performance - identify issues with regard to application operations, dependencies, and server roles.
11
Q

Describe how Azure Monitor provides Usage Insights

A

Azure Monitor can provide the following usage insights:

  • Users - view how many users are using each page and feature in an application, identify the countries from which users visit the application, determine which browser they are using, and more.
  • Sessions - track how many sessions are spent on a particular application page or feature, which sessions originate from which country, what browser is used, and more.
  • Events - see how many times a particular application page or feature is used, from which country, using which browser, and more.
  • Retention - track how many users return to your application. This can help you understand why users return to your application, as well as which aspects of your application seem to cause users to abandon it.
  • Funnel - gauge users' navigation experience in your application to identify bottlenecks and other user pain points and remove them.
  • User Flows - obtain a visualization of user navigation in your application across pages and features to analyze user navigation patterns.
  • Cohorts - define a cohort of users, events, sessions, and operations based on similar characteristics. Cohorts simplify queries in the other usage tools (Users, Sessions, Events, and User Flows).

12
Q

How does Azure Monitor deliver VM Insights?

A

Monitors the health and performance of Windows or Linux Azure VMs, Azure VMSS, and Azure Arc–enabled VMs located on-premises or in other cloud environments.

13
Q

How does Azure Monitor deliver Container Insights?

A

Container Insights lets you monitor the performance and health of containers deployed in the following:

  • Azure Kubernetes Service
  • Azure Container Instances
  • Self-managed Kubernetes clusters (which may be hosted in Azure, on Azure Stack, or on-premises)
  • Azure Red Hat OpenShift
  • Arc-enabled Kubernetes clusters
14
Q

How does Azure Monitor deliver Network Insights?

A

Network Insights provides visualizations of the health and metrics of deployed network components. It offers three views in three different tabs:

Network Health - shows the health of networking components and their dependencies. It also shows any alerts raised for network components.

Connectivity - shows connectivity tests configured in the Network Watcher Connection Monitor as well as any alerts associated with these connectivity tests.

Traffic - shows all network security groups (NSGs) that have been configured for NSG flow logs and Traffic Analytics in the selected subscription, grouped by whichever region you select. This tab also shows Traffic Analytics alerts.

15
Q

What is Azure Network Watcher?

A

Azure Network Watcher is a comprehensive set of network-monitoring and diagnostics tools. It provides a number of visualization, monitoring, diagnostics, and alerting capabilities.

Topology - depicts the topology of the network in a resource group or of a specific virtual network.

Connection monitor - enables you to create network tests and to monitor network connections. It also enables you to raise alerts for detected network issues, based on network tests you create:

Test group - create a group of tests for a specific pair of sources and destinations.

Alerts - configure alerts for a connection monitor. Creating an alert in this context is similar to creating or attaching an action group, as described under Azure Monitor alert rules.

IP Flow Verify - test and verify inbound and outbound TCP/UDP connections for a VM for a targeted IP address. The IP address can be local or external.

NSG Diagnostics - can help you understand and debug the network’s security configuration. It identifies all NSGs that will be evaluated for a given source–destination pair. Based on this, it determines which rule, within each NSG, will be applied, and the final allow/deny status for the flow.

Next Hop - identifies the next hop for traffic from a specified VM to a specific destination IP. This helps in testing scenarios in which you want the traffic from a VM to hop to a specific appliance before it goes to any destination.

VPN Troubleshoot - diagnoses issues with virtual network gateway and VPN connections. Be aware that once it begins, it takes some time to detect and report the results.

Packet Capture - captures packets for a VM. You can configure the packet capture (.cap) file to be stored in Azure Blob storage, on the VM’s file system, or both.

NSG flow logs - configure NSG flow logs to capture flow logs for an NSG. An Azure Storage account is required to store NSG flow logs.

Traffic Analytics - provides analytics and visualizations for NSG flow logs and other Azure resources' data. It helps identify traffic hotspots, which in turn can help you identify areas for optimization. It also provides a drill-through geo-map, which you can use to gain insights into network traffic across geographies.
