Overview
Azure monitoring and logging solutions provide visibility into the health, performance, and security of cloud infrastructure. They enable proactive issue detection, troubleshooting, and compliance.
Azure Monitor: The primary platform for collecting, analyzing, and acting on metrics and logs from Azure resources. Serves as the unified hub for all monitoring data.
Log Analytics Workspace: The central repository for all log data in Azure Monitor. Stores logs from agents, services, and applications; supports Kusto Query Language (KQL) for querying and integrates with Microsoft Sentinel.
Application Insights: An APM (Application Performance Monitoring) feature of Azure Monitor that tracks distributed traces, dependency calls, exceptions, and custom telemetry from application code.
Kusto Query Language (KQL): The query language used to interrogate Log Analytics workspaces. Supports powerful aggregations, joins, and time-series analysis for log investigation.
Architecture Patterns
Single Centralized Workspace (recommended for most organizations)
- One Log Analytics workspace for all operational data
- Simplifies correlation, RBAC, and pricing
- Cost-effective with unified commitment tiers
Multi-Workspace Strategy (for specific scenarios)
- Separate workspaces for compliance isolation (PCI, HIPAA)
- Regional separation for data residency requirements
- Multi-tenant scenarios requiring billing separation
Log Routing Destinations
- Event Hubs — Real-time streaming to external SIEM (Splunk, ArcSight)
- Storage Accounts — Long-term archive with continuous export
- Azure Data Explorer — High-volume analytics and performance analysis
Pricing Tiers
| Tier | Best For |
|---|---|
| Pay-as-you-go | Unpredictable or low-volume ingestion |
| Commitment Tiers (100 GB–1 TB/day) | Predictable high-volume; 30–50% savings |
| Dedicated Clusters | Organizations ingesting >1 TB/day |
| Basic Logs | High-volume diagnostic data with infrequent queries |
Retention Strategy
- Interactive retention: 31 days default (90 for Sentinel), fully queryable
- Long-term retention (archive): Up to 12 years at lower cost; accessed via search jobs
- Purge policies: Remove personal/sensitive data for compliance
Monitoring Solution Patterns
Metrics vs. Logs
| Characteristic | Metrics | Logs |
|---|---|---|
| Data type | Numerical time-series | Structured event records |
| Latency | Near real-time (1 min) | Minutes (ingestion delay) |
| Storage | Compact, 93-day retention | Log Analytics workspace |
| Use case | Operational alerts, dashboards | Forensic analysis, audit trails |
| Cost | Lower | Higher per GB |
Recommended Hybrid Approach
- Use metrics for real-time operational alerts (fast response, lower cost)
- Use logs for root-cause investigation and compliance audit trails
- Use Application Insights for end-to-end distributed tracing
Data Collection Scope
- Application logs (Application Insights SDK or built-in)
- Infrastructure metrics (CPU, memory, network, disk via Azure Monitor Agent)
- Security events (activity logs, resource logs, audit logs)
- Custom metrics from applications (via OpenTelemetry or SDK)
Diagram: Monitoring Architecture (Mermaid diagram not reproduced in this text)
Alert Rule Design
- Metric alerts — Threshold-based (CPU > 80%), low latency, best for infrastructure
- Log alerts — KQL-based queries, richer logic, best for complex conditions
- Activity log alerts — Trigger on administrative events (policy changes, role assignments)
- Smart detection — Application Insights auto-detects anomalies in failure rates and latency
Hands-On: Create and Configure Log Analytics Workspace
Step 1: Create Log Analytics Workspace
- Navigate to Azure Monitor > Log Analytics workspaces
- Click Create and enter workspace name, subscription, resource group, location
- Select pricing tier: Pay-as-you-go or Commitment tier (e.g., 100 GB/day)
- Configure Data retention: Default 31 days (adjust for compliance)
- Review and create workspace
Step 2: Configure Diagnostic Settings on a Resource
- Open any Azure resource (e.g., App Service, SQL Database)
- Go to Monitoring > Diagnostic settings
- Click Add diagnostic setting and name it
- Select log categories and metrics to collect
- Choose destination: Send to Log Analytics workspace
- Save — data flows immediately
Step 3: Create Alert Rule
- In Azure Monitor, go to Alerts > Alert rules
- Click Create alert rule
- Define signal: e.g., CPU percentage > 80% (metric) or KQL query (log)
- Set scope, threshold, evaluation frequency
- Add action group (email, SMS, webhook)
- Review and create
Step 4: Query Logs with KQL
- Open Log Analytics workspace > Logs blade
- Write a KQL query, for example:

```kql
AzureActivity
| where ResourceGroup == "my-rg"
| summarize count() by OperationName
```

- Click Run to execute the query
- Pin results to dashboard or export as needed
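As an added example (not from the original page), this KQL query builds on the Step 4 query and on the Activity log alert bullet under Alert Rule Design: it keeps only role-assignment and policy-assignment writes in the AzureActivity table over the last hour and groups them by caller, which is the shape a log alert rule for administrative changes needs. Column names are those of the AzureActivity table; "my-rg" is the placeholder resource group from Step 4.

```kql
// Added example, not from the original page.
// Log-alert query: privileged administrative changes in the last hour.
let lookback = 1h;
// Operation names the page's Activity log alert bullet calls out
// (role assignments and policy changes), as written in AzureActivity.
let sensitiveOps = dynamic([
    "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE",
    "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/DELETE",
    "MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/WRITE"
]);
AzureActivity
| where TimeGenerated > ago(lookback)
| where CategoryValue == "Administrative"
// ResourceGroup is stored upper-cased; =~ compares case-insensitively.
| where ResourceGroup =~ "my-rg"
// Each operation logs a Start row and then a Success/Failure row;
// keep only the final outcome so one change is counted once.
| where ActivityStatusValue in ("Success", "Failure")
| where OperationNameValue in~ (sensitiveOps)
| summarize Events = count(),
            SourceIPs = make_set(CallerIpAddress),
            Resources = make_set(_ResourceId),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by Caller, OperationNameValue, ActivityStatusValue
| order by LastSeen desc
```

When this is saved as a log alert rule, measure the number of result rows with a threshold of greater than 0 and an evaluation frequency of 5 minutes, so any row in the last hour fires the action group.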
AZ-305 Exam Focus
AZ-305 tests your ability to select the right monitoring architecture for business and compliance scenarios. You will not be asked to write KQL — you will be asked to choose between services, tiers, and workspace strategies.
Exam Trap
Confusing Metrics and Logs: Both collect monitoring data but serve different purposes. Metrics are numerical time-series optimized for alerting; logs are structured events optimized for forensic investigation. Choose metrics for real-time alerts, logs for investigation.
Exam Trap
Single Workspace Always Best: One workspace is NOT always the right answer. Multi-workspace is architecturally required for compliance isolation (PCI, HIPAA), data residency requirements, or multi-tenant billing separation.
Exam Trap
Event Hubs as Permanent Storage: Event Hubs are a real-time streaming bus — data is lost if not consumed. They are used to stream logs to SIEM tools, not as backup or archive. Use Storage Accounts for archive.
Exam Trap
All Logs Are Searchable: Basic Logs tier reduces ingestion cost but limits query frequency and features. Use Basic Logs only for high-volume diagnostic data that you rarely need to query.
Exam Tip
Cost Optimization Pattern: For predictable high-volume ingestion (≥100 GB/day), recommend a Commitment Tier. For data older than 31 days that's rarely accessed, recommend archive tier (long-term retention). Combine both for compliance + cost.
Must Memorize
Workspace Separation Triggers: Require separate workspaces when: (1) compliance frameworks mandate data isolation, (2) data residency laws require regional separation, (3) multi-tenant billing must be separated.
Review Questions
- What is the difference between Azure Monitor Metrics and Logs?
- When should you use multiple Log Analytics workspaces instead of one?
- What is the purpose of Event Hubs in a monitoring architecture?
- How does long-term retention (archive) in Log Analytics reduce costs?
- What is Application Insights and how does it differ from Log Analytics?
- What commitment tier should you recommend for an organization ingesting 500 GB/day?