Azure Logging and Monitoring

Video Transcription
Hello, Cybrarians. Welcome to this lesson on Azure logging and monitoring. This lesson is part of the seventh module of the AZ-500 Microsoft Azure Security Technologies course.
Quick information on what we are covering in this lesson. We will start out with a conversation on Azure Service Health. We will then discuss Azure Monitor and why it is central to security operations in Azure. We will then discuss the key types of data, which are metrics, activity logs
and resource logs. Let's get right into this.
When we talk about security operations and monitoring, it's very easy to jump right into what we should be doing. But that's not where to start in Azure. Remember we talked about in the very first module that security is a shared responsibility, and this also extends to security operations. The first place to start with monitoring is getting visibility into things that we're not responsible for, but that could impact us. So, for example, I don't manage the underlying storage infrastructure in Azure, yet something that could be happening at that level could have an impact on the workloads that I'm running in Azure. So I need visibility into what is going on on the Microsoft side of things. Talking about that, Azure Service Health is a personalized Azure service status dashboard that can give us this type of information. Personalized means it gives us information in the context of the resources and regions that we're using in Azure. Service Health tracks four types of health events and highlights these to us. So, for example, it tracks service issues, which are problems in Azure services
that could be affecting us, again based on what we're using. It tracks planned maintenance: upcoming maintenance that could affect the availability of our services in the future. It tracks health advisories: changes in Azure services that could require our attention. So maybe there's a feature that we're currently using
that's going to be deprecated. And it also tracks security advisories, which are security-related notifications. For example,
if we're using a service that we've configured in a way that is known to be exploited, this is going to alert us to that. The great thing about Service Health is that we can configure proactive notifications for this, and I'll show you how to do this when we get to the demonstration part.
In terms of our responsibility for monitoring our services, Azure Monitor is critical to that. Azure Monitor is the central service for collecting and analyzing telemetry in Azure. Azure Monitor collects two fundamental types of data: we have metrics and logs. Metrics tell us how our resources are performing, and logs contain time-stamped records that show administrative and operational events. Now, the diagram that you're looking at on the screen
gives a high-level view of Azure Monitor.
On the left are the sources of monitoring data: that's the Azure platform itself, the operating system and even custom sources. At the center of the diagram are the data stores for metrics and logs, and on the right are the functions that Azure Monitor performs
with this collected data, and that includes functions like analysis, alerting and even streaming
to external systems. So you can see that Azure Monitor is a very comprehensive service. There is no monitoring without data, and core monitoring in Azure consists of some key data types, so we have metrics, we have activity logs and we have resource logs. If you can understand these three, monitoring in Azure
will be very clear to you. Let's go have a look
at these in detail. The first stop is metrics. Metrics are defined as numerical values that describe some aspect of a system at a point in time. But what does that mean?
We primarily mean health and performance data of Azure resources that are emitted by the Azure platform into Azure Monitor.
So how do we enable metrics? The good news is that we don't need to do anything to enable them; they are enabled by default. Once we create an Azure resource that supports metrics, this data is collected by the Azure platform and sent into Azure Monitor. How often is the data sent? Metrics are emitted
every minute for most Azure resources.
There are a few metrics that are emitted every five minutes, but most metrics are emitted every minute. So where are metrics stored, and for how long are they retained? Metrics are stored in the metrics data store of Azure Monitor, like what we saw in the diagram. They are retained for 93 days,
free of charge. If we want to keep metrics for longer than 93 days,
we can export them to a third-party service or even to Azure Blob storage. So what can we do with this data? Once it's in Azure Monitor, we can analyze and visualize the data using a free tool called Metrics Explorer.
We can visualize it using Azure Monitor workbooks, which is also free. We can configure alerts using a metrics alert rule.
There's a cost associated with alerts. We can use this data as a trigger for automated events like autoscaling. So, for example, if the CPU metric of an App Service exceeds the 80% threshold, we can automatically trigger a scale-out event. And also we can export metrics
to a Log Analytics workspace for event correlation and for further analysis. So let's go have a look at activity logs. Activity logs
are a platform log in Azure that provides insight into subscription-level events. So, for example, when a resource is modified, let's say a virtual machine is started or a configuration has changed on an Azure resource, this information is logged in activity logs. How do we enable activity logs?
Like metrics, they're enabled by default. Whenever there's an administrative-level event or operation,
this is logged. Can we modify activity logs? No. They're system generated. They cannot be changed and they cannot be deleted, which is good from a security perspective when we're doing our forensics. How long are they retained? Activity logs are retained for 90 days free of charge, and if you want to keep them for longer,
we can export them to another service for longer retention or even
export them to Azure Blob storage. So what can we do with activity log data? We can view, query and filter them using the Activity Log menu. We can alert on them using an activity log alert rule in Azure Monitor; there is a cost associated with this. We can use activity logs as a trigger for automated events.
We can export them
to a Log Analytics workspace for event correlation and for further analysis. So let's have a look at resource logs. Resource logs are logs generated by Azure resources themselves. In some cases they are referred to as diagnostic logs.
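Before going further into resource logs, here is an added example for the activity log discussion above. It is not code from the lesson or from Microsoft: it runs the kind of watchlist logic that an activity log alert rule or a Log Analytics query would encode over a handful of constructed Activity Log records, flagging successful administrative operations that a security team would want to know about (role assignment changes, network security rule changes, Key Vault access policy changes, and deletion of a diagnostic setting, which switches logging off). The operation names are real Azure resource-provider operation strings, but the choice of which ones to watch, the callers, the subscription id and the flattened record shape (the real export nests `operationName`, `category` and `status` under `{"value": ...}`) are assumptions made for this example.

```python
"""Flag security-relevant administrative operations in Azure Activity Log records."""
from collections import defaultdict
from fnmatch import fnmatch

# Constructed sample events in a flattened version of the Activity Log event
# shape. The subscription id, callers and resource names are placeholders.
RID = "/subscriptions/<subscription-id>/resourceGroups/rg-app/providers"
SAMPLE_EVENTS = [
    {"eventTimestamp": "2024-01-10T09:01:12Z", "category": "Administrative",
     "operationName": "Microsoft.Compute/virtualMachines/start/action",
     "status": "Succeeded", "caller": "ops@example.com",
     "resourceId": f"{RID}/Microsoft.Compute/virtualMachines/vm1"},
    # A write usually appears twice: once as Started, once as Succeeded.
    {"eventTimestamp": "2024-01-10T09:05:00Z", "category": "Administrative",
     "operationName": "Microsoft.Authorization/roleAssignments/write",
     "status": "Started", "caller": "admin@example.com",
     "resourceId": f"{RID}/Microsoft.Compute/virtualMachines/vm1/providers/Microsoft.Authorization/roleAssignments/<assignment-id>"},
    {"eventTimestamp": "2024-01-10T09:05:03Z", "category": "Administrative",
     "operationName": "Microsoft.Authorization/roleAssignments/write",
     "status": "Succeeded", "caller": "admin@example.com",
     "resourceId": f"{RID}/Microsoft.Compute/virtualMachines/vm1/providers/Microsoft.Authorization/roleAssignments/<assignment-id>"},
    {"eventTimestamp": "2024-01-10T09:20:41Z", "category": "Administrative",
     "operationName": "Microsoft.Network/networkSecurityGroups/securityRules/write",
     "status": "Succeeded", "caller": "admin@example.com",
     "resourceId": f"{RID}/Microsoft.Network/networkSecurityGroups/nsg-app/securityRules/rule-1"},
    {"eventTimestamp": "2024-01-10T09:31:09Z", "category": "Administrative",
     "operationName": "Microsoft.Insights/diagnosticSettings/delete",
     "status": "Succeeded", "caller": "svc-automation@example.com",
     "resourceId": f"{RID}/Microsoft.KeyVault/vaults/kv-app/providers/Microsoft.Insights/diagnosticSettings/to-law"},
    {"eventTimestamp": "2024-01-10T09:40:00Z", "category": "Administrative",
     "operationName": "Microsoft.KeyVault/vaults/accessPolicies/write",
     "status": "Failed", "caller": "ops@example.com",
     "resourceId": f"{RID}/Microsoft.KeyVault/vaults/kv-app"},
]

# Watchlist: fnmatch pattern over the operation name -> human-readable reason.
# Which operations to watch is an assumption for this example.
WATCHLIST = {
    "Microsoft.Authorization/roleAssignments/write": "RBAC role assignment created or changed",
    "Microsoft.Network/networkSecurityGroups/securityRules/*": "Network security rule created, changed or deleted",
    "Microsoft.KeyVault/vaults/accessPolicies/write": "Key Vault access policy changed",
    "Microsoft.Insights/diagnosticSettings/delete": "Diagnostic setting deleted (log collection turned off)",
}


def classify(event):
    """Return the watchlist reason matching this event, or None if it is not watched."""
    if event.get("category") != "Administrative":
        return None
    op = event.get("operationName", "").lower()
    for pattern, reason in WATCHLIST.items():
        if fnmatch(op, pattern.lower()):   # lower-cased: fnmatch is case-sensitive on POSIX
            return reason
    return None


def find_sensitive_operations(events, succeeded_only=True):
    """Return findings for watched operations, keeping only completed ones by default.

    Filtering on status == "Succeeded" avoids a double alert for the Started/Succeeded
    pair and ignores attempts that the platform rejected.
    """
    findings = []
    for ev in events:
        reason = classify(ev)
        if reason is None:
            continue
        if succeeded_only and ev.get("status") != "Succeeded":
            continue
        findings.append({
            "time": ev["eventTimestamp"],
            "caller": ev["caller"],
            "operationName": ev["operationName"],
            "resourceId": ev["resourceId"],
            "reason": reason,
        })
    return findings


def summarize_by_caller(findings):
    """Count findings per caller, a quick triage view of who made sensitive changes."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["caller"]] += 1
    return dict(counts)


if __name__ == "__main__":
    found = find_sensitive_operations(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['time']} {f['caller']:<28} {f['reason']}")
    print(summarize_by_caller(found))
```

Over the constructed records the three successful sensitive changes are reported once each, the `Started` half of the role assignment write and the failed Key Vault change are dropped, and the per-caller summary shows where to look first.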
What they do is provide insight into operations performed within an Azure resource. All the other types of data that we've talked about
come from the Azure platform itself. Resource logs, on the other hand, come from within the resource itself. The content of resource logs varies by the Azure service and the resource type. So, for example, the resource logs that will be emitted by, let's say, a Key Vault
are a bit different from the resource logs that would be emitted by a Service Bus
or an Azure Container Registry, so each resource has its own different set of resource logs that it emits once enabled. Unlike metrics and activity logs, resource logs are not collected by default. However, we can go in and enable resource logs whenever we want to start collecting them.
The method of collection may vary depending on the resource type. So for platform services that are managed by Microsoft,
we can configure a diagnostic setting to start collecting resource logs, for services like storage accounts and container registries. For services like virtual machines and virtual machine scale sets, we can install an agent on those resources to start collecting resource-level logs.
So when we start to collect resource logs, where can we send them?
We have three options for where to send the logs: we can send them to a Log Analytics workspace, we can send them to an event hub, or we can send them to an Azure storage account, and there are different use cases for these different options.
For example, the event hub is mainly used to stream resource logs into external monitoring solutions like third-party SIEM solutions. The main use case for the storage account is to archive vast amounts of telemetry information for a fraction of the price. This is mainly for the archive use case. Whenever we configure sending resource logs to storage accounts,
we can also configure a retention period at the point of configuration. The main use case for Log Analytics is event correlation and further analysis, and the retention period is not something we specify at the point of configuration. Instead, it's something that is based on the configuration in Log Analytics itself. So, for example, Log Analytics by default retains data for a set number of days; however, we can extend that up to two years. Here are some supplemental links for further study on the topics covered in this lesson, and here's a summary of what we covered.
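Because resource logs are off until someone creates a diagnostic setting, a defender's first check is coverage: which resources have no setting at all, which settings send logs nowhere, and which storage-only archives keep data for less than policy requires. The following is an added example, not code from the lesson or from Microsoft. The setting dictionaries follow the shape that the diagnostic-settings REST API and `az monitor diagnostic-settings list` return (`logs[].category`, `logs[].enabled`, `logs[].retentionPolicy`, `workspaceId`, `storageAccountId`, `eventHubAuthorizationRuleId`), but the resource ids, setting names, the inventory itself and the 365-day minimum retention are constructed assumptions for this example. The log category names used in the sample (`AuditEvent`, `OperationalLogs`, `ContainerRegistryLoginEvents`) are real categories for those services.

```python
"""Audit Azure diagnostic settings for resource-log coverage (constructed sample data)."""

# Assumed organisational policy for logs archived to a storage account.
MIN_STORAGE_RETENTION_DAYS = 365

SUB = "/subscriptions/<subscription-id>/resourceGroups/rg-demo/providers"
KV = f"{SUB}/Microsoft.KeyVault/vaults/kv-demo"
SB = f"{SUB}/Microsoft.ServiceBus/namespaces/sb-demo"
ACR = f"{SUB}/Microsoft.ContainerRegistry/registries/acrdemo"
APP = f"{SUB}/Microsoft.Web/sites/app-demo"

# Constructed inventory of resources that support resource logs.
RESOURCES = [KV, SB, ACR, APP]

# Constructed diagnostic settings per resource, in the REST/CLI shape.
# APP deliberately has none: nothing is collected for it.
SETTINGS_BY_RESOURCE = {
    KV: [{
        "name": "to-law",
        "workspaceId": f"{SUB}/Microsoft.OperationalInsights/workspaces/law-demo",
        "storageAccountId": None, "eventHubAuthorizationRuleId": None,
        "logs": [{"category": "AuditEvent", "enabled": True,
                  "retentionPolicy": {"enabled": False, "days": 0}}],
    }],
    SB: [{
        "name": "archive",
        "workspaceId": None,
        "storageAccountId": f"{SUB}/Microsoft.Storage/storageAccounts/stlogsdemo",
        "eventHubAuthorizationRuleId": None,
        "logs": [{"category": "OperationalLogs", "enabled": True,
                  "retentionPolicy": {"enabled": True, "days": 30}}],
    }],
    ACR: [{
        "name": "broken",
        "workspaceId": None, "storageAccountId": None, "eventHubAuthorizationRuleId": None,
        "logs": [{"category": "ContainerRegistryLoginEvents", "enabled": True,
                  "retentionPolicy": {"enabled": False, "days": 0}}],
    }],
}

DESTINATION_KEYS = ("workspaceId", "storageAccountId", "eventHubAuthorizationRuleId")


def destinations(setting):
    """Return the destination keys that are actually set on a diagnostic setting."""
    return [k for k in DESTINATION_KEYS if setting.get(k)]


def enabled_categories(setting):
    """Return the log categories this setting collects."""
    return [log["category"] for log in setting.get("logs", []) if log.get("enabled")]


def storage_retention_days(log):
    """Effective storage retention for one category; 0 means keep indefinitely.

    In the diagnostic-settings retentionPolicy, a disabled policy or days == 0
    both leave blobs in place until something else deletes them.
    """
    policy = log.get("retentionPolicy") or {}
    return policy.get("days", 0) if policy.get("enabled") else 0


def audit_setting(setting, min_retention_days=MIN_STORAGE_RETENTION_DAYS):
    """Return a list of issue strings for one diagnostic setting (empty if fine)."""
    issues = []
    dests = destinations(setting)
    if not dests:
        issues.append("no destination configured; enabled categories are dropped")
    if not enabled_categories(setting):
        issues.append("no log category enabled")
    # Retention is only a concern where storage is the sole copy of the data.
    if dests == ["storageAccountId"]:
        for log in setting.get("logs", []):
            if not log.get("enabled"):
                continue
            days = storage_retention_days(log)
            if days != 0 and days < min_retention_days:
                issues.append(f"{log['category']}: storage retention {days}d "
                              f"is below policy minimum {min_retention_days}d")
    return issues


def audit_coverage(resources, settings_by_resource, min_retention_days=MIN_STORAGE_RETENTION_DAYS):
    """Map each resource id to its list of issues; an empty list means compliant."""
    report = {}
    for rid in resources:
        settings = settings_by_resource.get(rid, [])
        if not settings:
            report[rid] = ["no diagnostic setting: resource logs are not being collected"]
            continue
        report[rid] = [f"{s['name']}: {issue}" for s in settings
                       for issue in audit_setting(s, min_retention_days)]
    return report


def noncompliant(report):
    """Sorted resource ids that have at least one issue."""
    return sorted(rid for rid, issues in report.items() if issues)


if __name__ == "__main__":
    for rid, issues in audit_coverage(RESOURCES, SETTINGS_BY_RESOURCE).items():
        print(rid.rsplit("/", 1)[-1], "->", issues or "ok")
```

On the constructed inventory the Key Vault passes (logs flow to a workspace, where retention is governed by the workspace, as the lesson notes), the Service Bus archive is flagged for a 30-day retention below the assumed policy, the registry setting is flagged because it has no destination, and the App Service is flagged because nothing has been enabled for it at all.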
We started with a conversation on Azure Service Health. We then discussed Azure Monitor and why it's central to security operations. We then discussed the different types of data, talking about metrics,
activity logs and resource logs. Thanks very much for watching, and I'll see you in the next lesson.