Azure Monitor: Metrics & Logs
You can't manage what you can't measure. Azure Monitor collects two types of data: metrics (numbers) and logs (events). Learn how to configure diagnostic settings, query logs with KQL, and build the monitoring foundation for your Azure environment.
What is Azure Monitor?
Azure Monitor is like the dashboard in your car: it shows you speed, fuel level, engine temperature, and warning lights all in one place.
Every Azure resource generates data about what it's doing. Azure Monitor collects all that data and gives you two views: metrics (the gauges: CPU percentage, memory usage, request count) and logs (the trip diary: who did what, when, and what happened). Metrics are numbers on a timeline; logs are detailed event records you can search and query.
Metrics vs Logs
| Feature | Metrics | Logs |
|---|---|---|
| Data type | Numeric time-series (e.g., 75% CPU) | Structured event records (e.g., user signed in) |
| Collection | Automatic for most resources | Requires diagnostic settings to be configured |
| Query language | Metrics Explorer (visual charts) | KQL in Log Analytics |
| Latency | Near real-time (1-minute intervals) | Minutes (ingestion delay) |
| Retention | 93 days by default | 30 days to 2 years (configurable per workspace) |
| Cost | Free for platform metrics | Pay per GB ingested |
| Best for | Dashboards, alerts on thresholds | Deep investigation, correlation, compliance |
Platform metrics
Most Azure resources emit platform metrics automatically, with no configuration needed. Examples:
| Resource | Common Metrics |
|---|---|
| VM | CPU percentage, available memory, disk IOPS, network in/out |
| Storage Account | Transactions, ingress/egress, availability, latency |
| App Service | HTTP requests, response time, HTTP 5xx errors |
| SQL Database | DTU percentage, storage percentage, deadlocks |
| Load Balancer | Health probe status, byte count, packet count |
You view metrics in Metrics Explorer: select a resource, choose a metric, set a time range, and see a chart. You can pin charts to dashboards and set up alerts.
Exam tip: Metrics are automatic; logs are not
Platform metrics are collected automatically for most Azure resources at no additional cost. Logs, however, require you to configure diagnostic settings to send data to a destination (Log Analytics workspace, Storage account, or Event Hubs). If you haven't set up diagnostic settings, you have metrics but no logs.
Diagnostic settings
Diagnostic settings control WHERE monitoring data goes. Each resource can have multiple diagnostic settings sending data to different destinations.
| Destination | Use Case |
|---|---|
| Log Analytics workspace | Querying and analysis with KQL, alerting |
| Storage account | Long-term archival, compliance |
| Event Hubs | Streaming to third-party SIEM (Splunk, Sentinel) |
| Partner solution | Datadog, Elastic, and other integrated partners |
What you can send:
- Resource logs (audit events, operations)
- Metrics (for longer retention or cross-resource analysis)
- Activity log (subscription-level events: resource created, role assigned, policy changed)
Real-world: Meridian Financial's monitoring setup
Meridian Financial configures diagnostic settings on every resource:
- All resources send logs and metrics to a central Log Analytics workspace for querying and alerts
- Critical resources (SQL, Key Vault) also send to a storage account for 7-year compliance retention
- Activity log streams to Event Hubs, feeding their SIEM (Microsoft Sentinel) for security analysis
Alex creates an Azure Policy that automatically deploys diagnostic settings on any new resource, ensuring nothing is ever unmonitored.
Querying logs with KQL
Kusto Query Language (KQL) is how you query data in Log Analytics. If you know PowerShell piping, KQL feels familiar: it uses a pipe syntax where each operation feeds into the next.
Basic KQL patterns
Filter rows:
```kql
AzureActivity
| where OperationNameValue == "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE"
| where TimeGenerated > ago(24h)
```
Count and summarise:
```kql
AzureMetrics
| where ResourceProvider == "MICROSOFT.COMPUTE"
| summarize AvgCPU = avg(Average) by bin(TimeGenerated, 1h)
```
Find errors:
```kql
AppExceptions
| where TimeGenerated > ago(1h)
| project TimeGenerated, ExceptionType, OuterMessage
| order by TimeGenerated desc
```
Render a chart:
```kql
Perf
| where CounterName == "% Processor Time"
| summarize AvgCPU = avg(CounterValue) by bin(TimeGenerated, 5m), Computer
| render timechart
```
Key KQL operators
| Operator | What It Does |
|---|---|
| where | Filters rows (like SQL WHERE) |
| summarize | Aggregates data (count, avg, sum, max, min) |
| project | Selects specific columns |
| order by | Sorts results |
| ago() | Relative time filter (ago(1h), ago(7d)) |
| bin() | Groups time into intervals |
| render | Creates charts (timechart, barchart, piechart) |
| join | Combines data from two tables |
Exam tip: KQL pipe syntax
KQL uses a pipe (|) syntax similar to PowerShell. Data flows left to right, and each operator transforms the result. The table name comes first, then filters, then transformations, then output. The exam tests basic KQL reading comprehension: you need to understand what a query does, not write complex queries from scratch.
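The Meridian setup above forwards the Activity log to Log Analytics and relies on an Azure Policy to keep diagnostic settings in place. This added example (not code from the original page) puts the operators in the table to work on that scenario: it lists who deleted or rewrote a diagnostic setting, or assigned a role, in the last 7 days. The operation names are the upper-case values the AzureActivity table records; the expected-callers list is a constructed placeholder.

```kql
// Added example, not from the original page.
// Surface Activity log events that change what is monitored or who has access:
// a deleted or rewritten diagnostic setting silences a resource's logs, and a
// new role assignment widens access. Both are subscription-level events and
// land in AzureActivity once the Activity log is sent to the workspace.
let lookback = 7d;
// Constructed placeholder: identities allowed to change these settings
// (for example the pipeline that deploys the diagnostic-settings policy).
let expectedCallers = dynamic(["deploy-pipeline@meridian.example"]);
AzureActivity
| where TimeGenerated > ago(lookback)
| where OperationNameValue in~ (
    "MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE",
    "MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/WRITE",
    "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE")
// Keep only operations that actually completed; "Start" and "Failure" rows are noise here.
| where ActivityStatusValue =~ "Success"
// Drop the callers we expect to make these changes.
| where Caller !in~ (expectedCallers)
// One row per caller, source IP and operation, with the resources touched.
| summarize Operations = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Resources = make_set(Resource, 20)
    by Caller, CallerIpAddress, OperationNameValue
| order by Operations desc
```

Any row returned is a candidate for an alert rule on this query, and a diagnostic-setting delete by an unexpected caller is the one to investigate first, because every log after it is missing.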
Knowledge check
Alex notices that CPU metrics for his VMs show up in Metrics Explorer, but there are no log entries in Log Analytics. What is the most likely reason?
Meridian Financial's compliance team needs to retain all Azure activity logs for 7 years. Which diagnostic setting destination should Alex configure?
Which KQL query correctly counts the number of VM write operations in the last 7 days?