Azure Log Analytics Workspace is the logical storage unit where log data is collected and stored. It can be considered as the basic management unit of Azure Monitor Logs. It is used to collect data from various sources such as Azure Virtual Machines, Windows or Linux Virtual Machines, Azure Resources in a subscription, etc. This blog will brief you on what is an Azure Log Analytics Workspace and how to manage it.
What is Azure Log Analytics Workspace?
We may have different resources under different subscriptions and various Azure Monitors to monitor them. But where are the data collected from those monitors stored? The answer is Azure Log Analytics Workspace. An Azure Log Analytics Workspace is a logical storage unit in Azure where all log data generated by Azure Monitors are stored. Azure Log Analytics Workspace makes it easier for us to manage the log data that is collected from various data sources like Azure Virtual Machines.
Need for Azure Log Analytics Workspace
A Log Analytics workspace can be considered as the basic management unit of Azure Monitor Logs. All data collected from monitors need a place to be stored and managed. Log Analytics Workspace acts as a logical storage unit where you can easily store, retain, and query data collected from various resources that have been monitored in Azure to provide valuable insights for those resources.
Create a Log Analytics Workspace
In the Azure Portal, click All Services and select Monitors from the list of services displayed. Once you click Monitors a group of resources under monitors will be displayed. Select Log Analytics Workspace from the group of resources displayed.
Once you click Log Analytics Workspace, a list of previously configured Workspaces will be displayed. Click Add to create a new Log Analytics Workspace.
Now provide the following values to create a new Workspace
- Select a Subscription from the list of subscriptions provided
- Select a Resource Group from the list of resource groups provided or create a new resource group
- Provide a name for the Log Analytics Workspace. The provided name must be globally unique across all Azure Monitor subscriptions
- Select an available Location
- Since the Pricing has been updated for Log Analytics Workspace after April 2 2018, only the Pay-as-you-go (Per GB 2018)plan will be available under the Pricing Tier. After providing the required information click
Delete an Azure Log Analytics Workspace
Two types of delete operations can be performed on Azure Log Analytics Workspace. They are
- Soft Delete
- Permanent Delete
When you try to delete a Log Analytics Workspace, by default, the soft delete operation is performed. This delete operation gives you an option to recover the Log Analytics Workspace within 14 days. While performing a soft delete operation the resources whose log data is being collected in the workspace remain in an orphaned state for the soft delete period. Once these 14 days are over, the workspace becomes non-recoverable and all its data will be permanently deleted within 30 days. After the 30 days, the workspace name is released and is available for reuse.
There may be some situations in which you need to permanently delete the Log Analytics Workspace. In such situations, you can use permanent delete to override the soft delete operation. The permanent delete operation deletes the workspace and all related data immediately and releases the workspace name for reuse.
Recover a Log Analytics Workspace
The recovery of a Log Analytics Workspace is possible only if the workspace has been deleted using soft delete operation. If you have contributor permission to the subscription and resource group in which the log analytics workspace was created, then you can recover the Log Analytics Workspace during the soft delete period. You can recover a Log Analytics Workspace by creating the workspace with the same details of the deleted workspace which include Workspace Name, Region, Resource Group Name, and Subscription Name.
Steps to delete a Log Analytics Workspace
You must at least have Log Analytics Contributor permission to delete a Log Analytics Workspace.
- Select the Azure Log Analytics Workspace you want to delete.
- On the top of the middle pane, you will be able to see a Delete option.
- Once you select the delete option a confirmation message appears prompting you to confirm the delete operation. Click Yes to delete the selected Log Analytics Workspace.
Move an Azure Log Analytics Workspace
You can move an Azure Log Analytics Workspace between resource groups and subscriptions you have access to using the following steps
- Select the Log Analytics Workspace you want to move
- In the Overview page, you can see a Change option specified near Resource Group and Subscription
- If you want to change the Resource Group in which the Workspace is present, you can select the change option near Resource Group and select the resource group to which you want to move the Workspace
- If you want to change the Subscription in which the Workspace is present, you can select the change option near Subscription and select the Subscription to which you want to move the Workspace
- Click Ok to move the workspace to the selected Resource Group or Subscription
Access Control to a Log Analytics Workspace
You can view the Access Control Mode on the overview page of the Log Analytics Workspace. There are two types of Access Control Modes for a Log Analytics Workspace. They are
- Use Resource or Workspace Permissions
- Require Workspace Permissions
Use Resource or Workspace Permissions
This access control mode allows granular role-based access control. User can be granted permission to only view log data of resources which are permitted to use this access control mode. When a user accesses the workspace on a Workspace-Context mode, the workspace permissions that have been given to the user will be applied. When a user accesses the workspace on a Resource-Context mode only the resource-based permissions are considered, and the workspace related permissions are ignored for those resources. This is the default access control mode for Log Analytics Workspaces.
Require Workspace Permission
This access control mode does not allow granular role-based access control. For a user to access the workspace, they must have permission to the workspace or specific tables in the workspace. If a user enters the workspace in a Workspace-Context mode, the user has access to all the tables and data in the workspace. If the user enters the workspace in a Resource-Context mode, they will have access only to the data for the resource in any table they have been granted access to.
Change Access Control Mode for Log Analytics Workspace
You can change the Access Control Model for the Log Analytics Workspace in the Properties section of the Log Analytics Workspace.
- Go to the Properties section of the Log Analytics Workspace
- You can see the current access control mode with a Click to Change Option. (This option will be disabled if the user does not have permission to change the access control mode)
- Click the current access mode to switch between the two available access control modes.
Log Analytics Workspace facilitates an assured monitoring service to fulfill the monitoring needs of the user. I Hope, this blog helps you to understand what an Azure Log Analytics Workspace is and how to manage it.