0
votes

I have created an Activity Log Alert in Azure that does a custom log search against an Application Insights instance. The alert is working and the action groups are notified through the channels I have set up. The problem I'm having is creating that alert in the ARM template we are using to deploy the resources.

When looking at the automation script in the portal, the alerts (microsoft.insights/scheduledqueryrules) are left out and are not visible. I can't find any information online on how to write the condition in the template so it works with a custom log search.

Any suggestions on where to find info on how to write the condition, or how to extract the template from the portal for those alerts?

2
I could find the alerts in the automation script on the portal on my side. But I'm not sure how to write the condition; you could refer to this article. - Joy Wang-MSFT
Can you see alerts of type scheduledqueryrules? - Jonas K
For some reason scheduled queries are not always visible after you create them (doesn't matter if this is via ARM or by hand). They also don't show up in resource.azure.com. You can create them by ARM though. I will add an answer for the ARM part. - Jorn Theunissen

2 Answers

2
votes

This is an ARM template part that creates an alert with a scheduled query. It also adds an array of action groups that get notified when the alert is triggered:

{
  "name": "[parameters('scheduleQueryMonitorApplicationError')]",
  "type": "microsoft.insights/scheduledqueryrules",
  "apiVersion": "2018-04-16",
  "location": "[resourceGroup().location]",
  "tags": {
    "[concat('hidden-link:', subscription().id, '/resourceGroups/', parameters('resourceGroupName'), '/providers/microsoft.insights/components/', parameters('applicationInsightsName'))]": "Resource"
  },
  "properties": {
    "description": "[parameters('scheduleQueryMonitorApplicationError')]",
    "enabled": "true",
    "source": {
      "query": "traces | where severityLevel == 3",
      "queryType": "ResultCount",
      "dataSourceId": "[resourceId('microsoft.insights/components', parameters('applicationInsightsName'))]"
    },
    "schedule": {
      "frequencyInMinutes": 5,
      "timeWindowInMinutes": 5
    },
    "action": {
      "odata.type": "Microsoft.WindowsAzure.Management.Monitoring.Alerts.Models.Microsoft.AppInsights.Nexus.DataContracts.Resources.ScheduledQueryRules.AlertingAction",
      "severity": "3",
      "aznsAction": {
        "actionGroup": "[array( resourceId('microsoft.insights/actiongroups', parameters('actionGroupName')) )]"
      },
      "trigger": {
        "threshold": 1,
        "thresholdOperator": "GreaterThan"
      }
    }
  },
  "dependsOn": [
    "[resourceId('microsoft.insights/components', parameters('applicationInsightsName'))]"
  ]
},
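
A CI-style check for templates like the one above, as an added example that is not part of the original answer: it parses an ARM template and flags scheduled query rules that are disabled, have no action group, or query a time window shorter than their run frequency. The function names and the sample rule names are assumptions made for illustration.

```python
import json

RULE_TYPE = "microsoft.insights/scheduledqueryrules"

def lint_rule(res):
    """Return the problems found in one scheduledqueryrules resource."""
    props = res.get("properties", {})
    source, schedule, action = (props.get(k, {}) for k in ("source", "schedule", "action"))
    problems = []
    # API version 2018-04-16 takes "enabled" as the string "true" or "false".
    if props.get("enabled") != "true":
        problems.append("rule is not enabled")
    if not str(source.get("query", "")).strip():
        problems.append("source.query is empty")
    if not source.get("dataSourceId"):
        problems.append("source.dataSourceId is missing")
    freq = schedule.get("frequencyInMinutes")
    window = schedule.get("timeWindowInMinutes")
    if freq is None or window is None:
        problems.append("schedule is incomplete")
    elif isinstance(freq, int) and isinstance(window, int) and window < freq:
        # Only literal values are compared; template expressions are skipped.
        problems.append("time window shorter than frequency: gaps between runs")
    if not action.get("aznsAction", {}).get("actionGroup"):
        problems.append("no action group: nobody is notified")
    if not {"threshold", "thresholdOperator"} <= set(action.get("trigger", {})):
        problems.append("action.trigger is incomplete")
    return problems

def lint_template(template_text):
    """Map each scheduled query rule in an ARM template to its problems."""
    resources = json.loads(template_text).get("resources", [])
    return {r.get("name", "<unnamed>"): lint_rule(r)
            for r in resources if r.get("type", "").lower() == RULE_TYPE}

# Constructed sample: the answer's rule, then a copy with a 1-minute window and no action group.
GOOD = {"name": "app-errors", "type": RULE_TYPE, "properties": {
    "enabled": "true",
    "source": {"query": "traces | where severityLevel == 3", "queryType": "ResultCount",
               "dataSourceId": "[resourceId('microsoft.insights/components', parameters('applicationInsightsName'))]"},
    "schedule": {"frequencyInMinutes": 5, "timeWindowInMinutes": 5},
    "action": {"aznsAction": {"actionGroup": "[array(resourceId('microsoft.insights/actiongroups', parameters('actionGroupName')))]"},
               "trigger": {"threshold": 1, "thresholdOperator": "GreaterThan"}}}}
BAD = json.loads(json.dumps(GOOD))  # deep copy of the good rule
BAD["name"] = "app-errors-broken"
BAD["properties"]["schedule"]["timeWindowInMinutes"] = 1
BAD["properties"]["action"]["aznsAction"] = {}
SAMPLE = json.dumps({"resources": [GOOD, BAD]})
print(lint_template(SAMPLE))
```
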
0
votes

Please see this Stack Overflow thread, where a similar question was asked. Elfocrash mentions that he wrote a blog post about that, explaining how it works. I tried his method and it works.