
Microsoft Azure – Query System Event Log Data Using Azure KQL


In this article, we retrieve system event log data for Windows and Linux machines from Log Analytics data sources using the Kusto Query Language (KQL). Captured System Event Logs can be queried through the Event table in KQL, which helps users troubleshoot Windows or Linux system failures, warnings, and other informational events without logging in to the systems themselves. The data can be accessed and exported directly from Azure Monitor.

Pre-requisite:

  • The Log Analytics Workspace agent configuration (data sources) must be enabled to collect the event logs; otherwise the Event table stays empty.

1. Get all System Event Logs from Select Subscription:

The default KQL query to find all the System Event Logs from the selected subscription, subscriptions, or scope:

Event
| where TimeGenerated > ago(1d) and EventLog has "System"

Output:

2. Get all the System Event Log IDs from Select Subscription:

The KQL query to find all distinct System Event Log IDs from the selected subscription, subscriptions, or scope:

Event
| where TimeGenerated > ago(1d)
| where EventLog has "System"
| distinct EventID

Output:

3. Get System Event Logs for Select Event ID:

The KQL query to find the system event logs for a selected event ID or for multiple event IDs.

Example 1: To find the system event logs for a selected event ID, let's say 7031, from the selected scope:

Event
| where TimeGenerated > ago(1d)
| where EventLog has "System"
| where EventID == 7031

Output:

Example 2: To find the system event logs for multiple event IDs, let's say 7031 and 7000, from the selected scope:

Event
| where TimeGenerated > ago(1d)
| where EventLog has "System"
| where EventID in (7031, 7000)

Output:

4. Get Generated Events:

The KQL query to find all the events generated for the selected subscription or subscriptions and project only the event timestamp, the application source on the system, the Event Log type, the Event ID, the rendered event description, and the resource ID of the machine that generated the event:

Event
| where TimeGenerated > ago(1d)
| where EventLog has "System" and isnotnull(EventID)
| project TimeGenerated, Source, EventLog, EventID, RenderedDescription, _ResourceId

Output:
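Building on the queries above, the following added example (not from the original article) turns the service-failure event IDs 7000 and 7031 into a per-machine triage view: it counts repeated failures per service, records when they were first and last seen, and keeps only machines over a threshold. It assumes the Event table's ParameterXml column carries the service name as the first <Param> element for these Service Control Manager events, and the threshold of 3 is an arbitrary, constructed value.

```kql
// Added example, not part of the original article.
// Triage repeated Windows service failures from the Event table:
//   7000 = service failed to start, 7031 = service terminated unexpectedly.
let lookback = 1d;
let failureThreshold = 3;   // constructed value; tune for the environment
Event
| where TimeGenerated > ago(lookback)
| where EventLog == "System" and Source == "Service Control Manager"
| where EventID in (7000, 7031)
// Assumption: the first <Param> in ParameterXml is the service name for these events.
| extend ServiceName = extract(@"<Param>([^<]*)</Param>", 1, ParameterXml)
| summarize Failures = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated),
            EventIds  = make_set(EventID)
          by Computer, ServiceName, _ResourceId
| where Failures >= failureThreshold
| order by Failures desc
```

Machines that appear at the top of this list are the ones to inspect first; a single service cycling between 7031 and 7000 usually indicates a crash loop rather than isolated failures.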


Last Updated : 31 Mar, 2023