Microsoft Azure – Query System Event Log Data Using Azure KQL

  • Last Updated : 21 Mar, 2022

In this article, we retrieve the system event log data of Windows and Linux machines from Log Analytics data sources using the Kusto Query Language (KQL). Captured System Event Logs are queried through the KQL Event table, which lets you troubleshoot Windows or Linux system failures, warnings, and other informational events without logging in to the systems themselves. The data is accessed and can be exported from Azure Monitor directly.

Prerequisite:

  • The Log Analytics workspace agent configuration must be enabled to collect the System event log; otherwise the Event table stays empty for that machine.

1. Get all System Event Logs from the Selected Subscription:

The default KQL query to find all System Event Logs from the selected subscription, subscriptions, or scope:

Event
| where TimeGenerated > ago(1d) and EventLog has "System"


2. Get all the System Event Log IDs from the Selected Subscription:

The KQL query to list the distinct System event log IDs from the selected subscription, subscriptions, or scope:

Event
| where TimeGenerated > ago(1d)
| where EventLog has "System"
| distinct EventID


3. Get System Event Logs for a Selected Event ID:

The KQL query to find the system event logs for a selected event ID or for multiple event IDs.

Example 1: To find the system event logs for a selected event ID, say 7031, from the selected scope.

Event
| where TimeGenerated > ago(1d)
| where EventLog has "System"
| where EventID == 7031   // EventID is an integer column, so compare against a number, not a string


Example 2: To find the system event logs for multiple event IDs, say 7031 and 7000, from the selected scope.

Event
| where TimeGenerated > ago(1d)
| where EventLog has "System"
| where EventID == 7031 or EventID == 7000   // integer comparison; the same filter can be written as EventID in (7031, 7000)
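The following query, added here as an example and not part of the original article, builds on the multiple-event-ID filter above. Instead of returning every matching row, it uses the `in` operator and a `summarize` step to show which computers logged repeated service failures (event IDs 7031 and 7000 from the examples), with first and last occurrence and a sample message. It assumes the standard Azure Monitor `Event` table; the 1-day window and the threshold of 3 events are illustrative choices.

```kql
// Added example (not from the original article): hosts with repeated service failures.
// Assumes the standard Azure Monitor 'Event' table. Lookback and threshold are illustrative.
let lookback = 1d;
Event
| where TimeGenerated > ago(lookback)
| where EventLog == "System"
| where EventID in (7031, 7000)                // 'in' replaces a chain of 'or' clauses
| summarize Failures = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            SampleMessage = take_any(RenderedDescription)
          by Computer, EventID, Source
| where Failures >= 3                          // illustrative threshold: repeated failures only
| order by Failures desc
```

Grouping by `Computer` and `Source` turns a noisy event list into a short table of machines and services worth investigating; lowering the threshold or widening the lookback surfaces less frequent failures.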


4. Get Generated Events:

The KQL query to find all System events generated for the selected subscription or subscriptions and project only the event timestamp, the application source on the system, the event log type, the event ID, the event description, and the resource ID of the machine that generated the event:

Event
| where TimeGenerated > ago(1d)
| where EventLog has "System" and isnotnull(EventID)   // EventID is an integer, so test for null rather than an empty string
| project TimeGenerated, Source, EventLog, EventID, RenderedDescription, _ResourceId
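The following query, added here as an example and not part of the original article, extends the projection above. It keeps only Error and Warning level entries, adds the `Computer` and `EventLevelName` columns, and then buckets the projected events into hourly counts per computer so that a spike in System-log problems stands out on a chart rather than having to be spotted in a long event list. It assumes the standard Azure Monitor `Event` table; the 7-day window and 1-hour bin are illustrative choices.

```kql
// Added example (not from the original article): hourly trend of System-log errors and warnings per computer.
// Assumes the standard Azure Monitor 'Event' table. Window and bin size are illustrative.
Event
| where TimeGenerated > ago(7d)
| where EventLog == "System"
| where EventLevelName in ("Error", "Warning")   // drop Information-level noise
| where isnotnull(EventID)
| project TimeGenerated, Computer, Source, EventLog, EventID, EventLevelName, RenderedDescription, _ResourceId
| summarize Events = count() by bin(TimeGenerated, 1h), Computer
| render timechart
```

Remove the final `render` line to get the hourly counts as a table, which is the form to use when exporting the result or attaching it to an alert rule.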

