Azure Monitor: metrics, logs, and diagnostic settings
Azure Monitor collects two types of data. Metrics are numeric time-series values that resources emit at regular intervals: VM CPU percentage, storage account transaction count, App Service response time. Metrics are stored for up to 93 days and are available in near real time. Logs are structured records of events: a VM emitting its Windows event log, an NSG emitting flow log records, or your application emitting custom trace messages. Logs are stored in Log Analytics workspaces and retained based on the workspace retention policy.
Diagnostic settings control which metrics and logs a resource sends to which destination. By default, most Azure resources do not automatically send logs anywhere: you must configure diagnostic settings on each resource to route data to a Log Analytics workspace, a storage account, an Event Hub, or a combination. Platform metrics are automatically collected for most services without diagnostic settings, but resource logs require explicit configuration. A missing diagnostic setting is the most common reason monitoring data is unavailable during an incident.
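An added example, not part of the original page: a Python audit that flags resources whose resource logs would be missing or not queryable during an incident. The inventory is constructed sample data, and its field names (workspaceId, storageAccountId, eventHubAuthorizationRuleId, logs[].enabled) are assumed to match what `az monitor diagnostic-settings list --resource <id>` returns for each resource.

```python
# Added example: audit diagnostic-settings coverage from an exported inventory.
# All resource IDs and settings below are constructed sample data.
BASE = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/"
WORKSPACE = BASE + "Microsoft.OperationalInsights/workspaces/law-demo"
ARCHIVE = BASE + "Microsoft.Storage/storageAccounts/stdemoarchive"
KV = BASE + "Microsoft.KeyVault/vaults/kv-demo"
NSG = BASE + "Microsoft.Network/networkSecurityGroups/nsg-demo"
SQL = BASE + "Microsoft.Sql/servers/sql-demo/databases/db-demo"
APP = BASE + "Microsoft.Web/sites/app-demo"

# Assumed field names: one per destination a diagnostic setting can route to.
DESTINATION_FIELDS = {
    "workspaceId": "Log Analytics",
    "storageAccountId": "Storage",
    "eventHubAuthorizationRuleId": "Event Hub",
}

# resource ID -> list of diagnostic settings configured on that resource
SAMPLE_INVENTORY = {
    KV: [{"name": "to-law", "workspaceId": WORKSPACE,
          "logs": [{"category": "AuditEvent", "enabled": True}]}],
    NSG: [],  # nothing configured: resource logs go nowhere
    SQL: [{"name": "archive-only", "storageAccountId": ARCHIVE,
           "logs": [{"category": "SQLSecurityAuditEvents", "enabled": True}]}],
    APP: [{"name": "disabled", "workspaceId": WORKSPACE,
           "logs": [{"category": "AppServiceHTTPLogs", "enabled": False}]}],
}

def classify(settings):
    """Return a coverage status for one resource's diagnostic settings."""
    if not settings:
        return "no-settings"
    destinations = set()
    for setting in settings:
        # A setting only counts if at least one log category is enabled.
        if any(log.get("enabled") for log in setting.get("logs") or []):
            destinations |= {label for field, label in DESTINATION_FIELDS.items()
                             if setting.get(field)}
    if not destinations:
        return "no-logs-routed"
    # Storage or Event Hub alone keeps the data but it cannot be queried with KQL.
    return "ok" if "Log Analytics" in destinations else "not-queryable"

def audit(inventory):
    """Map each resource ID to its coverage status."""
    return {rid: classify(settings) for rid, settings in inventory.items()}

def gaps(inventory):
    """Resource IDs that would leave an investigator without queryable logs."""
    return sorted(rid for rid, status in audit(inventory).items() if status != "ok")
```
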
Log Analytics workspaces are the destination for log data and the query engine for analysis. Data from multiple resources and subscriptions can flow into a single workspace, enabling cross-resource queries. Queries use Kusto Query Language (KQL), a readable syntax designed for log analytics. A basic KQL query filters by resource type, time range, and a keyword; more complex queries aggregate, join, and project to answer specific questions about application behavior.
Alerts, Application Insights, and Azure Monitor integration
Azure Monitor alerts trigger when a metric or log query result crosses a threshold or matches a condition. Metric alerts are evaluated continuously and fire as soon as the condition is met, typically within a minute. Log search alerts run a KQL query on a schedule and trigger when the result count or value exceeds a threshold. When an alert fires, it triggers an action group: a named set of actions including email notifications, SMS, voice calls, webhook calls, Azure Functions invocations, or ITSM integrations.
Application Insights is the application performance monitoring (APM) layer of Azure Monitor. It instruments your application code to collect traces, exceptions, dependency calls, and custom events. In the Azure portal, Application Insights provides live metrics, failure analysis, request rate and response time trending, and end-to-end distributed tracing across multiple services. For web applications, Application Insights is the difference between knowing your application is slow and knowing exactly which database call is making it slow.
Azure Monitor Workbooks combine metrics, logs, and static text into interactive reports. They are useful for operational dashboards, weekly reliability reviews, and capacity planning documents. Azure Monitor for VMs provides pre-built dashboards for VM performance and dependencies. Activity Log captures all control-plane operations in Azure (who created, modified, or deleted resources) and integrates with alerts so you can detect unauthorized changes.
How to choose the correct answer
Metrics: numeric, near-real-time, 93-day retention, no diagnostic settings needed for platform metrics.
Logs: structured events, Log Analytics workspace, KQL queries, configurable retention.
Diagnostic settings: required to route resource logs and metrics to Log Analytics, Storage, or Event Hub.
Metric alert: fires on numeric threshold breach, fast response (within minutes).
Log search alert: KQL query runs on schedule, fires on result condition. Useful for pattern-based detection.
Action group: defines what happens when an alert fires (email, SMS, webhook, function, ITSM).
Application Insights: application-level APM, traces, exceptions, dependencies, distributed tracing.
Activity Log: control-plane audit trail (who did what to which Azure resource). 90-day default retention.