Diagnostic Events for Azure Backup users
This article describes how to use diagnostics settings for Recovery Services vaults and Backup vaults for Azure Backup.
Azure Backup sends diagnostics events that can be collected and used for the purposes of analysis, alerting, and reporting.
You can configure diagnostics settings for a Recovery Services vault via the Azure portal by going to the vault and selecting Diagnostics settings. Selecting + Add Diagnostic Setting lets you send one or more diagnostic events to a storage account, an event hub, or a Log Analytics workspace.
Note
Recovery Services vaults can send diagnostic logs to a storage account located in the same region. They can also send these logs to a Log Analytics workspace that may be situated in either the same or a different region.
Diagnostics events available for Azure Backup users
Azure Backup provides the following diagnostics events. Each event provides detailed data on a specific set of backup-related artifacts:
- Core Azure Backup Data
- Addon Azure Backup Job Data
- Addon Azure Backup Policy Data
- Addon Azure Backup Storage Data
- Addon Azure Backup Protected Instance Data
- Azure Backup Operations
If you are still using the legacy event Azure Backup Reporting Data, we recommend switching to using the events above.
For more information, see Data model for Azure Backup diagnostics events.
Data for these events can be sent to a storage account, a Log Analytics workspace, or an event hub. The storage account needs to be in the same region as the Recovery Services vault. However, the Log Analytics workspace can be in a different region. If you're sending this data to a Log Analytics workspace, select the Resource specific toggle on the Diagnostics settings screen. For more information, see the following sections.
Use diagnostics settings with Log Analytics
You can now use Azure Backup to send vault diagnostics data to dedicated Log Analytics tables for backup. These tables are called resource-specific tables.
To send your vault diagnostics data to Log Analytics:
Go to your vault, and select Diagnostic Settings > + Add diagnostic setting.
Provide a name for the diagnostics setting.
Select the Send to Log Analytics checkbox, and select a Log Analytics workspace.
Select Resource specific and select the following six events: Core Azure Backup Data, Addon Azure Backup Job Data, Addon Azure Backup Policy Data, Addon Azure Backup Protected Instance Data, and Azure Backup Operations.
Select Save.
After data flows into the Log Analytics workspace, dedicated tables for each of these events are created in your workspace. You can query any of these tables directly. You can also perform joins or unions between these tables if necessary.
Important
Addon Azure Backup Alerts refers to the alerts generated by the classic alerts solution. Because the classic alerts solution is on a deprecation path in favor of Azure Monitor-based alerts, we recommend that you don't select the event Addon Azure Backup Alerts when configuring diagnostics settings. To send the fired Azure Monitor-based alerts to a destination of your choice, you can create an alert processing rule and action group that routes these alerts to a logic app, webhook, or runbook that in turn sends these alerts to the required destination.
For Recovery Services vaults, the six events (Core Azure Backup, Addon Azure Backup Jobs, Addon Azure Backup Policy, Addon Azure Backup Storage, Azure Backup Operations, and Addon Azure Backup Protected Instance) are supported only in the resource-specific mode in Backup reports. If you try to send data for these events in the Azure diagnostics mode, no data will appear in Backup reports.
For Backup vaults, information on the frontend size and backup storage consumed is already included in the Core Azure Backup and Addon Azure Backup Protected Instances events (to aid query performance). The Addon Azure Backup Storage event therefore isn't applicable to Backup vaults, which avoids the creation of redundant tables.
Legacy event
Traditionally, for Recovery Services vaults, all backup-related diagnostics data for a vault was contained in a single event called Azure Backup Reporting Data. The six events described here are, in essence, a decomposition of all the data contained in Azure Backup Reporting Data.
Currently, we continue to support the Azure Backup Reporting Data event for Recovery Services vaults for backward compatibility in cases where you have existing custom queries on this event, for example, custom log alerts and custom visualizations. We recommend that you move to the new events as early as possible. The new events:
- Make the data much easier to work with in log queries.
- Provide better discoverability of schemas and their structure.
- Improve performance across both ingestion latency and query times.
The legacy event in Azure diagnostics mode will eventually be deprecated. Choosing the new events can help you avoid complex migrations later. Our Log Analytics-based reporting solution will also cease support for data from the legacy event.
Note
For Backup vaults, all diagnostics events are sent to the resource-specific tables only, so you don't need to do any migration for Backup vaults. The preceding section is specific to Recovery Services vaults.
Steps to move to new diagnostics settings for a Log Analytics workspace
Identify which vaults are sending data to the Log Analytics workspaces by using the legacy event and the subscriptions they belong to. Run the following query in each of your workspaces to identify these vaults and subscriptions.
let RangeStart = startofday(ago(3d));
let VaultUnderAzureDiagnostics = (){
    AzureDiagnostics
    | where TimeGenerated >= RangeStart
    | where Category == "AzureBackupReport" and OperationName == "Vault" and SchemaVersion_s == "V2"
    | summarize arg_max(TimeGenerated, *) by ResourceId
    | project ResourceId, Category};
let VaultUnderResourceSpecific = (){
    CoreAzureBackup
    | where TimeGenerated >= RangeStart
    | where OperationName == "Vault"
    | summarize arg_max(TimeGenerated, *) by ResourceId
    | project ResourceId, Category};
// Some Workspaces will not have AzureDiagnostics Table, so you need to use isFuzzy
let CombinedVaultTable = (){
    union isfuzzy = true
    (VaultUnderAzureDiagnostics() ),
    (VaultUnderResourceSpecific() )
    | distinct ResourceId, Category};
CombinedVaultTable
| where Category == "AzureBackupReport"
| join kind = leftanti (
    CombinedVaultTable
    | where Category == "CoreAzureBackup"
    ) on ResourceId
| parse ResourceId with * "SUBSCRIPTIONS/" SubscriptionId:string "/RESOURCEGROUPS" * "MICROSOFT.RECOVERYSERVICES/VAULTS/" VaultName:string
| project ResourceId, SubscriptionId, VaultName
The following screenshot shows the query being run in one of the workspaces:
Use the built-in Azure Policy definitions in Azure Backup to add a new diagnostics setting for all vaults in a specified scope. This policy adds a new diagnostics setting to vaults that either don't have a diagnostics setting or have only a legacy diagnostics setting. This policy can be assigned to an entire subscription or resource group at a time. You must have Owner access to each subscription for which the policy is assigned.
You might choose to have separate diagnostics settings for Azure Backup Report and the six new events until you've migrated all of your custom queries to use data from the new tables. The following image shows an example of a vault that has two diagnostic settings. The first setting, named Setting1, sends data of an Azure Backup Report event to a Log Analytics workspace in Azure diagnostics mode. The second setting, named Setting2, sends data of the six new Azure Backup events to a Log Analytics workspace in the resource-specific mode.
Important
The Azure Backup Report event is supported only in Azure diagnostics mode. If you try to send data for this event in the resource-specific mode, no data will flow to the Log Analytics workspace.
Note
The toggle for Azure diagnostics or Resource specific appears only if the user selects Send to Log Analytics. To send data to a storage account or an event hub, a user selects the required destination and selects the check boxes for any of the desired events, without any additional inputs. Again, we recommend that you don't choose the legacy event Azure Backup Reporting Data going forward.
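The mode rules above fail silently (data simply stops appearing), so it helps to check exported diagnostic settings against them. The following is an added example, not part of the original article or of Azure Backup: it audits a vault's settings in the JSON shape returned by the Azure Monitor diagnostic settings API. Assumptions: category identifiers other than `AzureBackupReport` and `CoreAzureBackup` (which appear in the query above) are assumed to match the event names, a missing `logAnalyticsDestinationType` is treated as Azure diagnostics mode, and the sample data is constructed.

```python
import json

LEGACY = "AzureBackupReport"               # legacy event, Azure diagnostics mode only
CLASSIC_ALERTS = "AddonAzureBackupAlerts"  # assumed category identifier
NEW_EVENTS = {                             # assumed identifiers for the six new events
    "CoreAzureBackup", "AddonAzureBackupJobs", "AddonAzureBackupPolicy",
    "AddonAzureBackupStorage", "AddonAzureBackupProtectedInstance",
    "AzureBackupOperations",
}

def _mode(setting):
    # Assumption: a missing destination type means Azure diagnostics mode.
    return setting.get("logAnalyticsDestinationType") or "AzureDiagnostics"

def _enabled(setting):
    return {log.get("category") for log in setting.get("logs", []) if log.get("enabled")}

def audit_setting(setting):
    """Return the mode/event rules from this page that one setting violates."""
    enabled, findings = _enabled(setting), []
    if setting.get("workspaceId"):  # the mode toggle exists only for Log Analytics
        if LEGACY in enabled and _mode(setting) == "Dedicated":
            findings.append("legacy-event-in-resource-specific-mode")  # no data flows
        if enabled & NEW_EVENTS and _mode(setting) != "Dedicated":
            findings.append("new-events-in-azure-diagnostics-mode")  # empty Backup reports
    if CLASSIC_ALERTS in enabled:
        findings.append("classic-alerts-event-selected")
    return findings

def audit_vault(settings):
    """Audit each setting and report whether the vault still needs migration."""
    report = {s.get("name", "<unnamed>"): audit_setting(s) for s in settings}
    to_la = [s for s in settings if s.get("workspaceId")]
    has_legacy = any(LEGACY in _enabled(s) and _mode(s) == "AzureDiagnostics" for s in to_la)
    has_new = any("CoreAzureBackup" in _enabled(s) and _mode(s) == "Dedicated" for s in to_la)
    return report, has_legacy and not has_new

# Constructed sample: two settings on one vault, placeholder workspace ID.
SAMPLE = json.loads("""[
  {"name": "Setting1", "workspaceId": "/subscriptions/EXAMPLE/workspaces/ws-constructed",
   "logAnalyticsDestinationType": null,
   "logs": [{"category": "AzureBackupReport", "enabled": true}]},
  {"name": "Setting2", "workspaceId": "/subscriptions/EXAMPLE/workspaces/ws-constructed",
   "logAnalyticsDestinationType": "AzureDiagnostics",
   "logs": [{"category": "CoreAzureBackup", "enabled": true},
            {"category": "AddonAzureBackupAlerts", "enabled": true}]}
]""")

if __name__ == "__main__":
    print(audit_vault(SAMPLE))
```

In the sample, Setting2 sends a new event in Azure diagnostics mode, so the vault still counts as legacy-only even though a second setting exists.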