Log Analytics
Introduction
Section titled “Introduction”Azure Log Analytics Workspaces are the primary data store for Azure Monitor log data. They collect, index, and query log and metric data from Azure resources, virtual machines, and custom sources. Log Analytics Workspaces are commonly used as the central destination for diagnostic settings, Azure Monitor agents, and security audit logs in enterprise monitoring architectures. For more information, see Log Analytics workspace overview.
LocalStack for Azure provides a local environment for building and testing applications that make use of Azure Log Analytics Workspaces. The supported APIs are available on our API Coverage section, which provides information on the extent of Log Analytics’ integration with LocalStack.
Getting started
Section titled “Getting started”This guide walks you through creating a Log Analytics Workspace, retrieving its shared keys, and deleting the workspace.
Launch LocalStack using your preferred method. For more information, see Introduction to LocalStack for Azure. Once the container is running, enable Azure CLI interception by running:
azlocal start-interceptionThis command points the az CLI away from the public Azure management REST API and toward the LocalStack for Azure emulator API.
To revert this configuration, run:
azlocal stop-interceptionThis reconfigures the az CLI to send commands to the official Azure management REST API.
Create a resource group
Section titled “Create a resource group”Create a resource group to hold all resources created in this guide:
az group create --name rg-laws-demo --location westeurope{ "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-laws-demo", "location": "eastus", "name": "rg-laws-demo", "properties": { "provisioningState": "Succeeded" }, "type": "Microsoft.Resources/resourceGroups"}Create a Log Analytics Workspace
Section titled “Create a Log Analytics Workspace”Create a Log Analytics workspace with a 30-day data retention period:
az monitor log-analytics workspace create \ --name my-workspace \ --resource-group rg-laws-demo \ --location westeurope{ "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-laws-demo/providers/Microsoft.OperationalInsights/workspaces/my-workspace", "location": "eastus", "name": "my-workspace", "provisioningState": "Succeeded", "resourceGroup": "rg-laws-demo", "retentionInDays": 30, "sku": { "name": "PerGB2018" }, "type": "Microsoft.OperationalInsights/workspaces", ...}Retrieve workspace shared keys
Section titled “Retrieve workspace shared keys”Retrieve the primary and secondary shared keys used to send logs directly to the workspace:
az monitor log-analytics workspace get-shared-keys \ --workspace-name my-workspace \ --resource-group rg-laws-demo{ "primarySharedKey": "466ea8d8-cdb5-4cca-a1fc-52589bc6656f", "secondarySharedKey": "92b87aac-a029-4c98-b992-4d36a52eb2a5"}List workspaces
Section titled “List workspaces”List all Log Analytics workspaces in the resource group:
Then list all workspaces to confirm the resource group is now empty:
az monitor log-analytics workspace list \ --resource-group rg-laws-demo[ { "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-laws-demo/providers/Microsoft.OperationalInsights/workspaces/my-workspace", "location": "eastus", "name": "my-workspace", "provisioningState": "Succeeded", "resourceGroup": "rg-laws-demo", "type": "Microsoft.OperationalInsights/workspaces" }]Show a workspace
Section titled “Show a workspace”Retrieve the full details of the workspace, including its unique customer ID:
az monitor log-analytics workspace show \ --workspace-name my-workspace \ --resource-group rg-laws-demo{ "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-laws-demo/providers/Microsoft.OperationalInsights/workspaces/my-workspace", "location": "eastus", "name": "my-workspace", "provisioningState": "Succeeded", "resourceGroup": "rg-laws-demo", "retentionInDays": 30, "sku": { "name": "PerGB2018" }, "type": "Microsoft.OperationalInsights/workspaces"...}Delete and verify
Section titled “Delete and verify”Delete the resource and confirm it no longer appears in the list:
az monitor log-analytics workspace delete \ --workspace-name my-workspace \ --resource-group rg-laws-demo \ --yesThen list all workspaces to confirm the resource group is now empty:
az monitor log-analytics workspace list \ --resource-group rg-laws-demo[]Features
Section titled “Features”- Workspace lifecycle: Create, read, list, update, and delete Log Analytics Workspaces.
- Shared key retrieval: Retrieve primary and secondary shared keys via
get-shared-keys. - SKU configuration: Accept
PerGB2018,Free,Standard,Premium,PerNode, andStandaloneSKUs. - Retention configuration: Configure log retention period in days.
- Activity Logs: Activity log events generated by LocalStack operations are fully emulated and queryable via the Activity Log API.
Limitations
Section titled “Limitations”- No log ingestion: Data sent to the Log Analytics HTTP Data Collector API is not stored.
- No KQL query execution: Running
az monitor log-analytics queryis not supported. - No table or schema management: Custom tables, table schemas, and retention policies per table are not managed.
- No saved searches: Saved queries and search functions are not supported.
- No linked services: Linking Automation accounts or Security Center to a workspace is not emulated.
- No Azure Sentinel / Microsoft Defender: Security information and event management (SIEM) features are not emulated.
Samples
Section titled “Samples”The following sample demonstrates how to use Azure Log Analytics with LocalStack for Azure:
API Coverage
Section titled “API Coverage”| Operation ▲ | Implemented ▼ |
|---|