{
	"id": "dfff2637-4bcf-46ef-8df9-f206f5dcecfd",
	"created_at": "2026-04-06T01:29:01.851279Z",
	"updated_at": "2026-04-10T03:22:00.975036Z",
	"deleted_at": null,
	"sha1_hash": "d50e6bf7af59645c9eda5ae25ca7f28296423861",
	"title": "Azure Monitor Logs in Azure Backup - Azure Backup",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 473346,
	"plain_text": "Azure Monitor Logs in Azure Backup - Azure Backup\r\nBy AbhishekMallick-MS\r\nArchived: 2026-04-06 00:46:54 UTC\r\nAzure Backup provides built-in monitoring and alerting capabilities in a Recovery Services vault. These\r\ncapabilities are available without any extra management infrastructure. The only prerequisite for this capability is\r\nto have Log Analytics workspace configured. This feature is supported in the following scenarios:\r\nMonitoring data from multiple Recovery Services vaults across Subscriptions\r\nVisibility into custom scenarios\r\nConfiguring alerts for custom scenarios\r\nViewing information from an on-premises component. For example, System Center Data Protection\r\nManager information in Azure, which the portal doesn't show in Backup Jobs or Backup Alerts\r\nBefore you use Log Analytics for monitoring, consider the following prerequisites:\r\nEnsure that you have a Log Analytics workspace set up. If not available, create one.\r\nConfigure Diagnostic Settings to push data to Log Analytics.\r\nConfigure the retention of the tables or the Log Analytics workspace based on the desired historical\r\nretention.\r\nIn Azure Monitor, you can create your own alerts in a Log Analytics workspace. In the workspace, you use Azure\r\naction groups to select your preferred notification mechanism.\r\nOpen the Logs section of the Log Analytics workspace and create a query for your own Logs. When you select\r\nNew Alert Rule, the Azure Monitor alert-creation page opens, as shown in the following image.\r\nHere, the resource is already marked as the Log Analytics workspace, and action group integration is provided.\r\nhttps://docs.microsoft.com/en-us/azure/backup/backup-azure-monitoring-use-azuremonitor\r\nPage 1 of 9\n\nThe defining characteristic of an alert is its triggering condition. Select Condition to automatically load the Kusto\r\nquery on the Logs page as shown in the following image. Here you can edit the condition to suit your needs. 
For\r\nmore information, see Sample Kusto queries.\r\nIf necessary, you can edit the Kusto query. Choose a threshold, period, and frequency. The threshold determines\r\nwhen the alert is raised. The period is the window of time in which the query is run. For example, if the threshold\r\nis greater than 0, the period is 5 minutes, and the frequency is 5 minutes, then the rule runs the query every 5\r\nminutes, reviewing the previous 5 minutes. If the number of results is greater than 0, you're notified through the\r\nselected action group.\r\nNote\r\nTo run the alert rule once a day, across all the events/logs that were created on the given day, change the value of\r\nboth 'period' and 'frequency' to 1440, that is, 24 hours.\r\nUse an action group to specify a notification channel. To see the available notification mechanisms, under Action\r\ngroups, select Create New.\r\nYou can satisfy all alerting and monitoring requirements from Log Analytics alone, or you can use Log Analytics\r\nto supplement built-in notifications.\r\nFor more information, see Create, view, and manage log alerts by using Azure Monitor and Create and manage\r\naction groups in the Azure portal.\r\nThe default graphs give you Kusto queries for basic scenarios on which you can build alerts. You can also modify\r\nthe queries to fetch the data you want to be alerted on. 
Paste the following sample Kusto queries on the Logs page,\r\nand then create alerts on the queries.\r\nRecovery Services vaults and Backup vaults send data to a common set of tables that are listed in this article.\r\nHowever, there are slight differences in the schema for Recovery Services vaults and Backup vaults (learn more).\r\nSo, this section is split into multiple subsections that help you use the right queries depending on which\r\nworkload or vault types you want to query.\r\nAll successful backup jobs\r\nAddonAzureBackupJobs\r\n| where JobOperation==\"Backup\"\r\n| summarize arg_max(TimeGenerated,*) by JobUniqueId\r\n| where JobStatus==\"Completed\"\r\nAll failed backup jobs\r\nAddonAzureBackupJobs\r\n| where JobOperation==\"Backup\"\r\n| summarize arg_max(TimeGenerated,*) by JobUniqueId\r\n| where JobStatus==\"Failed\"\r\nAll successful Azure Virtual Machine (VM) backup jobs\r\nAddonAzureBackupJobs\r\n| where JobOperation==\"Backup\"\r\n| summarize arg_max(TimeGenerated,*) by JobUniqueId\r\n| where JobStatus==\"Completed\"\r\n| join kind=inner\r\n(\r\n CoreAzureBackup\r\n | where OperationName == \"BackupItem\"\r\n | where BackupItemType==\"VM\" and BackupManagementType==\"IaaSVM\"\r\n | distinct BackupItemUniqueId, BackupItemFriendlyName\r\n)\r\non BackupItemUniqueId\r\nAll successful SQL log backup jobs\r\nAddonAzureBackupJobs\r\n| where JobOperation==\"Backup\" and JobOperationSubType==\"Log\"\r\n| summarize arg_max(TimeGenerated,*) by JobUniqueId\r\n| where JobStatus==\"Completed\"\r\n| join kind=inner\r\n(\r\n CoreAzureBackup\r\n | where OperationName == \"BackupItem\"\r\n | where BackupItemType==\"SQLDataBase\" and BackupManagementType==\"AzureWorkload\"\r\n | distinct BackupItemUniqueId, BackupItemFriendlyName\r\n)\r\non BackupItemUniqueId\r\nAll successful Azure Backup agent jobs\r\nAddonAzureBackupJobs\r\n| where 
JobOperation==\"Backup\"\r\n| summarize arg_max(TimeGenerated,*) by JobUniqueId\r\n| where JobStatus==\"Completed\"\r\n| join kind=inner\r\n(\r\n CoreAzureBackup\r\n | where OperationName == \"BackupItem\"\r\n | where BackupItemType==\"FileFolder\" and BackupManagementType==\"MAB\"\r\n | distinct BackupItemUniqueId, BackupItemFriendlyName\r\n)\r\non BackupItemUniqueId\r\nBackup Storage Consumed per Backup Item\r\nCoreAzureBackup\r\n//Get all Backup Items\r\n| where OperationName == \"BackupItem\"\r\n//Get distinct Backup Items\r\n| distinct BackupItemUniqueId, BackupItemFriendlyName\r\n| join kind=leftouter\r\n(AddonAzureBackupStorage\r\n| where OperationName == \"StorageAssociation\"\r\n//Get latest record for each Backup Item\r\n| summarize arg_max(TimeGenerated, *) by BackupItemUniqueId\r\n| project BackupItemUniqueId , StorageConsumedInMBs)\r\non BackupItemUniqueId\r\n| project BackupItemUniqueId , BackupItemFriendlyName , StorageConsumedInMBs\r\n| sort by StorageConsumedInMBs desc\r\nAll successful Azure PostgreSQL backup jobs\r\nAddonAzureBackupJobs\r\n| where JobOperation==\"Backup\"\r\n| summarize arg_max(TimeGenerated,*) by JobUniqueId\r\n | where DatasourceType == \"Microsoft.DBforPostgreSQL/servers/databases\"\r\n| where JobStatus==\"Completed\"\r\nAll successful Azure Disk restore jobs\r\nAddonAzureBackupJobs\r\n| where JobOperation == \"Restore\"\r\n| summarize arg_max(TimeGenerated,*) by JobUniqueId\r\n| where DatasourceType == \"Microsoft.Compute/disks\"\r\n| where JobStatus==\"Completed\"\r\nBackup Storage Consumed per Backup Item\r\nCoreAzureBackup\r\n| where OperationName == \"BackupItem\"\r\n| summarize arg_max(TimeGenerated, *) by BackupItemUniqueId\r\n| project BackupItemUniqueId, BackupItemFriendlyName, StorageConsumedInMBs\r\nThe diagnostic data from the vault is pumped to the Log Analytics workspace with some lag. 
Every event arrives\r\nat the Log Analytics workspace 20 to 30 minutes after being pushed from the Recovery Services vault. Here are\r\nfurther details about the lag:\r\nAcross all solutions, the backup service's built-in alerts are pushed as soon as they're created. So they\r\nusually appear in the Log Analytics workspace after 20 to 30 minutes.\r\nAcross all solutions, on-demand backup jobs and restore jobs are pushed as soon as they finish.\r\nFor all solutions except SQL and SAP HANA backup, scheduled backup jobs are pushed as soon as they\r\nfinish.\r\nFor SQL and SAP HANA backup, because log backups can occur every 15 minutes, information for all the\r\ncompleted scheduled backup jobs, including logs, is batched and pushed every 6 hours.\r\nAcross all solutions, other information such as the backup item, policy, recovery points, storage, and so on,\r\nis pushed at least once per day.\r\nA change in the backup configuration (such as changing policy or editing policy) triggers a push of all\r\nrelated backup information.\r\nNote\r\nThe same delay applies to other destinations for diagnostics data, such as Storage accounts and Event Hubs.\r\nCaution\r\nThe following steps apply only to Azure VM backups. You can't use these steps for solutions such as the Azure\r\nBackup agent, SQL backups within Azure, or Azure Files.\r\nYou can also use activity logs to get notification for events such as backup success. To begin, follow these steps:\r\n1. Sign in to the Azure portal.\r\n2. Open the relevant Recovery Services vault.\r\n3. In the vault's properties, open the Activity log section.\r\nTo identify the appropriate log and create an alert:\r\n1. Verify that you're receiving activity logs for successful backups by applying the filters shown in the\r\nfollowing image. Change the Timespan value as necessary to view records.\r\n2. 
Select the operation name to see the relevant details.\r\n3. Select New alert rule to open the Create rule page.\r\n4. Create an alert by following the steps in Create, view, and manage activity log alerts by using Azure\r\nMonitor.\r\nHere, the resource is the Recovery Services vault itself. Repeat the same steps for all of the vaults in which you\r\nwant to be notified through activity logs. The condition doesn't have a threshold, period, or frequency because this\r\nalert is based on events. As soon as the relevant activity log is generated, the alert is raised.\r\nYou can view all alerts created from activity logs and Log Analytics workspaces in Azure Monitor. Just open the\r\nAlerts pane.\r\nAlthough you can get notifications through activity logs, we highly recommend using Log Analytics rather than\r\nactivity logs for monitoring at scale. Here's why:\r\nLimited scenarios: Notifications through activity logs apply only to Azure VM backups. The notifications\r\nmust be set up for every Recovery Services vault.\r\nDefinition fit: The scheduled backup activity doesn't fit with the latest definition of activity logs. Instead, it\r\naligns with resource logs. This alignment causes unexpected effects when the data that flows through the\r\nactivity log channel changes.\r\nProblems with the activity log channel: In Recovery Services vaults, activity logs that are pumped from\r\nAzure Backup follow a new model. Unfortunately, this change affects the generation of activity logs in\r\nAzure Government, Azure Germany, and Microsoft Azure operated by 21Vianet. If users of these cloud\r\nservices create or configure any alerts from activity logs in Azure Monitor, the alerts aren't triggered. 
Also,\r\nin all Azure public regions, if a user collects Recovery Services activity logs into a Log Analytics\r\nworkspace, these logs don't appear.\r\nUse a Log Analytics workspace for monitoring and alerting at scale for all your workloads that are protected by\r\nAzure Backup.\r\nTo create custom queries, see Log Analytics data model.\r\nSource: https://docs.microsoft.com/en-us/azure/backup/backup-azure-monitoring-use-azuremonitor",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://docs.microsoft.com/en-us/azure/backup/backup-azure-monitoring-use-azuremonitor"
	],
	"report_names": [
		"backup-azure-monitoring-use-azuremonitor"
	],
	"threat_actors": [],
	"ts_created_at": 1775438941,
	"ts_updated_at": 1775791320,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d50e6bf7af59645c9eda5ae25ca7f28296423861.pdf",
		"text": "https://archive.orkl.eu/d50e6bf7af59645c9eda5ae25ca7f28296423861.txt",
		"img": "https://archive.orkl.eu/d50e6bf7af59645c9eda5ae25ca7f28296423861.jpg"
	}
}