System Logs & Audit Trails
This guide covers accessing and analyzing logs in FoundationaLLM deployments.
Overview
FoundationaLLM centralizes logs in Azure Log Analytics Workspace, providing:
- Unified view of all platform components
- Correlation across services
- Advanced query capabilities
- Integration with Azure Monitor
Log Types
| Log Type | Source | Purpose |
|---|---|---|
| Application Logs | Container apps/pods | Application errors, info, debug |
| Security Logs | Entra ID, Key Vault | Authentication, authorization |
| System Logs | AKS, ACA infrastructure | Platform health, scaling |
| Audit Logs | Key Vault, Cosmos DB | Resource access tracking |
Log Location
Standard Deployment
All logs flow to the Log Analytics Workspace created during deployment:
- Located in the Operations (ops) resource group
- Named: log-{project}-{env}-{region}
Quick Start Deployment
Logs are available in:
- Container Apps environment logs
- Log Analytics Workspace
Accessing Logs
Azure Portal
- Navigate to Log Analytics workspace
- Select Logs in the left menu
- Use Kusto Query Language (KQL) to query
Azure CLI
```bash
# Query logs
az monitor log-analytics query \
  --workspace <workspace-id> \
  --analytics-query "ContainerAppConsoleLogs | take 100"
```
Common Queries
Application Errors
```kusto
// Last 24 hours of errors across all services
// (KQL `contains` is case-insensitive, so one term matches error/Error/ERROR)
ContainerAppConsoleLogs
| where TimeGenerated > ago(24h)
| where Log contains "error"
| project TimeGenerated, ContainerAppName, Log
| order by TimeGenerated desc
```
Specific Service Logs
```kusto
// Core API logs
ContainerAppConsoleLogs
| where ContainerAppName contains "core-api"
| where TimeGenerated > ago(1h)
| project TimeGenerated, Log
| order by TimeGenerated desc
```
Authentication Failures
```kusto
// Failed authentication attempts
// (Entra ID sign-in logs land in the SigninLogs table; ResultType is a string,
// so a successful sign-in is "0")
SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType != "0"
| project TimeGenerated, UserPrincipalName, ResultType, ResultDescription
| order by TimeGenerated desc
```
Key Vault Access
```kusto
// Key Vault operations
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.KEYVAULT"
| where TimeGenerated > ago(24h)
| project TimeGenerated, OperationName, ResultType, CallerIPAddress
| order by TimeGenerated desc
```
Request Performance
```kusto
// API request duration
AppRequests
| where TimeGenerated > ago(1h)
| summarize AvgMs = avg(DurationMs), P95Ms = percentile(DurationMs, 95), Requests = count() by Name
| order by AvgMs desc
```
Container Restarts
```kusto
// Container restart events
ContainerAppSystemLogs
| where TimeGenerated > ago(24h)
| where Reason == "Restarted" or Reason == "BackOff"
| project TimeGenerated, ContainerAppName, Reason, Log
| order by TimeGenerated desc
```
Setting Up Alerts
Create Alert Rule
- Navigate to Monitor > Alerts
- Click + Create > Alert rule
- Select your Log Analytics workspace
- Configure condition (e.g., error count > threshold)
- Configure action group (email, webhook, etc.)
- Create rule
Example: Error Spike Alert
```kusto
// Alert condition query: fire when more than 10 error lines land in a 5-minute bin
// (`contains` is case-insensitive, so "error" also matches "Error" and "ERROR")
ContainerAppConsoleLogs
| where TimeGenerated > ago(5m)
| where Log contains "error"
| summarize ErrorCount = count() by bin(TimeGenerated, 5m)
| where ErrorCount > 10
```
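The same alert condition re-implemented in Python, as an added example that is not part of the FoundationaLLM project. It runs the 5-minute binning and the `> 10` threshold over a few constructed rows shaped like `ContainerAppConsoleLogs` (`TimeGenerated`, `ContainerAppName`, `Log`), which is a convenient way to sanity-check the threshold and the case-insensitive match before creating the rule in Azure.

```python
# Added example (not FoundationaLLM code): the "error spike" alert condition
# from the KQL above, evaluated offline over constructed log rows.
from collections import Counter
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=5)   # bin(TimeGenerated, 5m) and ago(5m)
THRESHOLD = 10                  # where ErrorCount > 10


def is_error(log_line: str) -> bool:
    # KQL `contains` is case-insensitive, so one lowercase check covers
    # "error", "Error" and "ERROR".
    return "error" in log_line.lower()


def bin_start(ts: datetime) -> datetime:
    # Floor the timestamp to the 5-minute boundary, as bin(TimeGenerated, 5m) does.
    epoch = ts.timestamp()
    floored = epoch - (epoch % WINDOW.total_seconds())
    return datetime.fromtimestamp(floored, tz=timezone.utc)


def error_spikes(rows, now: datetime, window=WINDOW, threshold=THRESHOLD):
    """Return {bin_start: error_count} for every bin whose count exceeds threshold."""
    cutoff = now - window  # where TimeGenerated > ago(5m)
    counts = Counter(
        bin_start(r["TimeGenerated"])
        for r in rows
        if r["TimeGenerated"] > cutoff and is_error(r["Log"])
    )
    return {b: c for b, c in counts.items() if c > threshold}


# Constructed sample rows: 12 error lines inside the window, 3 older ones that
# ago(5m) must exclude, and one non-error line that must not be counted.
NOW = datetime(2024, 1, 1, 12, 4, 30, tzinfo=timezone.utc)
SAMPLE_ROWS = (
    [{"TimeGenerated": NOW - timedelta(seconds=10 * i), "ContainerAppName": "core-api",
      "Log": f"ERROR token validation failed (req {i})"} for i in range(12)]
    + [{"TimeGenerated": NOW - timedelta(minutes=20), "ContainerAppName": "core-api",
        "Log": "Error: upstream timeout"} for _ in range(3)]
    + [{"TimeGenerated": NOW - timedelta(seconds=5), "ContainerAppName": "core-api",
        "Log": "info request completed in 42ms"}]
)

if __name__ == "__main__":
    for start, count in sorted(error_spikes(SAMPLE_ROWS, NOW).items()):
        print(f"ALERT: {count} errors in bin starting {start.isoformat()}")
```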
Log Retention
Default Settings
| Log Type | Default Retention |
|---|---|
| Application Logs | 30 days |
| Security Logs | 90 days |
| System Logs | 30 days |
Changing Retention
Via Azure Portal:
- Navigate to Log Analytics workspace
- Select Usage and estimated costs
- Select Data Retention
- Adjust retention period
Via Azure CLI:
```bash
az monitor log-analytics workspace update \
  --resource-group <resource-group> \
  --workspace-name <workspace-name> \
  --retention-time 90
```
Long-Term Archival
For retention beyond 730 days:
Export to Storage Account
- Navigate to Log Analytics workspace
- Select Export under Settings
- Configure export to Storage Account
- Select tables and destination
Archive to Data Lake
Configure continuous export:
```bash
az monitor log-analytics workspace data-export create \
  --resource-group <resource-group> \
  --workspace-name <workspace-name> \
  --name "archive-export" \
  --destination <storage-account-resource-id> \
  --enable true \
  --tables ContainerAppConsoleLogs
```
Access Control
Required Permissions
| Role | Access |
|---|---|
| Log Analytics Reader | Read logs, run queries |
| Log Analytics Contributor | Read/write, manage queries |
| Monitoring Contributor | Full access to monitoring |
Restrict Access
Use Azure RBAC to limit log access:
```bash
az role assignment create \
  --assignee <user-or-group-id> \
  --role "Log Analytics Reader" \
  --scope <workspace-resource-id>
```
Integration with Azure Monitor
Application Insights
FoundationaLLM APIs integrate with Application Insights for:
- Request tracing
- Dependency tracking
- Performance metrics
- Custom telemetry
Dashboards
Create custom dashboards:
- Navigate to Dashboard in Azure Portal
- Click + Add tile
- Select Logs and add your query
- Configure visualization
Workbooks
Use Azure Monitor Workbooks for interactive reports:
- Navigate to Monitor > Workbooks
- Create or use existing templates
- Add queries and visualizations
Azure Sentinel Integration
For advanced security monitoring:
- Enable Azure Sentinel on the Log Analytics workspace
- Configure data connectors for Entra ID, Key Vault
- Create analytics rules for threat detection
- Set up playbooks for automated response
Note: Azure Sentinel is not configured by default in Standard deployment.
Best Practices
| Practice | Description |
|---|---|
| Centralize | Send all logs to single workspace |
| Retain | Set appropriate retention policies |
| Alert | Configure alerts for critical issues |
| Review | Regularly review security logs |
| Archive | Export for long-term compliance |