# Set up Log Analytics

You will need to set up the Notebook to use the KqlMagic package to connect to LogAnalytics. I click on the Add Packages button top right and search and install or you can

In [None]:
import sys
!{sys.executable} -m pip install Kqlmagic --no-cache-dir --upgrade

and check it is installed

In [None]:
import sys
!{sys.executable} -m pip list

Then set the extension to open the web browser

In [1]:
%config Kqlmagic.popup_interaction='webbrowser_open_at_kernel'

Then load the extension into the Notebook

In [1]:
%reload_ext Kqlmagic

You can find help

In [None]:
%kql --help "help" -popup_window

In [None]:
%kql --help "LogAnalytics"

## Make a connection to Log Analytics

You will need your

- tenantid 
- clientid of the App with permissions 
- Client secret for above 
- Log Analytics WorkSpace ID
- Alias for the  log Analytics

or you can use

`%kql loganalytics://tenant='<tenantid>';clientid='<clientid>';clientsecret='<clientsecret>';workspace='<workspaceid>';alias='<alias>'`

or you can follow [Julie Koesmarno](https://twitter.com/MsSQLGirl) example from [here](https://github.com/MsSQLGirl/jubilant-data-wizards/blob/main/Simple%20Demo/Parameterization/SQLDBLog/AzureSQLLogsAndMetricsWithLogAnalytics.ipynb) and log in from the browser with 

`
%kql loganalytics://code;workspace=workspaceID;alias="myMonLog"  -try-azcli-login-by-profile`

In [2]:
# Initialize variables

workspaceID = ''
tenant = ''
clientid = ''
clientsecret = ''
alias = ''

In [3]:
if (workspaceID == ''):
    workspaceID = input("Enter Log Analytics Workspace ID (guid)")
    #print(workspaceID)
    print("workspaceID is set")
if (tenant == ''):
    tenant = input("Enter tenant")
    #print(tenant)
    print("tenant is set")
if (clientid == ''):
    clientid = input("Enter clientid (guid)")
    #print(clientid)
    print("clientid is set")
if (clientsecret == ''):
    clientsecret = input("Enter clientsecret ")
    #print(clientsecret)
    print("clientsecret is set")
if (alias == ''):
    alias = input("Enter alias ")
    #print(alias)
    print("alias is set")

workspaceID is set


tenant is set


clientid is set


clientsecret is set


In [4]:
%kql loganalytics://tenant=tenant;clientid=clientid;clientsecret=clientsecret;workspace=workspaceID;alias=alias

## Query the logs

Now you can run Kusto Queries against the logs

### Show me Failed Logins



In [5]:
%kql sqlManagedInstances_logs_CL | where Message startswith "Logon       Login "| sort by es_process_timestamp_t desc |project node=kubernetes_node_name_s,namespace=kubernetes_namespace_s,pod=kubernetes_pod_name_s,container=kubernetes_container_name_s,["message time"]=es_process_timestamp_t,Message

Unnamed: 0,node,namespace,pod,container,message time,Message
0,singlebeard,arc,hyperben-0,arc-sqlmi,2021-07-29 08:05:05+00:00,Logon Login failed for user 'TryingToSte...
1,singlebeard,arc,hyperben-0,arc-sqlmi,2021-07-29 08:05:01+00:00,Logon Login failed for user 'TryingToSte...
2,singlebeard,arc,hyperben-0,arc-sqlmi,2021-07-29 08:04:58+00:00,Logon Login failed for user 'TryingToSte...
3,singlebeard,arc,hyperben-0,arc-sqlmi,2021-07-29 08:04:56+00:00,Logon Login failed for user 'TryingToSte...
4,singlebeard,arc,hyperben-0,arc-sqlmi,2021-07-29 07:55:21+00:00,Logon Login failed for user 'system'. Re...
5,singlebeard,arc,hyperben-0,arc-sqlmi,2021-07-29 07:55:17+00:00,Logon Login failed for user '##monitorin...
6,singlebeard,arc,hyperben-0,arc-sqlmi,2021-07-29 07:55:15+00:00,Logon Login failed for user 'sa'. Reason...
7,singlebeard,arc,hyperben-0,arc-sqlmi,2021-07-29 07:55:15+00:00,Logon Login failed for user '##miaa-agen...
8,singlebeard,arc,hyperben-0,arc-sqlmi,2021-07-28 13:00:09+00:00,Logon Login failed for user 'TryingToSte...
9,singlebeard,arc,hyperben-0,arc-sqlmi,2021-07-28 12:00:09+00:00,Logon Login failed for user 'TryingToSte...


### Show me Backups

In [6]:
%kql sqlManagedInstances_logs_CL | where Message startswith "Backup"| sort by es_process_timestamp_t desc |project node=kubernetes_node_name_s,namespace=kubernetes_namespace_s,pod=kubernetes_pod_name_s,container=kubernetes_container_name_s,["message time"]=es_process_timestamp_t,Message

Unnamed: 0,node,namespace,pod,container,message time,Message
0,singlebeard,arc,hyperben-0,arc-sqlmi,2021-07-29 08:50:09+00:00,Backup Log was backed up. Database: BenBe...
1,singlebeard,arc,hyperben-0,arc-sqlmi,2021-07-29 08:44:41+00:00,Backup Log was backed up. Database: BenBe...
2,singlebeard,arc,hyperben-0,arc-sqlmi,2021-07-29 08:39:09+00:00,Backup Log was backed up. Database: BenBe...
3,singlebeard,arc,hyperben-0,arc-sqlmi,2021-07-29 08:33:41+00:00,Backup Log was backed up. Database: BenBe...
4,singlebeard,arc,hyperben-0,arc-sqlmi,2021-07-29 08:28:09+00:00,Backup Log was backed up. Database: BenBe...
5,singlebeard,arc,hyperben-0,arc-sqlmi,2021-07-29 08:22:41+00:00,Backup Log was backed up. Database: BenBe...
6,singlebeard,arc,hyperben-0,arc-sqlmi,2021-07-29 08:17:09+00:00,Backup Log was backed up. Database: BenBe...
7,singlebeard,arc,hyperben-0,arc-sqlmi,2021-07-29 08:11:41+00:00,Backup Log was backed up. Database: BenBe...
8,singlebeard,arc,hyperben-0,arc-sqlmi,2021-07-29 08:06:09+00:00,Backup Log was backed up. Database: BenBe...
9,singlebeard,arc,hyperben-0,arc-sqlmi,2021-07-29 08:00:41+00:00,Backup BACKUP DATABASE WITH DIFFERENTIAL ...


### Show Me

In [7]:
%kql sqlManagedInstances_logs_CL | where Message startswith "Logon       Login "| sort by es_process_timestamp_t desc | summarize NoOfFailedLogins=count() by Hour=bin(es_process_timestamp_t,1h) | render columnchart 