Diagnostic settings in Azure are used to collect resource logs. An Azure resource emits resource logs and provides rich, frequent data about the operation of that resource. These logs are captured per request and are also referred to as "data plane logs". See diagnostic settings in Azure Monitor for a recommended overview of the functionality in Azure. The content of these logs varies by resource type. In Azure Cache for Redis, two options are available to log:
- Cache Metrics (that is, "AllMetrics"), used to log metrics from Azure Monitor.
- Connection Logs, which log client connections to the cache for security and diagnostic purposes.
Scope of availability
| Tier | Basic, Standard, and Premium |
| --- | --- |
| Cache Metrics | Yes |
| Connection Logs | Yes |
Cache Metrics
Azure Cache for Redis emits many metrics such as Server Load and Connections per Second that are useful to log. Selecting the AllMetrics option allows these and other cache metrics to be logged. You can configure how long the metrics are retained. See here for an example of exporting cache metrics to a storage account.
Connection Logs
Azure Cache for Redis uses Azure diagnostic settings to log information on client connections to your cache. Logging and analyzing this diagnostic setting helps you understand who is connecting to your caches and the timestamp of those connections. The log data could be used to identify the scope of a security breach and for security auditing purposes.
Differences Between Azure Cache for Redis Tiers
Implementation of connection logs is slightly different between tiers:
- Basic, Standard, and Premium-tier caches poll client connections by IP address, including the number of connections originating from each unique IP address. These logs aren't cumulative; they represent point-in-time snapshots taken at 10-second intervals. Authentication events (successful and failed) and disconnection events aren't logged in these tiers.
The connection logs produced look similar among the tiers, but have some differences. The two formats are shown in more detail later in the article.
Important
The connection logging in the Basic, Standard, and Premium tiers polls the current client connections in the cache, so the same client IP addresses appear in snapshot after snapshot for as long as those clients stay connected.
Prerequisites/Limitations of Connection Logging
Basic, Standard, and Premium tiers
- Because connection logs in these tiers consist of point-in-time snapshots taken every 10 seconds, connections that are established and removed in-between 10-second intervals aren't logged.
- Authentication events aren't logged.
- All diagnostic settings may take up to 90 minutes to start flowing to your selected destination.
- Enabling connection logs can cause a small performance degradation to the cache instance.
- Only the Analytics Logs pricing plan is supported when streaming logs to Azure Log Analytics. For more information, see Azure Monitor pricing.
Note
It is always possible to use the INFO or CLIENT LIST commands to check who is connected to a cache instance on-demand.
Important
When selecting logs, you can choose either the specific Category or Category groups, which are predefined groupings of logs across Azure services. When you use Category groups, you can no longer configure the retention settings. If you need to set a retention duration for your connection logs, select the item in the Categories section instead.
Log Destinations
You can turn on diagnostic settings for Azure Cache for Redis instances and send resource logs to the following destinations:
- Log Analytics workspace - doesn't need to be in the same region as the resource being monitored.
- Storage account - must be in the same region as the cache. Premium storage accounts are not supported as a destination, however.
- Event hub - diagnostic settings can't access event hub resources when virtual networks are enabled. Enable the Allow trusted Microsoft services to bypass this firewall? setting in event hubs to grant access to your event hub resources. The event hub must be in the same region as the cache.
For more information on diagnostic requirements, see diagnostic settings.
You're charged normal data rates for storage account and event hub usage when you send diagnostic logs to either destination. You're billed under Azure Monitor not Azure Cache for Redis. When sending logs to Log Analytics, you're only charged for Log Analytics data ingestion.
For more pricing information, see Azure Monitor pricing.
Enable connection logging using the Azure portal
Sign in to the Azure portal.
Navigate to your Azure Cache for Redis account. Open the Diagnostic settings pane under the Monitoring section on the left. Then, select Add diagnostic setting.
In the Diagnostic settings pane, select ConnectedClientList from Categories.
For more detail on the data logged, see Contents of the Connection Logs later in this article.
Once you select ConnectedClientList, choose the destination for your logs and fill in the details for that destination in the working pane.
Enable connection logging using the REST API
Use the Azure Monitor REST API for creating a diagnostic setting via the interactive console. For more information, see Create or update.
Request
```http
PUT https://management.chinacloudapi.cn/{resourceUri}/providers/Microsoft.Insights/diagnosticSettings/{name}?api-version=2017-05-01-preview
```
| Parameters/Headers | Value/Description |
| --- | --- |
| name | The name of your diagnostic setting. |
| resourceUri | subscriptions/{SUBSCRIPTION_ID}/resourceGroups/{RESOURCE_GROUP}/providers/Microsoft.Cache/Redis/{CACHE_NAME} |
| api-version | 2017-05-01-preview |
| Content-Type | application/json |
Body
```json
{
  "properties": {
    "storageAccountId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/apptest/providers/Microsoft.Storage/storageAccounts/appteststorage1",
    "eventHubAuthorizationRuleId": "/subscriptions/bbbb1b1b-cc2c-dd3d-ee4e-ffffff5f5f5f/resourceGroups/montest/providers/microsoft.eventhub/namespaces/mynamespace/eventhubs/myeventhub/authorizationrules/myrule",
    "eventHubName": "myeventhub",
    "workspaceId": "/subscriptions/cccc2c2c-dd3d-ee4e-ff5f-aaaaaa6a6a6a/resourceGroups/insights-integration/providers/Microsoft.OperationalInsights/workspaces/myworkspace",
    "logs": [
      {
        "category": "ConnectedClientList",
        "enabled": true,
        "retentionPolicy": {
          "enabled": false,
          "days": 0
        }
      }
    ]
  }
}
```
Enable Connection Logging using Azure CLI
Use the az monitor diagnostic-settings create command to create a diagnostic setting with the Azure CLI. For more information on command and parameter descriptions, see Create diagnostic settings to send platform logs and metrics to different destinations. This example shows how to use the Azure CLI to stream data to four different endpoints:
```shell
az monitor diagnostic-settings create \
  --resource /subscriptions/{subscriptionID}/resourceGroups/{resourceGroupName}/providers/Microsoft.Cache/Redis/{cacheName} \
  --name {logName} \
  --logs '[{"category": "ConnectedClientList","enabled": true,"retentionPolicy": {"enabled": false,"days": 0}}]' \
  --event-hub {eventHubName} \
  --event-hub-rule /subscriptions/{subscriptionID}/resourceGroups/{resourceGroupName}/providers/microsoft.eventhub/namespaces/{eventHubNamespace}/authorizationrules/{ruleName} \
  --storage-account /subscriptions/{subscriptionID}/resourceGroups/{resourceGroupName}/providers/Microsoft.Storage/storageAccounts/{storageAccountName} \
  --workspace /subscriptions/{subscriptionID}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{logAnalyticsWorkspaceName} \
  --marketplace-partner-id /subscriptions/{subscriptionID}/resourceGroups/{resourceGroupName}/providers/Microsoft.Datadog/monitors/mydatadog
```
Contents of the Connection Logs
These fields and properties appear in the ConnectedClientList log category. In Azure Monitor, logs are collected in the ACRConnectedClientList table under the resource provider name of MICROSOFT.CACHE.
| Azure Storage field or property | Azure Monitor Logs property | Description |
| --- | --- | --- |
| time | TimeGenerated | The timestamp of when the log was generated in UTC. |
| location | Location | The location (region) the Azure Cache for Redis instance was accessed in. |
| category | n/a | Available log categories: ConnectedClientList. |
| resourceId | _ResourceId | The Azure Cache for Redis resource for which logs are enabled. |
| operationName | OperationName | The Redis operation associated with the log record. |
| properties | n/a | The contents of this field are described in the rows that follow. |
| tenant | CacheName | The name of the Azure Cache for Redis instance. |
| roleInstance | RoleInstance | The role instance that logged the client list. |
| connectedClients.ip | ClientIp | The Redis client IP address. |
| connectedClients.privateLinkIpv6 | PrivateLinkIpv6 | The Redis client private link IPv6 address (if applicable). |
| connectedClients.count | ClientCount | The number of Redis client connections from the associated IP address. |
Sample storage account log
If you send your logs to a storage account, the contents of the logs look like this.
```json
{
  "time": "2021-08-05T21:04:58.0466086Z",
  "location": "canadacentral",
  "category": "ConnectedClientList",
  "properties": {
    "tenant": "mycache",
    "connectedClients": [
      {
        "ip": "192.123.43.36",
        "count": 86
      },
      {
        "ip": "10.1.1.4",
        "privateLinkIpv6": "fd40:8913:31:6810:6c31:200:a01:104",
        "count": 1
      }
    ],
    "roleInstance": "1"
  },
  "resourceId": "/SUBSCRIPTIONS/eeee4efe-ff5f-aa6a-bb7b-cccccc8c8c8c/RESOURCEGROUPS/AZURE-CACHE/PROVIDERS/MICROSOFT.CACHE/REDIS/MYCACHE",
  "Level": 4,
  "operationName": "Microsoft.Cache/ClientList"
}
```
Next steps
For detailed information about how to create a diagnostic setting by using the Azure portal, CLI, or PowerShell, see the Create diagnostic settings to collect platform logs and metrics in Azure article.