Technical Lab: Configure log settings in Azure Monitor
Questions
Question 1 – Multiple Choice
An administrator needs to ensure that diagnostic logs from an Azure Key Vault are sent simultaneously to both a Log Analytics Workspace and a Storage Account, with 90-day retention in the Storage Account. Which statement correctly describes the expected behavior when configuring the Diagnostic Setting?
A) Two separate Diagnostic Settings are required, as each destination requires an independent configuration.
B) A single Diagnostic Setting can send logs to multiple destinations simultaneously, including Log Analytics Workspace, Storage Account, and Event Hub.
C) The 90-day retention is configured within the Log Analytics Workspace and automatically applies to the linked Storage Account.
D) Sending to Storage Account requires the Log Analytics Workspace to be in the same region as the Key Vault.
Question 2 – Technical Scenario
An administrator configures the following Diagnostic Setting for a virtual machine:
{
  "logs": [
    { "category": "Administrative", "enabled": true },
    { "category": "Security", "enabled": false }
  ],
  "metrics": [
    { "category": "AllMetrics", "enabled": true, "retentionPolicy": { "days": 30 } }
  ],
  "storageAccountId": "/subscriptions/.../storageAccounts/myaccount"
}
After 45 days, the administrator notices that logs from the Security category are missing, but were expected for an internal audit. What is the direct cause of the problem?
A) The Storage Account does not support Security category logs for virtual machines.
B) The Security category is explicitly disabled in the configured Diagnostic Setting.
C) The 30-day retention period automatically deleted the Security logs before the audit.
D) Security logs require an Event Hub as a mandatory destination and cannot be sent to a Storage Account.
Question 3 – True or False
When configuring a Diagnostic Setting on an Azure resource, it is possible to enable individual log categories selectively, but all enabled metrics must share the same retention policy defined at the Diagnostic Setting level.
Question 4 – Technical Scenario
An operations team needs to correlate performance data from multiple resources (VMs, App Services, and SQL Databases) in a single dashboard in Azure Monitor. The resources are distributed across three different resource groups. The analyst proposes creating one Diagnostic Setting per resource pointing to the same Log Analytics Workspace. A colleague suggests it would be more efficient to use a single Diagnostic Setting at the Subscription level. Which approach is technically correct for achieving the objective?
A) Both approaches are equivalent; the choice depends only on administrative preference.
B) The Diagnostic Setting at the Subscription level captures only activity logs (Activity Log), not diagnostic logs from individual resources; therefore, the per-resource approach is correct for performance data.
C) The Diagnostic Setting at the Subscription level automatically propagates configurations to all child resources, including performance metrics.
D) Performance logs from VMs cannot be sent to Log Analytics Workspace; they require Azure Monitor Agent with Data Collection Rules.
Question 5 – Multiple Choice
An administrator needs to configure log retention in the Log Analytics Workspace for 180 days, but the portal displays the minimum configurable value as 30 days and the maximum as 730 days. After setting 180 days in the Workspace, they notice that queries for data older than 90 days return empty results. What is the most likely explanation?
A) The Log Analytics Workspace has an operational limit of 90 days regardless of the configured retention.
B) The logs were sent to a Storage Account with a 90-day retention policy, and the Workspace is querying the Storage Account as the primary source.
C) The retention configured in the Workspace applies only to new data ingested after the change; previous data follows the policy in effect at the time of ingestion.
D) The Workspace pricing tier (SKU) may be limiting the effective retention to 90 days, overriding the manual configuration of 180 days.
Answer Key and Explanations
Answer Key – Question 1
Answer: B
A single Diagnostic Setting natively supports multiple simultaneous destinations: Log Analytics Workspace, Storage Account, and Event Hub. There is no need to create separate configurations per destination.
- Alternative A represents a common misconception: administrators migrating from legacy tools often assume that each destination requires independent configuration, which does not apply to Azure Monitor.
- Alternative C confuses the scope of retention policy: Storage Account retention is configured directly in the Diagnostic Setting (the retentionPolicy field within the Storage destination block), not inherited from the Workspace.
- Alternative D is a plausible distractor, but the geographical location of resources is not a requirement for linking diagnostic destinations; data residency restrictions for compliance are handled separately.
Answer Key – Question 2
Answer: B
The presented JSON block explicitly defines "enabled": false for the Security category. This means that since the creation of the Diagnostic Setting, no logs from this category have been collected or sent to the configured destination.
- Alternative C is the most dangerous distractor: the 30-day retention period affects data already collected, but since Security was never enabled, there is no data to expire. Confusing absence of collection with retention expiration is a serious operational error in audits.
- Alternative A is false: Storage Accounts support Security logs for VMs.
- Alternative D is false: Event Hub is not a mandatory destination for any specific log category; it is a destination option like any other.
Answer Key – Question 3
Answer: False
The statement is false. In Azure Monitor, it is possible to configure individual retention policies per metric category within the same Diagnostic Setting, especially when the destination is a Storage Account. Each entry in the metrics array can have its own retentionPolicy block with distinct day values.
The non-obvious point here is that granular retention per category applies to the Storage Account destination. For Log Analytics Workspace, retention is managed at the Workspace level or per table (Table-level retention), not within the Diagnostic Setting itself. Therefore, the statement that there is a single, mandatory retention policy shared by all metrics is incorrect in terms of Diagnostic Setting architecture.
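The following audit helper is an added example, not part of the original lab: it loads the Diagnostic Setting JSON from Question 2 (embedded as a constructed sample with a placeholder subscription id), lists the destinations one setting fans out to (Question 1), reads the per-entry retentionPolicy that the Storage Account destination honours (Question 3), and distinguishes "category never enabled" from "data expired by retention" for a requested category and data age (Question 2). The function names are the example's own; the property names storageAccountId, workspaceId and eventHubAuthorizationRuleId are the Diagnostic Setting destination properties.

```python
import json

# Constructed sample: the Diagnostic Setting from Question 2 of this lab.
SETTING_JSON = """
{
  "logs": [
    { "category": "Administrative", "enabled": true },
    { "category": "Security", "enabled": false }
  ],
  "metrics": [
    { "category": "AllMetrics", "enabled": true, "retentionPolicy": { "days": 30 } }
  ],
  "storageAccountId": "/subscriptions/PLACEHOLDER-SUB/storageAccounts/myaccount"
}
"""

# Destination properties of a Diagnostic Setting; one setting may carry any mix.
DESTINATION_KEYS = {
    "storageAccountId": "Storage Account",
    "workspaceId": "Log Analytics Workspace",
    "eventHubAuthorizationRuleId": "Event Hub",
}

def load_setting(setting_json):
    return json.loads(setting_json)

def destinations(setting):
    """All destinations one setting fans out to (Question 1)."""
    return [name for key, name in DESTINATION_KEYS.items() if setting.get(key)]

def retention_days(entry):
    """Per-entry retentionPolicy honoured by the Storage Account destination
    (Question 3). Assumes days == 0 or a disabled policy means keep forever."""
    policy = entry.get("retentionPolicy") or {}
    days = policy.get("days", 0)
    return days if policy.get("enabled", True) and days > 0 else None

def data_status(setting, category, age_days):
    """Explain why data of a given age is or is not present (Question 2)."""
    for entry in setting.get("logs", []) + setting.get("metrics", []):
        if entry.get("category") != category:
            continue
        if not entry.get("enabled", False):
            return "never collected: category disabled in the Diagnostic Setting"
        days = retention_days(entry)
        if days is not None and age_days > days:
            return "expired: retentionPolicy of %d days has passed" % days
        return "available"
    return "never collected: category absent from the Diagnostic Setting"
```

Running data_status on the sample for "Security" at 45 days reports the category as disabled rather than expired, which is the distinction the Question 2 audit scenario hinges on.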
Answer Key – Question 4
Answer: B
The Diagnostic Setting at the Subscription level is designed exclusively to capture the Activity Log (subscription control and management events), not diagnostic logs or performance metrics from individual resources. To collect performance data from VMs, App Services, and SQL Databases, it is necessary to configure a Diagnostic Setting on each resource individually.
- Alternative A is wrong because the approaches are not equivalent: they produce fundamentally different datasets.
- Alternative C describes behavior that does not exist in current Azure Monitor; there is no automatic propagation of Diagnostic Settings from Subscription to child resources.
- Alternative D is partially true (Azure Monitor Agent with DCR is the recommended approach for advanced OS metrics collection on VMs), but it does not invalidate the possibility of sending VM platform metrics via Diagnostic Settings to Log Analytics Workspace. As a distractor, it exploits correct knowledge in an incorrect context.
Answer Key – Question 5
Answer: D
The SKU (pricing tier) of the Log Analytics Workspace determines the effective retention ceiling. Workspaces on the Free plan have retention limited to 7 days, regardless of the configured value. Workspaces on paid plans allow up to 730 days. If the Workspace is on a SKU that limits retention to 90 days, configuring 180 days in the retention field will have no practical effect beyond that limit.
- Alternative A is false: there is no fixed operational limit of 90 days for Workspaces on paid plans.
- Alternative B describes architecturally incorrect behavior: the Log Analytics Workspace does not query Storage Account as a data source for its KQL queries.
- Alternative C describes real retention behavior (changes apply to new data), but it does not explain why data older than 90 days is absent when the Workspace has been configured for 180 days since before that data was ingested. This distractor is effective because it describes true behavior applied to the wrong scenario.