Skip to main content

007: Log Analytics

Overview

In Microsoft Intune, you can enhance your monitoring and tracking capabilities by sending logs to Azure Monitor using Diagnostics Settings. Here's how it works:

  1. Audit Logs: These logs record activities that generate changes in Intune, such as creating, updating, deleting, assigning, and remote actions. You can route these logs to:

    • Azure Storage: Archive data for a set time.
    • Azure Event Hubs: Stream logs for analytics using SIEM tools like Splunk and QRadar.
    • Log Analytics: Enable rich visualizations, monitoring, and alerting¹.

  2. Operational Logs: These provide details on user and device enrollment (success or failure) and noncompliant devices. Similar to audit logs, you can route them to the same services¹.

How to Set It Up:

  • Sign in to the Azure portal.
  • Navigate to Log Analytics workspaces.
  • Select the workspace containing Intune diagnostics.
  • Under General, choose Logs.
  • Look for the Intune-related logs: IntuneAuditLogs and IntuneOperationalLogs².

Remember, once you enable this feature, your logs are routed to the Azure Monitor service you choose.

Reference

https://learn.microsoft.com/en-us/mem/intune/fundamentals/review-logs-using-azure-monitor