Here are the steps and explanations for configuring VNET1 to log all events and metrics and query them by using KQL:
To enable logging for VNET1, you need to create a diagnostic setting that collects the platform metrics and logs from the virtual network and routes them to one or more destinations. You can choose to send the data to a Log Analytics workspace, a storage account, an event hub, or a partner solution [1].
To create a diagnostic setting, you need to go to the Azure portal and select your virtual network. Then select Diagnostic settings under Monitoring and select + Add diagnostic setting [1].
On the Add diagnostic setting page, enter or select the following information:
Diagnostic setting name: Type a unique name for your diagnostic setting.
Destination details: Select the destination where you want to send the data. For example, you can select Send to Log Analytics workspace and choose your workspace from the list.
Log: Select the categories of logs that you want to collect. For VNET1, you can select NetworkSecurityGroupEvent and NetworkSecurityGroupRuleCounter as the log categories [2].
Metric: Select AllMetrics to collect all the platform metrics for VNET1 [2].
Select Save to create your diagnostic setting [1].
To query the events and metrics from the Azure portal by using KQL, you need to go to the Log Analytics workspace that you selected as the destination. Then select Logs under General and enter your KQL query in the query editor [3].
For example, you can use the following KQL query to get the top 10 network security group events for VNET1 in the last 24 hours:
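The query itself is missing from this page. As an added example (not the original page's query), the following KQL returns the 10 most recent network security group events from the last 24 hours. It assumes the diagnostic setting writes to the AzureDiagnostics table, that the logged resource's ResourceId contains the name VNET1, and that the event properties appear in the suffixed columns shown.

```kusto
// Added example, not from the original page.
// Assumption: logs are collected in the AzureDiagnostics table of the workspace.
AzureDiagnostics
| where TimeGenerated > ago(24h)                 // last 24 hours
| where Category == "NetworkSecurityGroupEvent"  // log category selected in the diagnostic setting
| where ResourceId has "VNET1"                   // assumption: scope to VNET1 by name
// Assumption: rule name, direction and allow/block type are stored in these suffixed columns.
| project TimeGenerated, Resource, OperationName, ruleName_s, direction_s, type_s
| top 10 by TimeGenerated desc                   // 10 most recent events
```

If the query returns no rows, run `AzureDiagnostics | summarize count() by Category` over the same time range to confirm which categories are actually arriving in the workspace.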