USM Anywhere automatically creates log collection jobs for Azure Monitor and security logs. It also creates jobs for Internet Information Services (IIS), Microsoft Azure SQL Server, and Microsoft Windows if it detects storage locations for these log types. When you complete the Log Collection step for the Azure Sensor, you can enable these default jobs. You can review these jobs and their history in the Scheduler, but you cannot modify the parameters of these default jobs.
Note: What an Azure log job collects depends on whether you granted contributor permissions to one of your resources or to your entire Azure subscription for the USM Anywhere application. Depending on the Azure credentials configured for the deployed Azure Sensor, the sensor could have access to individual resource groups or the whole subscription. See Create an Application and Obtain Azure Credentials for more information.
To supplement the automatic Azure log collection in USM Anywhere and to set up log collection for Azure Web Apps, add new Azure log collection jobs.
Important: Before your scheduled jobs can collect logs, you may also have to perform specific configuration steps outside of USM Anywhere in your environment. See Collect Azure Resource Logs for detailed descriptions of the configuration steps your environment might require.
To schedule a new job to collect and process Azure logs
  1. Go to Settings > Scheduler.
  2. In the left navigation menu, click Log Collection.
    Note: You can use the Sensor filter at the top of the list to review the available log collection jobs on your Azure Sensor.
  3. Click Create Log Collection Job.
    Note: If you have recently deployed a new USM Anywhere Sensor, it can take up to 20 minutes for USM Anywhere to discover the various log sources. After it discovers the logs, you must manually enable the Azure log collection jobs you want before the system collects the log data.
    The Schedule New Job dialog box opens.
  4. Enter the name and description for the job. The description is optional, but it is a best practice to provide this information so that others can easily understand what it does.
  5. Select Sensor as the source for your new job.
  6. In the Select App option, select Azure.
  7. In the App Action option, select the action for Azure log type that you want to schedule for collection.
    See Collect Azure Resource Logs to review details about the Azure log types that USM Anywhere can collect.
  8. Depending on the selected app action (log type), specify the Resource Group, Storage Account, and Container for the logs. You can obtain this information by logging into the Azure console and reviewing the configuration for your diagnostic and storage resources.
    Note: For Azure IIS logs, Azure Web Apps logs, and Azure Windows logs, you must specify a binary large object (BLOB) container used for the log storage. For the Azure SQL Server log type, you must specify the table container used for the log storage.The Azure SQL Server job is deprecated. Use the Event Hub Integration to collect Azure SQL Server logs. See Collect Logs from Azure Event Hubs for more information.
  9. In the Schedule section, specify when USM Anywhere runs the job: a. Select the increment as Minute, Hour, Day, Week, Month, or Year.
    Warning: After a frequency change, monitor the system to check its performance. For example, you can check the system load and CPU. See USM Anywhere System Monitor for more information.
    b. Set the interval options for the increment. The selected increment determines the available options. For example, on a weekly increment, you can select the days of the week to run the job.
    Or on a monthly increment, you can specify a date or a day of the week that occurs within the month.
    Important: USM Anywhere restarts the schedule on the first day of the month if the option “Every x days” is selected.
    c. Set the start time. This is the time that the job starts at the specified interval. It uses the time zone configured for your USM Anywhere instance (the default is Coordinated Universal Time [UTC]).
  10. Click Save.