Azure Storage and Log Analytics


The Curious Case of the Disappearing File: A Journey Through Azure Storage
In the bustling world of cloud storage, files come and go, often without much fanfare. But what happens when a crucial file suddenly vanishes? This is the story of one such mysterious disappearance and the steps taken to uncover the truth.
The Issue: The Vanishing Act
It was a typical day for me working as a data engineer at a tech company. As part of my daily routine, I was reviewing the storage accounts in Azure when I noticed something alarming. A critical folder, essential for the data analytics operation, was missing. Panic set in as I realized the file had vanished without a trace.
The Investigation Begins
Determined to solve the mystery, I began the investigation. I knew that Azure Storage had robust logging capabilities, so I decided to enable Log Analytics. This would allow me to track and analyze the activities within the storage account.
Enabling Log Analytics
I navigated to the Azure portal and enabled Azure Monitor Log Analytics for the storage account. This feature would collect and store logs of all operations performed on the storage account, providing a detailed trail of activities.
Step 1: Go to Diagnostic settings (classic), enable logging, and click Save.
Step 2: Go to Diagnostic settings > click on blob > Add diagnostic setting > select delete and send to Log Analytics.
The Power of KQL
With Log Analytics enabled, I turned to Kusto Query Language (KQL) to sift through the logs. KQL is a powerful query language used to extract and analyze data from Azure Monitor logs. I crafted a query to search for any delete operations performed on the storage account.
// Delete operations logged for blobs in the past day
StorageBlobLogs
| where TimeGenerated > ago(1d)
| where OperationName contains "Delete"
| project TimeGenerated, AccountName, OperationName, AuthenticationType, CallerIpAddress, Uri
This query returns all blob delete operations logged in the past day, along with the time, account name, operation name, authentication type, the IP address of the client that performed the deletion, and the URI of the blob.
Go to Logs to run the query using KQL.
The Revelation
As I ran the query, the results began to populate. There it was—a record of the deleted directory (folder). The logs showed that the folder had been deleted by a lifecycle management policy (identified through the AuthenticationType field). Azure Storage Lifecycle Management is a feature that allows users to manage the lifecycle of their data by automatically transitioning or deleting blobs based on specified rules.
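To attribute deletions under one folder rather than scan every delete row, the query below groups successful deletes by who or what issued them. It is an added example, not part of the original post; the folder path and the 7-day window are placeholder assumptions, and the columns used are standard StorageBlobLogs columns.

```kql
// Added example: adjust the two parameters to your environment.
let lookback = 7d;                                   // assumed look-back window
let folderPrefix = "/mycontainer/critical-folder/";  // hypothetical container/folder path
StorageBlobLogs
| where TimeGenerated > ago(lookback)
| where OperationName contains "Delete"
// Keep only requests the service accepted (2xx), so failed attempts do not inflate counts
| where toint(StatusCode) between (200 .. 299)
// Compare on the URL path only, ignoring host and any query string
| extend BlobPath = tostring(parse_url(Uri).Path)
| where BlobPath startswith folderPrefix
// One row per distinct actor: authentication type, caller, identity and client software
| summarize Deletes = count(),
            FirstDelete = min(TimeGenerated),
            LastDelete = max(TimeGenerated),
            SampleUri = take_any(Uri)
    by AccountName, OperationName, AuthenticationType,
       CallerIpAddress, RequesterObjectId, UserAgentHeader
| order by Deletes desc
```

A single actor removing many blobs in a short FirstDelete to LastDelete window points to an automated process such as a policy, while scattered rows with a user identity in RequesterObjectId point to manual deletion.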
The Resolution
With the cause of the deletion identified, I knew what needed to be done. I reviewed the lifecycle management policies and adjusted them to ensure that critical folders were not inadvertently deleted in the future. Additionally, I restored the deleted folder, ensuring that the folders are available for the data analytics operation.
Lessons Learned
This experience taught me several valuable lessons:
Enable Logging: Always enable logging and monitoring for critical resources. It provides a detailed trail of activities that can be invaluable in troubleshooting issues.
Understand Policies: Be aware of and regularly review lifecycle management policies to prevent unintended deletions.
Use Powerful Tools: Leverage tools like KQL to analyze logs and gain insights into the operations performed on your resources.
In the end, the mystery of the disappearing folders was solved, and I emerged wiser and more prepared for future challenges. The world of cloud storage is vast and complex, but with the right tools and knowledge, even the most perplexing issues can be unraveled.
Written by Santanu Ghosh
