In order to view event logs today, users generally have to rely on tools that will first upload their data to storage and then query it. With Real-Time KQL, this is no longer necessary. Event processing happens as events arrive, in real-time.
Get started right away using Real-Time KQL, or learn how it works.
| | Windows | Linux |
|---|---|---|
| OS Logs | WinLog - logs seen in EventVwr or in log file(s) on disk (Doc / Demo) | Syslog - the OS log (Doc / Demo) |
| High-Volume Tracing | Etw - Event Tracing for Windows (Doc / Demo) | EBPF - dynamic interception of kernel and user mode functions (coming soon) |
You can also feed pre-recorded CSV files into Real-Time KQL.
Check out the query writing guide for some best practices on coming up with queries for Real-Time KQL.
| Real-Time Output | File Output | Upload Output |
|---|---|---|
| consoleOutput - results printed to standard output | jsonOutput - each event is a JSON dictionary | adxOutput - upload to Kusto (Azure Data Explorer) |
| webEvents - Real-Time KQL acts as a real-time server for events | csvOutput - each event is a row in a comma-separated value (CSV) table | blobStorage - upload as JSON objects to Blob Storage |
| htmlOutput - each event formatted as a human-readable DIV element | | |
This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.
When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.
This project has adopted the Microsoft Open Source Code of Conduct. For more information, see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.