Azure Log Analytics MCP. Run KQL Queries Against Specific Logs

Claude

ChatGPT

Cursor

Gemini

Windsurf

VS Code

JetBrains

Vercel

See Vinkius in Action

Works with every AI agent you already use

…and any MCP-compatible client

Just plug in your AI agents and start using Vinkius.

query_logs: Run KQL queries against a single, scoped Azure Log Analytics table. This tool lets your AI client safely run Kusto Query Language queries for troubleshooting, analyzing traffic, and monitoring infrastructure.

It strips away global permissions, giving your agent precise, read-only access to specific log data. It's secure observability for your AI.

What your AI agents can do

Query logs

Execute a KQL query against the configured Log Analytics table by providing the operational logic.

Filter Logs by Time Range

You narrow the search space by adding time operators, like TimeGenerated > ago(1d), limiting the scope to specific periods of activity.

Search for Specific Event Levels

The agent filters results by severity, such as running | where SeverityLevel == 'Error', to isolate critical operational failures.

Parse JSON Payloads

You extract specific values from complex log entries using KQL syntax, allowing the agent to analyze structured data within the logs.

Limit Results Count

You cap the output size using | limit 10 to prevent information overload and keep the results actionable.

Ask AI about this MCP

Ask ChatGPT

Ask Claude

Ask Perplexity

Supported MCP Clients

Claude

ChatGPT

Cursor

Gemini

Windsurf

VS Code

JetBrains

Vercel

+ other MCP clients

Free for Subscribers

Waiting for input…

AI Agent

query019e386a

query logs

Execute a KQL query against the configured Log Analytics table by providing the operational logic.

Choose How to Get Started

Build a custom MCP for your own tools, or connect a ready-made integration from our catalog.

Build Your Own

Turn any API into an MCP. Import a spec, define Agent Skills, or deploy with MCPFusion.

Import from OpenAPI, Swagger, or YAML specs
Create Agent Skills with progressive disclosure
Deploy to edge with MCPFusion framework
Built in DLP, auth, and compliance on every call
Real time usage dashboard and cost metering
Publish to catalog or keep private

Start building

Make Your AI Do More

Start with Azure Log Analytics Workspace, then connect any of our 4,700+ other servers whenever your AI needs more. One click, no limits.

Use this MCP plus 4,700+ others, all in one place
Add new capabilities to your AI anytime you want
Every connection is secured and compliant automatically
Track usage and costs across all your servers
Works with Claude, ChatGPT, Cursor, and more
New servers added to the catalog every week

What you can do with this MCP connector

You're running KQL queries against a specific Azure Log Analytics table using the query_logs tool. This tool lets your AI client safely execute Kusto Query Language queries for troubleshooting, analyzing traffic, and monitoring infrastructure. It strips away global permissions, giving your agent read-only access to only the data in the designated table.

You'll get precise observability for your AI.

Your AI client can narrow the search space by adding time operators like TimeGenerated > ago(1d), limiting the scope to specific periods of activity. You can filter results by severity, running commands like | where SeverityLevel == 'Error' to isolate critical operational failures. To analyze structured data within the logs, you extract specific values from complex log entries using KQL syntax, which lets the agent parse JSON payloads.

If you don't want to get overwhelmed, you can cap the output size using | limit 10 to keep the results actionable. The query_logs tool takes the operational logic—like | where TimeGenerated > ago(1h) | limit 10—and runs it against the configured Log Analytics table; the engine handles prepending the authorized table name, keeping everything contained and safe.

How Azure Log Analytics MCP Works

1 Tell your agent what you're looking for using natural language (e.g., 'Find all errors from the last hour').
2 The agent constructs the necessary KQL operations (e.g., | where SeverityLevel == 'Error' | sort by TimeGenerated desc | limit 10).
3 The server executes the query against the single log table and returns the resulting data set.

The bottom line is that you get structured, actionable log data from a specific Azure table without needing complex permissions.

Who Is Azure Log Analytics MCP For?

The ops engineer who's tired of clicking through dashboards at 2am. The site reliability engineer who needs to correlate a user report with raw backend events. The security analyst who must prove a breach timeline. This tool gives your agent the surgical focus it needs to cut through mountains of data.

Site Reliability Engineer (SRE)

Debugging production issues by running targeted KQL queries against error and performance logs.

DevOps Engineer

Analyzing deployment failure logs or traffic spikes immediately after a service change.

Security Analyst

Tracing user activity or failed login attempts by querying specific security event tables.

What Changes When You Connect

See specific error patterns. You run targeted queries, like | where SeverityLevel == 'Error', and your agent pulls out only the critical failures. This cuts through the noise of normal operation logs.
Analyze traffic flow. You can check for sudden spikes or drops by using time-based filters (| where TimeGenerated > ago(1h)), immediately identifying performance anomalies.
Contain access scope. Because the agent is locked to one table, you don't risk global data exposure. This keeps your troubleshooting focused and secure.
Extract structured data. You don't just get raw text. You use KQL to parse JSON payloads and extract clean, usable metrics, like specific User IDs or resource names.
Accelerate debugging. Instead of manually jumping between dashboards, your agent runs the query and gives you the relevant data set, speeding up MTTR.
Focus on causality. By chaining multiple specific queries, you can build a sequence of events—from a warning to a failure—and see the full narrative.

Real-World Use Cases

Investigating a User-Reported Outage

A user reports that the checkout failed at 3 PM. The ops engineer asks their agent to 'Fetch all errors related to the checkout service between 2:50 PM and 3:10 PM.' The agent runs query_logs with a precise time window and filters for 'Error' severity, returning only the failed transaction records and the specific error codes needed to fix it.

Tracking Suspicious User Activity

A security analyst suspects an admin account was compromised. They ask their agent to 'Find all log entries for User ID 'admin' in the last 24 hours.' The agent runs query_logs to filter by the specific UserId and time range, generating a full timeline of the unauthorized activity for investigation.

Identifying Performance Degradation

The team notices slow response times. They ask their agent to 'Show me the average request size and count for the last 4 hours.' The agent uses query_logs to run a complex query that groups and aggregates the data, pinpointing when the traffic volume started increasing and causing the slowdown.

Validating a Code Deployment

A new service version was pushed. The dev team asks their agent to 'Check for any 'Warning' logs related to the 'payment' service in the last hour.' The agent runs query_logs to narrow the search to the new service and the warning level, providing a clean report that confirms the deployment was stable or highlights the exact regression.

The Tradeoffs

Querying the whole workspace

Asking the agent to 'Show me all logs for all services.' This attempts to query everything, which will fail due to global permission restrictions and overwhelm the system.

→ Always narrow the scope. Use query_logs to filter by specific event types, time ranges, and keywords. Focus the query on the single, scoped table provided by this server.

Asking for raw data dumps

Saying 'Give me all logs from last week.' This results in a massive, unreadable dump of thousands of lines, making it impossible to find the root cause.

→ Tell the agent exactly what you need. Use query_logs to combine filters: | where TimeGenerated > ago(7d) | where SeverityLevel == 'Error' | limit 50. Always define your boundaries.

Ignoring KQL syntax

Just dumping plain English queries into the agent. The agent won't know how to filter or group the data without specific KQL operators.

→ Structure your request to include the necessary KQL operators. For example, asking for 'logs where UserID is X' is better than 'show me user X logs.' The agent needs the pipes (|) and operators.

When It Fits, When It Doesn't

Use this if you need to troubleshoot, audit, or review specific historical events within a known, single data source. This tool is perfect when you know what went wrong and need to prove when and how it happened. It gives you surgical precision on a specific table.

Don't use it if you need real-time metrics (use a dedicated dashboarding tool) or if your problem requires correlating data across multiple, disparate systems (you'd need a multi-source data lake or a graph database). If you just need a high-level count or a simple status check, this tool is overkill; a simple API call is better. When in doubt, stick to a time range and a severity filter.

Independent Platform Disclaimer: Vinkius is an independent platform and is not affiliated with, endorsed by, sponsored by, verified by, or otherwise authorized by Azure Log Analytics Workspace. All third-party trademarks, logos, and brand names are the property of their respective owners. Their use on this website is strictly for informational purposes to identify service compatibility and interoperability.

VINKIUS INFRASTRUCTURE

Cloud Hosted

Managed infra

V8 Isolated

Sandboxed per request

Zero-Trust Proxy

No stored credentials

DLP Enforced

Policy on every call

GDPR Compliant

EU data residency

Token Compression

~60% cost reduction

How we secure it →

Works with Claude, ChatGPT, Cursor, and more

The Model Context Protocol standardizes how applications expose capabilities to LLMs. Instead of operating in isolation, your AI gains direct access to external platforms, live data, and real-world actions through secure, standardized connections.

This server provides 1 capabilities that interface natively with Claude, ChatGPT, Cursor, and any MCP client. No middleware. No custom integration required.

Available Capabilities

query_logs

Manually sifting through log dashboards is a total waste of time.

Today, finding a root cause means logging into the Azure portal, clicking 'Monitor,' then opening the specific Log Analytics blade. You then have to manually build queries, adjust time ranges, and cross-reference results with dashboards for every service involved. It’s a dozen tabs, hours of clicking, and too much copy-pasting.

With this MCP server, you just talk to your agent. It runs the necessary KQL query against the single scoped table. You get a clean, filtered data set with the exact records you need, without ever leaving the chat window.

query_logs: Get the data, not the headache.

Manual debugging requires you to remember the correct KQL syntax, the table name, and the exact time ranges for every service. It's a fragile process that breaks when a single field name changes.

The agent handles the query construction and execution for you. You just describe the problem—'show me failed logins from this user'—and the system runs the query. It's done.

Common Questions About Azure Log Analytics MCP

How do I use the query_logs tool with a specific time range? +

You need to include the time filter in your request. Use KQL functions like TimeGenerated > ago(1h) to narrow the search. The agent handles the rest of the query structure.

Can the query_logs tool search across multiple tables? +

No. This server is designed to query one specific, authorized table only. This design keeps your access strictly contained and secure.

Is the query_logs tool secure for security analysis? +

Yes. The server strips away dangerous global Azure permissions, limiting the agent to one table. This gives you the data you need while maintaining absolute containment.

What kind of data can I filter using query_logs? +

You can filter by any field available in the table, such as SeverityLevel, UserId, or specific JSON payload fields, using standard KQL operators.

How does the `query_logs` tool handle complex KQL syntax, like JSON parsing? +

The tool supports full Kusto Query Language (KQL) syntax. You can use operators like parse_json() within your query to filter and extract specific fields from structured JSON payloads.

What happens if the `query_logs` tool runs a query that exceeds the rate limit? +

The system handles rate limiting automatically. If a query fails due to exceeding the limit, the agent receives an explicit error message, which you can then use to adjust your query or wait and retry.

Does the `query_logs` tool require me to specify the Azure Log Analytics table? +

No, you don't have to specify the table name. The engine automatically prepends the authorized table name to your query, keeping your access strictly scoped and safe.

Is there a limit on the number of records the `query_logs` tool can return? +

The tool allows you to limit results using the standard KQL limit operator. If you don't specify a limit, the default behavior is set by the underlying Azure API, ensuring manageable data chunks.

Why limit the agent to a single Log Table? +

To enforce zero-trust security. A Workspace often contains sensitive audit trails (like AzureActivity or SecurityEvents). By locking the agent to a specific table (e.g., 'AppExceptions'), you prevent it from reading global infrastructure access logs.

How should I format my KQL queries? +

You do NOT need to include the table name. The MCP engine automatically handles the table prefix. Just pass the KQL operators starting with a pipe. Example: | where TimeGenerated > ago(1h) | limit 50.

Use it with your favorite AI tools

Connect this server to Cursor, Claude, VS Code, and more.

OpenAI Agents SDK sdk-python

Google ADK sdk-python

Pydantic AI sdk-python

Vercel AI SDK sdk-typescript