# Azure Log Analytics Workspace MCP for AI Agents

> Azure Log Analytics Workspace MCP provides secure, scoped access to a single Azure Log Analytics table. It lets your AI client execute complex KQL queries directly against critical system logs. This is perfect for debugging applications or analyzing performance spikes without needing global permissions.

## Overview
- **Category:** industry-titans
- **Price:** Free
- **Tags:** kql, log-querying, cloud-monitoring, telemetry, troubleshooting, scoped-access

## Description

Debugging production issues often means digging through massive amounts of log data. Normally, this requires jumping between dashboards and running multiple manual searches, a process that is slow and prone to missing key details. This MCP gives your AI agent one narrowly defined capability: running Kusto Query Language (KQL) queries on a single, designated Log Analytics table. It does not grant global access; its scope is limited to that table. That lets you troubleshoot application errors or analyze traffic patterns without risking exposure of sensitive audit trails across your entire Azure environment. You provide the necessary KQL operations (for example, filtering by a time range or specific error codes) and your agent handles the rest. It's a secure way to get deep observability right where you need it.

## Tools

### query_logs
Runs a KQL query against the configured Log Analytics table using only the operations you specify.

## Prompt Examples

**Prompt:** 
```
What were the top 5 error codes that occurred in the last two hours?
```

**Response:** 
```
**Top 5 Error Codes (Last 2 Hours)**

| Code | Count |
| :--- | :---: |
| AUTH_FAIL_401 | 45 |
| DB_TIMEOUT_503 | 18 |
| RESOURCE_LIMIT | 9 |
| INPUT_VALIDATION | 7 |
| NETWORK_DROP | 6 |

*Query used: `| where TimeGenerated > ago(2h) and SeverityLevel == 'Error' | summarize count() by Code | top 5 by count_`*
```

**Prompt:** 
```
Show me all requests from a specific user ID that failed with a timeout error.
```

**Response:** 
```
**Timeout Errors for User U-901**

* Total failures found: 3 
* Time Window: 2024-06-15 10:00 to 10:05 UTC

| Timestamp | Request ID | Status Code |
| :--- | :--- | :--- |
| 10:01:15 | req-a7d3 | 503 |
| 10:02:40 | req-b9e1 | 503 |
| 10:04:55 | req-c2f8 | 503 |
```

**Prompt:** 
```
Find out how many times the 'admin' user was active in the last day.
```

**Response:** 
```
**User Activity Summary (Admin)**

* **Total Records:** 1,420 logs.
* **Key Metrics:**
  * Successful logins: 1,395
  * Failed attempts: 25
  * Most common action: Data retrieval via API call.

This suggests the user is highly active but had a few minor authentication hiccups.
```

## Capabilities

### Execute Kusto Query Language (KQL) queries
The AI client runs complex, filtered searches against the designated Log Analytics table.

### Filter log data by time or severity
You can narrow down results to specific time windows or only show records flagged with errors.

### Extract structured insights from raw logs
The agent parses complex JSON payloads within the logs to pull out specific data points, like user IDs or request statuses.

## Use Cases

### Debugging a User Authentication Failure
A user reports they couldn't log in this morning. Instead of checking ten different services, your agent runs a query targeting failed login attempts over the last 4 hours and pulls out the specific error code and associated user ID.

### Investigating Traffic Spikes
The application suddenly slowed down yesterday afternoon. Your agent queries logs to compare traffic volume (requests per second) during the slow period versus a normal baseline, pinpointing the exact time of degradation.

### Auditing Specific Resource Activity
You need to know who accessed a specific database resource on Monday. Your agent queries logs for entries containing that unique resource ID and filters by user role, giving you a clean list of access attempts.

## Benefits

- Pinpoint the exact moment an issue started. Instead of sifting through terabytes of data, you run a precise query to find only relevant error logs.
- Eliminate permission creep risks. Because this MCP is locked down to a single table, your agent can debug without ever touching sensitive global audit records.
- Speed up incident response. Your AI client executes complex KQL syntax, such as combining time filters with severity levels, in seconds, giving you instant context.
- Go beyond simple text searches. The tool supports parsing JSON payloads, letting the AI extract metrics like specific request IDs or user session details.
- Use Kusto Query Language (KQL) directly through natural conversation. No more learning complicated command-line syntax just to check logs.

## How It Works

The bottom line is, you talk naturally about the data you need, and the system handles the complex querying process.

1. You ask your AI client a question about system performance (e.g., 'Show me all 500 errors from the last hour').
2. Your agent translates that request into specific KQL operations and sends them to this MCP.
3. The MCP executes the query against the single authorized log table and returns the filtered, structured results to your AI client for interpretation.
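
An added example, not this MCP's own code: one way a server that receives pipe-stage operations, as in step 2, could keep the final query on the configured table. The table name `AppEvents`, the operator allowlist and every function name are assumptions; text checks like this are defense in depth, and the permissions of the identity running the query remain the actual boundary.

```python
import re

# Assumed allowlist of single-table operators; not the product's actual list.
ALLOWED = {"where", "summarize", "top", "project", "extend", "take",
           "limit", "sort", "order", "distinct", "count"}
# KQL constructs that can read data other than the table piped in.
CROSS_SCOPE = re.compile(
    r"\b(union|join|lookup|find|search|externaldata|evaluate)\b"
    r"|\b(workspace|app|resource|cluster|database|table)\s*\(", re.I)
STRING_LITERAL = re.compile(r"'(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\"")
TABLE_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


class ScopeViolation(ValueError):
    """Raised when an operation could leave the configured table."""


def check_operation(op: str) -> str:
    """Validate one pipe stage and return it trimmed."""
    op = op.strip()
    # Blank out string literals so quoted data can neither trigger nor hide a match.
    bare = STRING_LITERAL.sub(" ", op)
    if "'" in bare or '"' in bare:
        raise ScopeViolation("unbalanced string literal")
    if "|" in bare or ";" in bare:
        raise ScopeViolation("nested pipe or statement separator")
    words = bare.split()
    if not words or words[0].lower() not in ALLOWED:
        raise ScopeViolation("operator not on the allowlist")
    hit = CROSS_SCOPE.search(bare)
    if hit:
        raise ScopeViolation(f"cross-scope construct: {hit.group(0)}")
    return op


def build_scoped_query(table: str, operations: list[str]) -> str:
    """Compose '<table> | op | op', the only query shape that is ever sent."""
    if not TABLE_NAME.fullmatch(table):
        raise ScopeViolation("invalid table name")
    return " | ".join([table] + [check_operation(op) for op in operations])


def rejected(op: str) -> bool:
    """True when check_operation refuses the stage."""
    try:
        check_operation(op)
    except ScopeViolation:
        return True
    return False
```

A bare table name inside an expression such as `in (OtherTable)` looks the same as a column name to this check, which is why it cannot replace access control on the workspace.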

## Frequently Asked Questions

**How do I use the Azure Log Analytics Workspace MCP for debugging?**
You simply ask your agent what you're looking for—for instance, 'Show me all network connection failures from yesterday.' The MCP handles the complex KQL query and returns a clean table of results.

**Does this MCP work with different types of logs?**
It works on structured log data within one specific Azure Log Analytics table. You need to know roughly what kind of data is in that table (e.g., application events, security records) to ask the right question.

**Is this safe for my production environment?**
Yes, safety was the main design focus. The MCP only allows querying a single, specified log table, which means your agent can't accidentally access sensitive logs elsewhere in Azure.