diff --git a/docs/source/management/logs.md b/docs/source/management/logs.md
new file mode 100644
index 0000000000..f9a9948453
--- /dev/null
+++ b/docs/source/management/logs.md
@@ -0,0 +1,31 @@
+# Monitoring logs
+
+Logs are collected for numerous parts of a Data Safe Haven.
+Some of these logs are ingested into a central location, an Azure [Log Analytics Workspace](https://learn.microsoft.com/azure/azure-monitor/logs/log-analytics-workspace-overview), and others are stored separately.
+
+## Log workspace
+
+Each SRE has its own Log Analytics Workspace.
+You can view the workspaces by going to the Azure portal and navigating to [Log Analytics Workspaces](https://portal.azure.com/#browse/Microsoft.OperationalInsights%2Fworkspaces).
+Select which log workspace you want to view by clicking on the workspace named `shm-<YOUR_SHM_NAME>-sre-<YOUR_SRE_NAME>-log`.
+
+The logs can be filtered using [Kusto Query Language (KQL)](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/log-query-overview).
+
+## Container logs
+
+Some of the Data Safe Haven infrastructure is provisioned as containers.
+These include,
+
+- remote desktop portal
+- package proxy
+- Gitea and Hedgedoc
+
+Logs from all containers are ingested into the [SREs log workspace](#log-workspace).
+There are two logs
+
+`ContainerEvents_CL`
+: Event logs for the container instance resources such as starting, stopping, crashes and pulling images.
+
+`ContainerInstanceLog_CL`
+: Container process logs.
+: This is where you can view the output of the containerised applications and will be useful for debugging problems.