Azure Activity Logs
Intro
The Activity log is a platform log in Azure that provides insight into subscription-level events.
Documentation
Tips and Tidbits
Platform logs provide detailed diagnostic and auditing information for Azure resources and the Azure platform they depend on.
They are generated automatically, although you need to configure a diagnostic setting to forward the platform logs you want to keep to one or more destinations, otherwise they are not retained beyond the default window.
This includes such information as when a resource is modified or when a virtual machine is started.
Activity log events are retained in Azure for 90 days and then deleted.
There is no charge for entries during this time regardless of volume.
Create a diagnostic setting to send the Activity log to one or more of these locations:
- Azure Monitor Logs, for more complex querying and alerting, and longer retention (up to 2 years). Use the Log Analytics tool in the Azure portal to edit and run log queries against the data in Azure Monitor Logs.
- Azure Event Hubs, to forward the log outside of Azure.
- Azure Storage, for cheaper long-term archiving.
The portal menu you open the Activity log from determines its initial filter. If you open it from the Monitor menu, the only filter is the subscription. If you open it from a resource's menu, the filter is set to that resource.
Azure Activity Log event schema
| Category | Description |
|---|---|
| Administrative | Contains the record of all create, update, delete, and action operations performed through Resource Manager. Examples of Administrative events include "create virtual machine" and "delete network security group". Every action taken by a user or application using Resource Manager is modeled as an operation on a particular resource type. If the operation type is Write, Delete, or Action, the records of both the start and the success or failure of that operation are recorded in the Administrative category. Administrative events also include any changes to Azure role-based access control in a subscription. |
| Service Health | Contains the record of any service health incidents that have occurred in Azure. An example of a Service Health event is "SQL Azure in East US is experiencing downtime". Service Health events come in six varieties: Action Required, Assisted Recovery, Incident, Maintenance, Information, or Security. These events are only created if you have a resource in the subscription that would be impacted by the event. |
| Resource Health | Contains the record of any resource health events that have occurred to your Azure resources. An example of a Resource Health event is "Virtual Machine health status changed to unavailable". Resource Health events can represent one of four health statuses: Available, Unavailable, Degraded, and Unknown. Additionally, Resource Health events can be categorized as Platform Initiated or User Initiated. |
| Alert | Contains the record of activations for Azure alerts. An example of an Alert event is "CPU % on myVM has been over 80 for the past 5 minutes". |
| Autoscale | Contains the record of any events related to the operation of the autoscale engine, based on any autoscale settings you have defined in your subscription. An example of an Autoscale event is "Autoscale scale up action failed". |
| Recommendation | Contains recommendation events from Azure Advisor. |
| Security | Contains the record of any alerts generated by Microsoft Defender for Cloud. An example of a Security event is "Suspicious double extension file executed". |
| Policy | Contains records of all effect action operations performed by Azure Policy. Examples of Policy events include Audit and Deny. Every action taken by Policy is modeled as an operation on a resource. |
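The Administrative row above says that every Write, Delete or Action operation produces two records, one at start and one on success or failure, and that RBAC changes land in the same category. The script below, added here as an example (it is not part of the page or of Microsoft's tooling), parses a handful of constructed Activity log records shaped like the event schema (category, operationName and status are objects with a "value" field), pairs the start and outcome records of each operation by correlationId, and lists the operations a defender would review first: role assignment writes and network security group changes. The operation names and status values are real Azure values; the subscription id, callers, timestamps and the watch list are assumptions made for the example.

```python
"""Triage Azure Activity log records: pair the Started/outcome records of each
Administrative operation and flag the ones that change authorization or a
network security boundary.

Added example, not from the page or from Microsoft. The records are
constructed samples shaped like the Activity log event schema; the operation
names and status values are real Azure values, while the subscription id,
callers and timestamps are made up.
"""
import json

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder id

# Constructed sample export, e.g. what a JSON dump of the log would look like.
SAMPLE_EVENTS_JSON = """
[
 {"category": {"value": "Administrative"}, "correlationId": "c1",
  "caller": "alice@contoso.example", "eventTimestamp": "2024-05-01T10:00:00Z",
  "operationName": {"value": "Microsoft.Authorization/roleAssignments/write"},
  "resourceId": "%(sub)s/providers/Microsoft.Authorization/roleAssignments/aaaa",
  "status": {"value": "Started"}},
 {"category": {"value": "Administrative"}, "correlationId": "c1",
  "caller": "alice@contoso.example", "eventTimestamp": "2024-05-01T10:00:03Z",
  "operationName": {"value": "Microsoft.Authorization/roleAssignments/write"},
  "resourceId": "%(sub)s/providers/Microsoft.Authorization/roleAssignments/aaaa",
  "status": {"value": "Succeeded"}},
 {"category": {"value": "Administrative"}, "correlationId": "c2",
  "caller": "bob@contoso.example", "eventTimestamp": "2024-05-01T10:05:00Z",
  "operationName": {"value": "Microsoft.Network/networkSecurityGroups/delete"},
  "resourceId": "%(sub)s/resourceGroups/rg-app/providers/Microsoft.Network/networkSecurityGroups/nsg-web",
  "status": {"value": "Started"}},
 {"category": {"value": "Administrative"}, "correlationId": "c2",
  "caller": "bob@contoso.example", "eventTimestamp": "2024-05-01T10:05:01Z",
  "operationName": {"value": "Microsoft.Network/networkSecurityGroups/delete"},
  "resourceId": "%(sub)s/resourceGroups/rg-app/providers/Microsoft.Network/networkSecurityGroups/nsg-web",
  "status": {"value": "Failed"}},
 {"category": {"value": "Administrative"}, "correlationId": "c3",
  "caller": "svc-automation@contoso.example", "eventTimestamp": "2024-05-01T10:10:00Z",
  "operationName": {"value": "Microsoft.Compute/virtualMachines/start/action"},
  "resourceId": "%(sub)s/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm-web-1",
  "status": {"value": "Started"}},
 {"category": {"value": "Administrative"}, "correlationId": "c3",
  "caller": "svc-automation@contoso.example", "eventTimestamp": "2024-05-01T10:10:20Z",
  "operationName": {"value": "Microsoft.Compute/virtualMachines/start/action"},
  "resourceId": "%(sub)s/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm-web-1",
  "status": {"value": "Succeeded"}},
 {"category": {"value": "ServiceHealth"}, "correlationId": "c4",
  "caller": null, "eventTimestamp": "2024-05-01T11:00:00Z",
  "operationName": {"value": "Microsoft.ServiceHealth/incident/action"},
  "resourceId": "%(sub)s", "status": {"value": "Active"}}
]
""" % {"sub": SUB}

# Hypothetical watch list for this example: operations whose success changes
# who can do what, or which traffic is allowed. Tune it to your environment.
HIGH_IMPACT_OPERATIONS = (
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleDefinitions/write",
    "Microsoft.Network/networkSecurityGroups/delete",
    "Microsoft.Network/networkSecurityGroups/securityRules/write",
)


def field_value(field):
    """Schema fields such as status and category are {"value", "localizedValue"}
    objects; accept a bare string too so flattened exports also parse."""
    return field["value"] if isinstance(field, dict) else field


def load_events(text):
    return json.loads(text)


def summarize_operations(events):
    """Group Administrative records by correlationId. A Write/Delete/Action
    operation yields a Started record and later a Succeeded/Failed record;
    keep the outcome when we have it, otherwise the operation is in flight."""
    ops = {}
    for ev in events:
        if field_value(ev["category"]) != "Administrative":
            continue  # Service Health, Alert, Policy, ... are triaged elsewhere
        entry = ops.setdefault(ev["correlationId"], {
            "operation": field_value(ev["operationName"]),
            "caller": ev.get("caller"),
            "resourceId": ev.get("resourceId"),
            "first_seen": ev["eventTimestamp"],
            "final_status": None,
        })
        status = field_value(ev["status"])
        if status != "Started" or entry["final_status"] is None:
            entry["final_status"] = status
    return ops


def flag_high_impact(ops):
    """Return (correlationId, operation, final_status) for watch-listed
    operations. Failed attempts are kept: a failed role assignment is still
    worth a look."""
    return [(cid, o["operation"], o["final_status"])
            for cid, o in ops.items() if o["operation"] in HIGH_IMPACT_OPERATIONS]


def triage(text=SAMPLE_EVENTS_JSON):
    ops = summarize_operations(load_events(text))
    return ops, flag_high_impact(ops)


if __name__ == "__main__":
    ops, flagged = triage()
    for cid, o in ops.items():
        print(f"{cid}: {o['operation']} by {o['caller']} -> {o['final_status']}")
    for cid, op, status in flagged:
        print(f"FLAG {cid}: {op} ({status})")
```

Run it on a real export by feeding `triage()` the JSON text of the records; the same grouping works on rows exported from a Log Analytics workspace once the column names are mapped to the schema field names used here.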
Sending Platform Logs To Azure Monitor
First, enable a diagnostic setting that sends the Activity log to Azure Monitor.
Then select a previously created Log Analytics workspace as the destination.
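The two steps above are done in the portal; when the same setting is managed as code it is a subscription-scoped `Microsoft.Insights/diagnosticSettings` resource whose `logs` list names the eight categories from the table. The script below is an added example (not from the page or from Microsoft): it builds the request body for that resource, pointing at a Log Analytics workspace, and compares it with an existing setting so that categories that are not being forwarded stand out. The subscription and workspace ids are placeholders, the "existing" setting is a constructed sample, the REST path and api-version are from my own knowledge of the Azure Monitor REST API, and nothing is sent to Azure.

```python
"""Desired-state check for a subscription-level diagnostic setting that
forwards the Activity log to a Log Analytics workspace.

Added example, not from the page or from Microsoft. Ids are placeholders and
the "existing" setting is constructed; no request is made.
"""
import json

# The eight Activity log categories, as named in diagnostic settings.
ACTIVITY_LOG_CATEGORIES = (
    "Administrative", "ServiceHealth", "ResourceHealth", "Alert",
    "Autoscale", "Recommendation", "Security", "Policy",
)

SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"  # placeholder
WORKSPACE_ID = (f"/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/rg-logging"
                "/providers/Microsoft.OperationalInsights/workspaces/law-placeholder")


def setting_url(subscription_id, name, api_version="2021-05-01-preview"):
    """PUT target for the subscription diagnostic setting (assumed api-version)."""
    return (f"https://management.azure.com/subscriptions/{subscription_id}"
            f"/providers/Microsoft.Insights/diagnosticSettings/{name}"
            f"?api-version={api_version}")


def build_setting(workspace_id, categories=ACTIVITY_LOG_CATEGORIES):
    """Request body enabling the requested categories and explicitly disabling
    the rest, so the resulting setting documents what is *not* forwarded."""
    unknown = sorted(set(categories) - set(ACTIVITY_LOG_CATEGORIES))
    if unknown:
        raise ValueError(f"not Activity log categories: {unknown}")
    return {"properties": {
        "workspaceId": workspace_id,
        "logs": [{"category": c, "enabled": c in categories}
                 for c in ACTIVITY_LOG_CATEGORIES],
    }}


def missing_categories(existing_setting, required=ACTIVITY_LOG_CATEGORIES):
    """Categories that a GET of the current setting shows absent or disabled."""
    enabled = {entry["category"]
               for entry in existing_setting["properties"].get("logs", [])
               if entry.get("enabled")}
    return [c for c in required if c not in enabled]


# Constructed sample of what a GET on an existing setting might return:
# only Administrative and ServiceHealth were switched on.
EXISTING_SETTING = {
    "name": "activity-to-law",
    "properties": {
        "workspaceId": WORKSPACE_ID,
        "logs": [{"category": "Administrative", "enabled": True},
                 {"category": "ServiceHealth", "enabled": True},
                 {"category": "Security", "enabled": False}],
    },
}


def check_existing(setting=EXISTING_SETTING):
    return missing_categories(setting)


if __name__ == "__main__":
    print("PUT", setting_url(SUBSCRIPTION_ID, "activity-to-law"))
    print(json.dumps(build_setting(WORKSPACE_ID), indent=2))
    print("not forwarded by the existing setting:", check_existing())
```

The body printed by `build_setting` is the same `logs` array the Azure CLI takes in its `--logs` argument when creating a subscription diagnostic setting with `az monitor diagnostic-settings subscription create`, so the check and the deployment can share one definition. Running `missing_categories` against what the API returns for each subscription is a cheap periodic control: the Security category holds the Defender for Cloud alerts, and it is easy to miss when a setting was created with only Administrative ticked.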