Azure Activity Logs



Intro

The Activity log is a platform log in Azure that provides insight into subscription-level events.



Documentation



Tips and Tidbits

  • The Activity log is a platform log in Azure that provides insight into subscription-level events.

    • Platform logs provide detailed diagnostic and auditing information for Azure resources and the Azure platform they depend on.

    • They are generated automatically, but they are only retained beyond the default window if you configure a diagnostic setting that forwards them to one or more destinations.

  • This includes such information as when a resource is modified or when a virtual machine is started.

  • Activity log events are retained in Azure for 90 days and then deleted.

    • There is no charge for entries during this time, regardless of volume.

  • Create a diagnostic setting to send the Activity log to one or more of these locations, for the following reasons:

    • to Azure Monitor Logs (a Log Analytics workspace) for more complex querying and alerting, and longer retention (up to 2 years)

      • Use Log Analytics in the Azure portal to write and run log queries (KQL) over the forwarded data, which lands in the AzureActivity table.

    • to Azure Event Hubs, to forward the events to a SIEM or another system outside Azure

    • to Azure Storage, for cheaper long-term archiving


  • The menu you open the Activity log from determines its initial filter.

    • If you open it from the Monitor menu, the only filter is on the subscription.

    • If you open it from a resource's menu, the filter is set to that resource.



Azure Activity Log event schema

Every event carries a category, which determines what the event describes and which fields are populated. The categories are:

  • Administrative

    • Contains the record of all create, update, delete, and action operations performed through Resource Manager. Examples of Administrative events include create virtual machine and delete network security group.

    • Every action taken by a user or application using Resource Manager is modeled as an operation on a particular resource type. If the operation type is Write, Delete, or Action, records of both the start and the success or failure of that operation are written to the Administrative category. Administrative events also include any changes to Azure role-based access control (RBAC) in a subscription.

  • Service Health

    • Contains the record of any service health incidents that have occurred in Azure. An example of a Service Health event is "SQL Azure in East US is experiencing downtime".

    • Service Health events come in six varieties: Action Required, Assisted Recovery, Incident, Maintenance, Information, or Security. These events are only created if you have a resource in the subscription that would be impacted by the event.

  • Resource Health

    • Contains the record of any resource health events that have occurred to your Azure resources. An example of a Resource Health event is "Virtual Machine health status changed to unavailable".

    • Resource Health events can represent one of four health statuses: Available, Unavailable, Degraded, and Unknown. Additionally, Resource Health events can be categorized as Platform Initiated or User Initiated.

  • Alert

    • Contains the record of activations for Azure alerts. An example of an Alert event is "CPU % on myVM has been over 80 for the past 5 minutes".

  • Autoscale

    • Contains the record of any events related to the operation of the autoscale engine, based on any autoscale settings you have defined in your subscription. An example of an Autoscale event is "Autoscale scale up action failed".

  • Recommendation

    • Contains recommendation events from Azure Advisor.

  • Security

    • Contains the record of any alerts generated by Microsoft Defender for Cloud. An example of a Security event is "Suspicious double extension file executed".

  • Policy

    • Contains records of all effect action operations performed by Azure Policy. Examples of Policy events include Audit and Deny. Every action taken by Policy is modeled as an operation on a resource.
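The Administrative description above has a detail that matters for detection: a Write, Delete or Action operation produces two records, one at start and one on success or failure, tied together by the same correlation id. The following is an added example (not code from the original page or from Microsoft) that triages a constructed stream of Activity log events: it keeps the Administrative category, folds each operation's Started and Succeeded/Failed records into one entry, and flags operations a security team usually wants to see, such as RBAC role assignment changes, which the page notes are Administrative events. The events are constructed; their shape follows the Activity log REST event schema (category.value, operationName.value, status.value, correlationId, caller, resourceId, eventTimestamp) and the exact key names and operation ids should be treated as assumptions, since the exported shape differs per destination (Log Analytics exposes columns such as CategoryValue, OperationNameValue and ActivityStatusValue instead).

```python
"""Triage constructed Azure Activity log events by category and operation outcome.

Added example, not code from the original page or from Microsoft. Sample events
are constructed in the REST event shape; key names and operation ids are
assumptions (the Log Analytics export uses different column names).
"""

# Administrative operations worth alerting on. Azure Resource Manager operation
# ids, assumed here rather than taken from the page.
WATCHED_OPERATIONS = {
    "Microsoft.Authorization/roleAssignments/write": "RBAC role assignment created or changed",
    "Microsoft.Authorization/roleDefinitions/write": "custom RBAC role definition changed",
    "Microsoft.Network/networkSecurityGroups/delete": "network security group deleted",
    "Microsoft.Insights/diagnosticSettings/delete": "log forwarding (diagnostic setting) removed",
}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder subscription


def _event(cid, category, operation, status, caller, resource, ts):
    """Build one constructed Activity log record in the REST event shape."""
    return {
        "correlationId": cid,
        "category": {"value": category},
        "operationName": {"value": operation},
        "status": {"value": status},
        "caller": caller,
        "resourceId": resource,
        "eventTimestamp": ts,
    }


# Constructed sample stream: a Started/Succeeded pair, a failed delete, an
# operation with only a Started record, a benign VM start, one non-Administrative event.
_RAW = [  # (correlationId, category, operation, status, caller, resourceId, timestamp)
    ("c1", "Administrative", "Microsoft.Authorization/roleAssignments/write", "Started",
     "alice@contoso.example", SUB + "/providers/Microsoft.Authorization/roleAssignments/ra1", "2024-01-01T10:00:00Z"),
    ("c1", "Administrative", "Microsoft.Authorization/roleAssignments/write", "Succeeded",
     "alice@contoso.example", SUB + "/providers/Microsoft.Authorization/roleAssignments/ra1", "2024-01-01T10:00:02Z"),
    ("c2", "Administrative", "Microsoft.Network/networkSecurityGroups/delete", "Started",
     "bob@contoso.example", SUB + "/resourceGroups/rg1/providers/Microsoft.Network/networkSecurityGroups/nsg1", "2024-01-01T10:05:00Z"),
    ("c2", "Administrative", "Microsoft.Network/networkSecurityGroups/delete", "Failed",
     "bob@contoso.example", SUB + "/resourceGroups/rg1/providers/Microsoft.Network/networkSecurityGroups/nsg1", "2024-01-01T10:05:01Z"),
    ("c3", "Administrative", "Microsoft.Insights/diagnosticSettings/delete", "Started",
     "eve@contoso.example", SUB + "/providers/Microsoft.Insights/diagnosticSettings/activity-to-la", "2024-01-01T10:10:00Z"),
    ("c4", "Administrative", "Microsoft.Compute/virtualMachines/start/action", "Started",
     "carol@contoso.example", SUB + "/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1", "2024-01-01T10:15:00Z"),
    ("c4", "Administrative", "Microsoft.Compute/virtualMachines/start/action", "Succeeded",
     "carol@contoso.example", SUB + "/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1", "2024-01-01T10:15:30Z"),
    ("c5", "ServiceHealth", "Microsoft.ServiceHealth/incident/action", "Active", None, SUB, "2024-01-01T10:20:00Z"),
]
SAMPLE_EVENTS = [_event(*row) for row in _RAW]


def administrative_events(events):
    """Keep only Administrative records: the ones that carry Resource Manager operations."""
    return [e for e in events if e.get("category", {}).get("value") == "Administrative"]


def pair_operations(events):
    """Fold the Started and Succeeded/Failed records of one operation into a single
    entry keyed by correlationId, so an operation is judged by its outcome rather
    than by whichever of its two records happened to be read."""
    ops = {}
    for e in administrative_events(events):
        cid = e["correlationId"]
        op = ops.setdefault(cid, {
            "correlationId": cid,
            "operation": e["operationName"]["value"],
            "caller": e.get("caller"),
            "resourceId": e.get("resourceId"),
            "started": None,
            "finished": None,
            "outcome": None,  # Succeeded / Failed once the closing record is seen
        })
        status = e["status"]["value"]
        if status == "Started":
            op["started"] = e["eventTimestamp"]
        else:
            op["outcome"] = status
            op["finished"] = e["eventTimestamp"]
    return ops


def find_alerts(events):
    """Return watched operations with their outcome. An operation that has only a
    Started record is still reported: it is either in flight or its closing record
    has not arrived, and a rule that waits for Succeeded would miss it."""
    ops = pair_operations(events)
    alerts = []
    for cid in sorted(ops):
        op = ops[cid]
        reason = WATCHED_OPERATIONS.get(op["operation"])
        if reason is None:
            continue
        alert = dict(op, reason=reason)
        if op["outcome"] is None:
            alert["note"] = "Started record only; no Succeeded/Failed record seen"
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in find_alerts(SAMPLE_EVENTS):
        print(f'{a["correlationId"]}: {a["reason"]} by {a["caller"]} -> '
              f'{a["outcome"] or "no outcome"} ({a["resourceId"]})')
```

Running the block lists c1 (succeeded RBAC change), c2 (failed NSG delete, still worth knowing about) and c3 (a diagnostic-setting delete with no closing record yet); the VM start and the Service Health event are ignored. When adapting this to real exports, map the key names to the destination's schema first.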


Sending Platform Logs To Azure Monitor


  • Create a diagnostic setting on the subscription to send the Activity log to Azure Monitor Logs, for more complex querying and alerting and longer retention (up to 2 years).

    • First create the diagnostic setting for the Activity log and choose a Log Analytics workspace as the destination; the setting is scoped to the subscription, not to an individual resource.

    • Select a previously created Log Analytics workspace; the workspace has to exist before the setting can be saved.

    • Once events arrive, use Log Analytics to write and run log queries (KQL) over the forwarded data, which lands in the AzureActivity table.
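The procedure above (and the same destination list in Tips and Tidbits) boils down to one Resource Manager object: a diagnostic setting at subscription scope that names the workspace and the categories to forward. The following is an added example, not code from the original page or from Microsoft, that builds that request and, more usefully for an audit, checks an existing setting for gaps: categories left out or explicitly disabled, and the absence of a Log Analytics destination. It assumes the diagnostic-settings REST shape (a PUT to {scope}/providers/Microsoft.Insights/diagnosticSettings/{name} with properties.workspaceId and properties.logs[{category, enabled}]) and an assumed API version; the subscription id, workspace id, setting name and the sample existing setting are constructed placeholders.

```python
"""Build a subscription-scope diagnostic setting for the Activity log and audit an
existing one for forwarding gaps.

Added example, not code from the original page or from Microsoft. Assumes the
Resource Manager diagnosticSettings REST shape; ids, names and the sample
setting are constructed placeholders.
"""

# Activity log categories a diagnostic setting can forward (the categories
# listed above; diagnostic settings use the names without spaces).
ACTIVITY_LOG_CATEGORIES = [
    "Administrative", "Security", "ServiceHealth", "Alert",
    "Recommendation", "Policy", "Autoscale", "ResourceHealth",
]

# Categories whose absence from the forwarded stream is treated as a finding:
# Administrative carries RBAC and resource changes, Security carries Defender
# for Cloud alerts, Policy carries Azure Policy audit/deny effects.
MUST_FORWARD = {"Administrative", "Security", "Policy"}

API_VERSION = "2021-05-01-preview"  # assumed diagnosticSettings API version


def diagnostic_setting_request(subscription_id, setting_name, workspace_id,
                               categories=ACTIVITY_LOG_CATEGORIES):
    """Return the PUT request (url + body) that forwards the chosen categories to a
    Log Analytics workspace. The Activity log is subscription scoped, so the
    setting lives under /subscriptions/{id}, not under an individual resource."""
    scope = f"/subscriptions/{subscription_id}"
    url = (f"https://management.azure.com{scope}/providers/Microsoft.Insights"
           f"/diagnosticSettings/{setting_name}?api-version={API_VERSION}")
    body = {
        "properties": {
            "workspaceId": workspace_id,
            "logs": [{"category": c, "enabled": True} for c in categories],
        }
    }
    return {"method": "PUT", "url": url, "body": body}


def audit_setting(setting):
    """Report which categories an existing setting does not forward and whether a
    Log Analytics destination is configured. A category absent from `logs` counts
    as disabled: only entries explicitly marked enabled are forwarded."""
    props = setting.get("properties", {})
    enabled = {l["category"] for l in props.get("logs", []) if l.get("enabled")}
    missing = sorted(set(ACTIVITY_LOG_CATEGORIES) - enabled)
    findings = []
    if not props.get("workspaceId"):
        findings.append("no Log Analytics workspace destination; events cannot be "
                        "queried with KQL and, unless another destination is set, "
                        "are deleted after 90 days")
    findings += [f"{c} category not forwarded" for c in sorted(MUST_FORWARD & set(missing))]
    return {"missing": missing, "findings": findings}


# Constructed existing setting: Security explicitly disabled, Policy not listed.
SAMPLE_SETTING = {
    "name": "activity-to-la",
    "properties": {
        "workspaceId": "/subscriptions/00000000-0000-0000-0000-000000000000"
                       "/resourceGroups/rg-logs/providers/Microsoft.OperationalInsights/workspaces/law-sec",
        "logs": [
            {"category": "Administrative", "enabled": True},
            {"category": "Security", "enabled": False},
            {"category": "ServiceHealth", "enabled": True},
            {"category": "Alert", "enabled": True},
            {"category": "Recommendation", "enabled": True},
            {"category": "Autoscale", "enabled": True},
            {"category": "ResourceHealth", "enabled": True},
        ],
    },
}

if __name__ == "__main__":
    req = diagnostic_setting_request("00000000-0000-0000-0000-000000000000", "activity-to-la",
                                     SAMPLE_SETTING["properties"]["workspaceId"])
    print(req["method"], req["url"])
    for f in audit_setting(SAMPLE_SETTING)["findings"]:
        print("FINDING:", f)
```

Against the constructed setting the audit reports Policy and Security as not forwarded; a setting produced by diagnostic_setting_request passes clean. The same check is worth running periodically, since deleting or trimming this setting is itself a way to blind the subscription's audit trail.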