Azure Monitor activity log

The Azure Monitor activity log is a platform log in Azure that provides insight into subscription-level events. The activity log includes information like when a resource is modified or a virtual machine is started. You can view the activity log in the Azure portal or retrieve entries with PowerShell and the Azure CLI. This article provides information on how to view the activity log and send it to different destinations.

For more functionality, create a diagnostic setting to send the activity log to one or more of these locations for the following reasons:

  • Send to Azure Monitor Logs for more complex querying and alerting and for longer retention, up to two years.
  • Send to Azure Event Hubs to forward outside of Azure.
  • Send to Azure Storage for cheaper, long-term archiving.

For details on how to create a diagnostic setting, see Create diagnostic settings to send platform logs and metrics to different destinations.

Note

  • Entries in the Activity Log are system generated and can't be changed or deleted.
  • Entries in the Activity Log are representing control plane changes like a virtual machine restart, any non related entries should be written into Azure Resource Logs

Retention period

Activity log events are retained in Azure for 90 days and then deleted. There's no charge for entries during this time regardless of volume. For more functionality, such as longer retention, create a diagnostic setting and route the entries to another location based on your needs. See the criteria in the preceding section.

View the activity log

You can access the activity log from most menus in the Azure portal. The menu that you open it from determines its initial filter. If you open it from the Monitor menu, the only filter is on the subscription. If you open it from a resource's menu, the filter is set to that resource. You can always change the filter to view all other entries. Select Add Filter to add more properties to the filter.

Screenshot that shows the activity log.

For a description of activity log categories, see Azure activity log event schema.

Download the activity log

Select Download as CSV to download the events in the current view.

Screenshot that shows downloading the activity log.

View change history

For some events, you can view the change history, which shows what changes happened during that event time. Select an event from the activity log you want to look at more deeply. Select the Change history (Preview) tab to view any associated changes with that event.

Screenshot that shows the Change history list for an event.

If any changes are associated with the event, you'll see a list of changes that you can select. Selecting a change opens the Change history (Preview) page. This page displays the changes to the resource. In the following example, you can see that the VM changed sizes. The page displays the VM size before the change and after the change. To learn more about change history, see Get resource changes.

Screenshot that shows the Change history page showing differences.

Other methods to retrieve activity log events

You can also access activity log events by using the following methods:

Send to Log Analytics workspace

Send the activity log to a Log Analytics workspace to enable the Azure Monitor Logs feature, where you:

  • Correlate activity log data with other monitoring data collected by Azure Monitor.
  • Consolidate log entries from multiple Azure subscriptions and tenants into one location for analysis together.
  • Use log queries to perform complex analysis and gain deep insights on activity log entries.
  • Use log alerts with Activity entries for more complex alerting logic.
  • Store activity log entries for longer than the activity log retention period.
  • Incur no data ingestion or retention charges for activity log data stored in a Log Analytics workspace.
  • The default retention period in Log Analytics is 90 days

Select Export Activity Logs to send the activity log to a Log Analytics workspace.

Screenshot that shows exporting activity logs.

You can send the activity log from any single subscription to up to five workspaces.

Activity log data in a Log Analytics workspace is stored in a table called AzureActivity that you can retrieve with a log query in Log Analytics. The structure of this table varies depending on the category of the log entry. For a description of the table properties, see the Azure Monitor data reference.

For example, to view a count of activity log records for each category, use the following query:

AzureActivity
| summarize count() by CategoryValue

To retrieve all records in the administrative category, use the following query:

AzureActivity
| where CategoryValue == "Administrative"

Send to Azure Event Hubs

Send the activity log to Azure Event Hubs to send entries outside of Azure, for example, to a third-party SIEM or other log analytics solutions. Activity log events from event hubs are consumed in JSON format with a records element that contains the records in each payload. The schema depends on the category and is described in Azure activity log event schema.

The following sample output data is from event hubs for an activity log:

{
    "records": [
        {
            "time": "2019-01-21T22:14:26.9792776Z",
            "resourceId": "/subscriptions/s1/resourceGroups/MSSupportGroup/providers/microsoft.support/supporttickets/115012112305841",
            "operationName": "microsoft.support/supporttickets/write",
            "category": "Write",
            "resultType": "Success",
            "resultSignature": "Succeeded.Created",
            "durationMs": 2826,
            "callerIpAddress": "111.111.111.11",
            "correlationId": "c776f9f4-36e5-4e0e-809b-c9b3c3fb62a8",
            "identity": {
                "authorization": {
                    "scope": "/subscriptions/s1/resourceGroups/MSSupportGroup/providers/microsoft.support/supporttickets/115012112305841",
                    "action": "microsoft.support/supporttickets/write",
                    "evidence": {
                        "role": "Subscription Admin"
                    }
                },
                "claims": {
                    "aud": "https://management.core.windows.net/",
                    "iss": "https://sts.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/",
                    "iat": "1421876371",
                    "nbf": "1421876371",
                    "exp": "1421880271",
                    "ver": "1.0",
                    "http://schemas.microsoft.com/identity/claims/tenantid": "00000000-0000-0000-0000-000000000000",
                    "http://schemas.microsoft.com/claims/authnmethodsreferences": "pwd",
                    "http://schemas.microsoft.com/identity/claims/objectidentifier": "2468adf0-8211-44e3-95xq-85137af64708",
                    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "admin@contoso.com",
                    "puid": "20030000801A118C",
                    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "9vckmEGF7zDKk1YzIY8k0t1_EAPaXoeHyPRn6f413zM",
                    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "John",
                    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "Smith",
                    "name": "John Smith",
                    "groups": "cacfe77c-e058-4712-83qw-f9b08849fd60,7f71d11d-4c41-4b23-99d2-d32ce7aa621c,31522864-0578-4ea0-9gdc-e66cc564d18c",
                    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": " admin@contoso.com",
                    "appid": "c44b4083-3bq0-49c1-b47d-974e53cbdf3c",
                    "appidacr": "2",
                    "http://schemas.microsoft.com/identity/claims/scope": "user_impersonation",
                    "http://schemas.microsoft.com/claims/authnclassreference": "1"
                }
            },
            "level": "Information",
            "location": "global",
            "properties": {
                "statusCode": "Created",
                "serviceRequestId": "50d5cddb-8ca0-47ad-9b80-6cde2207f97c"
            }
        }
    ]
}

Send to Azure Storage

Send the activity log to an Azure Storage account if you want to retain your log data longer than 90 days for audit, static analysis, or backup. If you're required to retain your events for 90 days or less, you don't need to set up archival to a storage account. Activity log events are retained in the Azure platform for 90 days.

When you send the activity log to Azure, a storage container is created in the storage account as soon as an event occurs. The blobs in the container use the following naming convention:

insights-activity-logs/resourceId=/SUBSCRIPTIONS/{subscription ID}/y={four-digit numeric year}/m={two-digit numeric month}/d={two-digit numeric day}/h={two-digit 24-hour clock hour}/m=00/PT1H.json

For example, a particular blob might have a name similar to:

insights-logs-networksecuritygrouprulecounter/resourceId=/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/y=2020/m=06/d=08/h=18/m=00/PT1H.json

Each PT1H.json blob contains a JSON object with events from log files that were received during the hour specified in the blob URL. During the present hour, events are appended to the PT1H.json file as they are received, regardless of when they were generated. The minute value in the URL, m=00 is always 00 as blobs are created on a per hour basis.

Each event is stored in the PT1H.json file with the following format. This format uses a common top-level schema but is otherwise unique for each category, as described in Activity log schema.

{ "time": "2020-06-12T13:07:46.766Z", "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/MY-RESOURCE-GROUP/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/MV-VM-01", "correlationId": "0f0cb6b4-804b-4129-b893-70aeeb63997e", "operationName": "Microsoft.Resourcehealth/healthevent/Updated/action", "level": "Information", "resultType": "Updated", "category": "ResourceHealth", "properties": {"eventCategory":"ResourceHealth","eventProperties":{"title":"This virtual machine is starting as requested by an authorized user or process. It will be online shortly.","details":"VirtualMachineStartInitiatedByControlPlane","currentHealthStatus":"Unknown","previousHealthStatus":"Unknown","type":"Downtime","cause":"UserInitiated"}}}

Legacy collection methods

If you're collecting activity logs using the legacy collection method, we recommend you export activity logs to your Log Analytics workspace and disable the legacy collection using the Data Sources - Delete API as follows:

  1. List all data sources connected to the workspace using the Data Sources - List By Workspace API and filter for activity logs by setting filter=kind='AzureActivityLog'.

    Screenshot showing the configuration of the Data Sources - List By Workspace API.

  2. Copy the name of the connection you want to disable from the API response.

    Screenshot showing the connection information you need to copy from the output of the Data Sources - List By Workspace API.

  3. Use the Data Sources - Delete API to stop collecting activity logs for the specific resource.

    Screenshot of the configuration of the Data Sources - Delete API.

Managing legacy log profiles

Log profiles are the legacy method for sending the activity log to storage or event hubs. If you're using this method, consider transitioning to diagnostic settings, which provide better functionality and consistency with resource logs.

If a log profile already exists, you first must remove the existing log profile, and then create a new one.

  1. Use Get-AzLogProfile to identify if a log profile exists. If a log profile exists, note the Name property.

  2. Use Remove-AzLogProfile to remove the log profile by using the value from the Name property.

    # For example, if the log profile name is 'default'
    Remove-AzLogProfile -Name "default"
    
  3. Use Add-AzLogProfile to create a new log profile:

    Add-AzLogProfile -Name my_log_profile -StorageAccountId /subscriptions/s1/resourceGroups/myrg1/providers/Microsoft.Storage/storageAccounts/my_storage -serviceBusRuleId /subscriptions/s1/resourceGroups/Default-ServiceBus-EastUS/providers/Microsoft.ServiceBus/namespaces/mytestSB/authorizationrules/RootManageSharedAccessKey -Location global,westus,eastus -RetentionInDays 90 -Category Write,Delete,Action
    
    Property Required Description
    Name Yes Name of your log profile.
    StorageAccountId No Resource ID of the storage account where the activity log should be saved.
    serviceBusRuleId No Service Bus Rule ID for the Service Bus namespace where you want to have event hubs created. This string has the format {service bus resource ID}/authorizationrules/{key name}.
    Location Yes Comma-separated list of regions for which you want to collect activity log events.
    RetentionInDays Yes Number of days for which events should be retained in the storage account, from 1 through 365. A value of zero stores the logs indefinitely.
    Category No Comma-separated list of event categories to be collected. Possible values are Write, Delete, and Action.

Example script

This sample PowerShell script creates a log profile that writes the activity log to both a storage account and an event hub.

# Settings needed for the new log profile
$logProfileName = "default"
$locations = (Get-AzLocation).Location
$locations += "global"
$subscriptionId = "<your Azure subscription Id>"
$resourceGroupName = "<resource group name your Event Hub belongs to>"
$eventHubNamespace = "<Event Hub namespace>"

# Build the service bus rule Id from the settings above
$serviceBusRuleId = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName/providers/Microsoft.EventHub/namespaces/$eventHubNamespace/authorizationrules/RootManageSharedAccessKey"

# Build the Storage Account Id from the settings above
$storageAccountId = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName/providers/Microsoft.Storage/storageAccounts/$storageAccountName"

Add-AzLogProfile -Name $logProfileName -Location $locations -StorageAccountId  $storageAccountId -ServiceBusRuleId $serviceBusRuleId

Data structure changes

The Export activity logs experience sends the same data as the legacy method used to send the activity log with some changes to the structure of the AzureActivity table.

The columns in the following table have been deprecated in the updated schema. They still exist in AzureActivity, but they have no data. The replacements for these columns aren't new, but they contain the same data as the deprecated column. They're in a different format, so you might need to modify log queries that use them.

Activity log JSON Log Analytics column name
(older deprecated)
New Log Analytics column name Notes
category Category CategoryValue
status

Values are success, start, accept, failure
ActivityStatus

Values same as JSON
ActivityStatusValue

Values change to succeeded, started, accepted, failed
The valid values change as shown.
subStatus ActivitySubstatus ActivitySubstatusValue
operationName OperationName OperationNameValue REST API localizes the operation name value. Log Analytics UI always shows English.
resourceProviderName ResourceProvider ResourceProviderValue

Important

In some cases, the values in these columns might be all uppercase. If you have a query that includes these columns, use the =~ operator to do a case-insensitive comparison.

The following columns have been added to AzureActivity in the updated schema:

  • Authorization_d
  • Claims_d
  • Properties_d

Next steps

Learn more about: