Query Azure Activity logs for the subscription using api.loganalytics.io

Thangavel Daniel Tamilarasan 271 Reputation points
2021-08-18T09:14:03.853+00:00

I want to use the Log Analytics API to query the workspace for Azure activity logs. In the workspace, when the scope is set to Subscription, the query below returns all activity.

AzureActivity
| where Category == "Administrative"
| where ActivityStatusValue =='Succeeded'
| where parse_json(Authorization).action contains "write"
| project OperationName,Caller, ResourceGroup,ResourceProviderValue,ActivityStatusValue,ActivitySubstatusValue, Authorization,OperationNameValue,Properties

However, when I run the same query from the Log Analytics API, I don't get any response. It seems I should find a way to set the scope to subscription instead of workspace.

POST : https://api.loganalytics.io/v1/workspaces/xxxxxxxxxxxxxxxxxxx/query
Authorization : Bearer (xxxxxxxxxx)

{
  "query": "AzureActivity\n| where Category == \"Administrative\"\n| where ActivityStatusValue =='Succeeded'\n| where parse_json(Authorization).action contains \"write\"\n| project OperationName,Caller, ResourceGroup,ResourceProviderValue,ActivityStatusValue,ActivitySubstatusValue, Authorization,OperationNameValue,Properties",
  "timespan": "PT24H"
}

Much appreciate your help!


Answer accepted by question author
  1. tbgangav-MSFT 10,426 Reputation points Moderator
    2021-08-18T15:33:53.83+00:00

    Hi @Thangavel Daniel Tamilarasan ,

    Short answer:
    AFAIK you should use this REST API to get the list of records from activity logs with subscription scope.

    Long answer:
    When you mentioned that you tried to set the scope to Subscription via the Azure Portal (probably from the Logs tile of your Log Analytics Workspace), it actually didn't fetch the activity log records that are sent to the Log Analytics Workspace; it fetched them due to the default settings of Azure Monitor. To double check this, you may go to the Logs tile of Azure Monitor in your Azure Portal and try the same query with scope set to Subscription, and then you should probably see the same set of results as output.

    When you also mentioned that you didn't receive any response (assuming any output) after trying this api.loganalytics.io POST REST API, it's probably because you didn't configure sending activity logs to your Log Analytics Workspace.

    If you have already configured it, then try it out by setting the scope to your Log Analytics Workspace via the Azure Portal and validate whether you see results in the output.

    If you don't see any results in the output, then double check whether you have correctly configured sending activity logs to your Log Analytics workspace in either of these two ways, i.e., via Activity log diagnostic settings or via the legacy method.

    Also just FYI:

    • As shown in the screenshot below, we have 3 more activity log related REST APIs in the Azure Monitor REST API reference. Sharing this information in case you want to try out other Azure Monitor activity log related REST APIs.

    [Screenshot: 124353-image.png, activity log REST APIs listed in the Azure Monitor REST API reference]

    • This Azure Monitor Logs REST API is a new REST API and is the equivalent of the api.loganalytics.io POST REST API which you tried to use. So, if interested, you may use the new Azure Monitor Logs REST API instead of the old api.loganalytics.io POST REST API.

    Related reference:
    https://learn.microsoft.com/en-us/answers/questions/320437/index.html
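The following is an added example (not the poster's code and not Microsoft's) illustrating the accepted answer's point: the Log Analytics query API only sees what has been sent to the workspace, so a subscription-scoped view of the activity log is obtained from the Activity Log REST API on management.azure.com instead. The script builds the subscription-scoped request, follows paging, and then applies the three `where` clauses and the `project` clause of the original KQL query client-side. Assumptions that are not on the page: the subscription id and bearer token are supplied by the caller (for example from `az account get-access-token --resource https://management.azure.com`), the event field names follow the Activity Log REST API event schema (`category.value`, `status.value`, `authorization.action`, `operationName.value`, and so on), and the sample events are constructed, not real data.

```python
"""Added example: subscription-scoped Activity Log query via the Azure Monitor
Activity Log REST API, with the original KQL filters applied client-side.
Not code from the question or answer; field names assume the Activity Log
REST API event schema."""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

MANAGEMENT = "https://management.azure.com"
API_VERSION = "2015-04-01"  # Activity Log (eventtypes/management/values) API version


def activity_log_url(subscription_id: str, hours: int = 24) -> str:
    """Build the subscription-scoped Activity Log URL covering the last `hours` hours
    (the equivalent of the "timespan": "PT24H" in the original request)."""
    since = datetime.now(timezone.utc) - timedelta(hours=hours)
    # $filter is the only server-side filtering this API offers; the
    # category/status/action filters from the KQL are applied client-side.
    flt = f"eventTimestamp ge '{since.strftime('%Y-%m-%dT%H:%M:%SZ')}'"
    query = urllib.parse.urlencode({"api-version": API_VERSION, "$filter": flt})
    return (f"{MANAGEMENT}/subscriptions/{subscription_id}"
            f"/providers/Microsoft.Insights/eventtypes/management/values?{query}")


def fetch_events(url: str, token: str) -> list:
    """GET every page of events, following nextLink. Needs network and a
    valid ARM bearer token (assumed to be obtained by the caller)."""
    events = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            body = json.load(resp)
        events.extend(body.get("value", []))
        url = body.get("nextLink")
    return events


def is_successful_admin_write(event: dict) -> bool:
    """Client-side equivalent of the three `where` clauses in the original query.
    KQL `contains` is case-insensitive, hence the lower() on the action."""
    category = (event.get("category") or {}).get("value", "")
    status = (event.get("status") or {}).get("value", "")
    action = (event.get("authorization") or {}).get("action", "")
    return category == "Administrative" and status == "Succeeded" and "write" in action.lower()


def project(event: dict) -> dict:
    """Client-side equivalent of the `project` clause, using the AzureActivity
    table's column names so the output matches the workspace query."""
    op = event.get("operationName") or {}
    return {
        "OperationName": op.get("localizedValue"),
        "OperationNameValue": op.get("value"),
        "Caller": event.get("caller"),
        "ResourceGroup": event.get("resourceGroupName"),
        "ResourceProviderValue": (event.get("resourceProviderName") or {}).get("value"),
        "ActivityStatusValue": (event.get("status") or {}).get("value"),
        "ActivitySubstatusValue": (event.get("subStatus") or {}).get("value"),
        "Authorization": event.get("authorization"),
        "Properties": event.get("properties"),
    }


def successful_admin_writes(events: list) -> list:
    """Filter + project, i.e. the whole original KQL query over a list of events."""
    return [project(e) for e in events if is_successful_admin_write(e)]


# Constructed sample events in the Activity Log REST API shape (not real data).
SAMPLE_EVENTS = [
    {"category": {"value": "Administrative"}, "status": {"value": "Succeeded"},
     "authorization": {"action": "Microsoft.Compute/virtualMachines/write", "scope": "placeholder-scope"},
     "operationName": {"value": "Microsoft.Compute/virtualMachines/write",
                       "localizedValue": "Create or Update Virtual Machine"},
     "caller": "alice@example.com", "resourceGroupName": "rg-prod",
     "resourceProviderName": {"value": "Microsoft.Compute"}, "subStatus": {"value": "OK"},
     "properties": {}},
    {"category": {"value": "Administrative"}, "status": {"value": "Failed"},
     "authorization": {"action": "Microsoft.Network/networkSecurityGroups/write"},
     "operationName": {"value": "Microsoft.Network/networkSecurityGroups/write"},
     "caller": "bob@example.com", "resourceGroupName": "rg-prod"},
    {"category": {"value": "Administrative"}, "status": {"value": "Succeeded"},
     "authorization": {"action": "Microsoft.Storage/storageAccounts/listKeys/action"},
     "operationName": {"value": "Microsoft.Storage/storageAccounts/listKeys/action"},
     "caller": "carol@example.com"},
    {"category": {"value": "Security"}, "status": {"value": "Succeeded"},
     "authorization": {"action": "Microsoft.Security/alerts/write"}, "caller": "system"},
]

if __name__ == "__main__":
    # Offline demonstration on the constructed events; for a live run, replace
    # SAMPLE_EVENTS with fetch_events(activity_log_url("<subscription-id>"), "<token>").
    for row in successful_admin_writes(SAMPLE_EVENTS):
        print(json.dumps(row, indent=2))
```

Of the four constructed events only the first survives the filter: the second failed, the third is a `listKeys/action` rather than a write, and the fourth is not in the Administrative category. If the activity log has been forwarded to the workspace via diagnostic settings as the answer describes, the original api.loganalytics.io request needs no change at all; this script is the alternative for the case where nothing has been forwarded and the subscription-scoped view is what is wanted.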


0 additional answers
