Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
3,037 questions
Log Analytics data export missing important tables
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(300.8, 45%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJK%3C/text%3E%3C/svg%3E)
Janne Kujanpää
226
Reputation points
Log Analytics data export has been on GA over three weeks.
Tabled Storage{Blob,Files,Queue,Table}Logs, e.g. ADFSandbox{Activity,Pipeline}Runs AzureActivity and AzureDiagnostics are still not supported. That huge blocker for our use case and configuring some logs to long-term storage with Log Analytics Data Export and some other with Resources Diagnostics settings is not really an option we would like to use.
Is there any ETA when more table support is added for log analytics data export?
Missing support for
* AzureDiagnostics means that there is no support for e.g. keyvault audit logs
* Storage*Logs means that there is no support for storage audit logs
* AzureActivity means that there is not support for Azure control layer audit logs
Azure portal has uses definition of CustomLogsV2/Create/SupportedMicrosoftTables and it contains different set of tables than documentation:
diff -uw tables.txt supported-tables-from-docs-only-table-names.txt
--- tables.txt 2022-03-20 17:00:08.000000000 +0200
+++ supported-tables-from-docs-only-table-names.txt 2022-03-20 17:00:34.000000000 +0200
@@ -46,15 +46,11 @@
AgriFoodApplicationAuditLogs
AgriFoodFarmManagementLogs
AgriFoodFarmOperationLogs
-AgriFoodInsightLogs
AgriFoodJobProcessedLogs
-AgriFoodModelInferenceLogs
AgriFoodProviderAuthLogs
-AgriFoodSatelliteLogs
-AgriFoodWeatherLogs
Alert
AlertEvidence
-AmlOnlineEndpointConsoleLog
+AlertInfo
ApiManagementGatewayLogs
AppCenterError
AppPlatformSystemLogs
@@ -70,8 +66,6 @@
AzureAssessmentRecommendation
AzureDevOpsAuditing
BehaviorAnalytics
-BlockchainApplicationLog
-BlockchainProxyLog
CDBCassandraRequests
CDBControlPlaneRequests
CDBDataPlaneRequests
@@ -80,6 +74,9 @@
CDBPartitionKeyRUConsumption
CDBPartitionKeyStatistics
CDBQueryRuntimeStatistics
+CIEventsAudit
+CIEventsOperational
+CassandraLogs
CloudAppEvents
CommonSecurityLog
ComputerGroup
@@ -91,6 +88,7 @@
ContainerNodeInventory
ContainerServiceLog
CoreAzureBackup
+DSMAzureBlobStorageLogs
DatabricksAccounts
DatabricksClusters
DatabricksDBFS
@@ -101,10 +99,8 @@
DatabricksSSH
DatabricksSecrets
DatabricksWorkspace
-DeviceNetworkInfo
DnsEvents
DnsInventory
-DummyHydrationFact
Dynamics365Activity
EmailAttachmentInfo
EmailEvents
@@ -122,8 +118,10 @@
HDInsightHadoopAndYarnMetrics
HDInsightHiveAndLLAPLogs
HDInsightHiveAndLLAPMetrics
+HDInsightHiveQueryAppStats
HDInsightHiveTezAppStats
HDInsightJupyterNotebookEvents
+HDInsightKafkaLogs
HDInsightKafkaMetrics
HDInsightOozieLogs
HDInsightRangerAuditLogs
@@ -138,7 +136,11 @@
HDInsightSparkStageEvents
HDInsightSparkStageTaskAccumulables
HDInsightSparkTaskEvents
+Heartbeat
HuntingBookmark
+IdentityDirectoryEvents
+IdentityLogonEvents
+IdentityQueryEvents
InsightsMetrics
IntuneAuditLogs
IntuneDevices
@@ -151,21 +153,22 @@
KubeServices
LAQueryLogs
MCCEventLogs
+MCVPOperationLogs
McasShadowItReporting
MicrosoftAzureBastionAuditLogs
MicrosoftDataShareReceivedSnapshotLog
MicrosoftDataShareSentSnapshotLog
-MicrosoftDataShareShareLog
MicrosoftHealthcareApisAuditLogs
NWConnectionMonitorPathResult
NWConnectionMonitorTestResult
OfficeActivity
+Operation
Perf
PowerBIDatasetsWorkspace
+PurviewDataSensitivityLogs
PurviewScanStatusLogs
SCCMAssessmentRecommendation
SCOMAssessmentRecommendation
-SPAssessmentRecommendation
SQLAssessmentRecommendation
SQLSecurityAuditEvents
SecurityAlert
@@ -179,7 +182,6 @@
SecurityRecommendation
SentinelHealth
SfBAssessmentRecommendation
-SfBOnlineAssessmentRecommendation
SharePointOnlineAssessmentRecommendation
SignalRServiceDiagnosticLogs
SigninLogs
@@ -191,6 +193,8 @@
SynapseIntegrationPipelineRuns
SynapseIntegrationTriggerRuns
SynapseRbacOperations
+SynapseScopePoolScopeJobsEnded
+SynapseScopePoolScopeJobsStateChange
SynapseSqlPoolDmsWorkers
SynapseSqlPoolExecRequests
SynapseSqlPoolRequestSteps
@@ -198,10 +202,11 @@
SynapseSqlPoolWaits
Syslog
ThreatIntelligenceIndicator
+UCClientUpdateStatus
Update
UpdateRunProgress
UpdateSummary
-UserAccessAnalytics
+Usage
UserPeerAnalytics
WVDAgentHealthStatus
WVDCheckpoints
The difference or kind of worrisome but otoh portal does not really use that list for anything.
Is there any plans for a proper machine-readable endpoint that contains the list of supported tables?
{count} votes
-
Andrew Blumhardt 9,776 Reputation points Microsoft Employee2022-03-20T15:28:52.053+00:00 I am not aware of any public dates or plans for additional tables. I am sure there are more on the roadmap but just not anything that could be shared on a public forum. I personally haven't seen anything specific though the question does resurface periodically. Especially in relation to Sentinel tables.
I recommend sharing your concerns with your Microsoft support representatives and possibly opening a support case. The product groups are often responsive to customer feedback.
https://learn.microsoft.com/en-us/azure/azure-monitor/logs/logs-data-export?tabs=portal#limitations
-
Janne Kujanpää 226 Reputation points
2023-01-03T08:37:30.187+00:00 Support for AzureActivity, AzureDiagnostics, StorageBlobLogs, StorageFileLogs, StorageQueueLogs and StorageTableLogs is still missing.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 2%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EYA%3C/text%3E%3C/svg%3E)
Yarash Agarwal 0 Reputation points2024-02-29T16:14:35.57+00:00 AzureDiagnostics is still missing. This is a serious limitation!!
-
Janne Kujanpää 226 Reputation points
2024-03-12T20:38:55.5766667+00:00 @Yarash Agarwal It was present on documentation for four weeks.
- Added: https://github.com/MicrosoftDocs/azure-docs/commit/5424f5ef1e98ccf3fc00e0bfde137514365d0691
- Removed: https://github.com/MicrosoftDocs/azure-docs/commit/7def238e848436cd2afde288c0218534ff8acc04
Removal commit has comments:
We don't have locked date at this point, but have this work prioritized for coming semester, which ends at the summer time. We hope to have AzureDiagnostics supported by then if all goes well.
Services just should stop using AzureDiagnostics. That would solve all the issues. Too bad e.g. key vault and azure SQL are still using that table.
AZKVAuditLogs is already present in the export list and it has been leaked into Azure monitor examples at least once but still resource-specific table selection is not available for key vault.
Sign in to comment