Log Analytics data export missing important tables

Janne Kujanpää 181 Reputation points
2022-03-20T15:05:51.263+00:00

Log Analytics data export has been on GA over three weeks.

Tabled Storage{Blob,Files,Queue,Table}Logs, e.g. ADFSandbox{Activity,Pipeline}Runs AzureActivity and AzureDiagnostics are still not supported. That huge blocker for our use case and configuring some logs to long-term storage with Log Analytics Data Export and some other with Resources Diagnostics settings is not really an option we would like to use.

Is there any ETA when more table support is added for log analytics data export?

Missing support for
* AzureDiagnostics means that there is no support for e.g. keyvault audit logs
* Storage*Logs means that there is no support for storage audit logs
* AzureActivity means that there is not support for Azure control layer audit logs

Azure portal has uses definition of CustomLogsV2/Create/SupportedMicrosoftTables and it contains different set of tables than documentation:

diff -uw tables.txt supported-tables-from-docs-only-table-names.txt 
--- tables.txt  2022-03-20 17:00:08.000000000 +0200
+++ supported-tables-from-docs-only-table-names.txt     2022-03-20 17:00:34.000000000 +0200
@@ -46,15 +46,11 @@
 AgriFoodApplicationAuditLogs
 AgriFoodFarmManagementLogs
 AgriFoodFarmOperationLogs
-AgriFoodInsightLogs
 AgriFoodJobProcessedLogs
-AgriFoodModelInferenceLogs
 AgriFoodProviderAuthLogs
-AgriFoodSatelliteLogs
-AgriFoodWeatherLogs
 Alert
 AlertEvidence
-AmlOnlineEndpointConsoleLog
+AlertInfo 
 ApiManagementGatewayLogs
 AppCenterError
 AppPlatformSystemLogs
@@ -70,8 +66,6 @@
 AzureAssessmentRecommendation
 AzureDevOpsAuditing
 BehaviorAnalytics
-BlockchainApplicationLog
-BlockchainProxyLog
 CDBCassandraRequests
 CDBControlPlaneRequests
 CDBDataPlaneRequests
@@ -80,6 +74,9 @@
 CDBPartitionKeyRUConsumption
 CDBPartitionKeyStatistics
 CDBQueryRuntimeStatistics
+CIEventsAudit 
+CIEventsOperational 
+CassandraLogs 
 CloudAppEvents
 CommonSecurityLog
 ComputerGroup
@@ -91,6 +88,7 @@
 ContainerNodeInventory
 ContainerServiceLog
 CoreAzureBackup
+DSMAzureBlobStorageLogs 
 DatabricksAccounts
 DatabricksClusters
 DatabricksDBFS
@@ -101,10 +99,8 @@
 DatabricksSSH
 DatabricksSecrets
 DatabricksWorkspace
-DeviceNetworkInfo
 DnsEvents
 DnsInventory
-DummyHydrationFact
 Dynamics365Activity
 EmailAttachmentInfo
 EmailEvents
@@ -122,8 +118,10 @@
 HDInsightHadoopAndYarnMetrics
 HDInsightHiveAndLLAPLogs
 HDInsightHiveAndLLAPMetrics
+HDInsightHiveQueryAppStats 
 HDInsightHiveTezAppStats
 HDInsightJupyterNotebookEvents
+HDInsightKafkaLogs 
 HDInsightKafkaMetrics
 HDInsightOozieLogs
 HDInsightRangerAuditLogs
@@ -138,7 +136,11 @@
 HDInsightSparkStageEvents
 HDInsightSparkStageTaskAccumulables
 HDInsightSparkTaskEvents
+Heartbeat 
 HuntingBookmark
+IdentityDirectoryEvents 
+IdentityLogonEvents 
+IdentityQueryEvents 
 InsightsMetrics
 IntuneAuditLogs
 IntuneDevices
@@ -151,21 +153,22 @@
 KubeServices
 LAQueryLogs
 MCCEventLogs
+MCVPOperationLogs 
 McasShadowItReporting
 MicrosoftAzureBastionAuditLogs
 MicrosoftDataShareReceivedSnapshotLog
 MicrosoftDataShareSentSnapshotLog
-MicrosoftDataShareShareLog
 MicrosoftHealthcareApisAuditLogs
 NWConnectionMonitorPathResult
 NWConnectionMonitorTestResult
 OfficeActivity
+Operation 
 Perf
 PowerBIDatasetsWorkspace
+PurviewDataSensitivityLogs 
 PurviewScanStatusLogs
 SCCMAssessmentRecommendation
 SCOMAssessmentRecommendation
-SPAssessmentRecommendation
 SQLAssessmentRecommendation
 SQLSecurityAuditEvents
 SecurityAlert
@@ -179,7 +182,6 @@
 SecurityRecommendation
 SentinelHealth
 SfBAssessmentRecommendation
-SfBOnlineAssessmentRecommendation
 SharePointOnlineAssessmentRecommendation
 SignalRServiceDiagnosticLogs
 SigninLogs
@@ -191,6 +193,8 @@
 SynapseIntegrationPipelineRuns
 SynapseIntegrationTriggerRuns
 SynapseRbacOperations
+SynapseScopePoolScopeJobsEnded 
+SynapseScopePoolScopeJobsStateChange 
 SynapseSqlPoolDmsWorkers
 SynapseSqlPoolExecRequests
 SynapseSqlPoolRequestSteps
@@ -198,10 +202,11 @@
 SynapseSqlPoolWaits
 Syslog
 ThreatIntelligenceIndicator
+UCClientUpdateStatus 
 Update
 UpdateRunProgress
 UpdateSummary
-UserAccessAnalytics
+Usage 
 UserPeerAnalytics
 WVDAgentHealthStatus
 WVDCheckpoints

The difference or kind of worrisome but otoh portal does not really use that list for anything.

Is there any plans for a proper machine-readable endpoint that contains the list of supported tables?

Azure Monitor
Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
2,867 questions
{count} votes