Different ways of slicing and dicing OMS Log Data in Azure - VM Creation

Azure is like an ocean, with the various entities within it pumping out enormous amounts of logging and event information. That volume is also what makes it somewhat overwhelming to work out where to look under the hood to find out what happened.

Below is an example of a simple requirement: list all VMs created, along with who created them and when they were created.

I outline two methods below. Pick and choose what is appropriate for your needs.

Method 1

Using the Activity Logs for the subscriptions from the Azure Portal

 

  1. Go to "More Services".

  2. On the Search pane, type "Log" and choose Activity Logs.

Configure the query parameters as follows:

[Figure: Activity Log Query]

Method 2

 

Using OMS Log Analytics

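This method requires an OMS workspace associated with the subscription.

QUERY TEXT

// Activity log records collected into the OMS workspace
AzureActivity
// Write operations of any resource type (endswith is case-insensitive)
| where OperationName endswith "Write"
// Only operations that completed successfully
| where ActivityStatus == "Succeeded"
// Only writes that created a resource, not updates to an existing one
| where ActivitySubstatus contains "Created"
// What was created, who created it, and when
| project resourceName=Resource, CreatedBy=Caller, dateTimeOfCreation=TimeGenerated, ResourceGroup, SubscriptionId, ResourceId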

[Figure: OMS Log Analytics Query]

There are various schemas you can check to see which one contains the data that you want to query. A sample of these schemas is shown below.

[Figure: Various Schemas]
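An added example, not from the original post: the Method 2 query narrowed to virtual machines and reduced to one row per VM, run against constructed sample rows so it executes without a workspace. It assumes OperationName carries the resource provider operation (for example Microsoft.Compute/virtualMachines/write); SampleActivity and every value in it are made up for illustration.

```kusto
// Constructed sample rows standing in for the AzureActivity table (not real log data).
let SampleActivity = datatable(TimeGenerated:datetime, OperationName:string, ActivityStatus:string,
                               ActivitySubstatus:string, Caller:string, Resource:string,
                               ResourceGroup:string, SubscriptionId:string, ResourceId:string)
[
    // The same VM creation logged at several stages: only the Succeeded/Created row should count.
    datetime(2017-05-02 09:14:07), "Microsoft.Compute/virtualMachines/write", "Started",   "",        "alice@example.com", "vm-web-01", "rg-web", "sub-constructed", "/subscriptions/sub-constructed/resourceGroups/rg-web/providers/Microsoft.Compute/virtualMachines/vm-web-01",
    datetime(2017-05-02 09:16:41), "Microsoft.Compute/virtualMachines/write", "Succeeded", "Created", "alice@example.com", "vm-web-01", "rg-web", "sub-constructed", "/subscriptions/sub-constructed/resourceGroups/rg-web/providers/Microsoft.Compute/virtualMachines/vm-web-01",
    // A repeated Created record for the same VM: must not produce a second row.
    datetime(2017-05-02 09:16:45), "Microsoft.Compute/virtualMachines/write", "Succeeded", "Created", "alice@example.com", "vm-web-01", "rg-web", "sub-constructed", "/subscriptions/sub-constructed/resourceGroups/rg-web/providers/Microsoft.Compute/virtualMachines/vm-web-01",
    // A later update of the same VM by someone else: a write, but not a creation.
    datetime(2017-05-03 15:02:10), "Microsoft.Compute/virtualMachines/write", "Succeeded", "OK",      "bob@example.com",   "vm-web-01", "rg-web", "sub-constructed", "/subscriptions/sub-constructed/resourceGroups/rg-web/providers/Microsoft.Compute/virtualMachines/vm-web-01",
    // A storage account creation: matches endswith "Write" but is not a VM.
    datetime(2017-05-04 11:30:00), "Microsoft.Storage/storageAccounts/write", "Succeeded", "Created", "bob@example.com",   "stlogs01",  "rg-data", "sub-constructed", "/subscriptions/sub-constructed/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/stlogs01",
    // A second VM created by a different caller.
    datetime(2017-05-04 11:42:19), "Microsoft.Compute/virtualMachines/write", "Succeeded", "Created", "bob@example.com",   "vm-db-01",  "rg-data", "sub-constructed", "/subscriptions/sub-constructed/resourceGroups/rg-data/providers/Microsoft.Compute/virtualMachines/vm-db-01"
];
SampleActivity
// Restrict to the VM write operation (=~ compares case-insensitively)
| where OperationName =~ "Microsoft.Compute/virtualMachines/write"
| where ActivityStatus == "Succeeded"
| where ActivitySubstatus contains "Created"
// One row per VM: keep the earliest matching record and the caller recorded on it
| summarize arg_min(TimeGenerated, Caller, Resource, ResourceGroup, SubscriptionId) by ResourceId
| project resourceName=Resource, CreatedBy=Caller, dateTimeOfCreation=TimeGenerated, ResourceGroup, SubscriptionId, ResourceId
| order by dateTimeOfCreation asc
```

To run it on real data, drop the let statement and start the pipeline from AzureActivity.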