Overview of Azure platform logs

Platform logs provide detailed diagnostic and auditing information for Azure resources and the Azure platform they depend on. Platform logs are automatically generated. This article provides an overview of platform logs including the information they provide, and how to configure them for collection and analysis.

Types of platform logs

The following table lists the platform logs that are available at different layers within Azure.

Log Layer Description
Resource logs Azure Resources Resource logs provide an insight into operations that were performed within an Azure resource. This is known as the data plane. Examples include getting a secret from a key vault, or making a request to a database. The contents of resource logs varies according to the Azure service and resource type.

Resource logs were previously referred to as diagnostic logs.
Activity logs Azure Subscription Activity logs provide an insight into the operations performed on each Azure resource in the subscription from the outside, known as the management plane. in addition to updates on Service Health events. Use the Activity log to determine what, who, and when for any write operation (PUT, POST, DELETE) executed on the resources in your subscription. There's a single activity log for each Azure subscription.
Microsoft Entra logs Azure Tenant Microsoft Entra logs contain the history of sign-in activity and an audit trail of changes made in Microsoft Entra ID for a particular tenant.

Note

The Azure activity log is primarily for activities that occur in Azure Resource Manager. The activity log doesn't track resources by using the classic/RDFE model. Some classic resource types have a proxy resource provider in Resource Manager, for example, Microsoft.ClassicCompute. If you interact with a classic resource type through Resource Manager by using these proxy resource providers, the operations appear in the activity log. If you interact with a classic resource type outside of the Resource Manager proxies, your actions are only recorded in the Operation log. The Operation log can be browsed in a separate section of the portal.

A diagram showing the types of platform logs and where the logs can be sent.

View platform logs

There are different options for viewing and analyzing the different Azure platform logs:

  • View the activity log using the Azure portal and access events from PowerShell and the Azure CLI. See View the activity log for details.
  • View Microsoft Entra security and activity reports in the Azure portal. See What are Microsoft Entra reports? for details.
  • Resource logs are automatically generated by supported Azure resources. You must create a diagnostic setting for the resource to store and view the log.

Diagnostic settings

Resource logs must have a diagnostic setting to be viewed. Create a diagnostic setting to send platform logs to one of the following destinations for analysis or other purposes.

Destination Description
Log Analytics workspace Analyze the logs of all your Azure resources together and take advantage of all the features available to Azure Monitor Logs including log queries and log search alerts. Pin the results of a log query to an Azure dashboard or include it in a workbook as part of an interactive report.
Event hub Send platform log data outside of Azure, for example, to a third-party SIEM or custom telemetry platform via Event hubs
Azure Storage Archive the logs to Azure storage for audit or backup.
Azure Monitor partner integrations Partner integrations are specialized integrations between Azure Monitor and non-Microsoft monitoring platforms. Partner integrations are especially useful when you're already using one of the supported partners.

Pricing model

Processing data to stream logs is charged for certain services when sent to destinations other than a Log Analytics workspace.

While there's no direct charge when this data is sent from the resource to a Log Analytics workspace, there's a Log Analytics charge for ingesting the data into a workspace. The charge is based on the number of bytes in the exported JSON-formatted log data, measured in GB (10^9 bytes).

Pricing is available on the Azure Monitor pricing page.

Next steps