Overview of Azure platform logs
Platform logs provide detailed diagnostic and auditing information for Azure resources and the Azure platform they depend on. Platform logs are automatically generated. This article provides an overview of platform logs including the information they provide, and how to configure them for collection and analysis.
Types of platform logs
The following table lists the platform logs that are available at different layers within Azure.
|Resource logs provide an insight into operations that were performed within an Azure resource. This is known as the data plane. Examples include getting a secret from a key vault, or making a request to a database. The contents of resource logs varies according to the Azure service and resource type.
Resource logs were previously referred to as diagnostic logs.
|Activity logs provide an insight into the operations performed on each Azure resource in the subscription from the outside, known as the management plane. in addition to updates on Service Health events. Use the Activity log to determine what, who, and when for any write operation (PUT, POST, DELETE) executed on the resources in your subscription. There's a single activity log for each Azure subscription.
|Microsoft Entra logs
|Microsoft Entra logs contain the history of sign-in activity and an audit trail of changes made in Microsoft Entra ID for a particular tenant.
The Azure activity log is primarily for activities that occur in Azure Resource Manager. The activity log doesn't track resources by using the classic/RDFE model. Some classic resource types have a proxy resource provider in Resource Manager, for example, Microsoft.ClassicCompute. If you interact with a classic resource type through Resource Manager by using these proxy resource providers, the operations appear in the activity log. If you interact with a classic resource type outside of the Resource Manager proxies, your actions are only recorded in the Operation log. The Operation log can be browsed in a separate section of the portal.
View platform logs
There are different options for viewing and analyzing the different Azure platform logs:
- View the activity log using the Azure portal and access events from PowerShell and the Azure CLI. See View the activity log for details.
- View Microsoft Entra security and activity reports in the Azure portal. See What are Microsoft Entra reports? for details.
- Resource logs are automatically generated by supported Azure resources. You must create a diagnostic setting for the resource to store and view the log.
Resource logs must have a diagnostic setting to be viewed. Create a diagnostic setting to send platform logs to one of the following destinations for analysis or other purposes.
|Log Analytics workspace
|Analyze the logs of all your Azure resources together and take advantage of all the features available to Azure Monitor Logs including log queries and log search alerts. Pin the results of a log query to an Azure dashboard or include it in a workbook as part of an interactive report.
|Send platform log data outside of Azure, for example, to a third-party SIEM or custom telemetry platform via Event hubs
|Archive the logs to Azure storage for audit or backup.
|Azure Monitor partner integrations
|Partner integrations are specialized integrations between Azure Monitor and non-Microsoft monitoring platforms. Partner integrations are especially useful when you're already using one of the supported partners.
- For details on how to create a diagnostic setting for activity logs or resource logs, see Create diagnostic settings to send platform logs and metrics to different destinations.
- For details on how to create a diagnostic setting for Microsoft Entra logs, see the following articles:
Processing data to stream logs is charged for certain services when sent to destinations other than a Log Analytics workspace.
While there's no direct charge when this data is sent from the resource to a Log Analytics workspace, there's a Log Analytics charge for ingesting the data into a workspace. The charge is based on the number of bytes in the exported JSON-formatted log data, measured in GB (10^9 bytes).
Pricing is available on the Azure Monitor pricing page.