Queries for the AZMSRunTimeAuditLogs table
For information on using these queries in the Azure portal, see Log Analytics tutorial. For the REST API, see Query.
Publish runtime successful connection for Advanced Message Queuing Protocol(AMQP).
AZMSRunTimeAuditLogs
| where Provider =~ "EventHub"
| where Protocol == "AMQP" and Status == "Success"
| project ActivityName, Protocol, NetworkType, ClientIp, _ResourceId
| summarize by ActivityName
Publish the failed entries for AAD auth.
AZMSRunTimeAuditLogs
| extend NamespaceInfo = tostring(split(_ResourceId, "/")[8])
| where Provider =~ "EventHub"
| where isnotnull(NamespaceInfo) and isnotnull(AuthKey) and AuthType == "AAD" and Status != "Success"
| project NamespaceInfo, AuthKey, ActivityName, Protocol, NetworkType, ClientIp, _ResourceId
| summarize by NamespaceInfo, AuthKey, ActivityName
Publish the failed entries for SAS auth.
AZMSRunTimeAuditLogs
| extend NamespaceInfo = tostring(split(_ResourceId, "/")[8])
| where Provider =~ "EventHub"
| where isnotnull(NamespaceInfo) and isnotnull(AuthKey) and AuthType == "SAS" and Status != "Success"
| project NamespaceInfo, AuthKey, ActivityName, Protocol, NetworkType, ClientIp, _ResourceId
| summarize by NamespaceInfo, AuthKey, ActivityName
Publish the runtime failure for send message event.
AZMSRunTimeAuditLogs
| extend NamespaceInfo = tostring(split(_ResourceId, "/")[8])
| where Provider =~ "EventHub"
| where isnotnull(NamespaceInfo) and Status != "Success" and ActivityName == "SendMessage"
| project NamespaceInfo, ActivityName, Protocol, NetworkType, ClientIp, _ResourceId
| summarize by NamespaceInfo, ActivityName
Publish the runtime failure for multiple namespaces.
AZMSRunTimeAuditLogs
| extend NamespaceInfo = tostring(split(_ResourceId, "/")[8])
| where Provider =~ "EventHub"
| where isnotnull(NamespaceInfo) and Status != "Success"
| project NamespaceInfo, ActivityName, Protocol, NetworkType, ClientIp, _ResourceId
| summarize by NamespaceInfo, ActivityName
This lists all the errors for the last 7 days.
AzureDiagnostics
| where ResourceProvider ==\"MICROSOFT.EVENTHUB\"
| where Category == \"OperationalLogs\"
| summarize count() by \"EventName\", _ResourceId
Publish runtime successful connection for Advanced Message Queuing Protocol(AMQP).
AZMSRunTimeAuditLogs
| where Provider =~ "ServiceBus"
| where Protocol == "AMQP" and Status == "Success"
| project ActivityName, Protocol, NetworkType, ClientIp, _ResourceId
| summarize by ActivityName
Publish the runtime failures for send message event.
AZMSRunTimeAuditLogs
| extend NamespaceInfo = tostring(split(_ResourceId, "/")[8])
| where Provider =~ "ServiceBus"
| where isnotnull(NamespaceInfo) and Status != "Success" and ActivityName == "SendMessage"
| project NamespaceInfo, ActivityName, Protocol, NetworkType, ClientIp, _ResourceId
| summarize by NamespaceInfo, ActivityName
Publish the runtime failure for multiple namespaces.
AZMSRunTimeAuditLogs
| extend NamespaceInfo = tostring(split(_ResourceId, "/")[8])
| where Provider =~ "ServiceBus"
| where isnotnull(NamespaceInfo) and Status != "Success"
| project NamespaceInfo, ActivityName, Protocol, NetworkType, ClientIp, _ResourceId
| summarize by NamespaceInfo, ActivityName
Publish the failed entries for AAD authorization.
AZMSRunTimeAuditLogs
| extend NamespaceInfo = tostring(split(_ResourceId, "/")[8])
| where Provider =~ "ServiceBus"
| where isnotnull(NamespaceInfo) and isnotnull(AuthKey) and AuthType == "AAD" and Status != "Success"
| project NamespaceInfo, AuthKey, ActivityName, Protocol, NetworkType, ClientIp, _ResourceId
| summarize by NamespaceInfo, AuthKey, ActivityName
Publish the failed entries for SAS authorization.
AZMSRunTimeAuditLogs
| extend NamespaceInfo = tostring(split(_ResourceId, "/")[8])
| where Provider =~ "ServiceBus"
| where isnotnull(NamespaceInfo) and isnotnull(AuthKey) and AuthType == "SAS" and Status != "Success"
| project NamespaceInfo, AuthKey, ActivityName, Protocol, NetworkType, ClientIp, _ResourceId
| summarize by NamespaceInfo, AuthKey, ActivityName