Diagnostic settings and resource logs

Platform logs provide detailed diagnostic and auditing information for Azure resources and the Azure platform they depend on. Platform logs are automatically generated.

The following platform logs are available within Azure:

  • Resource logs. Resource logs provide an insight into operations that were performed within an Azure resource. This is known as the data plane. Examples include getting a secret from a key vault, or making a request to a database. The contents of resource logs vary according to the Azure service and resource type. Resource logs were previously referred to as diagnostic logs.
  • Activity logs. Activity logs provide an insight into the operations performed on each Azure resource in the subscription from the outside, known as the management plane, in addition to updates on Service Health events. Use the Activity log to determine what, who, and when for any write operation (PUT, POST, DELETE) executed on the resources in your subscription. There's a single activity log for each Azure subscription.
  • Microsoft Entra ID logs. Entra ID logs contain the history of sign-in activity and an audit trail of changes made in Entra ID for a particular tenant. (Previously termed the Azure Active Directory logs.)

Viewing platform logs

There are different options for viewing and analyzing the different Azure platform logs:

  • View the activity log using the Azure portal and access events from PowerShell and the Azure CLI. See View the activity log for details.
  • View Azure AD security and activity reports in the Azure portal. See What are Azure AD reports? for details.
  • Resource logs are automatically generated by supported Azure resources. You must create a diagnostic setting for the resource to store and view the log.

Diagnostic settings

Resource logs must have a diagnostic setting to be viewed. Create a diagnostic setting to send platform logs to one of the following destinations for analysis or other purposes.

  • Log Analytics workspace. Analyze the logs of all your Azure resources together and take advantage of all the features available to Azure Monitor Logs including log queries and log alerts. Pin the results of a log query to an Azure dashboard or include it in a workbook as part of an interactive report.
  • Event hub. Send platform log data outside of Azure, for example, to a third-party SIEM or custom telemetry platform via Event Hubs.
  • Azure Storage. Archive the logs to Azure storage for audit or backup.

Platform metrics are sent automatically to Azure Monitor Metrics by default and without configuration. Platform logs, which provide detailed diagnostic and auditing information for Azure resources and the Azure platform they depend on, are handled differently depending on the log type:

  • Resource logs aren't collected until they're routed to a destination.
  • Activity logs exist on their own but can be routed to other locations.

Each Azure resource requires its own diagnostic setting, which defines the following criteria:

  • Sources: The type of metric and log data to send to the destinations defined in the setting. The available types vary by resource type.
  • Destinations: One or more destinations to send to.

A single diagnostic setting can define no more than one of each of the destinations. If you want to send data to more than one of a particular destination type (for example, two different Log Analytics workspaces), create multiple settings. Each resource can have up to five diagnostic settings.

There are three sources for diagnostic information:

  • Metrics
  • Resource Logs
  • Activity logs

The AllMetrics setting routes a resource's platform metrics to other destinations. This option might not be present for all resource providers.

Resource logs

With logs, you can select the log categories you want to route individually or choose a category group. You can use category groups to dynamically collect resource logs based on predefined groupings instead of selecting individual log categories. Microsoft defines the groupings to help monitor specific use cases across all Azure services. Category groups don't apply to all metric resource providers.

When you use category groups, you can no longer:

  • Select individual resource logs based on individual category types.
  • Apply retention settings to logs sent to Azure Storage.

There are two category groups:

  • All. Every resource log offered by the resource.
  • Audit. All resource logs that record customer interactions with data or the settings of the service. Audit logs are an attempt by each resource provider to provide the most relevant audit data, but may not be considered sufficient from an auditing standards perspective.

The Audit category is a subset of All, but the Azure portal and REST API consider them separate settings. Selecting All collects all audit logs regardless of whether the Audit category is also selected.
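The constraints above (at least one destination, at most one of each destination type per setting, category groups or individual categories but not both, no storage retention with category groups, and at most five settings per resource) can be checked before a setting is submitted. The following is an added example, not code from the Microsoft Learn module or an Azure SDK; it builds the `properties` body of a `Microsoft.Insights/diagnosticSettings` resource as the ARM REST API expects it, using the API spellings `allLogs` and `audit` for the All and Audit category groups, with constructed resource IDs.

```python
# Added example, not from the Microsoft Learn module or Azure SDK: builds the
# 'properties' body of a Microsoft.Insights/diagnosticSettings resource and
# enforces the rules the text states before it is sent to the ARM REST API.
MAX_SETTINGS_PER_RESOURCE = 5           # "Each resource can have up to five settings"
CATEGORY_GROUPS = {"allLogs", "audit"}  # the All and Audit groups as the API spells them


def build_setting(*, logs=(), category_group=None, all_metrics=False,
                  workspace_id=None, event_hub_rule_id=None, event_hub_name=None,
                  storage_account_id=None, storage_retention_days=None):
    """Return one diagnostic-setting body, or raise ValueError for an invalid combination."""
    if not (workspace_id or event_hub_rule_id or storage_account_id):
        raise ValueError("a diagnostic setting needs at least one destination")
    if logs and category_group:
        raise ValueError("category group and individual categories are mutually exclusive")
    if category_group and category_group not in CATEGORY_GROUPS:
        raise ValueError(f"unknown category group {category_group!r}")
    if category_group and storage_retention_days:
        raise ValueError("retention settings do not apply when a category group is used")
    if storage_retention_days and not storage_account_id:
        raise ValueError("retention settings only apply to the Azure Storage destination")

    retention = {"enabled": True, "days": storage_retention_days} if storage_retention_days else None
    props = {"logs": [], "metrics": []}
    if category_group:
        props["logs"].append({"categoryGroup": category_group, "enabled": True})
    for cat in logs:
        entry = {"category": cat, "enabled": True}
        if retention:
            entry["retentionPolicy"] = retention
        props["logs"].append(entry)
    if all_metrics:                      # AllMetrics routes the resource's platform metrics
        props["metrics"].append({"category": "AllMetrics", "enabled": True})
    if workspace_id:
        props["workspaceId"] = workspace_id
    if event_hub_rule_id:
        props["eventHubAuthorizationRuleId"] = event_hub_rule_id
        if event_hub_name:
            props["eventHubName"] = event_hub_name
    if storage_account_id:
        props["storageAccountId"] = storage_account_id
    return props


def settings_for_workspaces(existing_count, workspace_ids, **sources):
    """Two workspaces need two settings (one of each destination type per setting);
    the per-resource limit of five settings is checked against what already exists."""
    if existing_count + len(workspace_ids) > MAX_SETTINGS_PER_RESOURCE:
        raise ValueError("resource would exceed five diagnostic settings")
    return [build_setting(workspace_id=ws, **sources) for ws in workspace_ids]
```

Each returned body is what you would PUT under `.../providers/Microsoft.Insights/diagnosticSettings/<name>` on the target resource; the functions only validate and shape it.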

Activity log

The Azure Monitor activity log is a platform log in Azure that provides insight into subscription-level events. The activity log includes information like when a resource is modified, or a virtual machine is started. You can view the activity log in the Azure portal or retrieve entries with PowerShell and the Azure CLI.

For more functionality, create a diagnostic setting to send the activity log to one or more of these locations for the following reasons:

  • Azure Monitor Logs – for more complex querying and alerting and for longer retention, up to two years.
  • Azure Event Hubs – to forward outside of Azure.
  • Azure Storage – for cheaper, long-term archiving.

You can access the activity log from most menus in the Azure portal. The menu that you open it from determines its initial filter. If you open it from the Monitor menu, the only filter is on the subscription. If you open it from a resource's menu, the filter is set to that resource. You can always change the filter to view all other entries. Activity log events are retained in Azure for 90 days and then deleted.

You can send the activity log to a Log Analytics workspace to enable the Azure Monitor Logs feature, where you:

  • Correlate activity log data with other monitoring data collected by Azure Monitor.
  • Consolidate log entries from multiple Azure subscriptions and tenants into one location for analysis together.
  • Use log queries to perform complex analysis and gain deep insights on activity log entries.
  • Use log alerts with Activity entries for more complex alerting logic.
  • Store activity log entries for longer than the activity log retention period.

To send the activity log to a Log Analytics workspace, select Export Activity Logs from the Activity Logs page. You can send the activity log from any single subscription to up to five workspaces. Activity log data in a Log Analytics workspace is stored in a table called AzureActivity that you can retrieve with a log query in Log Analytics. The structure of this table varies depending on the category of the log entry.

Send the activity log to an Azure Storage account if you want to retain your log data longer than 90 days for audit, static analysis, or backup. When you send the activity log to Azure Storage, a storage container is created in the storage account as soon as an event occurs.
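The "what, who, and when" question the activity log answers for write operations can be asked of AzureActivity rows once they are in a workspace. The following is an added example, not code from the Microsoft Learn module; the rows are constructed and only mimic the AzureActivity columns (`TimeGenerated`, `Caller`, `OperationNameValue`, `ActivityStatusValue`, `ResourceId`), and the check flags successful deletions of diagnostic settings, since deleting one stops the parent resource's logs from being routed anywhere.

```python
# Added example, not from the Microsoft Learn module: the activity log answers
# "what, who, when" for write operations (PUT, POST, DELETE). The rows below are
# constructed and only mimic the columns of the AzureActivity table; the check
# flags deletion of a diagnostic setting, which turns off resource log routing.
from datetime import datetime

WRITE_SUFFIXES = ("/WRITE", "/DELETE", "/ACTION")  # ARM operation names for write ops
DIAG_SETTING_OP = "MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE"
KV1 = "/subscriptions/0000/resourceGroups/rg1/providers/Microsoft.KeyVault/vaults/kv1"

ACTIVITY_ROWS = [  # constructed sample rows shaped like AzureActivity
    {"TimeGenerated": "2024-05-01T10:02:11Z", "Caller": "alice@contoso.example",
     "OperationNameValue": "MICROSOFT.KEYVAULT/VAULTS/READ",
     "ActivityStatusValue": "Success", "ResourceId": KV1},
    {"TimeGenerated": "2024-05-01T10:05:40Z", "Caller": "bob@contoso.example",
     "OperationNameValue": "MICROSOFT.COMPUTE/VIRTUALMACHINES/START/ACTION",
     "ActivityStatusValue": "Success",
     "ResourceId": "/subscriptions/0000/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1"},
    {"TimeGenerated": "2024-05-01T09:58:03Z", "Caller": "bob@contoso.example",
     "OperationNameValue": DIAG_SETTING_OP, "ActivityStatusValue": "Success",
     "ResourceId": KV1 + "/providers/microsoft.insights/diagnosticSettings/audit-to-law"},
    {"TimeGenerated": "2024-05-01T10:07:00Z", "Caller": "bob@contoso.example",
     "OperationNameValue": DIAG_SETTING_OP, "ActivityStatusValue": "Failed",
     "ResourceId": KV1 + "/providers/microsoft.insights/diagnosticSettings/metrics-to-law"},
]


def write_operations(rows):
    """Return (when, who, what, resource) for successful write operations, oldest first."""
    hits = []
    for r in rows:
        op = r["OperationNameValue"].upper()
        if op.endswith(WRITE_SUFFIXES) and r["ActivityStatusValue"] == "Success":
            when = datetime.strptime(r["TimeGenerated"], "%Y-%m-%dT%H:%M:%SZ")
            hits.append((when, r["Caller"], op, r["ResourceId"]))
    return sorted(hits)


def diagnostic_setting_deletions(rows):
    """(who, parent resource) for each successful diagnostic-setting deletion: the
    parent resource no longer routes its resource logs, so each deserves review."""
    return [(who, res.split("/providers/microsoft.insights/")[0])
            for _, who, op, res in write_operations(rows) if op == DIAG_SETTING_OP]
```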