Commit 3ef43b4

authored
Merge pull request #186974 from osalzberg/activitylogs
change the export experience
2 parents 22110ac + 7b37158 commit 3ef43b4

2 files changed

+28
-29
lines changed

articles/azure-monitor/essentials/activity-log.md

Lines changed: 28 additions & 29 deletions
@@ -9,9 +9,9 @@ ms.author: bwren
99
---
1010

1111
# Azure Activity log
12-
The Activity log is a [platform log](./platform-logs-overview.md) in Azure that provides insight into subscription-level events. This includes such information as when a resource is modified or when a virtual machine is started. You can view the Activity log in the Azure portal or retrieve entries with PowerShell and CLI. This article provides details on viewing the Activity log and sending it to different destinations.
12+
The Activity log is a [platform log](./platform-logs-overview.md) in Azure that provides insight into subscription-level events. Activity log includes such information as when a resource is modified or when a virtual machine is started. You can view the Activity sign in the Azure portal or retrieve entries with PowerShell and CLI. This article provides details on viewing the Activity log and sending it to different destinations.
1313

14-
For additional functionality, you should create a diagnostic setting to send the Activity log to one or more of these locations for the following reasons:
14+
For more functionality, you should create a diagnostic setting to send the Activity log to one or more of these locations for the following reasons:
1515
- to [Azure Monitor Logs](../logs/data-platform-logs.md) for more complex querying and alerting, and longer retention (up to 2 years)
1616
- to Azure Event Hubs to forward outside of Azure
1717
- to Azure Storage for cheaper, long-term archiving
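
Review bot: The added line 12 now reads "You can view the Activity sign in the Azure portal", which looks like a mechanical "log in" to "sign in" replacement hitting the phrase "Activity log in the Azure portal". Restore "Activity log in the Azure portal". In the same line, "Activity log includes" would read better as "The Activity log includes".
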
@@ -23,10 +23,10 @@ See [Create diagnostic settings to send platform logs and metrics to different d
2323
2424
## Retention Period
2525

26-
Activity log events are retained in Azure for **90 days** and then deleted. There is no charge for entries during this time regardless of volume. For additional functionality such as longer retention, you should create a diagnostic setting and route the entires to another location based on your needs. See the criteria in the earlier section of this article.
26+
Activity log events are retained in Azure for **90 days** and then deleted. There is no charge for entries during this time regardless of volume. For more functionality such as longer retention, you should create a diagnostic setting and route the entires to another location based on your needs. See the criteria in the earlier section of this article.
2727

2828
## View the Activity log
29-
You can access the Activity log from most menus in the Azure portal. The menu that you open it from determines its initial filter. If you open it from the **Monitor** menu, then the only filter will be on the subscription. If you open it from a resource's menu, then the filter will be set to that resource. You can always change the filter though to view all other entries. Click **Add Filter** to add additional properties to the filter.
29+
You can access the Activity log from most menus in the Azure portal. The menu that you open it from determines its initial filter. If you open it from the **Monitor** menu, then the only filter will be on the subscription. If you open it from a resource's menu, then the filter is set to that resource. You can always change the filter though to view all other entries. Select **Add Filter** to add more properties to the filter.
3030

3131
![View Activity Log](./media/activity-log/view-activity-log.png)
3232

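Review bot: The rewritten retention paragraph (new line 26) still carries the typo "entires"; since the line is being touched anyway, change it to "entries". In new line 29 the tense is now mixed, "the only filter will be on the subscription" next to "the filter is set to that resource"; use the present tense in both.
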
@@ -43,13 +43,13 @@ For some events, you can view the Change history, which shows what changes happe
4343

4444
![Change history list for an event](media/activity-log/change-history-event.png)
4545

46-
If there are any associated changes with the event, you'll see a list of changes that you can select. This opens up the **Change history (Preview)** page. On this page, you see the changes to the resource. In the following example, you can see not only that the VM changed sizes, but what the previous VM size was before the change and what it was changed to. To learn more about change history, see [Get resource changes](../../governance/resource-graph/how-to/get-resource-changes.md).
46+
If there are any associated changes with the event, you will see a list of changes that you can select. This opens up the **Change history (Preview)** page. On this page, you see the changes to the resource. In the following example, you can see not only that the VM changed sizes, but what the previous VM size was before the change and what it was changed to. To learn more about change history, see [Get resource changes](../../governance/resource-graph/how-to/get-resource-changes.md).
4747

4848
![Change history page showing differences](media/activity-log/change-history-event-details.png)
4949

5050

5151
### Other methods to retrieve Activity log events
52-
You can also access Activity log events using the following methods.
52+
You can also access Activity log events using the following methods:
5353

5454
- Use the [Get-AzLog](/powershell/module/az.monitor/get-azlog) cmdlet to retrieve the Activity Log from PowerShell. See [Azure Monitor PowerShell samples](../powershell-samples.md#retrieve-activity-log).
5555
- Use [az monitor activity-log](/cli/azure/monitor/activity-log) to retrieve the Activity Log from CLI. See [Azure Monitor CLI samples](../cli-samples.md#view-activity-log).
@@ -68,18 +68,18 @@ You can also access Activity log events using the following methods.
6868
- No data retention charges for the first 90 days for Activity log data stored in a Log Analytics workspace.
6969

7070

71-
[Create a diagnostic setting](./diagnostic-settings.md) to send the Activity log to a Log Analytics workspace. You can send the Activity log from any single subscription to up to five workspaces.
71+
[Create a diagnostic setting](./diagnostic-settings.md) to send the Activity log to a Log Analytics workspace. You can send the Activity log from any single subscription to up to five workspaces.
7272

7373
Activity log data in a Log Analytics workspace is stored in a table called *AzureActivity* that you can retrieve with a [log query](../logs/log-query-overview.md) in [Log Analytics](../logs/log-analytics-tutorial.md). The structure of this table varies depending on the [category of the log entry](activity-log-schema.md). For a description of the table properties, see the [Azure Monitor data reference](/azure/azure-monitor/reference/tables/azureactivity).
7474

75-
For example, to view a count of Activity log records for each category, use the following query.
75+
For example, to view a count of Activity log records for each category, use the following query:
7676

7777
```kusto
7878
AzureActivity
7979
| summarize count() by CategoryValue
8080
```
8181

82-
To retrieve all records in the administrative category, use the following query.
82+
To retrieve all records in the administrative category, use the following query:
8383

8484
```kusto
8585
AzureActivity
@@ -149,7 +149,7 @@ Following is sample output data from Event Hubs for an Activity log:
149149
```
150150

151151
## Send to Azure storage
152-
Send the Activity Log to an Azure Storage Account if you want to retain your log data longer than 90 days for audit, static analysis, or backup. If you only need to retain your events for 90 days or less you do not need to set up archival to a Storage Account, since Activity Log events are retained in the Azure platform for 90 days.
152+
Send the Activity Log to an Azure Storage Account if you want to retain your log data longer than 90 days for audit, static analysis, or backup. If you only must retain your events for 90 days or less you do not need to set up archival to a Storage Account, since Activity Log events are retained in the Azure platform for 90 days.
153153

154154
When you send the Activity log to Azure, a storage container is created in the Storage Account as soon as an event occurs. The blobs in the container use the following naming convention:
155155

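Review bot: In new line 152, "If you only must retain your events for 90 days or less" is not idiomatic, and the same sentence keeps "you do not need to set up archival", so the wording is now inconsistent. The original "If you only need to retain" was clearer; suggest reverting that phrase.
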
@@ -179,18 +179,18 @@ This section describes legacy methods for collecting the Activity log that were
179179
Log profiles are the legacy method for sending the Activity log to Azure storage or Event Hubs. Use the following procedure to continue working with a log profile or to disable it in preparation for migrating to a diagnostic setting.
180180

181181
1. From the **Azure Monitor** menu in the Azure portal, select **Activity log**.
182-
3. Click **Diagnostic settings**.
182+
3. Select **Export Activity Logs**.
183183

184-
![Diagnostic settings](media/activity-log/diagnostic-settings.png)
184+
![Export activity logs](media/activity-log/diagnostic-settings-export.png)
185185

186-
4. Click the purple banner for the legacy experience.
186+
4. Select the purple banner for the legacy experience.
187187

188188
![Legacy experience](media/activity-log/legacy-experience.png)
189189

190190

191191
### Configure log profile using PowerShell
192192

193-
If a log profile already exists, you first need to remove the existing log profile and then create a new one.
193+
If a log profile already exists, you first must remove the existing log profile and then create new one.
194194

195195
1. Use `Get-AzLogProfile` to identify if a log profile exists. If a log profile does exist, note the *name* property.
196196

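Review bot: New line 193 drops the article: "then create new one" should be "then create a new one". Separately, the portal steps in this hunk are numbered 1, 3, 4 in the source; renumbering them while the lines are being edited would make the source easier to follow.
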
@@ -213,7 +213,7 @@ If a log profile already exists, you first need to remove the existing log profi
213213
| StorageAccountId |No |Resource ID of the Storage Account where the Activity Log should be saved. |
214214
| serviceBusRuleId |No |Service Bus Rule ID for the Service Bus namespace you would like to have Event Hubs created in. This is a string with the format: `{service bus resource ID}/authorizationrules/{key name}`. |
215215
| Location |Yes |Comma-separated list of regions for which you would like to collect Activity Log events. |
216-
| RetentionInDays |Yes |Number of days for which events should be retained in the Storage Account, between 1 and 365. A value of zero stores the logs indefinitely. |
216+
| RetentionInDays |Yes |Number of days for which events should be retained in the Storage Account, from 1 through 365. A value of zero stores the logs indefinitely. |
217217
| Category |No |Comma-separated list of event categories that should be collected. Possible values are _Write_, _Delete_, and _Action_. |
218218
219219
### Example script
@@ -240,11 +240,11 @@ Following is a sample PowerShell script to create a log profile that writes the
240240

241241
### Configure log profile using Azure CLI
242242

243-
If a log profile already exists, you first need to remove the existing log profile and then create a new log profile.
243+
If a log profile already exists, you first must remove the existing log profile and then create a log profile.
244244

245245
1. Use `az monitor log-profiles list` to identify if a log profile exists.
246246
2. Use `az monitor log-profiles delete --name "<log profile name>` to remove the log profile using the value from the *name* property.
247-
3. Use `az monitor log-profiles create` to create a new log profile:
247+
3. Use `az monitor log-profiles create` to create a log profile:
248248

249249
```azurecli-interactive
250250
az monitor log-profiles create --name "default" --location null --locations "global" "eastus" "westus" --categories "Delete" "Write" "Action" --enabled false --days 0 --service-bus-rule-id "/subscriptions/<YOUR SUBSCRIPTION ID>/resourceGroups/<RESOURCE GROUP NAME>/providers/Microsoft.EventHub/namespaces/<Event Hub NAME SPACE>/authorizationrules/RootManageSharedAccessKey"
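
Review bot: Step 2 in the context of this hunk has an unbalanced quote, `az monitor log-profiles delete --name "<log profile name>`, so the command will not run as pasted; close the quote while these steps are being edited. In new line 243, "remove the existing log profile and then create a log profile" reads oddly once "new" is dropped; "then create a replacement" would keep the meaning.
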
@@ -254,31 +254,31 @@ If a log profile already exists, you first need to remove the existing log profi
254254
| name |Yes |Name of your log profile. |
255255
| storage-account-id |Yes |Resource ID of the Storage Account to which Activity Logs should be saved. |
256256
| locations |Yes |Space-separated list of regions for which you would like to collect Activity Log events. You can view a list of all regions for your subscription using `az account list-locations --query [].name`. |
257-
| days |Yes |Number of days for which events should be retained, between 1 and 365. A value of zero will store the logs indefinitely (forever). If zero, then the enabled parameter should be set to false. |
257+
| days |Yes |Number of days for which events should be retained, from 1 through 365. A value of zero will store the logs indefinitely (forever). If zero, then the enabled parameter should be set to false. |
258258
|enabled | Yes |True or False. Used to enable or disable the retention policy. If True, then the days parameter must be a value greater than 0.
259259
| categories |Yes |Space-separated list of event categories that should be collected. Possible values are Write, Delete, and Action. |
260260

261261

262262
### Log Analytics workspace
263-
The legacy method for sending the Activity log into a Log Analytics workspace is connecting the log in the workspace configuration.
263+
The legacy method for sending the Activity log into a Log Analytics workspace is connecting the sign in the workspace configuration.
264264

265265
1. From the **Log Analytics workspaces** menu in the Azure portal, select the workspace to collect the Activity Log.
266266
1. In the **Workspace Data Sources** section of the workspace's menu, select **Azure Activity log**.
267-
1. Click the subscription you want to connect.
267+
1. Select the subscription that you want to connect.
268268

269269
![Screenshot shows Log Analytics workspace with an Azure Activity log selected.](media/activity-log/workspaces.png)
270270

271-
2. Click **Connect** to connect the Activity log in the subscription to the selected workspace. If the subscription is already connected to another workspace, click **Disconnect** first to disconnect it.
271+
2. Select **Connect** to connect the Activity sign in the subscription to the selected workspace. If the subscription is already connected to another workspace, select **Disconnect** first to disconnect it.
272272

273273
![Connect Workspaces](media/activity-log/connect-workspace.png)
274274

275275

276-
To disable the setting, perform the same procedure and click **Disconnect** to remove the subscription from the workspace.
276+
To disable the setting, perform the same procedure and select **Disconnect** to remove the subscription from the workspace.
277277

278278
### Data structure changes
279-
Diagnostic settings send the same data as the legacy method used to send the Activity log with some changes to the structure of the *AzureActivity* table.
279+
The Export activity logs experience, sends the same data as the legacy method used to send the Activity log with some changes to the structure of the *AzureActivity* table.
280280

281-
The columns in the following table have been deprecated in the updated schema. They still exist in *AzureActivity* but they will have no data. The replacements for these columns are not new, but they contain the same data as the deprecated column. They are in a different format, so you may need to modify log queries that use them.
281+
The columns in the following table have been deprecated in the updated schema. They still exist in *AzureActivity* but they have no data. The replacements for these columns are not new, but they contain the same data as the deprecated column. They are in a different format, so you might need to modify log queries that use them.
282282

283283
|Activity Log JSON | Log Analytics column name<br/>*(older deprecated)* | New Log Analytics column name | Notes |
284284
|:---------|:---------|:---------|:---------|
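
Review bot: Two added lines in this hunk have "log in" replaced by "sign in" inside the phrase "Activity log in ...": new line 263 ("connecting the sign in the workspace configuration") and new line 271 ("connect the Activity sign in the subscription"). Both should say "log". New line 279 also has a stray comma: "The Export activity logs experience, sends the same data".
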
@@ -291,7 +291,7 @@ The columns in the following table have been deprecated in the updated schema. T
291291
> [!Important]
292292
> In some cases, the values in these columns may be in all uppercase. If you have a query that includes these columns, you should use the [=~ operator](/azure/kusto/query/datatypes-string-operators) to do a case insensitive comparison.
293293
294-
The following column have been added to *AzureActivity* in the updated schema:
294+
The following columns have been added to *AzureActivity* in the updated schema:
295295

296296
- Authorization_d
297297
- Claims_d
@@ -309,14 +309,14 @@ Monitoring solutions are accessed from the **Monitor** menu in the Azure portal.
309309
![Azure Activity Logs tile](media/activity-log/azure-activity-logs-tile.png)
310310

311311

312-
Click the **Azure Activity Logs** tile to open the **Azure Activity Logs** view. The view includes the visualization parts in the following table. Each part lists up to 10 items matching that part's criteria for the specified time range. You can run a log query that returns all matching records by clicking **See all** at the bottom of the part.
312+
Select the **Azure Activity Logs** tile to open the **Azure Activity Logs** view. The view includes the visualization parts in the table. Each part lists up to 10 items that matches that part's criteria for the specified time range. You can run a log query that returns all matching records by clicking **See all** at the bottom of the part.
313313

314314
![Azure Activity Logs dashboard](media/activity-log/activity-log-dash.png)
315315

316316

317317
### Enable the solution for new subscriptions
318318
> [!NOTE]
319-
>You will soon no longer be able to add the Activity Logs Analytics solution to your subscription using the Azure portal. You can add it using the following procedure with a Resource Manager template.
319+
>You will soon no longer be able to add the Activity Logs Analytics solution to your subscription with the Azure portal. You can add it using the following procedure with a Resource Manager template.
320320
321321
1. Copy the following json into a file called *ActivityLogTemplate*.json.
322322

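Review bot: New line 312 introduces an agreement error, "up to 10 items that matches that part's criteria"; use "that match". The same line changes "the following table" to "the table", which loses the pointer to which table is meant, and it still says "by clicking **See all**" while the rest of the commit moves from "click" to "select".
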
@@ -407,7 +407,6 @@ Click the **Azure Activity Logs** tile to open the **Azure Activity Logs** view.
407407

408408

409409
## Next steps
410-
411410
* [Read an overview of platform logs](./platform-logs-overview.md)
412411
* [Review Activity log event schema](activity-log-schema.md)
413-
* [Create diagnostic setting to send Activity logs to other destinations](./diagnostic-settings.md)
412+
* [Create diagnostic setting to send Activity logs to other destinations](./diagnostic-settings.md)