articles/azure-monitor/alerts/activity-log-alerts.md
Lines changed: 38 additions & 18 deletions
@@ -2,34 +2,44 @@
2
2
title: Activity log alerts in Azure Monitor
3
3
description: Be notified via SMS, webhook, SMS, email and more, when certain events occur in the activity log.
4
4
ms.topic: conceptual
5
-
ms.date: 09/17/2018
5
+
ms.date: 04/04/2022
6
6
7
7
---
8
8
9
9
# Alerts on activity log
10
10
11
11
## Overview
12
12
13
-
Activity log alerts are alerts that activate when a new [activity log event](../essentials/activity-log-schema.md) occurs that matches the conditions specified in the alert. Based on the order and volume of the events recorded in [Azure activity log](../essentials/platform-logs-overview.md), the alert rule will fire. Activity log alert rules are Azure resources, so they can be created by using an Azure Resource Manager template. They also can be created, updated, or deleted in the Azure portal. This article introduces the concepts behind activity log alerts. For more information on creating or usage of activity log alert rules, see [Create and manage activity log alerts](alerts-activity-log.md).
13
+
Activity log alerts allow you to be notified on events and operations that are logged in [Azure Activity Log](../essentials/activity-log.md). An alert is fired when a new [activity log event](../essentials/activity-log-schema.md) occurs that matches the conditions specified in the alert rule. Activity log alert rules are Azure resources, so they can be created by using an Azure Resource Manager template. They also can be created, updated, or deleted in the Azure portal. This article introduces the concepts behind activity log alerts. For more information on creating or usage of activity log alert rules, see [Create and manage activity log alerts](./alerts-activity-log.md).
14
+
15
+
## Alerting on activity log event categories
16
+
17
+
You can create activity log alert rules to receive notifications on one of the following activity log event categories :
18
+
19
+
***Administrative events** - get notified when a create, update, delete, or action operation occur on resources in your Azure subscription, resource group, or on a specific resource. For example, you might want to be notified when any virtual machine in myProductionResourceGroup is deleted. Or, you might want to be notified if any new roles are assigned to a user in your subscription.
20
+
***Service Health events** - get notified on Azure incidents, such as an outage or a maintenance event, occurred in a specific Azure region and may impact services in your subscription.
21
+
***Resource health events** - get notified when the health of a specific Azure resource you are using is degraded, or if the resource becomes unavailable.
22
+
***Autoscale events** - get notified when events related to the operation of the configured [autoscale operations](../autoscale/autoscale-overview.md) in your subscription. An example of an Autoscale event is Autoscale scale up action failed.
23
+
***Recommendation** - get notified when a new [Azure Advisor recommendation](../../advisor/advisor-overview.md) is available for your subscription.
24
+
***Security** - get notified on events generated by Microsoft Defender for Cloud. An example of a Security event is Suspicious double extension file executed.
25
+
***Policy** - get notified on effect action operations performed by Azure Policy. Examples of Policy events include Audit and Deny.
14
26
15
27
> [!NOTE]
16
-
> * Alerts **cannot** be created for events in Alert category of activity log.
17
-
> * Activity Log Alerts with the category of Security can be defined also in a [new upgraded flow](../../security-center/continuous-export.md?tabs=azure-portal) to [ServiceNow](../../security-center/export-to-siem.md)
28
+
> Alerts **cannot** be created for events in Alert category of activity log.
18
29
19
-
Typically, you create activity log alerts to receive notifications when:
20
30
21
-
* Specific operations occur on resources in your Azure subscription, often scoped to particular resource groups or resources. For example, you might want to be notified when any virtual machine in myProductionResourceGroup is deleted. Or, you might want to be notified if any new roles are assigned to a user in your subscription.
22
-
* A service health event occurs. Service health events include notification of incidents and maintenance events that apply to resources in your subscription.
31
+
## Configuring activity log alert rules
23
32
24
-
A simple analogy for understanding conditions on which alert rules can be created on activity log, is to explore or filter events via [Activity log in Azure portal](../essentials/activity-log.md#view-the-activity-log). In Azure Monitor - Activity log, one can filter or find necessary event and then create an alert by using the **Add activity log alert** button.
33
+
You can configure an activity log alert based on any top-level property in the JSON object for an activity log event. For more information, see [Categories in the Activity Log](../essentials/activity-log.md#view-the-activity-log).
25
34
26
-
In either case, an activity log alert monitors only for events in the subscription in which the alert is created.
35
+
An alternative simple way for creating conditions for activity log alerts is to explore or filter events via [Activity log in Azure portal](../essentials/activity-log.md#view-the-activity-log). In Azure Monitor - Activity log, one can filter and locate a required event and then create an alert to notify on similar by using the **New alert rule** button.
27
36
28
-
You can configure an activity log alert based on any top-level property in the JSON object for an activity log event. For more information, see [Categories in the Activity Log](../essentials/activity-log.md#view-the-activity-log). To learn more about service health events, see [Receive activity log alerts on service notifications](../../service-health/alerts-activity-log-service-notifications-portal.md).
37
+
> [!NOTE]
38
+
> An activity log alert rule monitors only for events in the subscription in which the alert rule is created.
29
39
30
-
Activity log alerts have a few common options:
40
+
Activity log events have a few common properties which can be used to define a the activity log alert rule condition:
31
41
32
-
-**Category**: Administrative, Service Health, Autoscale, Security, Policy, and Recommendation.
42
+
-**Category**: Administrative, Service Health, Resource Health, Autoscale, Security, Policy, or Recommendation.
33
43
-**Scope**: The individual resource or set of resource(s) for which the alert on activity log is defined. Scope for an activity log alert can be defined at various levels:
34
44
- Resource Level: For example, for a specific virtual machine
35
45
- Resource Group Level: For example, all virtual machines in a specific resource group
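Review bot: the seven new category bullets, from `***Administrative events**` through `***Policy**`, have no space after the leading `*`, so Markdown will render them as run-on bold-italic text instead of a list; each should start `* **Administrative events** - ...`. Smaller wording fixes in the same hunk: `event categories :` has a stray space before the colon; the Service Health bullet needs `that occurred in a specific Azure region`; the Autoscale bullet is missing its verb (`get notified when events related to ... occur`); `notify on similar by using` should read `notify on similar events by using`; and `define a the activity log alert rule condition` has a doubled article. The rewritten configuration paragraph also drops the link to `../../service-health/alerts-activity-log-service-notifications-portal.md` that the old text carried; consider keeping it next to the Service Health bullet so readers can still find the service health walkthrough.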
@@ -39,22 +49,32 @@ Activity log alerts have a few common options:
39
49
-**Operation name**: The [Azure resource provider operation](../../role-based-access-control/resource-provider-operations.md) name utilized for Azure role-based access control . Operations not registered with Azure Resource Manager can not be used in an activity log alert rule.
40
50
-**Level**: The severity level of the event (Informational, Warning, Error, or Critical).
41
51
-**Status**: The status of the event, typically Started, Failed, or Succeeded.
42
-
-**Event initiated by**: Also known as the "caller." The email address or Azure Active Directory identifier of the user who performed the operation.
52
+
-**Event initiated by**: Also known as the "caller." The email address or Azure Active Directory identifier of the user (or application) who performed the operation.
43
53
44
-
> [!NOTE]
45
-
> In a subscription up to 100 alert rules can be created for an activity of scope at either: a single resource, all resources in resource group (or) entire subscription level.
54
+
In addition to these comment properties, different activity log events categories have categpry-specific properties that can be used to define an alert rule for events of this category. For example, when creating a service health alert rule you can configure a condition on the impacted region name or service name that appear in the event.
55
+
56
+
## Using action groups
46
57
47
-
When an activity log alert is activated, it uses an action group to generate actions or notifications. An action group is a reusable set of notification receivers, such as email addresses, webhook URLs, or SMS phone numbers. The receivers can be referenced from multiple alerts to centralize and group your notification channels. When you define your activity log alert, you have two options. You can:
58
+
When an activity log alert is fired, it uses an action group to generate actions or notifications. An action group is a reusable set of notification receivers, such as email addresses, webhook URLs, or SMS phone numbers. The receivers can be referenced from multiple alerts to centralize and group your notification channels. When you define your activity log alert rule, you have two options. You can:
48
59
49
-
* Use an existing action group in your activity log alert.
60
+
* Use an existing action group in your activity log alert rule.
50
61
* Create a new action group.
51
62
52
63
To learn more about action groups, see [Create and manage action groups in the Azure portal](./action-groups.md).
53
64
65
+
## Activity log alert rules limit
66
+
You can create up to 100 active activity log alert rules per subscription (including alert rules all activity log categories, such as resource health or service health ). This limit can't be increased.
67
+
If you are reaching near this limit, there are several guidelines you can follow to optimize the use of activity log alerts rules so that you can cover more resources and events with the same number of rules:
68
+
* A single activity log alert rule can be configured to cover the scope of a single resource, a resource group, or an entire subscription. To reduce the number of rules you're using, consider to replace multiple rules covering a narrow scope with a single rule covering a broad scope. For example, if you have multiple VMs in a subscription, and you want an alert to be triggered whenever one of them is restarted, you can use a single activity log alert rule to cover all the VMs in your subscription. The alert will be triggered whenever any VM in the subscription is restarted.
69
+
* A single service health alert rule can cover all the services and Azure regions used by your subscription. If you're using multiple service health alert rules per subscription, you can replace them with a single rule (or with a small number of rules, if you prefer).
70
+
* A single resource health alert rule can cover multiple resource types and resources in your subscription. If you're using multiple resource health alert rules per subscription, you can replace them with a smaller number of rules (or even a single rule) that covers multiple resource types.
71
+
54
72
55
73
## Next steps
56
74
57
75
- Get an [overview of alerts](./alerts-overview.md).
58
76
- Learn about [create and modify activity log alerts](alerts-activity-log.md).
59
77
- Review the [activity log alert webhook schema](../alerts/activity-log-alerts-webhook.md).
60
-
- Learn about [service health notifications](../../service-health/service-notifications.md).
78
+
- Learn more about [service health alerts](../../service-health/service-notifications.md).
79
+
- Learn more about [Resource health alerts](../../service-health/resource-health-alert-monitor-guide.md).
80
+
- Learn more about [Recommendation alerts](../../advisor/advisor-alerts-portal.md).
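Review bot: the new paragraph after the property list has two typos, `comment properties` for `common properties` and `categpry-specific` for `category-specific`, and `different activity log events categories` should be `different activity log event categories`. In the new `Activity log alert rules limit` section, the parenthetical `(including alert rules all activity log categories, such as resource health or service health )` is missing `for` after `rules` and has a stray space before the closing parenthesis; `If you are reaching near this limit` reads better as `If you are approaching this limit`; and `consider to replace` should be `consider replacing`. In Next steps, `Resource health alerts` is capitalized while the neighbouring `service health alerts` is not; pick one style for the three new links.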