articles/azure-monitor/platform/activity-log-collect.md
26 additions & 38 deletions
Original file line number
Diff line number
Diff line change
@@ -5,7 +5,7 @@ ms.subservice: logs
5
5
ms.topic: conceptual
6
6
author: bwren
7
7
ms.author: bwren
8
-
ms.date: 03/20/2020
8
+
ms.date: 03/24/2020
9
9
10
10
---
11
11
@@ -14,7 +14,7 @@ The [Azure Activity log](platform-logs-overview.md) is a [platform log](platform
14
14
15
15
Collecting the Activity Log in a Log Analytics workspace provides the following advantages:
16
16
17
-
- No charge for space Activity log data stored in a Log Analytics workspace.
17
+
- No data ingestion or data retention charge for Activity log data stored in a Log Analytics workspace.
18
18
- Correlate Activity log data with other monitoring data collected by Azure Monitor.
19
19
- Use [log queries](../log-query/log-query-overview.md) to perform complex analysis and gain deep insights on Activity Log entries.
20
20
- Store Activity log entries for longer than 90 days.
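Review bot: The added bullet promises no data retention charge without qualification, while the last bullet in the same list advertises storing entries for longer than 90 days. State explicitly whether the no-charge statement also covers retention extended beyond 90 days, so readers planning long-term audit retention don't have to guess. The list also mixes "Activity Log" and "Activity log"; pick one capitalization.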
@@ -23,17 +23,19 @@ Collecting the Activity Log in a Log Analytics workspace provides the following
23
23
24
24
25
25
## Collecting Activity log
26
-
The Activity log is collected automatically for [viewing in the Azure portal](activity-log-view.md). To send it to other destinations, create a [diagnostic setting](diagnostic-settings.md), which is the same method used by resource logs.
26
+
The Activity log is collected automatically for [viewing in the Azure portal](activity-log-view.md). To collect it in a Log Analytics workspace or to send it Azure storage or event hubs, create a [diagnostic setting](diagnostic-settings.md). This is the same method used by resource logs making it consistent for all [platform logs](platform-logs-overview.md).
27
27
28
-
To create a diagnostic setting for the Activity log, select **Diagnostic settings** from the **Activity log** menu in Azure Monitor. See [Create diagnostic setting to collect platform logs and metrics in Azure](diagnostic-settings.md) for details on creating the setting. See [Categories in the Activity log](activity-log-view.md#categories-in-the-activity-log) for a description of the categories you can filter in the setting. If you have any legacy settings, make sure you disable them before creating a diagnostic setting. Having both enabled may result in duplicate data.
28
+
To create a diagnostic setting for the Activity log, select **Diagnostic settings** from the **Activity log** menu in Azure Monitor. See [Create diagnostic setting to collect platform logs and metrics in Azure](diagnostic-settings.md) for details on creating the setting. See [Categories in the Activity log](activity-log-view.md#categories-in-the-activity-log) for a description of the categories you can filter. If you have any legacy settings, make sure you disable them before creating a diagnostic setting. Having both enabled may result in duplicate data.
> Currently, you can only create a subscription level diagnostic setting using the Azure portal. To use other methods such as PowerShell or CLI, you can create a Resource Manager template.
33
35
34
36
35
37
## Legacy settings
36
-
While diagnostic settings are the preferred method to send the Activity log to different destinations, legacy methods are still available and will continue to work if you don't choose to replace with a diagnostic setting. Diagnostic settings have the following advantages over the previous methods, and it's recommended that you change any legacy configuration to this new strategy:
38
+
While diagnostic settings are the preferred method to send the Activity log to different destinations, legacy methods will continue to work if you don't choose to replace with a diagnostic setting. Diagnostic settings have the following advantages over legacy methods, and it's recommended that you update your configuration:
37
39
38
40
- Consistent method for collecting all platform logs.
39
41
- Collect Activity log across multiple subscriptions and tenants.
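Review bot: The added sentence in the first paragraph under "Collecting Activity log" is missing a word: "to send it Azure storage or event hubs" should read "to send it to Azure storage or event hubs". The sentence after it needs a comma before "making it consistent". In the reworded Legacy settings paragraph, "if you don't choose to replace with a diagnostic setting" has no object; "replace them with a diagnostic setting" reads better.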
@@ -55,7 +57,7 @@ Log profiles are the legacy method for sending the Activity log to Azure storage
### Disable collection into Log Analytics workspace
72
-
73
-
1. Open the **Log Analytics workspaces** menu in the Azure portal and select the workspace to collect the Activity Log.
74
-
2. In the **Workspace Data Sources** section of the workspace's menu, select **Azure Activity log**.
75
-
3. Click the subscription you want to disconnect.
76
-
4. Click **Disconnect** and then **Yes** when asked to confirm your choice.
77
-
78
-
79
-
### Analysis of Activity log
80
-
You can [view the Activity log in the Azure portal](activity-log-view.md) without any configuration. When you configure it to be collected into a Log Analytics workspace,
81
-
82
-
What is changing is analysis of Activity log entries in a Log Analytics workspace. Activity log events are still sent to the *AzureActivity* table, and the same log queries can be used to analyze them. The Activity Logs Analytics monitoring solution is being deprecated along with the deprecation of Azure Monitor views. A new Azure Monitor workbook will be provided in the near future providing queries and visualizations for gaining insights into the Activity log.
83
-
73
+
To disable the setting, perform the same procedure and click **Disconnect** to remove the subscription from the workspace.
84
74
85
75
86
76
## Analyze Activity log in Log Analytics workspace
87
-
When you connect an Activity Log to a Log Analytics workspace, entries will be written to the workspace into a table called **AzureActivity** that you can retrieve with a [log query](../log-query/log-query-overview.md). The structure of this table varies depending on the [category of log entry](activity-log-view.md#categories-in-the-activity-log). See [Azure Activity Log event schema](activity-log-schema.md) for a description of each category.
77
+
When you connect an Activity Log to a Log Analytics workspace, entries will be written to the workspace into a table called *AzureActivity* that you can retrieve with a [log query](../log-query/log-query-overview.md). The structure of this table varies depending on the [category of the log entry](activity-log-view.md#categories-in-the-activity-log). See [Azure Activity Log event schema](activity-log-schema.md) for a description of each category.
88
78
89
79
90
-
### Differences in data
80
+
### Data structure changes
91
81
Diagnostic settings collect the same data as the legacy method used to collect the Activity log with some changes to the structure of the *AzureActivity* table.
92
82
93
-
The columns in the following table have been deprecated. They still exist in *AzureActivity* but they will have no data. The replacement for these columns are not new, but they contain the same data as the deprecated column. They are in a different format, so you may need to modify log queries that use them.
83
+
The columns in the following table have been deprecated in the updated schema. They still exist in *AzureActivity* but they will have no data. The replacement for these columns are not new, but they contain the same data as the deprecated column. They are in a different format, so you may need to modify log queries that use them.
94
84
95
85
| Deprecated column | Replacement column |
96
86
|:---|:---|
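Review bot: The new line under "Disable collection into Log Analytics workspace" says to "perform the same procedure", but the four numbered steps it replaces are removed in this same hunk, so the reader has to infer which procedure is meant and that a subscription must be selected before **Disconnect**. Name or link the procedure, and keep the confirmation step that the old step 4 mentioned. Separately, the edited deprecated-columns paragraph still reads "The replacement for these columns are not new"; use "The replacements for these columns are not new".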
@@ -99,7 +89,7 @@ The columns in the following table have been deprecated. They still exist in *Az
99
89
| OperationName | OperationNameValue |
100
90
| ResourceProvider | ResourceProviderValue |
101
91
102
-
The following column have been added to *AzureActivity*:
92
+
The following column have been added to *AzureActivity* in the updated schema:
103
93
104
94
- Authorization_d
105
95
- Claims_d
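Review bot: The edited line still reads "The following column have been added"; it should be "The following columns have been added", since the list that follows has more than one entry (Authorization_d, Claims_d).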
@@ -108,15 +98,24 @@ The following column have been added to *AzureActivity*:
108
98
> [!IMPORTANT]
109
99
> In some cases, the values in these columns may be in all uppercase. If you have a query that includes these columns, you should use the [=~ operator](https://docs.microsoft.com/azure/kusto/query/datatypes-string-operators) to do a case insensitive comparison.
110
100
111
-
### Query sample
101
+
102
+
### Query samples
103
+
Following are sample queries retrieving Activity log data using log queries.
104
+
105
+
### List all records for starting virtual machines
106
+
107
+
```Kusto
108
+
AzureActivity
109
+
| where TimeGenerated > ago(7d)
110
+
| where ResourceProviderValue == "MICROSOFT.COMPUTE"
111
+
| where OperationNameValue == "MICROSOFT.COMPUTE/VIRTUALMACHINES/START/ACTION"
112
+
```
112
113
113
114
114
115
115
116
## Activity Logs Analytics monitoring solution
116
-
The Azure Log Analytics monitoring solution is currently being deprecated but can still be used if you already have it enabled. It cannot be used if you collect the Activity log using a diagnostic setting as described above. The option to enable the solution for a new subscription has been removed from the Azure portal, but you can enable it using the template and procedure in [Enable solution for new subscription](#enable-solution-for-new-subscription).
117
+
The Azure Log Analytics monitoring solution is currently being deprecated and will soon be replaced by a workbook using the updated schema in the Log Analytics workspace. You can still use the solution if you already have it enabled, but it can only be used if you're collecting the Activity log using legacy settings.
117
118
118
-
> [!IMPORTANT]
119
-
> The Activity Logs Analytics monitoring solution is not supported if you're collecting the Activity log using a diagnostic setting. You must continue to connect your subscription to a workspace to use the solution.
120
119
121
120
122
121
### Use the solution
@@ -225,14 +224,3 @@ You can no longer add a new subscription to the Activity Logs Analytics solution
225
224
- Learn more about the [Activity Log](platform-logs-overview.md).
226
225
- Learn more about the [Azure Monitor data platform](data-platform.md).
227
226
- Use [log queries](../log-query/log-query-overview.md) to view detailed information from your Activity Log.
228
-
229
-
230
-
231
-
232
-
### Considerations
233
-
Consider the following details of Activity log collection using diagnostic settings before enabling this feature.
234
-
235
-
- The retention setting for collecting the Activity log to Azure storage has been removed meaning that data will be stored indefinitely until you remove it.
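Review bot: Removing the Considerations section drops the statement that Activity log data sent to Azure storage is kept indefinitely until the user removes it, and none of the visible added lines restates it. That matters for storage cost and data-retention planning; keep the sentence, for example in the section on diagnostic settings, unless it is already covered elsewhere in the file.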