Merge pull request #239971 from Saglodha/patch-8

Update monitor-event-hubs-reference.md

Author: PMEds28

articles/event-hubs/media/monitor-event-hubs-reference/destination-table-toggle.png

@@ -80,7 +80,13 @@ Azure Event Hubs supports the following dimensions for metrics in Azure Monitor.
 | ------------------- | ----------------- |
 |Entity Name| Name of the event hub. With the 'Incoming Requests' metric, the Entity Name dimension has a value of '-NamespaceOnlyMetric-' in addition to all your event hubs. It represents the requests that were made at the namespace level. Examples include a  request to list all event hubs in the namespace or requests to entities that failed authentication or authorization.|
 
+
 ## Resource logs
+
+Azure Event Hubs now has the capability to dispatch logs to either of two destination tables - Azure Diagnostic or [Resource specific tables](~/articles/azure-monitor/essentials/resource-logs.md) in Log Analytics. You could use the toggle available on Azure portal to choose destination tables. 
+
+:::image type="content" source="media/monitor-event-hubs-reference/destination-table-toggle.png" alt-text="Screenshot of dialog box to set destination table." lightbox="media/monitor-event-hubs-reference/destination-table-toggle.png":::
+
 [!INCLUDE [event-hubs-diagnostic-log-schema](./includes/event-hubs-diagnostic-log-schema.md)]
 
 
@@ -92,24 +98,31 @@ Runtime audit logs capture aggregated diagnostic information for all data plane
 
 Runtime audit logs include the elements listed in the following table:
 
-Name | Description
-------- | -------
-`ActivityId` | A randomly generated UUID that ensures uniqueness for the audit activity. 
-`ActivityName` | Runtime operation name.  
-`ResourceId` | Resource associated with the activity. 
-`Timestamp` | Aggregation time.
-`Status` | Status of the activity (success or failure).
-`Protocol` | Type of the protocol associated with the operation.
-`AuthType` | Type of authentication (Microsoft Entra ID or SAS Policy).
-`AuthKey` | Microsoft Entra application ID or SAS policy name that's used to authenticate to a resource.
-`NetworkType` | Type of the network access: `Public` or `Private`.
-`ClientIP` | IP address of the client application.
-`Count` | Total number of operations performed during the aggregated period of 1 minute. 
-`Properties` | Metadata that are specific to the data plane operation. 
-`Category` | Log category
+
+Name | Description | Supported in Azure Diagnostics | Supported in Resource Specific table
+------- | -------| -----| -----|
+`ActivityId` | A randomly generated UUID that ensures uniqueness for the audit activity. | Yes | Yes 
+`ActivityName` | Runtime operation name.| Yes | Yes 
+`ResourceId` | Resource associated with the activity. | Yes | Yes
+`Timestamp` | Aggregation time. | Yes | No
+ `TimeGenerated [UTC]`|Time of executed operation (in UTC)| No | Yes
+`Status` | Status of the activity (success or failure). | Yes | Yes 
+`Protocol` | Type of the protocol associated with the operation. | Yes | Yes 
+`AuthType` | Type of authentication (Azure Active Directory or SAS Policy). | Yes | Yes 
+`AuthKey` | Azure Active Directory application ID or SAS policy name that's used to authenticate to a resource. | Yes | Yes 
+`NetworkType` | Type of the network access: `Public` or `Private`. | Yes | Yes
+`ClientIP` | IP address of the client application. | Yes | Yes 
+`Count` | Total number of operations performed during the aggregated period of 1 minute. | Yes | Yes 
+`Properties` | Metadata that are specific to the data plane operation. | Yes | Yes 
+`Category` | Log category | Yes | NO
+ `Provider`|Name of Service emitting the logs e.g., Eventhub | No | Yes 
+ `Type`  | Type of logs emitted | No | Yes
+
+
 
 Here's an example of a runtime audit log entry:
 
+AzureDiagnostics :
 ```json
 {
     "ActivityId": "<activity id>",
@@ -126,6 +139,25 @@ Here's an example of a runtime audit log entry:
     "Category": "RuntimeAuditLogs"
  }
 
+```
+Resource specific table entry:
+```json 
+{
+    "ActivityId": "<activity id>",
+    "ActivityName": "ConnectionOpen | Authorization | SendMessage | ReceiveMessage",
+    "ResourceId": "/SUBSCRIPTIONS/xxx/RESOURCEGROUPS/<Resource Group Name>/PROVIDERS/MICROSOFT.EVENTHUB/NAMESPACES/<Event Hubs namespace>/eventhubs/<event hub name>",
+    "TimeGenerated (UTC)": "1/1/2021 8:40:06 PM +00:00",
+    "Status": "Success | Failure",
+    "Protocol": "AMQP | KAFKA | HTTP | Web Sockets", 
+    "AuthType": "SAS | Azure Active Directory", 
+    "AuthId": "<AAD application name | SAS policy name>",
+    "NetworkType": "Public | Private", 
+    "ClientIp": "x.x.x.x",
+    "Count": 1,
+    "Type": "AZMSRuntimeAUditLogs",
+    "Provider":"EVENTHUB"
+ }
+
 ```
 
 ## Application metrics logs
@@ -148,10 +180,11 @@ Name | Description
 `OffsetFetch` | Number of offset fetch calls made to the event hub.
 
 
-
 ## Azure Monitor Logs tables
 Azure Event Hubs uses Kusto tables from Azure Monitor Logs. You can query these tables with Log Analytics. For a list of Kusto tables the service uses, see [Azure Monitor Logs table reference](/azure/azure-monitor/reference/tables/tables-resourcetype#event-hubs).
 
+You can view our sample queries to get started with different log categories. 
+
 > [!IMPORTANT]
 > Dimensions aren't exported to a Log Analytics workspace.