Add Runtime audit logs

Author: kasun04

articles/event-hubs/monitor-event-hubs-reference.md

@@ -79,6 +79,64 @@ Azure Event Hubs supports the following dimensions for metrics in Azure Monitor.
 [!INCLUDE [event-hubs-diagnostic-log-schema](./includes/event-hubs-diagnostic-log-schema.md)]
 
 
+## Runtime Audit Logs
+Runtime Audit Logs captures aggregated diagnostic logs for all data plane access operations (such as send or receive events) in Dedicated SKU. 
+
+> [!NOTE]
+> Runtime audit logs are currently available in *Dedicated* tier only.  
+
+Runtime Audit Logs include the elements listed in the following table:
+Name | Description
+------- | -------
+`ActivityId` | A randomly generated UUID that ensures uniqueness for the audit activity. 
+`ActivityName` | Runtime operation name.  
+`ResourceId` | Resource associated with the activity. 
+`Timestamp` | Aggregation time.
+`Status` | Status of the activity (success or failure).
+`Protocol` | Type of the protocol associated with the operation.
+`AuthType` | Type of authentication (AAD or SAS Policy).
+`AuthKey` | AAD application Id or SAS policy name which is used to authenticate to a resource.
+`NetworkType` | Type of the network: PublicNetworkAccess, PrivateNetworkAccess.
+`ClientIP` | IP address of client application.
+`Count` | Total number of operations performed during the aggregated period of 1 minute. 
+`Properties` | Metadata that are specific to the data plane operation. 
+`Category` | Log category
+
+The following code is an example of a runtime audit log JSON string:
+
+```json
+Example:
+{
+    "ActivityId": "<activity id>",
+    "ActivityName": "ConnectionOpen | Authenticate | SendMessage | ReceiveMessage | GetRuntimeInfo",
+    "ResourceId": "/SUBSCRIPTIONS/xxx/RESOURCEGROUPS/<Resource Group Name>/PROVIDERS/MICROSOFT.EVENTHUB/NAMESPACES/<Event Hubs namespace>/eventhubs/<event hub name>",
+    "Time": "1/1/2021 8:40:06 PM +00:00",
+    "Status": "Success | Failure",
+    "Protocol": "AMQP | KAFKA | HTTP | Web Sockets", 
+    "AuthType": "SAS | AAD", 
+    "AuthId": "<app name | SAS policy name>",
+    "NetworkType": "PublicNetworkAccess | PrivateNetworkAccess", 
+    "ClientIp": "x.x.x.x",
+    "Count": 1,
+    "Properties": {
+        "key1": "value1",
+        "key2": "value2"
+    }, 
+    "Category": "RuntimeAuditLogs"
+ }
+
+```
+
+## Application Metrics Logs
+Application Metrics Logs captures the aggregated information on certain metrics related data plane operations. This includes following runtime metrics. 
+
+Name | Description
+------- | -------
+ConsumerLag | Indicate the lag between the consumers and producers. 
+NamespaceActiveConnections | Details of the active connections established from a client to Event Hub. 
+GetRuntimeInfo | Obtain run time information from Event Hubs. 
+GetPartitionRuntimeInfo | Obtain the approximate runtime information for a logical partition of an Event Hub. 
+
 
 ## Azure Monitor Logs tables
 Azure Event Hubs uses Kusto tables from Azure Monitor Logs. You can query these tables with Log Analytics. For a list of Kusto tables the service uses, see [Azure Monitor Logs table reference](/azure/azure-monitor/reference/tables/tables-resourcetype#event-hubs).

articles/event-hubs/monitor-event-hubs.md

@@ -89,8 +89,17 @@ Following are sample queries that you can use to help you monitor your Azure Eve
     | where ResourceProvider =="MICROSOFT.EVENTHUB"
     | where Category == "OperationalLogs"
     | summarize count() by "EventName"
+
++ Get runtime audit logs during last hour. 
+
+    ```Kusto
+    AzureDiagnostics
+    | where TimeGenerated > ago(1h)
+    | where ResourceProvider =="MICROSOFT.EVENTHUB"
+    | where Category == "RuntimeAuditLogs"    
     ```
 
+
 + Get access attempts to a key vault that resulted in "key not found" error.
 
     ```Kusto