Merge pull request #186965 from kasun04/master

Court72 · web-flow · commit f10e8eecfd60 · 2022-02-01T08:59:45.000-07:00
Add Service Bus Runtime Audit Logs
diff --git a/articles/event-hubs/monitor-event-hubs-reference.md b/articles/event-hubs/monitor-event-hubs-reference.md
@@ -80,7 +80,7 @@ Azure Event Hubs supports the following dimensions for metrics in Azure Monitor.
 [!INCLUDE [event-hubs-diagnostic-log-schema](./includes/event-hubs-diagnostic-log-schema.md)]
 
 
-## Runtime audit Logs
+## Runtime audit logs
 Runtime audit logs capture aggregated diagnostic information for all data plane access operations (such as send or receive events) in the Event Hubs dedicated cluster. 
 
 > [!NOTE] 
@@ -98,7 +98,7 @@ Name | Description
 `Protocol` | Type of the protocol associated with the operation.
 `AuthType` | Type of authentication (Azure Active Directory or SAS Policy).
 `AuthKey` | Azure Active Directory application ID or SAS policy name that's used to authenticate to a resource.
-`NetworkType` | Type of the network access: `PublicNetworkAccess`, `PrivateNetworkAccess`.
+`NetworkType` | Type of the network access: `Public` or `Private`.
 `ClientIP` | IP address of the client application.
 `Count` | Total number of operations performed during the aggregated period of 1 minute. 
 `Properties` | Metadata that are specific to the data plane operation. 
@@ -109,20 +109,16 @@ Here's an example of a runtime audit log entry:
 ```json
 {
     "ActivityId": "<activity id>",
-    "ActivityName": "ConnectionOpen | Authenticate | SendMessage | ReceiveMessage | GetRuntimeInfo",
+    "ActivityName": "ConnectionOpen | Authorization | SendMessage | ReceiveMessage",
     "ResourceId": "/SUBSCRIPTIONS/xxx/RESOURCEGROUPS/<Resource Group Name>/PROVIDERS/MICROSOFT.EVENTHUB/NAMESPACES/<Event Hubs namespace>/eventhubs/<event hub name>",
     "Time": "1/1/2021 8:40:06 PM +00:00",
     "Status": "Success | Failure",
     "Protocol": "AMQP | KAFKA | HTTP | Web Sockets", 
     "AuthType": "SAS | Azure Active Directory", 
-    "AuthId": "<app name | SAS policy name>",
-    "NetworkType": "PublicNetworkAccess | PrivateNetworkAccess", 
+    "AuthId": "<AAD application name | SAS policy name>",
+    "NetworkType": "Public | Private", 
     "ClientIp": "x.x.x.x",
     "Count": 1,
-    "Properties": {
-        "key1": "value1",
-        "key2": "value2"
-    }, 
     "Category": "RuntimeAuditLogs"
  }
 
diff --git a/articles/service-bus-messaging/monitor-service-bus-reference.md b/articles/service-bus-messaging/monitor-service-bus-reference.md
@@ -141,6 +141,51 @@ The following management operations are captured in operational logs:
 > [!NOTE]
 > Currently, *Read* operations aren't tracked in the operational logs.
 
+
+## Runtime audit logs
+Runtime audit logs capture aggregated diagnostic information for all data plane access operations (such as send or receive messages) in Service Bus.  
+
+> [!NOTE] 
+> Runtime audit logs are currently available only in the **premium** tier.  
+
+Runtime audit logs include the elements listed in the following table:
+
+Name | Description
+------- | -------
+`ActivityId` | A randomly generated UUID that ensures uniqueness for the audit activity. 
+`ActivityName` | Runtime operation name.  
+`ResourceId` | Resource associated with the activity. 
+`Timestamp` | Aggregation time.
+`Status` | Status of the activity (success or failure).
+`Protocol` | Type of the protocol associated with the operation.
+`AuthType` | Type of authentication (Azure Active Directory or SAS Policy).
+`AuthKey` | Azure Active Directory application ID or SAS policy name that's used to authenticate to a resource.
+`NetworkType` | Type of the network access: `Public` or`Private`.
+`ClientIP` | IP address of the client application.
+`Count` | Total number of operations performed during the aggregated period of 1 minute. 
+`Properties` | Metadata that are specific to the data plane operation. 
+`Category` | Log category
+
+Here's an example of a runtime audit log entry:
+
+```json
+{
+    "ActivityId": "<activity id>",
+    "ActivityName": "ConnectionOpen | Authorization | SendMessage | ReceiveMessage",
+    "ResourceId": "/SUBSCRIPTIONS/xxx/RESOURCEGROUPS/<Resource Group Name>/PROVIDERS/MICROSOFT.SERVICEBUS/NAMESPACES/<Service Bus namespace>/servicebus/<service bus name>",
+    "Time": "1/1/2021 8:40:06 PM +00:00",
+    "Status": "Success | Failure",
+    "Protocol": "AMQP | HTTP | SBMP", 
+    "AuthType": "SAS | AAD", 
+    "AuthId": "<AAD Application Name| SAS policy name>",
+    "NetworkType": "Public | Private", 
+    "ClientIp": "x.x.x.x",
+    "Count": 1, 
+    "Category": "RuntimeAuditLogs"
+ }
+
+```
+
 ## Azure Monitor Logs tables
 Azure Service Bus uses Kusto tables from Azure Monitor Logs. You can query these tables with Log Analytics. For a list of Kusto tables the service uses, see [Azure Monitor Logs table reference](/azure/azure-monitor/reference/tables/tables-resourcetype#service-bus).
 
diff --git a/articles/service-bus-messaging/monitor-service-bus.md b/articles/service-bus-messaging/monitor-service-bus.md
@@ -128,6 +128,15 @@ Following are sample queries that you can use to help you monitor your Azure Ser
     | where Category == "OperationalLogs"
     | summarize count() by EventName_s, _ResourceId
     ```
++ Get runtime audit logs generated in the last one hour. 
+
+    ```Kusto
+    AzureDiagnostics
+    | where TimeGenerated > ago(1h)
+    | where ResourceProvider =="MICROSOFT.SERVICEBUS"
+    | where Category == "RuntimeAuditLogs"    
+    ```
+
 
 + Get access attempts to a key vault that resulted in "key not found" error.
 
