How to send Azure’s activity logs to Log Analytics Workspace?

Kumar Allamraju
3 min read · Jan 29, 2021

The Activity log is a platform log in Azure that provides insight into subscription-level events, that is, the operations performed on each Azure resource in the subscription. Use the Activity log to determine the what, who, and when for any write operation (PUT, POST, DELETE) taken on the resources in your subscription. You can view the Activity log in the Azure portal or retrieve entries via PowerShell and the Azure CLI.

In this blog I’ll show how easy it is to forward your activity logs to different destinations for future analysis.

View the Activity log from Azure Portal

Go to Monitor >> Activity log

View change history

You can also access the Activity log events using

Send Activity logs to Log Analytics Workspace

Sending the Activity log to a Log Analytics workspace provides the following benefits:

  • Consolidate log entries from multiple Azure subscriptions and tenants.
  • Use log queries to perform complex analysis and gain deep insights.
  • Use log alerts with Activity entries allowing for more complex alerting logic.
  • Store Activity log entries for longer than 90 days.
  • No data ingestion charges for Activity log data stored in a Log Analytics workspace.
  • No data retention charges for the first 90 days of Activity log data stored in a Log Analytics workspace.

From the Azure Portal, click on Subscriptions, select your subscription, then click on Activity log.

Click on Diagnostic settings

Click on Add Diagnostic settings

Give the diagnostic setting a friendly name

Select the Category details. In my case I’m selecting Administrative but your choice may vary depending on your needs.

Activity log data in a Log Analytics workspace is stored in a table called AzureActivity that you can retrieve with a log query in Log Analytics. The structure of this table varies depending on the category of the log entry. For a description of the table properties, see the Azure Monitor data reference.

For example, to view a count of Activity log records for each category, use the following Kusto query.

AzureActivity | summarize count() by CategoryValue

To retrieve all records in the Administrative category:

AzureActivity | where CategoryValue == "Administrative"
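Building on the two queries above, the following Kusto query is an added example (not from the original post) that narrows the Administrative category down to the operations a defender usually wants to review first: successful deletes and role-assignment writes, grouped by caller and source IP so that an unusual actor or a burst of changes stands out. It assumes the standard AzureActivity columns (OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, ResourceGroup, _ResourceId); the 24-hour window and the 20-resource cap in make_set are arbitrary choices for illustration.

```kusto
// Added example: high-impact successful write operations in the last 24 hours,
// summarized per caller. Not part of the original post; column names follow the
// AzureActivity table schema, the thresholds and time window are assumptions.
AzureActivity
| where TimeGenerated > ago(24h)
| where CategoryValue == "Administrative"
// "Success" is the current status value; "Succeeded" appears in older records.
| where ActivityStatusValue in~ ("Success", "Succeeded")
// OperationNameValue looks like MICROSOFT.COMPUTE/VIRTUALMACHINES/DELETE;
// 'has' is a case-insensitive whole-term match, '=~' a case-insensitive equality.
| where OperationNameValue has "delete"
    or OperationNameValue =~ "Microsoft.Authorization/roleAssignments/write"
| project TimeGenerated, Caller, CallerIpAddress, OperationNameValue, ResourceGroup, _ResourceId
| summarize Operations = count(),
            FirstSeen  = min(TimeGenerated),
            LastSeen   = max(TimeGenerated),
            Resources  = make_set(_ResourceId, 20)
    by Caller, CallerIpAddress, OperationNameValue
| order by Operations desc
```

Run it from the Logs blade against the workspace the diagnostic setting writes to. The same query, reduced to its `where` clauses and a count, is a reasonable starting point for the alert rule mentioned later in this post; the grouping by Caller and CallerIpAddress is what makes the result useful during triage, because it answers "who did this, from where, and how many times" in a single row.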

Now go back to the Azure Monitor section.

Click on Logs. Type AzureActivity and you should see all activity log entries. You can customize the Time range, Display time, etc. From here you can also create a New alert rule to get notifications.

Although this blog focused on sending activity logs to Log Analytics workspaces, you can also redirect the logs to Event hubs or Azure Storage accounts.
