Acquaint yourself with the relevant information about Azure Activity Log Filters


Activity log filters in Azure help you narrow down and analyze specific events captured in the Azure Activity Log. Here's what you need to know about using activity log filters effectively:

Purpose of Filters

Filters allow you to focus on specific events of interest within the activity log, such as actions performed on a resource, by a specific user, or during a particular time.

They make it easier to investigate issues, track changes, and monitor compliance.

Available Filters

Azure Activity Log provides the following filters:

  1. Time Range: Specify the start and end dates for the events you want to examine. Example: Look at logs from the past week to investigate recent changes.

  2. Subscription: Select the Azure subscription for which you want to view activity logs. If you manage multiple subscriptions, filtering by subscription simplifies log analysis.

  3. Resource Group: Focus on events related to a specific resource group. Example: Investigate changes in the "Production-RG" resource group.

  4. Resource Type: Filter logs based on the type of resource, such as virtual machines, storage accounts, or databases. Useful for analyzing operations on specific resource categories.

  5. Resource: Narrow down events to a single resource within a resource group or subscription. Example: View all operations on a specific virtual machine.

  6. Event Categories: Define the type of events to display:

    • Administrative: Management operations like creating or deleting resources.

    • Service Health: Azure service-related events, like outages.

    • Policy: Logs related to Azure Policy compliance evaluations.

    • Security: Security-related actions, such as role assignments.

  7. Status: Filter logs based on the outcome of operations:

    • Succeeded: Successfully completed operations.

    • Failed: Operations that encountered errors.

    • In Progress: Ongoing operations.

  8. Event Initiated By (Caller): Focus on actions performed by a specific user or service principal. Example: Investigate changes made by "admin@example.com".

  9. Operation Name: Specify a particular action or operation type, such as Create Resource, Delete Resource, or Update Resource Group Tags.

  10. Location: Filter events by the Azure region where the operation occurred. Example: View all events in the "East US" region.

How to Use Filters in the Azure Portal

  1. Navigate to Monitor > Activity Log in the Azure Portal.

  2. Use the filtering options at the top of the Activity Log page.

  3. Select one or more filter criteria to refine the displayed results.

  4. Apply the filters to see only the relevant events.

Use Cases for Filters

  1. Troubleshooting:

    • Filter by Status = Failed to identify errors in resource deployment or updates.

    • Filter by Resource Type = Virtual Machines to investigate issues with VMs.

  2. Auditing:

    • Filter by Event Categories = Administrative and Caller = specific user to track actions performed by a user.

  3. Monitoring Policy Compliance:

    • Filter by Event Categories = Policy to view policy evaluation results.

  4. Change Management:

    • Filter by Operation Name = Delete Resource to track deleted resources.

    • Filter by Resource Group = DevOps-RG to monitor changes in a development environment.

  5. Performance Analysis:

    • Filter by Service Health to review Azure service issues affecting your resources.

Advanced Filtering Options

  1. Combine Filters: Use multiple filters together (e.g., Resource Group + Status + Caller) for detailed event analysis.

  2. Query-Based Filtering (Log Analytics): Export activity logs to a Log Analytics workspace and use KQL (Kusto Query Language) for advanced filtering and analysis.

Example Query:
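The portal filters listed above, and the filter combinations from the use cases, applied in code. This is an added Python example, not the author's query and not an Azure SDK call: it runs over a handful of constructed Activity Log records in a simplified shape modelled on the Activity Log REST "list" response (eventTimestamp, category.value, status.value, caller, operationName.value, resourceGroupName, resourceType.value, resourceId, subscriptionId). The location key, the function names, and every identity, id and timestamp are assumptions made up for the example.

```python
"""Activity Log filters implemented over constructed sample records.

Added example, not the page's own code. The records are CONSTRUCTED test
data in a simplified shape modelled on the Activity Log REST "list"
response; the "location" key is an assumption added for illustration.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from typing import Any, Iterable, Optional

# Fixed reference time so the example is deterministic offline.
NOW = datetime(2024, 5, 20, 12, 0, tzinfo=timezone.utc)
SUB = "00000000-0000-0000-0000-000000000001"  # constructed subscription id
VM = "Microsoft.Compute/virtualMachines"


def _event(hours_ago: int, category: str, status: str, caller: str, op: str,
           rg: str, rtype: str, name: str, location: str = "eastus") -> dict[str, Any]:
    """Build one constructed Activity Log record (not real telemetry)."""
    return {
        "eventTimestamp": (NOW - timedelta(hours=hours_ago)).isoformat(),
        "subscriptionId": SUB,
        "category": {"value": category},
        "status": {"value": status},
        "caller": caller,
        "operationName": {"value": op},
        "resourceGroupName": rg,
        "resourceType": {"value": rtype},
        "resourceId": f"/subscriptions/{SUB}/resourceGroups/{rg}/providers/{rtype}/{name}",
        "location": location,  # assumption: simplified field for the portal's Location filter
    }


SAMPLE_EVENTS = [
    _event(1, "Administrative", "Succeeded", "admin@example.com", f"{VM}/delete", "Production-RG", VM, "web01"),
    _event(2, "Administrative", "Failed", "deploy-sp@example.com", f"{VM}/write", "Production-RG", VM, "web02"),
    _event(3, "Administrative", "Started", "admin@example.com", f"{VM}/delete", "Production-RG", VM, "web03"),
    _event(30, "Administrative", "Succeeded", "dev@example.com", "Microsoft.Storage/storageAccounts/write",
           "DevOps-RG", "Microsoft.Storage/storageAccounts", "devlogs01", location="westus"),
    _event(200, "Policy", "Succeeded", "Microsoft.Policy", "Microsoft.Authorization/policies/audit/action",
           "Production-RG", VM, "web01"),  # about 8 days ago: outside a "past week" time range
]


def _same(value: Optional[str], wanted: Optional[str]) -> bool:
    """Case-insensitive equality; ARM resource names and operation names are case-insensitive."""
    return wanted is None or (value is not None and value.casefold() == wanted.casefold())


def filter_events(events: Iterable[dict[str, Any]], *, start: Optional[datetime] = None,
                  end: Optional[datetime] = None, subscription: Optional[str] = None,
                  resource_group: Optional[str] = None, resource_type: Optional[str] = None,
                  resource: Optional[str] = None, categories: Optional[set[str]] = None,
                  statuses: Optional[set[str]] = None, caller: Optional[str] = None,
                  operation_name: Optional[str] = None, location: Optional[str] = None) -> list[dict[str, Any]]:
    """Apply the portal's filters in code. Every criterion given must match
    (combined filters AND together, as in the portal); None means 'not
    filtered on'. Category and status sets are matched case-insensitively."""
    cats = {c.casefold() for c in categories} if categories else None
    stats = {s.casefold() for s in statuses} if statuses else None
    matched = []
    for ev in events:
        ts = datetime.fromisoformat(ev["eventTimestamp"])
        if start is not None and ts < start:
            continue
        if end is not None and ts > end:
            continue
        if cats is not None and ev["category"]["value"].casefold() not in cats:
            continue
        if stats is not None and ev["status"]["value"].casefold() not in stats:
            continue
        if not (_same(ev["subscriptionId"], subscription)
                and _same(ev["resourceGroupName"], resource_group)
                and _same(ev["resourceType"]["value"], resource_type)
                and _same(ev["resourceId"], resource)
                and _same(ev["caller"], caller)
                and _same(ev["operationName"]["value"], operation_name)
                and _same(ev.get("location"), location)):
            continue
        matched.append(ev)
    return matched


# The use cases from the text, expressed as filter combinations.
def failed_vm_ops_past_week(events):
    """Troubleshooting: Time Range = past week, Status = Failed, Resource Type = VMs."""
    return filter_events(events, start=NOW - timedelta(days=7), statuses={"Failed"}, resource_type=VM)


def audit_caller(events, user):
    """Auditing: Event Categories = Administrative and Caller = a specific user."""
    return filter_events(events, categories={"Administrative"}, caller=user)


def deletes_in_group(events, rg):
    """Change management: delete operations within one resource group. Only the
    Succeeded phase is kept, because each delete is also logged as a Started event."""
    return [ev for ev in filter_events(events, resource_group=rg, statuses={"Succeeded"})
            if ev["operationName"]["value"].casefold().endswith("/delete")]


if __name__ == "__main__":
    for ev in deletes_in_group(SAMPLE_EVENTS, "Production-RG"):
        print(ev["eventTimestamp"], ev["caller"], ev["resourceId"])
```

Because every criterion narrows the same result set, combining filters is a logical AND: the "start broad, then narrow down" advice below amounts to adding criteria one at a time until only the events of interest remain.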

Exporting Filtered Logs

If you want to save or analyze filtered logs:

  1. Export to Log Analytics: Use diagnostic settings to send logs to a Log Analytics workspace for querying and retention.

  2. Export to Storage: Archive logs for compliance or historical analysis.

  3. Export to Event Hubs: Stream logs to external systems for real-time monitoring.

Best Practices for Using Filters

  1. Start Broad, Then Narrow Down: Begin with broader filters like Subscription or Resource Group, then refine further with Resource or Operation Name.

  2. Save Time with Saved Queries: Save commonly used filters or queries for quick access in future investigations.

  3. Automate Alerts: Use filters as the basis for activity log alerts. For example, alert when a Delete Resource operation occurs in a production resource group.

  4. Combine with Metrics: Cross-reference filtered logs with metrics to get a complete picture of resource performance and usage.
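The "alert when a Delete Resource operation occurs in a production resource group" rule from the best practices above, evaluated in code. This is an added Python example, not Azure's alert engine and not the author's configuration: it models a rule whose criteria (category, resource group, operation name, status) must all match a record, and shows why pinning the status matters, since one deletion is logged as a Started and a Succeeded event that share a correlationId. The records, ids, identities and timestamps are constructed for the example in a simplified shape modelled on the Activity Log REST response.

```python
"""An Activity Log alert rule evaluated in code over constructed records.

Added example, not Azure's alert engine and not the page's own code. It
models an alert whose criteria (category, resource group, operation name,
status) must all match, and shows why the status criterion matters.
Records are CONSTRUCTED in a simplified shape modelled on the Activity Log
REST response; every id and value below is made up for illustration.
"""
from __future__ import annotations

from typing import Any, Callable

SUB = "00000000-0000-0000-0000-000000000001"  # constructed subscription id
VM_DELETE = "Microsoft.Compute/virtualMachines/delete"
VM_WRITE = "Microsoft.Compute/virtualMachines/write"


def _rec(ts: str, op: str, status: str, rg: str, caller: str, corr: str, name: str) -> dict[str, Any]:
    """One constructed Administrative record."""
    return {
        "eventTimestamp": ts,
        "category": {"value": "Administrative"},
        "operationName": {"value": op},
        "status": {"value": status},
        "resourceGroupName": rg,
        "caller": caller,
        "correlationId": corr,
        "resourceId": f"/subscriptions/{SUB}/resourceGroups/{rg}/providers/Microsoft.Compute/virtualMachines/{name}",
    }


# One VM deletion in production is logged as two Administrative events that
# share a correlationId: the Started phase and the Succeeded phase.
SAMPLE_EVENTS = [
    _rec("2024-05-20T10:00:00+00:00", VM_DELETE, "Started", "Production-RG", "admin@example.com", "c-001", "web01"),
    _rec("2024-05-20T10:00:20+00:00", VM_DELETE, "Succeeded", "Production-RG", "admin@example.com", "c-001", "web01"),
    _rec("2024-05-20T10:05:00+00:00", VM_DELETE, "Succeeded", "DevOps-RG", "dev@example.com", "c-002", "build01"),
    _rec("2024-05-20T10:07:00+00:00", VM_WRITE, "Succeeded", "Production-RG", "deploy-sp@example.com", "c-003", "web02"),
]

# Criterion name -> how to read that field from a record.
_FIELDS: dict[str, Callable[[dict[str, Any]], str]] = {
    "category": lambda ev: ev["category"]["value"],
    "resourceGroup": lambda ev: ev["resourceGroupName"],
    "operationName": lambda ev: ev["operationName"]["value"],
    "status": lambda ev: ev["status"]["value"],
    "caller": lambda ev: ev["caller"],
}

# The rule from the text: a delete operation in a production resource group.
# Every entry is a "field equals value" criterion and all of them must match.
DELETE_IN_PROD_RULE = {
    "category": "Administrative",
    "resourceGroup": "Production-RG",
    "operationName": VM_DELETE,
    "status": "Succeeded",
}
# The same rule with the status criterion left out (a common mistake).
DELETE_IN_PROD_ANY_STATUS = {k: v for k, v in DELETE_IN_PROD_RULE.items() if k != "status"}


def matches(rule: dict[str, str], ev: dict[str, Any]) -> bool:
    """True when every criterion equals the record's field (case-insensitive)."""
    return all(_FIELDS[field](ev).casefold() == wanted.casefold() for field, wanted in rule.items())


def evaluate(rule, events):
    """One alert per matching record, carrying what a responder needs first."""
    return [{"when": ev["eventTimestamp"], "who": ev["caller"], "what": ev["operationName"]["value"],
             "resource": ev["resourceId"], "correlationId": ev["correlationId"]}
            for ev in events if matches(rule, ev)]


def evaluate_once_per_operation(rule, events):
    """Like evaluate(), but collapses the phases of one operation (same
    correlationId) into a single alert, for rules that do not pin the status."""
    seen = set()
    alerts = []
    for alert in evaluate(rule, events):
        if alert["correlationId"] not in seen:
            seen.add(alert["correlationId"])
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    print(len(evaluate(DELETE_IN_PROD_RULE, SAMPLE_EVENTS)), "alert(s) with Status = Succeeded")
    print(len(evaluate(DELETE_IN_PROD_ANY_STATUS, SAMPLE_EVENTS)), "alert(s) when status is not pinned")
```

With the status pinned to Succeeded the rule fires once per completed deletion; without it, the same deletion raises two alerts, one for each phase, unless the receiver collapses them on the shared correlationId.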

Limitations

  1. No Data-Plane Events: Activity logs do not capture data-plane operations (e.g., file uploads to a storage account).

  2. Retention: Logs are only retained for 90 days by default unless exported.

Getting Started

  1. Go to Azure Monitor > Activity Log.

  2. Select relevant filters (e.g., Event Categories and Operation Name).

  3. Apply the filters and analyze the results.

  4. Export logs for further analysis or set up alerts based on your filters.

Summary

By effectively leveraging activity log filters, you can quickly identify and analyze events that matter most, saving time and improving operational efficiency.


Rajnish, MCT
