Learn how to use the Azure Activity Log


Using the Azure Activity Log effectively involves accessing, filtering, analyzing, and exporting the data to meet your monitoring and auditing needs. Here’s a step-by-step guide:

Access the Activity Log

  1. Azure Portal:

    • Navigate to the Azure Portal.

    • Open the Monitor service from the left-hand menu or search for "Monitor" in the search bar.

    • Select Activity Log under the Monitoring section.

  2. Azure CLI:

    • Use the az monitor activity-log commands to fetch and filter logs.

  3. Azure PowerShell:

    • Use the Get-AzLog cmdlet to retrieve activity log data.

  4. Azure REST API:

    • Fetch activity logs programmatically via the Azure Monitor REST API.

Filter and Search Logs

In the Azure Portal, use the filters at the top of the Activity Log page to narrow down results by:

  1. Subscription: Select the Azure subscription you want to analyze.

  2. Resource Group: Focus on logs for a specific resource group.

  3. Event Category: Choose categories like Administrative, Policy, or Security.

  4. Date Range: Specify the time period for logs.

  5. Resource Type: Filter by resource type (e.g., Virtual Machines, Storage Accounts).

  6. Operation Name: Search for specific actions (e.g., Create, Delete).

  7. Status: Filter events by success or failure.

Analyze Logs

  1. View Log Details: Click on any event in the Activity Log to see detailed information, including:

    • Operation Name: Action performed (e.g., resource deletion).

    • Caller: The user or service principal who performed the action.

    • Timestamp: When the action occurred.

    • Status: Success or failure.

  2. Root Cause Analysis: Use logs to investigate issues like unexpected resource deletions or failures in deployment.

  3. Compliance Checks: Review policy compliance or identify unauthorized changes.

Create Alerts for Activity Logs

Set up alerts to notify you of critical actions, such as resource deletions or role assignments.

  1. Go to Monitor > Alerts > New Alert Rule.

  2. Define the scope by selecting a subscription or resource group.

  3. Choose Activity Log as the signal type.

  4. Set conditions (e.g., when an operation equals "Delete").

  5. Define actions (e.g., send an email or invoke an Azure Function).

  6. Save and enable the alert rule.
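The same condition, expressed as detection logic rather than a portal rule, is shown in this added example (not code from the original article). It walks activity-log events, keeps succeeded Administrative deletions and role assignments, and reports the caller, timestamp and resource described under "Analyze Logs" above. The event field names are assumed to follow the `az monitor activity-log list` output, and the sample events are constructed.

```python
import json
from datetime import datetime

# Constructed sample events in the shape returned by `az monitor activity-log list`
# (assumed field names; these are not real log records).
SAMPLE_EVENTS = json.loads("""[
 {"caller": "alice@example.com", "eventTimestamp": "2024-05-01T10:00:00Z",
  "category": {"value": "Administrative"}, "status": {"value": "Succeeded"},
  "operationName": {"value": "Microsoft.Compute/virtualMachines/delete"},
  "resourceId": "/subscriptions/sub-id/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1",
  "httpRequest": {"clientIpAddress": "203.0.113.10"}},
 {"caller": "alice@example.com", "eventTimestamp": "2024-05-01T10:05:00Z",
  "category": {"value": "Administrative"}, "status": {"value": "Succeeded"},
  "operationName": {"value": "Microsoft.Compute/virtualMachines/write"},
  "resourceId": "/subscriptions/sub-id/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm2"},
 {"caller": "svc-principal-id", "eventTimestamp": "2024-05-01T11:00:00Z",
  "category": {"value": "Administrative"}, "status": {"value": "Succeeded"},
  "operationName": {"value": "Microsoft.Authorization/roleAssignments/write"},
  "resourceId": "/subscriptions/sub-id/providers/Microsoft.Authorization/roleAssignments/ra1"},
 {"caller": "bob@example.com", "eventTimestamp": "2024-05-01T12:00:00Z",
  "category": {"value": "Administrative"}, "status": {"value": "Failed"},
  "operationName": {"value": "Microsoft.Storage/storageAccounts/delete"},
  "resourceId": "/subscriptions/sub-id/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/sa1"}
]""")

def is_critical(op_name):
    """True for resource deletions and RBAC role assignments (case-insensitive)."""
    op = op_name.lower()
    return op.endswith("/delete") or op == "microsoft.authorization/roleassignments/write"

def find_critical_events(events, since=None):
    """Return succeeded Administrative deletes/role assignments; 'since' is an optional ISO-8601 cutoff."""
    # Activity Log timestamps are UTC ISO-8601 with a trailing "Z".
    cutoff = datetime.fromisoformat(since.replace("Z", "+00:00")) if since else None
    hits = []
    for ev in events:
        op = ev.get("operationName", {}).get("value", "")
        if ev.get("category", {}).get("value") != "Administrative":
            continue
        if ev.get("status", {}).get("value") != "Succeeded" or not is_critical(op):
            continue
        ts = datetime.fromisoformat(ev["eventTimestamp"].replace("Z", "+00:00"))
        if cutoff is not None and ts < cutoff:
            continue
        # Keep the fields an analyst needs first: who, when, what, and on which resource.
        hits.append({"time": ts.isoformat(), "caller": ev.get("caller"), "operation": op,
                     "resourceId": ev.get("resourceId"),
                     "callerIp": ev.get("httpRequest", {}).get("clientIpAddress")})
    return hits
```

Failed attempts are skipped here to mirror the alert rule; drop the status check to include them when reviewing for unauthorized activity.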

Export Activity Logs

For long-term storage or integration with other systems:

  1. Export to Log Analytics:

    • Navigate to the resource or subscription you want to monitor.

    • Go to Diagnostic Settings.

    • Add a new setting and select Send to Log Analytics.

    • Use KQL (Kusto Query Language) to query logs in Log Analytics.

  2. Export to Event Hubs:

    • Stream logs to external systems or third-party tools for real-time processing.

  3. Export to Storage Accounts:

    • Archive logs for long-term retention and compliance.

Use Advanced Tools

  1. Log Analytics:

    • Query logs stored in Log Analytics using KQL for deeper insights.

  2. Workbooks:

    • Build custom visualizations and reports for activity log data.

  3. Azure Sentinel:

    • Ingest activity logs into Sentinel for security and threat analysis.

  4. Power BI:

    • Export logs and visualize them for presentations and trend analysis.

Common Use Cases

  1. Track Resource Changes: Identify who created, deleted, or modified resources.

  2. Audit and Compliance: Ensure all actions align with governance policies.

  3. Troubleshoot Issues: Investigate failed deployments or unauthorized actions.

  4. Monitor Security: Detect suspicious or anomalous administrative actions.

  5. Set Alerts: Proactively respond to critical events.

Best Practices

  1. Regular Monitoring: Review logs periodically to ensure normal operations.

  2. Set Alerts for Key Events: Focus on high-priority events like policy violations or resource deletions.

  3. Export for Retention: Use export options for retaining logs beyond the default 90-day limit.

  4. Use Dimensions for Filtering: Leverage filters like Resource Type or Operation Name for targeted queries.

  5. Integrate with Security Tools: Feed activity logs into Azure Sentinel or third-party SIEM systems for advanced threat detection.

Troubleshooting Tips

  1. Missing Logs: Ensure the diagnostic settings are configured properly for the resources in question.

  2. High Costs: Optimize log exports to avoid unnecessary data ingestion.

  3. Complex Queries: Use KQL samples from Microsoft documentation as a starting point for advanced log analysis.

Getting Started

  1. Open Monitor > Activity Log in the Azure Portal.

  2. Explore the built-in filtering options.

  3. Set up alerts or diagnostic settings to automate monitoring and export.

  4. Integrate with tools like Log Analytics, Sentinel, or Power BI for deeper insights.

Summary

Azure Activity Logs are invaluable for maintaining visibility and control over your Azure resources, helping you ensure compliance, detect issues, and maintain operational excellence.

Rajnish, MCT