This Blog will give information about creating and configuring diagnostic settings to send Azure platform metrics and logs to different destinations.

Platform logs provide detailed diagnostic and auditing information for Azure resources and the Azure platform they depend on.

  • Resource logs aren’t collected until they’re routed to a destination.
  • Activity logs exist on their own but can be routed to other locations.

Each Azure resource requires its own diagnostic setting, which defines the following criteria:

  • Sources: The type of metric and log data to send to the destinations defined in the setting. The available types vary by resource type.
  • Destinations: One or more destinations to send to.

Note:

  • send data to more than one of a particular destination type (for example, two different Log Analytics workspaces), create multiple settings.
  • Each resource can have up to five diagnostic settings.

Sources for diagnostic

There are three sources for diagnostic information:

  • Metrics
  • Resource logs
  • Activity logs

Metrics

The AllMetrics setting routes a resource’s platform metrics to other destinations. This option might not be present for all resource providers.

Resource logs

With logs, you can select the log categories you want to route individually or choose a category group.

You can use category groups to dynamically collect resource logs based on predefined groupings instead of selecting individual log categories. 

  • All: Every resource log offered by the resource.
  • Audit: All resource logs that record customer interactions with data or the settings of the service.

Note :

  • The “Audit” category is a subset of “All”, but the Azure portal and REST API consider them separate settings. Selecting “All” does collect all audit logs regardless of if the “Audit” category is also selected.
  • Enabling Audit for Azure SQL Database does not enable auditing for Azure SQL Database. To enable database auditing, you have to enable it from the auditing blade for Azure Database

Destinations to send logs

Platform logs and metrics can be sent to the destinations listed in the following table.

  1. Log Analytics workspace – Metrics are converted to log form. This option might not be available for all resource types. 
  2. Azure Storage Account – Archiving logs and metrics to a Storage account is useful for audit, static analysis, or back up. Compared to using Azure Monitor Logs or a Log Analytics workspace, Storage is less expensive.
  3. Azure Event hubs – When you send logs and metrics to Event Hubs, you can stream data to external systems such as third-party SIEMs and other Log Analytics solutions.
  4. Azure monitor partner Integrations – Specialized integrations can be made between Azure Monitor and other non-Microsoft monitoring platforms. Integration is useful when you’re already using one of the partners.

Azure Monitor activity log

  • The Azure Monitor activity log is a platform log  in Azure that provides insight into subscription-level events.
  • The activity log includes information like when a resource is modified or a virtual machine is started.
  • You can view the activity log in the Azure portal or retrieve entries with PowerShell and the Azure CLI.

Note:

  • Entries in the Activity Log are system generated and can’t be changed or deleted.
  • Entries in the Activity Log are representing control plane changes like a virtual machine restart, any non related entries should be written into azure resources log
  • Entries in the Activity Log are typically a result of changes (create, update or delete operations) or an action having been initiated.

Retention period

  • Activity log events are retained in Azure for 90 days and then deleted. 
  • For  longer retention, create a diagnostic setting and route the entries to another location based on your needs.

View the activity log

Monitor menu, the only filter is on the subscription. If you open it from a resource’s menu, the filter is set to that resource. 

Download the activity log

Select Download as CSV to download the events in the current view

View change history

Select the Change history tab to view any changes on the resource up to 30 minutes before and after the time of the operation.

Selecting a change opens the Change history page. This page displays the changes to the resource. In the following example, you can see that the VM changed sizes. 

Other methods to retrieve activity log events

You can also access activity log events by using the following methods:

Send to Log Analytics workspace

Select Export Activity Logs to send the activity log to a Log Analytics workspace.

You can send the activity log from any single subscription to up to five workspaces.

Activity log data in a Log Analytics workspace is stored in a table called AzureActivity that you can retrieve with a  log query in log analytics.

For example, to view a count of activity log records for each category, use the following query:

AzureActivity
| summarize count() by CategoryValue

To retrieve all records in the administrative category, use the following query:

AzureActivity
| where CategoryValue == "Administrative"

Requirements and limitations

Time it takes logs to reach destination

After you set up a diagnostic setting, data should start flowing to your selected destination(s) within 90 minutes.

Metrics as a source

  • Sending multi-dimensional metrics via diagnostic settings isn’t currently supported.
  • Not all metrics are exportable with diagnostic settings.

Destination limitations

Any destinations for the diagnostic setting must be created before you create the diagnostic settings.

The following table provides unique requirements for each destination including any regional restrictions.