
Analyze activity logs using Azure log analytics

In the last article, we covered some basic terms of the Azure Monitor service. In this article, we will build a demo based on Azure Monitor.

What do we want to achieve?

The Activity log is an Azure platform log that provides insight into subscription-level events. For example, if a virtual machine is created by one user in a subscription and later modified by another user in the same subscription, both events are recorded in the activity log.

This activity log can be viewed in the Azure Portal, or retrieved using PowerShell or the Azure CLI.

In this demo, let's see how the activity log for all activities inside a subscription can be sent to a Log Analytics workspace, where the logs can then be analyzed using log queries.

Let’s begin.

Create Log Analytics Workspace

Log in to the Azure Portal and search for Log Analytics workspaces in the search box in the top navigation bar. A panel like the one shown below will open. Click the Add button to add a new workspace.

Azure Portal: Log Analytics workspaces

On the Add new workspace panel, provide the following inputs:

  • Subscription, a valid Azure subscription
  • Resource Group, a logical container for the new resource
  • Name, a valid name for the new resource
  • Region, the Azure region (physical location) for the new resource

Then click the Review + Create button. After validation succeeds, click the Create button to create the resource.

Azure Portal: Create Log Analytics Workspace

This selects the default pricing tier, Pay-as-you-go, which will not incur any charges until you start collecting a sufficient amount of data. There is no charge for collecting the Activity log.

Monitoring: Diagnostic Setting

Now, in the Azure Portal, search for Monitor to open Azure Monitor, then select Activity Log from the left navigation of Monitor.

Azure Portal: Add diagnostic setting in monitor

On the new panel, click the Add diagnostic setting link. A new panel opens; on it, provide the following inputs:

  • Diagnostic setting name, a valid name for the setting, e.g. Send to Log Analytics
  • Destination details, select Send logs to Analytics
  • Subscription, a valid Azure subscription
  • Log analytics workspace, the workspace we created in the previous step

Make sure that all the categories are selected; events from any category left unselected never reach the workspace.

Azure Portal: Send to log analytics diagnostic settings
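The same two steps, creating the workspace and the subscription-level diagnostic setting with every activity log category enabled, can be scripted so that the configuration is repeatable and reviewable. The following is an added example written for this article with the Az PowerShell module; it is not code from the original post. It assumes the Az.Accounts, Az.Resources, Az.OperationalInsights and Az.Monitor (3.0 or later, which is where the subscription diagnostic setting cmdlets live) modules are installed, that Connect-AzAccount has already been run against the target subscription, and that the resource group, workspace and region names are placeholders you replace.

```powershell
# Added example (not from the original article): create the Log Analytics workspace and the
# Activity Log diagnostic setting with the Az PowerShell module instead of the portal.
# Assumes Az.Accounts, Az.Resources, Az.OperationalInsights and Az.Monitor >= 3.0, and a prior Connect-AzAccount.
$ResourceGroup = 'rg-monitoring-demo'     # placeholder name
$Workspace     = 'law-activity-demo'      # placeholder name
$Location      = 'eastus'                 # placeholder region
$SettingName   = 'Send to Log Analytics'  # same name the article uses in the portal

# 1. Resource group and workspace (Pay-as-you-go tier is 'PerGB2018'; retention 30 days)
New-AzResourceGroup -Name $ResourceGroup -Location $Location -Force | Out-Null
$law = New-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $Workspace `
          -Location $Location -Sku 'PerGB2018' -RetentionInDays 30

# 2. One enabled log setting per Activity Log category, so nothing is left unselected
$categories = 'Administrative', 'Security', 'ServiceHealth', 'Alert',
              'Recommendation', 'Policy', 'Autoscale', 'ResourceHealth'
$logSettings = foreach ($c in $categories) {
    New-AzDiagnosticSettingSubscriptionLogSettingsObject -Category $c -Enabled $true
}

# 3. The subscription-level diagnostic setting that streams the Activity Log into the workspace
New-AzSubscriptionDiagnosticSetting -Name $SettingName -WorkspaceId $law.ResourceId -Log $logSettings | Out-Null

# 4. Verify the result: every category should show Enabled = True
(Get-AzSubscriptionDiagnosticSetting -Name $SettingName).Log |
    Select-Object Category, Enabled |
    Format-Table -AutoSize
```

The verification step at the end is the one worth keeping around: a diagnostic setting that silently lost a category (for example after someone edited it in the portal) looks healthy until an event from that category is missing during an investigation, so listing the enabled categories is a cheap periodic check.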

Verification

Note that the diagnostic setting above sends only new activity log entries to the workspace; entries written before the setting existed are not sent.

Hence, to test this, you should perform some activities in your subscription.

Once you have performed some activities and want to analyze the logs in the workspace, search for Monitor in the top navigation search box again and select Logs from the left navigation.

A new panel opens asking you to select the scope. Select the Log Analytics workspace created for this demo from the appropriate resource group. The example queries popup may open; it provides many examples grouped by Azure resource type. Close it for now.

In the query editor, write the following query, as shown below:

AzureActivity | summarize count() by CategoryValue

Click the Run button and you will see the activity log summary, one row per category with the number of entries in it.

Azure Portal: View the activity logs using Log Analytics workspace

Log queries in Log Analytics are written in the Kusto Query Language (KQL). Curious minds can refer to the KQL documentation.

Now you can create log queries and save them for re-execution whenever you want to analyze activity logs. We can also create alerts based on this data, but let's cover that in another article.
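The article's summary query is the natural starting point, but the same workspace also answers the questions a defender asks of an activity log: who changed or deleted what, from which address, and how often those attempts failed. The following is an added example, not code from the original article, that runs the article's query and one such follow-up query against the workspace from PowerShell. It assumes the Az.OperationalInsights module is installed, Connect-AzAccount has been run, and the workspace GUID is a placeholder you replace with the Customer ID shown on the workspace's overview page; the AzureActivity column names used (CategoryValue, OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress) are those of the current AzureActivity table schema.

```powershell
# Added example (not from the original article): run KQL against the workspace from PowerShell.
# Assumes Az.OperationalInsights and a prior Connect-AzAccount; $WorkspaceId is the workspace Customer ID.
$WorkspaceId = '00000000-0000-0000-0000-000000000000'   # placeholder GUID, replace before running

# Query 1: the article's query, limited to the last day, entries per category
$summary = @'
AzureActivity
| where TimeGenerated > ago(1d)
| summarize Entries = count() by CategoryValue
| order by Entries desc
'@

# Query 2: a defender's view of the Administrative category: write and delete operations
# grouped by the identity and source address that issued them, with the failed attempts
# counted separately. A caller with many failures is worth a look (misconfigured automation
# or an account probing permissions it does not have).
$writes = @'
AzureActivity
| where TimeGenerated > ago(1d)
| where CategoryValue == "Administrative"
| where OperationNameValue endswith "/WRITE" or OperationNameValue endswith "/DELETE"
| summarize Operations = count(),
            Failed = countif(ActivityStatusValue in ("Failure", "Failed")),
            Resources = dcount(_ResourceId)
          by Caller, CallerIpAddress
| order by Failed desc, Operations desc
'@

foreach ($q in $summary, $writes) {
    # Invoke-AzOperationalInsightsQuery returns an object whose .Results holds one row per record
    $r = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $q
    $r.Results | Format-Table -AutoSize
}
```

Both queries can be pasted unchanged into the portal's query editor; wrapping them in a script is what makes them reusable from a scheduled job, and the second query is the shape of thing that later becomes an alert rule.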

I hope you liked this article. Let me know your thoughts.
