We have seen how to send the activity logs generated for a subscription to log analytics workspace. It makes it easy to analyze all the logs at one place.
Let’s see how to collect the resource logs and analyze them using Log Analytics workspace.
Activity Log vs Resource Logs
Activity logs are generated only when somebody is performing some activity on Azure resources, e.g. creating / modifying / deleting the resource itself.
In this article, we will create a demo in which resource logs would be sent to log analytics workspace. We will use key vault as an example, but the steps to enable resource logs on any other resource types are almost the same.
Create Log Analytics Workspace
Login to Azure Portal and search for
log analytics workspaces in the search box provided in top navigation bar. A new panel as shown below will open. Then click on Add button to add a new workspace.
On the Add new workspace panel, provide below inputs:
- Subscription, a valid Azure subscription
- Resource Group, a logical container for the new resource
- Name, a valid name for the new resource
- Region, an Azure region, physical location for the new resource
Then click on Review + Create button. After validation is successful, clikc on Create button to create the resource.
This will select a default pricing tier of Pay-as-you-go which will not incur any changes until you start collecting a sufficient amount of data. There is no charge for collecting the Activity log.
Key Vault: Diagnostic Setting
Login to Azure Portal and open the key vault on which you want to enable resource logs and select Monitoring -> Diagnostic Setting option from left navigation. Then click on Add diagnostic setting option.
NOTE: Although we are using key vault as an example, any type of Azure resource can be used here. The steps to enable diagnostic settings are almost the same
Then, provide below information on the new diagnostic setting panel:
- Name, a valid name for this setting
- Category details, select both check boxes under logs and metrics
- Destination Details, select send to log analytics option. In the same section provide a valid
log analytics workspacewhich was created for this purpose.
Then hit the Save button.
Viewing the resource logs
Then in the query editor run the query
AzureDiagnostics to see the audit events. The service shown in the example writes resource logs to the AzureDiagnostics table, but other services may write to other tables.
For more information, See Supported services, schemas, and categories for Azure Resource Logs for tables used by different Azure services.
For your information about log queries, see Get started with log queries in Azure Monitor for a tutorial on writing log queries.
I hope you enjoyed this article. Let me know your thoughts.