Common and service-specific schemas for Azure resource logs

Note

Resource logs were previously known as diagnostic logs. The name was changed in October 2019 as the types of logs gathered by Azure Monitor shifted to include more than just the Azure resource.

This article used to list resource log categories that you can collect. That list is now at Resource log categories.

Azure Monitor resource logs are logs emitted by Azure services that describe the operation of those services or resources. All resource logs available through Azure Monitor share a common top-level schema. Each service has the flexibility to emit unique properties for its own events.

The combination of the resource type (available in the resourceId property) and the category uniquely identifies a schema. This article describes the top-level schema for resource logs and links to the schemas for each service.

Top-level common schema

Note

The schema described here is valid when resource logs are sent to Azure storage or to an event hub. When the logs are sent to a Log Analytics workspace, the column names may be different. See Standard columns in Azure Monitor Logs for columns common to all tables in a Log Analytics workspace and Azure Monitor data reference for a reference of different tables.

| Name | Required or optional | Description |
|---|---|---|
| time | Required | The timestamp (UTC) of the event. |
| resourceId | Required | The resource ID of the resource that emitted the event. For tenant services, this is of the form /tenants/tenant-id/providers/provider-name. |
| tenantId | Required for tenant logs | The tenant ID of the Active Directory tenant that this event is tied to. This property is used only for tenant-level logs. It does not appear in resource-level logs. |
| operationName | Required | The name of the operation that this event represents. If the event represents an Azure role-based access control (RBAC) operation, this is the Azure RBAC operation name (for example, Microsoft.Storage/storageAccounts/blobServices/blobs/Read). This name is typically modeled in the form of an Azure Resource Manager operation, even if it's not a documented Resource Manager operation: (Microsoft.<providerName>/<resourceType>/<subtype>/<Write/Read/Delete/Action>). |
| operationVersion | Optional | The API version associated with the operation, if operationName was performed through an API (for example, http://myservice.windowsazure.net/object?api-version=2016-06-01). If no API corresponds to this operation, the version represents the version of that operation in case the properties associated with the operation change in the future. |
| category | Required | The log category of the event. Category is the granularity at which you can enable or disable logs on a particular resource. The properties that appear within the properties blob of an event are the same within a particular log category and resource type. Typical log categories are Audit, Operational, Execution, and Request. |
| resultType | Optional | The status of the event. Typical values include Started, In Progress, Succeeded, Failed, Active, and Resolved. |
| resultSignature | Optional | The substatus of the event. If this operation corresponds to a REST API call, this field is the HTTP status code of the corresponding REST call. |
| resultDescription | Optional | The static text description of this operation; for example, Get storage file. |
| durationMs | Optional | The duration of the operation in milliseconds. |
| callerIpAddress | Optional | The caller IP address, if the operation corresponds to an API call that would come from an entity with a publicly available IP address. |
| correlationId | Optional | A GUID that's used to group together a set of related events. Typically, if two events have the same operationName value but two different statuses (for example, Started and Succeeded), they share the same correlationID value. This might also represent other relationships between events. |
| identity | Optional | A JSON blob that describes the identity of the user or application that performed the operation. Typically, this field includes the authorization and claims or JWT token from Active Directory. |
| Level | Optional | The severity level of the event. Must be one of Informational, Warning, Error, or Critical. |
| location | Optional | The region of the resource emitting the event; for example, East US or France South. |
| properties | Optional | Any extended properties related to this category of events. All custom or unique properties must be put inside this "Part B" of the schema. |
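
The following added example (not part of the original article) checks records against the common top-level schema and derives the (resource type, category) pair that identifies a service-specific schema. The sample records, the provider name Example.Provider, and the function names are assumptions made for illustration.

```python
import json

REQUIRED = ("time", "resourceId", "operationName", "category")
LEVELS = {"Informational", "Warning", "Error", "Critical"}

def resource_type(resource_id):
    """Resource type from an ID: namespace plus type segments after the last 'providers'."""
    parts = [p for p in resource_id.split("/") if p]
    # Resource IDs are case-insensitive, so compare and return them lower-cased.
    lowered = [p.lower() for p in parts]
    if "providers" not in lowered:
        return None
    start = len(lowered) - lowered[::-1].index("providers")
    tail = lowered[start:]  # [namespace, type, name, subtype, name, ...]
    if not tail:
        return None
    return "/".join([tail[0]] + tail[1::2])

def check_record(rec):
    """Return ((resource_type, category), problems) for one common-schema record."""
    problems = [f"missing required field: {f}" for f in REQUIRED if not rec.get(f)]
    rid = rec.get("resourceId") or ""
    # Tenant services use /tenants/<tenant-id>/providers/<provider-name>.
    if rid.lower().startswith("/tenants/") and not rec.get("tenantId"):
        problems.append("tenant-level log without tenantId")
    level = rec.get("Level")
    if level is not None and level not in LEVELS:
        problems.append(f"invalid Level: {level!r}")
    return (resource_type(rid), rec.get("category")), problems

# Constructed sample records, one JSON object per line (not real log data).
SAMPLE = """
{"time": "2021-01-01T00:00:00Z", "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/RG-EXAMPLE/PROVIDERS/MICROSOFT.STORAGE/STORAGEACCOUNTS/STEXAMPLE/BLOBSERVICES/DEFAULT", "operationName": "Microsoft.Storage/storageAccounts/blobServices/blobs/Read", "category": "Audit", "Level": "Informational"}
{"time": "2021-01-01T00:00:05Z", "resourceId": "/tenants/11111111-1111-1111-1111-111111111111/providers/Example.Provider", "category": "Audit", "Level": "Verbose"}
"""

def check_all(text):
    """Check every non-empty line of newline-delimited JSON records."""
    return [check_record(json.loads(line)) for line in text.splitlines() if line.strip()]

if __name__ == "__main__":
    for key, problems in check_all(SAMPLE):
        print(key, problems or "ok")
```

Records that fail these checks are worth routing to a quarantine path rather than dropping, so that a malformed or truncated audit event is still available to an investigation.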

Service-specific schemas

The schema for resource logs varies depending on the resource and log category. The following list shows Azure services that make available resource logs and links to the service and category-specific schemas (where available). The list changes as new services are added. If you don't see what you need, feel free to open a GitHub issue on this article so we can update it.

| Service or feature | Schema and documentation |
|---|---|
| Azure Active Directory | Overview, Audit log schema, Sign-ins schema |
| Azure Analysis Services | Azure Analysis Services: Set up diagnostic logging |
| Azure API Management | API Management resource logs |
| Azure App Service | App Service logs |
| Azure Application Gateway | Logging for Application Gateway |
| Azure Automation | Log Analytics for Azure Automation |
| Azure Batch | Azure Batch logging |
| Azure Cognitive Search | Cognitive Search monitoring data reference (schemas) |
| Azure Cognitive Services | Logging for Azure Cognitive Services |
| Azure Container Instances | Logging for Azure Container Instances |
| Azure Container Registry | Logging for Azure Container Registry |
| Azure Content Delivery Network | Diagnostic logs for Azure Content Delivery Network |
| Azure Cosmos DB | Azure Cosmos DB logging |
| Azure Data Explorer | Azure Data Explorer logs |
| Azure Data Factory | Monitor Data Factory by using Azure Monitor |
| Azure Data Lake Analytics | Accessing logs for Azure Data Lake Analytics |
| Azure Data Lake Storage | Accessing logs for Azure Data Lake Storage |
| Azure Database for MySQL | Azure Database for MySQL diagnostic logs |
| Azure Database for PostgreSQL | Azure Database for PostgreSQL logs |
| Azure Databricks | Diagnostic logging in Azure Databricks |
| Azure DDoS Protection | Logging for Azure DDoS Protection Standard |
| Azure Digital Twins | Set up Azure Digital Twins diagnostics |
| Azure Event Hubs | Azure Event Hubs logs |
| Azure ExpressRoute | Monitoring Azure ExpressRoute |
| Azure Firewall | Logging for Azure Firewall |
| Azure Front Door | Logging for Azure Front Door |
| Azure IoT Hub | IoT Hub operations |
| Azure IoT Hub Device Provisioning Service | Device Provisioning Service operations |
| Azure Key Vault | Azure Key Vault logging |
| Azure Kubernetes Service | Azure Kubernetes Service logging |
| Azure Load Balancer | Log Analytics for Azure Load Balancer |
| Azure Load Testing | Azure Load Testing logs |
| Azure Logic Apps | Logic Apps B2B custom tracking schema |
| Azure Machine Learning | Diagnostic logging in Azure Machine Learning |
| Azure Media Services | Media Services monitoring schemas |
| Network security groups | Log Analytics for network security groups (NSGs) |
| Azure Power BI Embedded | Logging for Power BI Embedded in Azure |
| Recovery Services | Data model for Azure Backup |
| Azure Service Bus | Azure Service Bus logs |
| Azure SQL Database | Azure SQL Database logging |
| Azure Storage | Blobs, Files, Queues, Tables |
| Azure Stream Analytics | Job logs |
| Azure Traffic Manager | Traffic Manager log schema |
| Azure Video Indexer | Monitor Azure Video Indexer data reference |
| Azure Virtual Network | Schema not available |
| Virtual network gateways | Logging for Virtual Network Gateways |
