Common and service-specific schema for Azure Resource Logs

Note

Resource logs were previously known as diagnostic logs. The name was changed in October 2019 as the types of logs gathered by Azure Monitor shifted to include more than just the Azure resource. Also, the list of resource log categories you can collect used to be listed in this article. They are now at Resource log categories.

Azure Monitor resource logs are logs emitted by Azure services that describe the operation of those services or resources. All resource logs available through Azure Monitor share a common top-level schema, with flexibility for each service to emit unique properties for their own events.

The combination of the resource type (available in the resourceId property) and the category uniquely identifies a schema. This article describes the top-level schema for resource logs and links to the schemata for each service.

Top-level common schema

| Name | Required/Optional | Description |
|---|---|---|
| time | Required | The timestamp (UTC) of the event. |
| resourceId | Required | The resource ID of the resource that emitted the event. For tenant services, this is of the form /tenants/tenant-id/providers/provider-name. |
| tenantId | Required for tenant logs | The tenant ID of the Active Directory tenant that this event is tied to. This property is only used for tenant-level logs; it does not appear in resource-level logs. |
| operationName | Required | The name of the operation represented by this event. If the event represents an Azure RBAC operation, this is the Azure RBAC operation name (for example, Microsoft.Storage/storageAccounts/blobServices/blobs/Read). Operation names are typically modeled in the form of a Resource Manager operation (Microsoft.<providerName>/<resourceType>/<subtype>/<Write/Read/Delete/Action>), even if they are not actual documented Resource Manager operations. |
| operationVersion | Optional | The api-version associated with the operation, if the operationName was performed using an API (for example, http://myservice.windowsazure.net/object?api-version=2016-06-01). If there is no API that corresponds to this operation, the version represents the version of that operation in case the properties associated with the operation change in the future. |
| category | Required | The log category of the event. Category is the granularity at which you can enable or disable logs on a particular resource. The properties that appear within the properties blob of an event are the same within a particular log category and resource type. Typical log categories are "Audit," "Operational," "Execution," and "Request." |
| resultType | Optional | The status of the event. Typical values include Started, In Progress, Succeeded, Failed, Active, and Resolved. |
| resultSignature | Optional | The sub status of the event. If this operation corresponds to a REST API call, this field is the HTTP status code of the corresponding REST call. |
| resultDescription | Optional | The static text description of this operation, for example "Get storage file." |
| durationMs | Optional | The duration of the operation in milliseconds. |
| callerIpAddress | Optional | The caller IP address, if the operation corresponds to an API call that would come from an entity with a publicly available IP address. |
| correlationId | Optional | A GUID used to group together a set of related events. Typically, if two events have the same operationName but two different statuses (for example "Started" and "Succeeded"), they share the same correlation ID. This may also represent other relationships between events. |
| identity | Optional | A JSON blob that describes the identity of the user or application that performed the operation. Typically this field includes the authorization and claims / JWT token from Active Directory. |
| Level | Optional | The severity level of the event. Must be one of Informational, Warning, Error, or Critical. |
| location | Optional | The region of the resource emitting the event, for example "East US" or "France South." |
| properties | Optional | Any extended properties related to this particular category of events. All custom/unique properties must be put inside this "Part B" of the schema. |
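
The following Python is an added example, not part of the original article or any Microsoft code: it checks records against the required fields in the table above and derives the (resource type, category) pair that identifies a schema. The resource-ID parsing rule, the lower-casing of the key, the function names, and the sample records are assumptions constructed for illustration.

```python
import json

REQUIRED = ("time", "resourceId", "operationName", "category")
LEVELS = {"Informational", "Warning", "Error", "Critical"}

def resource_type(resource_id):
    """'namespace/type[/subtype]' from a resource ID; provider name alone for tenant IDs."""
    parts = [p for p in resource_id.split("/") if p]
    lowered = [p.lower() for p in parts]  # assumption: compare IDs case-insensitively
    if "providers" not in lowered:
        raise ValueError("resourceId has no providers segment")
    last = len(lowered) - 1 - lowered[::-1].index("providers")
    tail = lowered[last + 1:]  # [namespace, type, name, subtype, name, ...]
    if not tail:
        raise ValueError("resourceId has no provider name")
    return "/".join(tail[:1] + tail[1::2])

def check_record(rec):
    """Return (schema_key, problems); schema_key is (resource type, category) or None."""
    problems = ["missing " + k for k in REQUIRED if not rec.get(k)]
    rid = rec.get("resourceId") or ""
    if rid.lower().startswith("/tenants/") and not rec.get("tenantId"):
        problems.append("tenant log without tenantId")
    if "Level" in rec and rec["Level"] not in LEVELS:
        problems.append("unexpected Level %r" % rec["Level"])
    key = None
    if rid and rec.get("category"):
        try:
            key = (resource_type(rid), rec["category"])
        except ValueError as err:
            problems.append(str(err))
    return key, problems

# Constructed sample records (not real log data), one JSON object per line.
SAMPLE = """\
{"time": "2024-01-01T00:00:00Z", "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/RG-DEMO/PROVIDERS/MICROSOFT.STORAGE/STORAGEACCOUNTS/DEMOACCT/BLOBSERVICES/DEFAULT", "operationName": "Microsoft.Storage/storageAccounts/blobServices/blobs/Read", "category": "Request", "Level": "Informational"}
{"time": "2024-01-01T00:00:01Z", "resourceId": "/tenants/11111111-1111-1111-1111-111111111111/providers/Example.Provider", "operationName": "Example operation", "category": "Audit", "Level": "Verbose"}
{"time": "2024-01-01T00:00:02Z", "operationName": "Example operation", "category": "Operational"}
"""

def check_lines(text):
    """Check every non-empty JSON line and return the list of (key, problems)."""
    return [check_record(json.loads(line)) for line in text.splitlines() if line.strip()]

if __name__ == "__main__":
    for key, problems in check_lines(SAMPLE):
        print(key, problems)
```

Records that fail these checks are worth routing to a quarantine table rather than dropping, since a missing resourceId or tenantId breaks the schema lookup that downstream parsing of the properties blob depends on.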

Service-specific schemas

The schema for resource logs varies depending on the resource and log category. This list shows services that make available resource logs and links to the service and category-specific schema where available. This list is changing all the time as new services are added, so if you don't see what you need below, use a search engine to discover additional documentation. Feel free to open a GitHub issue on this article so we can update it.

| Service | Schema & Docs |
|---|---|
| Azure Active Directory | Overview, Audit log schema and Sign-ins schema |
| Analysis Services | Azure Analysis Services - Setup diagnostic logging |
| API Management | API Management Resource Logs |
| App Service | App Service Logs |
| Application Gateways | Logging for Application Gateway |
| Azure Automation | Log analytics for Azure Automation |
| Azure Batch | Azure Batch logging |
| Cognitive Services | Logging for Azure Cognitive Services |
| Container Instances | Logging for Azure Container Instances |
| Container Registry | Logging for Azure Container Registry |
| Content Delivery Network | Azure Logs for CDN |
| CosmosDB | Azure Cosmos DB Logging |
| Data Factory | Monitor Data Factories using Azure Monitor |
| Data Lake Analytics | Accessing logs for Azure Data Lake Analytics |
| Data Lake Store | Accessing logs for Azure Data Lake Store |
| Azure Data Explorer | Azure Data Explorer logs |
| Azure Database for MySQL | Azure Database for MySQL diagnostic logs |
| Azure Database for PostgreSQL | Azure Database for PostgreSQL logs |
| Azure Databricks | Diagnostic logging in Azure Databricks |
| Azure Machine Learning | Diagnostic logging in Azure Machine Learning |
| DDoS Protection | Logging for Azure DDoS Protection Standard |
| Azure Digital Twins | Set up Azure Digital Twins Diagnostics |
| Event Hubs | Azure Event Hubs logs |
| Express Route | Schema not available. |
| Azure Firewall | Logging for Azure Firewall |
| Front Door | Logging for Front Door |
| IoT Hub | IoT Hub Operations |
| Key Vault | Azure Key Vault Logging |
| Kubernetes Service | Azure Kubernetes Logging |
| Load Balancer | Log analytics for Azure Load Balancer |
| Logic Apps | Logic Apps B2B custom tracking schema |
| Media Services | Media services monitoring schemas |
| Network Security Groups | Log analytics for network security groups (NSGs) |
| Power BI Dedicated | Logging for Power BI Embedded in Azure |
| Recovery Services | Data Model for Azure Backup |
| Search | Enabling and using Search Traffic Analytics |
| Service Bus | Azure Service Bus logs |
| SQL Database | Azure SQL Database logging |
| Stream Analytics | Job logs |
| Storage | Blobs, Files, Queues, Tables |
| Traffic Manager | Traffic Manager Log schema |
| Virtual Networks | Schema not available. |
| Virtual Network Gateways | Schema not available. |

Next Steps