View and retrieve Azure Activity log events

The Azure Activity Log provides insight into subscription-level events that have occurred in Azure. This article provides details on different methods for viewing and retrieving Activity Log events.

Azure portal

View the Activity Log for all resources from the Monitor menu in the Azure portal. View the Activity Log for a particular resource from the Activity Log option in that resource's menu.

View Activity Log

You can filter Activity Log events by the following fields:

  • Timespan: The start and end time for events.
  • Category: The event category as described in Categories in the Activity Log.
  • Subscription: One or more Azure subscription names.
  • Resource group: One or more resource groups within the selected subscriptions.
  • Resource (name): The name of a specific resource.
  • Resource type: The type of resource, for example Microsoft.Compute/virtualmachines.
  • Operation name: The name of an Azure Resource Manager operation, for example Microsoft.SQL/servers/Write.
  • Severity: The severity level of the event. Available values are Informational, Warning, Error, Critical.
  • Event initiated by: The user who performed the operation.
  • Open search: Open text search box that searches for that string across all fields in all events.

Categories in the Activity log

Each event in the Activity Log has a particular category. The categories are described below. For full details on the schemata of these categories, see Azure Activity Log event schema.

  • Administrative: Contains the record of all create, update, delete, and action operations performed through Resource Manager. Examples of Administrative events include create virtual machine and delete network security group. Every action taken by a user or application using Resource Manager is modeled as an operation on a particular resource type. If the operation type is Write, Delete, or Action, the records of both the start and success or fail of that operation are recorded in the Administrative category. Administrative events also include any changes to role-based access control in a subscription.
  • Service Health: Contains the record of any service health incidents that have occurred in Azure. An example of a Service Health event is SQL Azure in East US is experiencing downtime. Service Health events come in six varieties: Action Required, Assisted Recovery, Incident, Maintenance, Information, or Security. These events are only created if you have a resource in the subscription that would be impacted by the event.
  • Resource Health: Contains the record of any resource health events that have occurred to your Azure resources. An example of a Resource Health event is Virtual Machine health status changed to unavailable. Resource Health events can represent one of four health statuses: Available, Unavailable, Degraded, and Unknown. Additionally, Resource Health events can be categorized as being Platform Initiated or User Initiated.
  • Alert: Contains the record of activations for Azure alerts. An example of an Alert event is CPU % on myVM has been over 80 for the past 5 minutes.
  • Autoscale: Contains the record of any events related to the operation of the autoscale engine based on any autoscale settings you have defined in your subscription. An example of an Autoscale event is Autoscale scale up action failed.
  • Recommendation: Contains recommendation events from Azure Advisor.
  • Security: Contains the record of any alerts generated by Azure Security Center. An example of a Security event is Suspicious double extension file executed.
  • Policy: Contains records of all effect action operations performed by Azure Policy. Examples of Policy events include Audit and Deny. Every action taken by Policy is modeled as an operation on a resource.
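
Added example, not part of the original article or Microsoft's code: the start and success-or-fail records described for the Administrative category, collapsed in Python into one row per operation, with role-based access control changes listed first. The events are constructed, and both the grouping key (correlationId plus operation name) and the nested value fields are assumptions about the JSON that az monitor activity-log list returns.

```python
from collections import defaultdict

def ev(cid, op, status, cat="Administrative", caller="myname@company.com"):
    """Build one constructed event with only the fields this example reads."""
    return {"correlationId": cid, "caller": caller, "category": {"value": cat},
            "operationName": {"value": op}, "status": {"value": status}}

# Constructed sample, shaped like `az monitor activity-log list` JSON output.
SAMPLE = [
    ev("c-1", "Microsoft.Authorization/roleAssignments/write", "Started"),
    ev("c-1", "Microsoft.Authorization/roleAssignments/write", "Succeeded"),
    ev("c-2", "Microsoft.Compute/virtualMachines/write", "Started"),
    ev("c-2", "Microsoft.Compute/virtualMachines/write", "Failed"),
    ev("c-3", "Microsoft.Network/networkSecurityGroups/delete", "Started"),
    ev("c-4", "Microsoft.ServiceHealth/incident/action", "Active", cat="ServiceHealth"),
]

RBAC_PREFIX = "microsoft.authorization/role"  # roleAssignments and roleDefinitions

def summarize(events):
    """Collapse the start/success/fail records of each Administrative operation."""
    ops = defaultdict(list)
    for e in events:
        if e["category"]["value"] == "Administrative":
            ops[(e["correlationId"], e["operationName"]["value"])].append(e)
    rows = []
    for (cid, op), recs in ops.items():
        seen = {r["status"]["value"] for r in recs}
        # A failure outranks a success; with neither, only the start was recorded.
        outcome = ("Failed" if "Failed" in seen else
                   "Succeeded" if "Succeeded" in seen else "NoOutcomeRecorded")
        rows.append({"correlationId": cid, "operation": op,
                     "caller": recs[0]["caller"], "outcome": outcome,
                     "rbac_change": op.lower().startswith(RBAC_PREFIX)})
    # RBAC changes first, then by correlation ID.
    return sorted(rows, key=lambda r: (not r["rbac_change"], r["correlationId"]))

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```

A row with NoOutcomeRecorded means the query window held a start record but no terminal one, so widen the timespan before treating the operation as incomplete.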

View change history

When reviewing the Activity Log, it can help to see what changed at the time of an event. You can view this information with Change history. Select the event from the Activity Log that you want to look deeper into. Select the Change history (Preview) tab to view any changes associated with that event.

Change history list for an event

If there are any changes associated with the event, you'll see a list of changes that you can select. Selecting a change opens the Change history (Preview) page, which shows the changes to the resource. In the following example, you can see not only that the VM changed sizes, but also what the previous VM size was and what it was changed to.

Change history page showing differences

To learn more about Change history, see Get resource changes.

PowerShell

Use the Get-AzLog cmdlet to retrieve the Activity Log from PowerShell. Following are some common examples.

Note

Get-AzLog only provides 15 days of history. Use the -MaxEvents parameter to query the last N events beyond 15 days. To access events older than 15 days, use the REST API or SDK. If you do not include StartTime, then the default value is EndTime minus one hour. If you do not include EndTime, then the default value is current time. All times are in UTC.

Get log entries created after a particular date time:

Get-AzLog -StartTime 2016-03-01T10:30

Get log entries between a date time range:

Get-AzLog -StartTime 2015-01-01T10:30 -EndTime 2015-01-01T11:30

Get log entries from a specific resource group:

Get-AzLog -ResourceGroup 'myrg1'

Get log entries from a specific resource provider between a date time range:

Get-AzLog -ResourceProvider 'Microsoft.Web' -StartTime 2015-01-01T10:30 -EndTime 2015-01-01T11:30

Get log entries with a specific caller:

Get-AzLog -Caller 'myname@company.com'

Get the last 1000 events:

Get-AzLog -MaxEvents 1000

CLI

Use az monitor activity-log to retrieve the Activity Log from CLI. Following are some common examples.

View all available options:

az monitor activity-log list -h

Get log entries from a specific resource group:

az monitor activity-log list --resource-group <group name>

Get log entries with a specific caller:

az monitor activity-log list --caller myname@company.com

Get logs by caller on a resource type, within a date range:

az monitor activity-log list --resource-provider Microsoft.Web \
    --caller myname@company.com \
    --start-time 2016-03-08T00:00:00Z \
    --end-time 2016-03-16T00:00:00Z

REST API

Use the Azure Monitor REST API to retrieve the Activity Log from a REST client. Following are some common examples.

Get Activity Logs with filter:

GET https://management.azure.com/subscriptions/089bd33f-d4ec-47fe-8ba5-0753aa5c5b33/providers/microsoft.insights/eventtypes/management/values?api-version=2015-04-01&$filter=eventTimestamp ge '2018-01-21T20:00:00Z' and eventTimestamp le '2018-01-23T20:00:00Z' and resourceGroupName eq 'MSSupportGroup'

Get Activity Logs with filter and select:

GET https://management.azure.com/subscriptions/089bd33f-d4ec-47fe-8ba5-0753aa5c5b33/providers/microsoft.insights/eventtypes/management/values?api-version=2015-04-01&$filter=eventTimestamp ge '2015-01-21T20:00:00Z' and eventTimestamp le '2015-01-23T20:00:00Z' and resourceGroupName eq 'MSSupportGroup'&$select=eventName,id,resourceGroupName,resourceProviderName,operationName,status,eventTimestamp,correlationId,submissionTimestamp,level

Get Activity Logs with select:

GET https://management.azure.com/subscriptions/089bd33f-d4ec-47fe-8ba5-0753aa5c5b33/providers/microsoft.insights/eventtypes/management/values?api-version=2015-04-01&$select=eventName,id,resourceGroupName,resourceProviderName,operationName,status,eventTimestamp,correlationId,submissionTimestamp,level

Get Activity Logs without filter or select:

GET https://management.azure.com/subscriptions/089bd33f-d4ec-47fe-8ba5-0753aa5c5b33/providers/microsoft.insights/eventtypes/management/values?api-version=2015-04-01
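
Added example, not from the original article: the filtered requests above built in Python, with the $filter expression percent-encoded, string values quoted by the OData rule of doubling single quotes, and result paging. The function names, the caller-supplied get_json transport, the nextLink paging field and the same-host check on it are assumptions of this example.

```python
import re
from urllib.parse import quote, urlsplit

BASE = "https://management.azure.com"
API_VERSION = "2015-04-01"  # the version used in the requests above
GUID = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

def odata_str(value):
    """Quote a string literal for $filter; OData escapes ' by doubling it."""
    return "'" + value.replace("'", "''") + "'"

def build_url(subscription_id, start, end, resource_group=None, select=None):
    """Return the Activity Log request URL with $filter and $select encoded."""
    if not GUID.fullmatch(subscription_id):
        raise ValueError("subscription id must be a GUID")
    flt = f"eventTimestamp ge {odata_str(start)} and eventTimestamp le {odata_str(end)}"
    if resource_group:
        flt += f" and resourceGroupName eq {odata_str(resource_group)}"
    query = f"api-version={API_VERSION}&$filter={quote(flt, safe='')}"
    if select:
        query += "&$select=" + quote(",".join(select), safe=",")
    return (f"{BASE}/subscriptions/{subscription_id}/providers/microsoft.insights"
            f"/eventtypes/management/values?{query}")

def fetch_all(url, get_json):
    """Yield every event across pages; get_json(url) -> dict is the caller's client."""
    while url:
        # Assumption: continuation links stay on the ARM endpoint. Refuse anything
        # else so the bearer token get_json attaches never goes to another origin.
        if urlsplit(url)[:2] != urlsplit(BASE)[:2]:
            raise ValueError("nextLink points outside " + BASE)
        page = get_json(url)
        yield from page.get("value", [])
        url = page.get("nextLink")

if __name__ == "__main__":
    first = build_url("089bd33f-d4ec-47fe-8ba5-0753aa5c5b33", "2018-01-21T20:00:00Z",
                      "2018-01-23T20:00:00Z", "MSSupportGroup",
                      ["eventName", "operationName", "status"])
    # Constructed two-page response standing in for the service.
    pages = {first: {"value": [{"eventName": "a"}], "nextLink": BASE + "/page2"},
             BASE + "/page2": {"value": [{"eventName": "b"}]}}
    print(first)
    print(list(fetch_all(first, pages.__getitem__)))
```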

Activity Logs Analytics monitoring solution

The Azure Log Analytics monitoring solution includes multiple log queries and views for analyzing the Activity Log records in your Log Analytics workspace.

Prerequisites

You must create a diagnostic setting to send the Activity log for your subscription to a Log Analytics workspace. See Collect Azure platform logs in Log Analytics workspace in Azure Monitor.

Install the solution

Use the procedure in Install a monitoring solution to install the Activity Log Analytics solution. There is no additional configuration required.

Use the solution

Click Logs at the top of the Activity Log page to open the Activity Log Analytics monitoring solution for the subscription. Or access all the monitoring solutions in your subscription from the Monitor menu in the Azure portal. Select More in the Insights section to open the Overview page with the solution tiles. The Azure Activity Logs tile displays a count of the number of AzureActivity records in your workspace.

Azure Activity Logs tile

Click the Azure Activity Logs tile to open the Azure Activity Logs view. The view includes the visualization parts described below. Each part lists up to 10 items matching that part's criteria for the specified time range. You can run a log query that returns all matching records by clicking See all at the bottom of the part.

Azure Activity Logs dashboard

  • Azure Activity Log Entries: Shows a bar chart of the top Azure Activity Log entry record totals for the date range that you have selected and shows a list of the top 10 activity callers. Click the bar chart to run a log search for AzureActivity. Click a caller item to run a log search returning all Activity Log entries for that item.
  • Activity Logs by Status: Shows a doughnut chart for Azure Activity Log status for the selected date range and a list of the top ten status records. Click the chart to run a log query for AzureActivity | summarize AggregatedValue = count() by ActivityStatus. Click a status item to run a log search returning all Activity Log entries for that status record.
  • Activity Logs by Resource: Shows the total number of resources with Activity Logs and lists the top ten resources with record counts for each resource. Click the total area to run a log search for AzureActivity | summarize AggregatedValue = count() by Resource, which shows all Azure resources available to the solution. Click a resource to run a log query returning all activity records for that resource.
  • Activity Logs by Resource Provider: Shows the total number of resource providers that produce Activity Logs and lists the top ten. Click the total area to run a log query for AzureActivity | summarize AggregatedValue = count() by ResourceProvider, which shows all Azure resource providers. Click a resource provider to run a log query returning all activity records for the provider.
