Overview of Azure platform logs

Platform logs provide detailed diagnostic and auditing information for Azure resources and the Azure platform they depend on. They are automatically generated although you need to configure certain platform logs to be forwarded to one or more destinations to be retained. This article provides an overview of platform logs including what information they provide and how you can configure them for collection and analysis.

Types of platform logs

The following table lists the specific platform logs that are available at different layers of Azure.

Log Layer Description
Resource logs Azure Resources Provide insight into operations that were performed within an Azure resource (the data plane), for example getting a secret from a Key Vault or making a request to a database. The content of resource logs varies by the Azure service and resource type.

Resource logs were previously referred to as diagnostic logs.
Activity log Azure Subscription Provides insight into the operations on each Azure resource in the subscription from the outside (the management plane) in addition to updates on Service Health events. Use the Activity Log, to determine the what, who, and when for any write operations (PUT, POST, DELETE) taken on the resources in your subscription. You can also understand the status of the operation and other relevant properties. There is a single Activity log for each Azure subscription.
Azure Active Directory logs Azure Tenant Contains the history of sign-in activity and audit trail of changes made in the Azure Active Directory for a particular tenant. See What are Azure Active Directory reports? for a complete description of Azure Active Directory Logs.

Note

The Azure Activity Log is primarily for activities that occur in Azure Resource Manager. It does not track resources using the Classic/RDFE model. Some Classic resource types have a proxy resource provider in Azure Resource Manager (for example, Microsoft.ClassicCompute). If you interact with a Classic resource type through Azure Resource Manager using these proxy resource providers, the operations appear in the Activity Log. If you interact with a Classic resource type outside of the Azure Resource Manager proxies, your actions are only recorded in the Operation Log. The Operation Log can be browsed in a separate section of the portal.

Platform logs overview

Viewing platform logs

There are different options for viewing and analyzing the different Azure platform logs.

Destinations

You can send platform logs to one or more of the destinations in the following table depending on your monitoring requirements. Configure destinations for platform logs by creating a Diagnostic setting.

Destination Scenario References
Log Analytics workspace Analyze the logs with other monitoring data and leverage Azure Monitor features such as log queries and alerts. Activity log and Resource logs
Azure Activity Directory logs
Azure storage Archive the logs for audit, static analysis, or backup. Activity log and Resource logs
Azure Activity Directory logs
Event hub Stream the logs to third-party logging and telemetry systems. Activity log and Resource logs
Azure Activity Directory logs

Next steps