View activity logs to audit actions on resources

Through activity logs, you can determine:

  • what operations were taken on the resources in your subscription
  • who started the operation
  • when the operation occurred
  • the status of the operation
  • the values of other properties that might help you research the operation

The activity log contains all write operations (PUT, POST, DELETE) performed on your resources. It doesn't include read operations (GET). For a list of resource actions, see Azure Resource Manager Resource Provider operations. You can use the activity logs to find an error when troubleshooting or to monitor how a user in your organization modified a resource.

Activity logs are kept for 90 days. You can query for any range of dates, as long as the starting date isn't more than 90 days in the past.

You can retrieve information from the activity logs through the portal, PowerShell, Azure CLI, Insights REST API, or Insights .NET Library.

The Azure portal

  1. To view the activity logs through the portal, select Monitor.

  2. Select Activity Log.

  3. You see a summary of recent operations. A default set of filters is applied to the operations.

  4. To quickly run a pre-defined set of filters, select Quick Insights and pick one of the options.

  5. To focus on specific operations, change the filters or apply new ones. For example, set a new value for Timespan and set Resource type to storage accounts.

  6. If you need to run the query again later, select Pin current filters.

  7. Give the filter a name.

  8. The filter is available in the dashboard.

PowerShell

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

  • To retrieve log entries, run the Get-AzLog command. You provide additional parameters to filter the list of entries. If you don't specify a start and end time, entries for the last seven days are returned.

    Get-AzLog -ResourceGroup ExampleGroup
    

    The following example shows how to use the activity log to research operations taken during a specified time. The start and end dates are specified in a date format.

    Get-AzLog -ResourceGroup ExampleGroup -StartTime 2019-01-09T06:00 -EndTime 2019-01-15T06:00
    

    Or, you can use date functions to specify the date range, such as the last 14 days.

    Get-AzLog -ResourceGroup ExampleGroup -StartTime (Get-Date).AddDays(-14)
    
  • You can look up the actions taken by a particular user, even for a resource group that no longer exists.

    Get-AzLog -ResourceGroup deletedgroup -StartTime (Get-Date).AddDays(-14) -Caller someone@contoso.com
    
  • You can filter for failed operations.

    Get-AzLog -ResourceGroup ExampleGroup -Status Failed
    
  • You can focus on one error by looking at the status message for that entry.

    ((Get-AzLog -ResourceGroup ExampleGroup -Status Failed).Properties[0].Content.statusMessage | ConvertFrom-Json).error
    
  • You can select specific values to limit the data that is returned.

    Get-AzLog -ResourceGroupName ExampleGroup | Format-Table EventTimeStamp, Caller, @{n='Operation'; e={$_.OperationName.value}}, @{n='Status'; e={$_.Status.value}}, @{n='SubStatus'; e={$_.SubStatus.LocalizedValue}}
    
  • Depending on the start time you specify, the previous commands can return a long list of operations for the resource group. You can filter the results for what you are looking for by providing search criteria. For example, you can filter by the type of operation.

    Get-AzLog -ResourceGroup ExampleGroup | Where-Object {$_.OperationName.value -eq "Microsoft.Resources/deployments/write"}
    

Azure CLI

  • To retrieve log entries, run the az monitor activity-log list command with an offset to indicate the time span.

    az monitor activity-log list --resource-group ExampleGroup --offset 7d
    

    The following example shows how to use the activity log to research operations taken during a specified time. The start and end dates are specified in a date format.

    az monitor activity-log list -g ExampleGroup --start-time 2019-01-01 --end-time 2019-01-15
    
  • You can look up the actions taken by a particular user, even for a resource group that no longer exists.

    az monitor activity-log list -g ExampleGroup --caller someone@contoso.com --offset 5d
    
  • You can filter for failed operations.

    az monitor activity-log list -g demoRG --status Failed --offset 1d
    
  • You can focus on one error by looking at the status message for that entry.

    az monitor activity-log list -g ExampleGroup --status Failed --offset 1d --query "[].properties.statusMessage"
    
  • You can select specific values to limit the data that is returned.

    az monitor activity-log list -g ExampleGroup --offset 1d --query '[].{Operation: operationName.value, Status: status.value, SubStatus: subStatus.localizedValue}'
    
  • Depending on the start time you specify, the previous commands can return a long list of operations for the resource group. You can filter the results for what you are looking for by providing search criteria. For example, you can filter by the type of operation.

    az monitor activity-log list -g ExampleGroup --offset 1d --query "[?operationName.value=='Microsoft.Storage/storageAccounts/write']"
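The filters shown above (failed operations, caller, operation type, and the status message lookup) can be combined into one offline triage pass over saved `az monitor activity-log list` JSON output. This is an added example, not part of the original article: the sample entries are constructed, the helper names `decode_error` and `audit` are hypothetical, and the `caller` and `eventTimestamp` field names are assumed from the CLI's JSON output.

```python
import json
from collections import Counter

# Constructed sample in the shape `az monitor activity-log list` emits (values are made up).
SAMPLE = json.dumps([
    {"eventTimestamp": "2019-01-10T08:15:00Z", "caller": "someone@contoso.com",
     "operationName": {"value": "Microsoft.Storage/storageAccounts/write"},
     "status": {"value": "Failed"},
     "properties": {"statusMessage": json.dumps({"error": {
         "code": "StorageAccountAlreadyTaken", "message": "Name already in use."}})}},
    {"eventTimestamp": "2019-01-10T08:20:00Z", "caller": "someone@contoso.com",
     "operationName": {"value": "Microsoft.Storage/storageAccounts/delete"},
     "status": {"value": "Succeeded"}, "properties": {}},
    {"eventTimestamp": "2019-01-11T09:00:00Z", "caller": "deploy@contoso.com",
     "operationName": {"value": "Microsoft.Resources/deployments/write"},
     "status": {"value": "Failed"},
     "properties": {"statusMessage": "Gateway timeout"}},  # deliberately not JSON
])

def decode_error(entry):
    """Return (code, message) from properties.statusMessage, or None if absent."""
    raw = (entry.get("properties") or {}).get("statusMessage")
    if not raw:
        return None
    try:
        doc = raw if isinstance(raw, dict) else json.loads(raw)
        err = doc.get("error") or doc  # defensive fallback if there is no "error" key
        return err.get("code", "unknown"), err.get("message", "")
    except (ValueError, AttributeError, TypeError):
        return "unparsed", str(raw)  # keep the raw text for the analyst

def audit(entries):
    """Summarise who did what: failures with decoded errors, deletes per caller."""
    failures, deletes = [], Counter()
    for e in sorted(entries, key=lambda e: e.get("eventTimestamp", "")):
        op = (e.get("operationName") or {}).get("value", "")
        who = e.get("caller") or "unknown"
        if (e.get("status") or {}).get("value") == "Failed":
            failures.append((e.get("eventTimestamp"), who, op, decode_error(e)))
        if op.lower().endswith("/delete"):
            deletes[who] += 1
    return failures, dict(deletes)

if __name__ == "__main__":
    failures, deletes = audit(json.loads(SAMPLE))
    for ts, who, op, err in failures:
        print(ts, who, op, err)
    print("deletes per caller:", deletes)
```

To run it against real data, save the CLI output to a file and pass the parsed list to `audit` in place of the sample.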
    

REST API

The REST operations for working with the activity log are part of the Insights REST API. To retrieve activity log events, see List the management events in a subscription.

Next steps