View activity logs to monitor actions on resources

Through activity logs, you can determine:

  • what operations were taken on the resources in your subscription
  • who started the operation
  • when the operation occurred
  • the status of the operation
  • the values of other properties that might help you research the operation

The activity log contains all write operations (PUT, POST, DELETE) for your resources. It doesn't include read operations (GET). For a list of resource actions, see Azure Resource Manager Resource Provider operations. You can use the activity logs to find an error when troubleshooting or to monitor how a user in your organization modified a resource.

Activity logs are kept for 90 days. You can query for any range of dates, as long as the starting date isn't more than 90 days in the past.

You can retrieve information from the activity logs through the portal, PowerShell, Azure CLI, Insights REST API, or Insights .NET Library.

Azure portal

To view the activity logs through the portal, follow these steps:

  1. On the Azure portal menu, select Monitor, or search for and select Monitor from any page.

    Select monitor

  2. Select Activity Log.

    Select activity log

  3. You see a summary of recent operations. A default set of filters is applied to the operations. Notice the information on the summary includes who started the action and when it happened.

    View summary of recent operations

  4. To quickly run a pre-defined set of filters, select Quick Insights.

    Select quick insights

  5. Select one of the options. For example, select Failed deployments to see errors from deployments.

    Select failed deployments

  6. Notice the filters have been changed to focus on deployment errors in the last 24 hours. Only operations that match the filters are displayed.

    View filters

  7. To focus on specific operations, change the filters or apply new ones. For example, the following image shows a new value for the Timespan and Resource type is set to storage accounts.

    Set filter options

  8. If you need to run the query again later, select Pin current filters.

    Pin filters

  9. Give the filter a name.

    Name filters

  10. The filter is available in the dashboard. On the Azure portal menu, select Dashboard.

    Show filter on dashboard

  11. From the portal, you can view changes to a resource. Go back to the default view in Monitor, and select an operation that involved changing a resource.

    Select operation

  12. Select Change history (Preview) and pick one of the available operations.

    Select change history

  13. The changes in the resource are displayed.

    Show changes

To learn more about change history, see Get resource changes.

PowerShell

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

To retrieve log entries, run the Get-AzLog command. You provide additional parameters to filter the list of entries. If you don't specify a start and end time, entries for the last seven days are returned.

Get-AzLog -ResourceGroup ExampleGroup

The following example shows how to use the activity log to research operations taken during a specified time. The start and end dates are specified in a date format.

Get-AzLog -ResourceGroup ExampleGroup -StartTime 2019-05-05T06:00 -EndTime 2019-05-09T06:00

Or, you can use date functions to specify the date range, such as the last 14 days.

Get-AzLog -ResourceGroup ExampleGroup -StartTime (Get-Date).AddDays(-14)

You can look up the actions taken by a particular user.

Get-AzLog -ResourceGroup ExampleGroup -StartTime (Get-Date).AddDays(-14) -Caller someone@contoso.com

You can filter for failed operations.

Get-AzLog -ResourceGroup ExampleGroup -Status Failed

You can focus on one error by looking at the status message for that entry.

(Get-AzLog -ResourceGroup ExampleGroup -Status Failed).Properties.Content.statusMessage | ConvertFrom-Json

You can select specific values to limit the data that is returned.

Get-AzLog -ResourceGroupName ExampleGroup | Format-table EventTimeStamp, Caller, @{n='Operation'; e={$_.OperationName.value}}, @{n='Status'; e={$_.Status.value}}, @{n='SubStatus'; e={$_.SubStatus.LocalizedValue}}

Depending on the start time you specify, the previous commands can return a long list of operations for the resource group. You can filter the results for what you are looking for by providing search criteria. For example, you can filter by the type of operation.

Get-AzLog -ResourceGroup ExampleGroup | Where-Object {$_.OperationName.value -eq "Microsoft.Resources/deployments/write"}

You can use Resource Graph to see the change history for a resource. For more information, see Get resource changes.

Azure CLI

To retrieve log entries, run the az monitor activity-log list command with an offset to indicate the time span.

az monitor activity-log list --resource-group ExampleGroup --offset 7d

The following example shows how to use the activity log to research operations taken during a specified time. The start and end dates are specified in a date format.

az monitor activity-log list -g ExampleGroup --start-time 2019-05-01 --end-time 2019-05-15

You can look up the actions taken by a particular user, even for a resource group that no longer exists.

az monitor activity-log list -g ExampleGroup --caller someone@contoso.com --offset 5d

You can filter for failed operations.

az monitor activity-log list -g ExampleGroup --status Failed --offset 1d

You can focus on one error by looking at the status message for that entry.

az monitor activity-log list -g ExampleGroup --status Failed --offset 1d --query [].properties.statusMessage

You can select specific values to limit the data that is returned.

az monitor activity-log list -g ExampleGroup --offset 1d --query '[].{Operation: operationName.value, Status: status.value, SubStatus: subStatus.localizedValue}'

Depending on the start time you specify, the previous commands can return a long list of operations for the resource group. You can filter the results for what you are looking for by providing search criteria. For example, you can filter by the type of operation.

az monitor activity-log list -g ExampleGroup --offset 1d --query "[?operationName.value=='Microsoft.Storage/storageAccounts/write']"

You can use Resource Graph to see the change history for a resource. For more information, see Get resource changes.

REST API

The REST operations for working with the activity log are part of the Insights REST API. To retrieve activity log events, see List the management events in a subscription.

Next steps