View activity logs to audit actions on resources
Through activity logs, you can determine:
- what operations were taken on the resources in your subscription
- who initiated the operation (although operations initiated by a backend service do not return a user as the caller)
- when the operation occurred
- the status of the operation
- the values of other properties that might help you research the operation
The activity log contains all write operations (PUT, POST, DELETE) performed on your resources. It does not include read operations (GET). You can use the audit logs to find an error when troubleshooting or to monitor how a user in your organization modified a resource.
Activity logs are retained for 90 days. You can query for any range of dates, as long as the starting date is not more than 90 days in the past.
You can retrieve information from the activity logs through the portal, PowerShell, Azure CLI, Insights REST API, or Insights .NET Library.
To view the activity logs through the portal, select Monitor.
Or, to automatically filter the activity log for a particular resource or resource group, select Activity log from that resource blade. Notice that the activity log is automatically filtered by the selected resource.
In the Activity Log blade, you see a summary of recent operations.
To restrict the number of operations displayed, select different conditions. For example, the following image shows the Timespan and Event initiated by fields changed to view the actions taken by a particular user or application for the past month. Select Apply to view the results of your query.
If you need to run the query again later, select Save and give the query a name.
To quickly run a query, you can select one of the built-in queries, such as failed deployments.
The selected query automatically sets the required filter values.
Select one of the operations to see a summary of the event.
To retrieve log entries, run the Get-AzureRmLog command. You provide additional parameters to filter the list of entries. If you do not specify a start and end time, entries for the last hour are returned. For example, to retrieve the operations for a resource group during the past hour run:
Get-AzureRmLog -ResourceGroup ExampleGroup
The following example shows how to use the activity log to research operations taken during a specified time. The start and end dates are specified in a date format.
Get-AzureRmLog -ResourceGroup ExampleGroup -StartTime 2015-08-28T06:00 -EndTime 2015-09-10T06:00
Or, you can use date functions to specify the date range, such as the last 14 days.
Get-AzureRmLog -ResourceGroup ExampleGroup -StartTime (Get-Date).AddDays(-14)
Depending on the start time you specify, the previous commands can return a long list of operations for the resource group. You can filter the results for what you are looking for by providing search criteria. For example, if you are trying to research how a web app was stopped, you could run the following command:
Get-AzureRmLog -ResourceGroup ExampleGroup -StartTime (Get-Date).AddDays(-14) | Where-Object OperationName -eq Microsoft.Web/sites/stop/action
Which for this example shows that a stop action was performed by email@example.com.
Authorization : Scope : /subscriptions/xxxxx/resourcegroups/ExampleGroup/providers/Microsoft.Web/sites/ExampleSite Action : Microsoft.Web/sites/stop/action Role : Subscription Admin Condition : Caller : firstname.lastname@example.org CorrelationId : 84beae59-92aa-4662-a6fc-b6fecc0ff8da EventSource : Administrative EventTimestamp : 8/28/2015 4:08:18 PM OperationName : Microsoft.Web/sites/stop/action ResourceGroupName : ExampleGroup ResourceId : /subscriptions/xxxxx/resourcegroups/ExampleGroup/providers/Microsoft.Web/sites/ExampleSite Status : Succeeded SubscriptionId : xxxxx SubStatus : OK
You can look up the actions taken by a particular user, even for a resource group that no longer exists.
Get-AzureRmLog -ResourceGroup deletedgroup -StartTime (Get-Date).AddDays(-14) -Caller email@example.com
You can filter for failed operations.
Get-AzureRmLog -ResourceGroup ExampleGroup -Status Failed
You can focus on one error by looking at the status message for that entry.
((Get-AzureRmLog -Status Failed -ResourceGroup ExampleGroup -DetailedOutput).Properties.Content["statusMessage"] | ConvertFrom-Json).error
code message ---- ------- DnsRecordInUse DNS record dns.westus.cloudapp.azure.com is already used by another public IP.
To retrieve log entries, you run the azure group log show command.
azure group log show ExampleGroup --json
- Azure Activity logs can be used with Power BI to gain greater insights about the actions in your subscription. See View and analyze Azure Activity Logs in Power BI and more.
- To learn about setting security policies, see Azure Role-based Access Control.
- To learn about the commands for viewing deployment operations, see View deployment operations.
- To learn how to prevent deletions on a resource for all users, see Lock resources with Azure Resource Manager.