Common and service-specific schema for Azure Resource Logs
Resource logs were previously known as diagnostic logs. The name was changed in October 2019 as the types of logs gathered by Azure Monitor shifted to include more than just the Azure resource. Also, the list of resource log categories you can collect used to be in this article. It is now at Resource log categories.
Azure Monitor resource logs are logs emitted by Azure services that describe the operation of those services or resources. All resource logs available through Azure Monitor share a common top-level schema, with flexibility for each service to emit unique properties for its own events.
A combination of the resource type (available in the resourceId property) and the category uniquely identifies a schema. This article describes the top-level schema for resource logs and links to the schemata for each service.
Top-level common schema
| Name | Required or optional | Description |
|---|---|---|
| time | Required | The timestamp (UTC) of the event. |
| resourceId | Required | The resource ID of the resource that emitted the event. For tenant services, this is of the form /tenants/tenant-id/providers/provider-name. |
| tenantId | Required for tenant logs | The tenant ID of the Active Directory tenant that this event is tied to. This property is only used for tenant-level logs; it does not appear in resource-level logs. |
| operationName | Required | The name of the operation represented by this event. If the event represents an Azure RBAC operation, this is the Azure RBAC operation name (for example, Microsoft.Storage/storageAccounts/blobServices/blobs/Read). Typically modeled in the form of a Resource Manager operation, even if they are not actual documented Resource Manager operations (
| operationVersion | Optional | The api-version associated with the operation, if the operationName was performed using an API (for example,
| category | Required | The log category of the event. Category is the granularity at which you can enable or disable logs on a particular resource. The properties that appear within the properties blob of an event are the same within a particular log category and resource type. Typical log categories are "Audit", "Operational", "Execution", and "Request". |
| resultType | Optional | The status of the event. Typical values include Started, In Progress, Succeeded, Failed, Active, and Resolved. |
| resultSignature | Optional | The sub status of the event. If this operation corresponds to a REST API call, this field is the HTTP status code of the corresponding REST call. |
| resultDescription | Optional | The static text description of this operation, for example "Get storage file". |
| durationMs | Optional | The duration of the operation in milliseconds. |
| callerIpAddress | Optional | The caller IP address, if the operation corresponds to an API call that would come from an entity with a publicly available IP address. |
| correlationId | Optional | A GUID used to group together a set of related events. Typically, if two events have the same operationName but two different statuses (for example "Started" and "Succeeded"), they share the same correlation ID. This may also represent other relationships between events. |
| identity | Optional | A JSON blob that describes the identity of the user or application that performed the operation. Typically this field includes the authorization and claims / JWT token from Active Directory. |
| Level | Optional | The severity level of the event. Must be one of Informational, Warning, Error, or Critical. |
| location | Optional | The region of the resource emitting the event, for example "East US" or "France South". |
| properties | Optional | Any extended properties related to this particular category of events. All custom/unique properties must be put inside this "Part B" of the schema. |
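
The following check applies the common schema at ingestion time and derives the (resource type, category) pair that identifies a record's service-specific schema. It is an added example, not code from Azure Monitor or from the original article. The resource ID layout (provider namespace followed by type/name pairs), the lower-casing of the key, and the sample records are assumptions of the example.

```python
# Property names taken from the top-level common schema table above.
REQUIRED = ("time", "resourceId", "operationName", "category")
OPTIONAL = ("tenantId", "operationVersion", "resultType", "resultSignature",
            "resultDescription", "durationMs", "callerIpAddress", "correlationId",
            "identity", "Level", "location", "properties")
LEVELS = {"Informational", "Warning", "Error", "Critical"}

def resource_type(resource_id):
    """Provider namespace plus type segments, lower-cased (assumed ID layout)."""
    parts = [p.lower() for p in resource_id.split("/") if p]
    if "providers" not in parts:
        return None
    # Keep what follows the last 'providers': namespace, type, name, type, name...
    tail = parts[len(parts) - parts[::-1].index("providers"):]
    return "/".join(tail[:1] + tail[1::2]) or None

def validate(record):
    """Return ((resource_type, category), problems) for one decoded record."""
    problems = [f"missing required property: {k}" for k in REQUIRED
                if record.get(k) in (None, "")]
    rid = str(record.get("resourceId") or "")
    # Tenant services use the form /tenants/tenant-id/providers/provider-name.
    if rid.lower().startswith("/tenants/") and not record.get("tenantId"):
        problems.append("tenant-level log without tenantId")
    level = record.get("Level")
    if level is not None and level not in LEVELS:
        problems.append(f"unexpected Level: {level!r}")
    # Service-specific data belongs inside 'properties', not at the top level.
    for name in sorted(set(record) - set(REQUIRED) - set(OPTIONAL)):
        problems.append(f"property outside common schema: {name}")
    key = (resource_type(rid), str(record.get("category") or "").lower())
    return key, problems

SAMPLE = [  # constructed records for illustration, not real telemetry
    {"time": "2024-05-01T10:00:00Z",
     "resourceId": "/SUBSCRIPTIONS/SUB-ID/RESOURCEGROUPS/RG-EXAMPLE/PROVIDERS/"
                   "MICROSOFT.STORAGE/STORAGEACCOUNTS/EXAMPLEACCT/BLOBSERVICES/DEFAULT",
     "operationName": "Microsoft.Storage/storageAccounts/blobServices/blobs/Read",
     "category": "Audit", "resultType": "Succeeded", "Level": "Informational"},
    {"time": "2024-05-01T10:00:01Z",
     "resourceId": "/tenants/tenant-id/providers/provider-name",
     "operationName": "Example operation", "category": "Audit",
     "Level": "Verbose", "clientApp": "example"},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(validate(rec))
```

Records that return a non-empty problem list are better routed to a quarantine table than dropped, so that a malformed or unexpected event still leaves a trace for investigation.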
The schema for resource logs varies depending on the resource and log category. This list shows services that make resource logs available and links to the service and category-specific schema where available. This list is changing all the time as new services are added, so if you don't see what you need below, use a search engine to discover additional documentation. Feel free to open a GitHub issue on this article so we can update it.