Azure Monitoring Tools Explained – Part 2: Azure Activity Logs


In the first part of this series, we introduced the confusion and complexity that tends to occur when looking at the long list of monitoring tools available for Azure.

We then provided a list of currently available tools that we will explore further.

The first tool on the list is Activity Logs.

Azure Activity Logs

The Azure Activity Log is actually a part of the Azure Monitor service/solution. But in short, it logs activities that occur at the Subscription level in Azure.

Importantly, the Activity Log is different from Diagnostic Logs. Activity Logs provide data about the operations performed on a resource from the outside (the “control plane”). Diagnostic Logs are emitted by a resource itself and provide information about the operation of that resource (the “data plane”).

Here is the official documentation about Monitor Subscription Activity with the Azure Activity Log.

You can think of it as an audit trail for your Azure subscription. If anyone does anything (e.g. deletes a VM, changes an NSG configuration, deploys an expensive service/system), the Azure Activity Log will record it.

Real World Example

So let’s see how we can use this in the real world.

Let’s take the scenario where someone accidentally (or perhaps maliciously) deleted a Virtual Machine from your Azure subscription. No one is confessing they did it, but you need to determine who, when, and what (though the ‘what’ may be obvious if a service/application is down).

In Azure Activity Logs, we can filter the logs by Subscription, Resource Group, Resource Type (e.g. Virtual Machines), Operation, etc.

[Figure: Azure Activity Logs – Filters]

We’re going to focus on the last filter option: Operation. In the Operations filter, if you type the word “Virtual Machine” it will filter the list of operations that occur against that resource type.

[Figure: Azure Activity Logs – Operations Filter]

Notice that we have Operations like:

  • Stop Virtual Machine
  • Shutdown Virtual Machine
  • Delete Virtual Machine
  • Deallocate Virtual Machine

If we select all 4 of those operations (Note: some of the operations may be further down in the list), then we should be able to see that someone deleted a virtual machine, when it occurred, and who actually initiated the delete operation.

[Figure: Azure Activity Logs – Filter Results]

So very clearly we can see when the Delete Virtual Machine operation occurred, and by whom (from the Event Initiated By column). But it doesn’t show us what Virtual Machine was deleted. Also, let’s pretend that the ‘Event Initiated By’ showed a generic email address.

If we select the Delete Virtual Machine entry, we get to see the details of the operation. We are able to see a lot more information from the JSON tab.

[Figure: Azure Activity Logs – JSON Details]

If we look further into the JSON details, we can actually obtain the name of the individual (again, assuming the email address wasn’t obvious).

[Figure: Azure Activity Logs – JSON Details – Individual Name]

A little further down, we can determine the Resource Group and Virtual Machine that was affected.

[Figure: Azure Activity Logs – JSON Details – VM Deleted]
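The same investigation can be done against the exported JSON rather than by clicking through the portal, which is handy when the Activity Log has been archived or you need to check many subscriptions. The script below is an added example, not part of the original post: it takes a small set of constructed Activity Log events (invented names, IDs and timestamps, in the shape the portal’s JSON tab shows), keeps only the VM lifecycle operations filtered for above, pulls the caller and the friendlier display name out of the claims, and extracts the Resource Group and VM name from the resourceId. The claim keys and operation names are the standard ones Azure emits; the sample data and the helper function names are mine.

```python
import json

# Constructed sample events (not real data), trimmed to the fields used here.
# The Activity Log emits a "Started" event and a "Succeeded"/"Failed" event for
# each operation, so the same delete appears twice.
SAMPLE_EVENTS_JSON = r'''[
  {"caller": "svc-automation@contoso.example",
   "claims": {"name": "Jane Doe", "ipaddr": "203.0.113.10",
              "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "svc-automation@contoso.example"},
   "eventTimestamp": "2018-03-01T14:02:11.123Z",
   "operationName": {"value": "Microsoft.Compute/virtualMachines/delete", "localizedValue": "Delete Virtual Machine"},
   "resourceGroupName": "rg-prod-web",
   "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod-web/providers/Microsoft.Compute/virtualMachines/web-vm-01",
   "status": {"value": "Started"}},
  {"caller": "svc-automation@contoso.example",
   "claims": {"name": "Jane Doe", "ipaddr": "203.0.113.10",
              "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "svc-automation@contoso.example"},
   "eventTimestamp": "2018-03-01T14:03:40.001Z",
   "operationName": {"value": "Microsoft.Compute/virtualMachines/delete", "localizedValue": "Delete Virtual Machine"},
   "resourceGroupName": "rg-prod-web",
   "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod-web/providers/Microsoft.Compute/virtualMachines/web-vm-01",
   "status": {"value": "Succeeded"}},
  {"caller": "bob@contoso.example",
   "claims": {"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "bob@contoso.example"},
   "eventTimestamp": "2018-03-01T15:10:05.000Z",
   "operationName": {"value": "Microsoft.Compute/virtualMachines/deallocate/action", "localizedValue": "Deallocate Virtual Machine"},
   "resourceGroupName": "rg-prod-app",
   "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod-app/providers/Microsoft.Compute/virtualMachines/app-vm-02",
   "status": {"value": "Succeeded"}},
  {"caller": "bob@contoso.example",
   "claims": {"name": "Bob Smith"},
   "eventTimestamp": "2018-03-01T15:12:00.000Z",
   "operationName": {"value": "Microsoft.Compute/virtualMachines/write", "localizedValue": "Create or Update Virtual Machine"},
   "resourceGroupName": "rg-prod-app",
   "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod-app/providers/Microsoft.Compute/virtualMachines/app-vm-03",
   "status": {"value": "Succeeded"}},
  {"caller": "alice@contoso.example",
   "claims": {"name": "Alice Jones"},
   "eventTimestamp": "2018-03-01T16:00:00.000Z",
   "operationName": {"value": "Microsoft.Compute/virtualMachines/delete", "localizedValue": "Delete Virtual Machine"},
   "resourceGroupName": "rg-dev",
   "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-dev/providers/Microsoft.Compute/virtualMachines/dev-vm-09",
   "status": {"value": "Failed"}}
]'''

# The VM lifecycle operations the post filters on (delete / deallocate / power off).
VM_LIFECYCLE_OPS = {
    "Microsoft.Compute/virtualMachines/delete",
    "Microsoft.Compute/virtualMachines/deallocate/action",
    "Microsoft.Compute/virtualMachines/powerOff/action",
}

NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"


def parse_events(text):
    """Load an Activity Log export (a JSON array of events)."""
    return json.loads(text)


def vm_name_from_resource_id(resource_id):
    """Return the VM name segment of an ARM resourceId, or None if not a VM."""
    parts = resource_id.split("/")
    for i, seg in enumerate(parts[:-1]):
        if seg.lower() == "virtualmachines":
            return parts[i + 1]
    return None


def display_name(event):
    """Prefer the human-readable 'name' claim, then the UPN claim, then caller."""
    claims = event.get("claims", {})
    return claims.get("name") or claims.get(NAME_CLAIM) or event.get("caller")


def summarize(events, operations=VM_LIFECYCLE_OPS, only_succeeded=True):
    """Who did what to which VM, and when, for the selected operations."""
    rows = []
    for ev in events:
        op = ev.get("operationName", {})
        if op.get("value") not in operations:
            continue
        status = ev.get("status", {}).get("value")
        if only_succeeded and status != "Succeeded":
            continue
        rows.append({
            "time": ev.get("eventTimestamp"),
            "operation": op.get("localizedValue", op.get("value")),
            "caller": ev.get("caller"),
            "name": display_name(ev),
            "ip": ev.get("claims", {}).get("ipaddr"),
            "resource_group": ev.get("resourceGroupName"),
            "vm": vm_name_from_resource_id(ev.get("resourceId", "")),
            "status": status,
        })
    return sorted(rows, key=lambda r: r["time"])


if __name__ == "__main__":
    for row in summarize(parse_events(SAMPLE_EVENTS_JSON)):
        print(f'{row["time"]}  {row["operation"]:<28} {row["resource_group"]}/{row["vm"]}'
              f'  by {row["name"]} ({row["caller"]}, ip {row["ip"]})')
```

Filtering on the Succeeded status avoids double-counting the Started event for the same delete, and the claims block is what resolves a generic service-account caller to the person (or runbook) behind it, exactly the step the JSON tab is used for above.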

Conclusion

So that’s how we can use Azure Activity Logs to audit activities that occur within our Azure subscription. You may also have noticed that you can integrate your Azure Activity Logs into the Operations Management Suite (OMS); also known as Log Analytics. We will cover this specific tool in a later post, but in short, the Azure Activity OMS Solution will summarize what’s occurred in your subscription, making it a little easier to investigate.

[Figure: Azure Activity Logs – OMS Solution]

The next tool in our series will be Application Insights.
