Update to Azure Activity log collection and export
The Azure Activity log is a platform log that provides insight into subscription-level events that have occurred in Azure. The method to send Activity log entries to an event hub or storage account or to a Log Analytics workspace has changed to use diagnostic settings. This article describes the difference between the methods and how to clear legacy settings in preparation to change to diagnostic settings.
Differences between methods
Advantages
Using diagnostic settings has the following advantages over the current methods:
- Consistent method for collecting all platform logs.
- Collect Activity log across multiple subscriptions and tenants.
- Filter collection to only collect logs for particular categories.
- Collect all Activity log categories. Some categories are not collected using legacy method.
- Faster latency for log ingestion. The previous method has about 15 minutes latency while diagnostic settings adds only about 1 minute.
Considerations
Consider the following details of Activity log collection using diagnostic settings before enabling this feature.
- The retention setting for collecting the Activity log to Azure storage has been removed meaning that data will be stored indefinitely until you remove it.
- Currently, you can only create a subscription level diagnostic setting using the Azure portal. To use other methods such as PowerShell or CLI, you can create a Resource Manager template.
Differences in data
Diagnostic settings collect the same data as the previous methods used to collect the Activity log with the following current differences:
The following columns have been removed. The replacement for these columns are in a different format, so you may need to modify log queries that use them. You may still see removed columns in the schema, but they won't be populated with data.
| Removed column | Replacement column |
|---|---|
| ActivityStatus | ActivityStatusValue |
| ActivitySubstatus | ActivitySubstatusValue |
| OperationName | OperationNameValue |
| ResourceProvider | ResourceProviderValue |
The following column have been added:
- Authorization_d
- Claims_d
- Properties_d
Work with legacy settings
Legacy settings for collecting the Activity log will continue to work if you don't choose to replace with a diagnostic setting. Use the following method to manage the log profile for a subscription.
From the Azure Monitor menu in the Azure portal, select Activity log.
Click Diagnostic settings.
Click the purple banner for the legacy experience.
See the following articles for details on using the legacy collection methods.
- Collect and analyze Azure activity logs in Log Analytics workspace in Azure Monitor
- Export Azure Activity log to storage or Azure Event Hubs
Disable existing settings
You should disable existing collection of the Activity before enabling it using diagnostic settings. Having both enabled may result in duplicate data.
Disable collection into Log Analytics workspace
- Open the Log Analytics workspaces menu in the Azure portal and select the workspace to collect the Activity Log.
- In the Workspace Data Sources section of the workspace's menu, select Azure Activity log.
- Click the subscription you want to disconnect.
- Click Disconnect and then Yes when asked to confirm your choice.
Disable log profile
- Use the procedure described in Work with legacy settings to open legacy settings.
- Disable any current collection to storage or event hubs.
Activity Log monitoring solution
The Azure Log Analytics monitoring solution includes multiple log queries and views for analyzing the Activity Log records in your Log Analytics workspace. This solution uses log data collected in a Log Analytics workspace and will continue to work without any changes if you collect the Activity log using diagnostic settings. See Activity Logs Analytics monitoring solution for details on this solution.