Azure Monitoring and Logging

#logging #auditing

Azure Platform Logs includes Resource Logs, Activity Logs, and AAD logs.

• Activity Logs are subscription-level control plane logs, for example, creating a key vault resource
• Resource Logs (previously known as Diagnostic Logs) are resource-level data access plane logs, for example, getting a key from a key vault. These are events related to resource usage, that is, operations performed within resources.

• Activity Logs are automatically generated and available. There is a hard limit of 90 day retention, unless they logs are forward somewhere else.
  • There is basic log search capabilities in the portal. For more advanced search capabilities with KQL the logs must be exported to a Log Analytics Workspace.
• Resource Logs are automatically generated, but they must be explicitly configured to be sent somewhere, using Diagnostic settings, before they are available for access
• Through Diagnostic Settings logs can be sent to one of the following:
  • Log Analytics Workspace
  • Event Hub
  • Azure Storage
  • 3rd party partner integration