- Retrieving Activity logs at the resource level
- Retrieve Activity logs from a Log Analytics workspace
- Get all "write" activities performed in the last 90 days
- Get all logs from a specific resource group
- Get the details of public IP addresses that have been created over the past five days
- Retrieve logs from a specific category, such as Administrative, Security, Policy, or ResourceHealth
Retrieving Activity logs at the resource level
In Azure, every resource, resource group, and subscription has an "Activity log" section in which we can inspect individual operations. The Get-AzActivityLog cmdlet retrieves the same data from PowerShell. Run without parameters, as below, it returns events for the subscription in the current Az context, and by default it returns at most 1000 events from a recent time window (the -MaxRecord, -StartTime, and -EndTime parameters lift these limits). Keep in mind that the Activity Log itself is retained for only 90 days; anything older is available only if it was forwarded to a Log Analytics workspace or a storage account.
Get-AzActivityLog | select Properties, Caller, Category, EventName, EventTimestamp, Level, Status
We can also narrow the results down to a specific resource ID, a resource group, or a time window:
Get-AzActivityLog -ResourceId "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/xxxxxxx/providers/Microsoft.xxxxxxx/"
Get-AzActivityLog -ResourceGroupName RG01
Get-AzActivityLog -StartTime "01/11/2021" -EndTime "02/11/2021"
Date strings such as "01/11/2021" can be read as either 11 January or 1 November depending on how they are parsed; an ISO 8601 value such as "2021-11-01", or a [datetime] object produced by Get-Date, avoids the ambiguity.
Although a built-in cmdlet is convenient, it only ever queries the subscription in the current context, so collecting logs across many subscriptions means switching context and running the query once per subscription, and the 90-day retention still applies. The alternative is to send the Activity Logs of all subscriptions to a single Log Analytics workspace. We can then run Kusto queries from PowerShell against that one workspace, keep the data for as long as the workspace retention allows, and generate reports much more easily.
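For the cases where the cmdlet route is the only one available, the following script is an added example (not code from the original article) of doing the per-subscription iteration properly: it switches context for every subscription the signed-in account can see, collects Administrative events from the last 30 days with a raised record cap, writes everything to one CSV, and lists the callers with the most successful write and delete operations. It assumes Connect-AzAccount has already been run with at least Reader on each subscription; the 30-day window, the record cap, and the output file name are choices made for this example.

```powershell
# Added example (not from the original article): collect Activity Log events
# from every subscription in the current tenant using only Get-AzActivityLog.
# Assumes Connect-AzAccount has been run and the account can read each subscription.

$start   = (Get-Date).AddDays(-30)     # the Activity Log itself keeps only 90 days
$outFile = Join-Path $PWD 'activity-all-subscriptions.csv'   # example output path

$events = foreach ($sub in Get-AzSubscription) {
    # Get-AzActivityLog only queries the subscription in the current context,
    # so the context has to be switched for every subscription.
    $null = Set-AzContext -SubscriptionId $sub.Id

    # -MaxRecord raises the default cap of 1000 events; 50000 is an assumed
    # upper bound for one subscription over 30 days in this example.
    Get-AzActivityLog -StartTime $start -MaxRecord 50000 |
        Where-Object { $_.Category.Value -eq 'Administrative' } |
        Select-Object @{ n = 'SubscriptionId';   e = { $sub.Id } },
                      @{ n = 'SubscriptionName'; e = { $sub.Name } },
                      EventTimestamp, Caller, ResourceGroupName, Level,
                      @{ n = 'Operation'; e = { $_.OperationName.Value } },
                      @{ n = 'Status';    e = { $_.Status.Value } }
}

$events | Export-Csv -Path $outFile -NoTypeInformation

# Quick triage: which callers performed the most successful write/delete operations?
# Each ARM operation produces a Started and a Succeeded/Failed event, so the
# status filter keeps one row per completed operation.
$events |
    Where-Object { $_.Operation -match '/(write|delete)$' -and $_.Status -eq 'Succeeded' } |
    Group-Object Caller |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 10
```

Get-AzSubscription only lists subscriptions in the tenant of the current context, so a multi-tenant estate needs the same loop once per tenant.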
Retrieve Activity logs from a Log Analytics workspace
To combine the activity logs of different subscriptions in a central Log Analytics workspace, we first need to configure each subscription to send its Activity Log to the workspace. This is a one-off configuration per subscription and can be performed through the subscription's Diagnostic settings in the Azure Portal.
Use the Diagnostics settings at the subscription level to configure sending specific logs to Log Analytics workspaces as well as other destinations, such as storage accounts, event hubs, or other partner solutions.
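Doing this in the portal does not scale to dozens of subscriptions, and a setting that someone later deletes or trims to a few categories silently creates a blind spot. The script below is an added example (not from the original article) that performs the same configuration through the subscription-level diagnostic settings REST API using Invoke-AzRestMethod, checks every subscription in the tenant for a setting that forwards all eight Activity Log categories to the central workspace, and creates one where it is missing. The workspace resource ID, the setting name, and the rights assumed (Connect-AzAccount with Contributor or Owner on each subscription) are assumptions of this example.

```powershell
# Added example (not part of the original article): ensure every subscription
# forwards all Activity Log categories to one Log Analytics workspace.
# Uses the subscription diagnosticSettings REST API via Invoke-AzRestMethod,
# which does not require switching the Az context per subscription.

# Placeholder values chosen for this example.
$workspaceResourceId = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-monitoring/providers/Microsoft.OperationalInsights/workspaces/law-central'
$settingName = 'activity-to-central-law'
$apiVersion  = '2021-05-01-preview'

# The categories the Activity Log exposes at subscription level.
$categories = 'Administrative', 'Security', 'ServiceHealth', 'Alert',
              'Recommendation', 'Policy', 'Autoscale', 'ResourceHealth'

function Get-ActivityLogSettings {
    param([Parameter(Mandatory)][string]$SubscriptionId)
    $path = "/subscriptions/$SubscriptionId/providers/Microsoft.Insights/diagnosticSettings?api-version=$apiVersion"
    $resp = Invoke-AzRestMethod -Path $path -Method GET
    if ($resp.StatusCode -ne 200) { throw "GET $path failed: $($resp.StatusCode) $($resp.Content)" }
    ($resp.Content | ConvertFrom-Json).value
}

function Set-ActivityLogSetting {
    param([Parameter(Mandatory)][string]$SubscriptionId)
    $body = @{
        location   = 'global'
        properties = @{
            workspaceId = $workspaceResourceId
            logs        = @($categories | ForEach-Object { @{ category = $_; enabled = $true } })
        }
    } | ConvertTo-Json -Depth 5
    $path = "/subscriptions/$SubscriptionId/providers/Microsoft.Insights/diagnosticSettings/${settingName}?api-version=$apiVersion"
    $resp = Invoke-AzRestMethod -Path $path -Method PUT -Payload $body
    if ($resp.StatusCode -notin 200, 201) { throw "PUT $path failed: $($resp.StatusCode) $($resp.Content)" }
}

foreach ($sub in Get-AzSubscription) {
    $settings = @(Get-ActivityLogSettings -SubscriptionId $sub.Id)

    # "Covered" means some setting targets our workspace with every category enabled.
    $covered = $settings | Where-Object {
        $_.properties.workspaceId -eq $workspaceResourceId -and
        @($_.properties.logs | Where-Object enabled).category.Count -eq $categories.Count
    }

    if ($covered) {
        '{0}: OK ({1})' -f $sub.Name, ($covered.name -join ', ')
    } else {
        '{0}: not forwarding all categories to the central workspace, creating setting' -f $sub.Name
        Set-ActivityLogSetting -SubscriptionId $sub.Id
    }
}
```

Run the loop on a schedule and alert on any subscription that is reported as not covered; an Activity Log that stops flowing is itself something a detection team wants to know about.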
Once a subscription sends its Activity Log to the workspace, its events land in the AzureActivity table there, and a single Kusto query against that workspace covers every subscription configured to send logs to it, whether we filter by resource, resource group, or subscription. The query below returns all Activity Log events for virtual machines over the past ten days.
$logQuery = @"
AzureActivity
| where TimeGenerated > ago(10d)
| where _ResourceId contains '/microsoft.compute/virtualmachines/'
"@
We run the query with the Invoke-AzOperationalInsightsQuery cmdlet. It needs the workspace ID of the Log Analytics workspace, which is the workspace's CustomerId (a GUID), not its ARM resource ID. The following command returns it:
Get-AzOperationalInsightsWorkspace -ResourceGroupName RGNAME -Name WorkspaceName | select CustomerId
Invoke-AzOperationalInsightsQuery -Query $logQuery -WorkspaceId "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" |
    select -ExpandProperty Results |
    select SubscriptionId, ActivityStatusValue, Caller, OperationNameValue, _ResourceId |
    fl *
If needed, you can also export these logs to a CSV file for further analysis.
Invoke-AzOperationalInsightsQuery -Query $logQuery -WorkspaceId "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" |
    select -ExpandProperty Results |
    select SubscriptionId, ActivityStatusValue, Caller, OperationNameValue, _ResourceId |
    Export-Csv -Delimiter "," -NoTypeInformation -Path "export.csv"
Below are some useful queries that you can use to get related logs.
Get all "write" activities performed in the last 90 days
$logQuery = @"
AzureActivity
| where TimeGenerated > ago(90d)
| where OperationNameValue contains 'write'
"@
Note that every ARM operation is logged twice, once when it starts and once when it succeeds or fails, so add a filter on ActivityStatusValue if you want one row per completed operation.
Get all logs from a specific resource group
$logQuery = @"
AzureActivity
| where ResourceGroup =~ 'latest'
"@
Get the details of public IP addresses that have been created over the past five days
$logQuery = @"
AzureActivity
| where TimeGenerated > ago(5d)
| where ResourceProviderValue =~ 'MICROSOFT.NETWORK'
    and OperationNameValue =~ 'MICROSOFT.NETWORK/PUBLICIPADDRESSES/WRITE'
    and ActivitySubstatusValue =~ 'Created'
"@
Retrieve logs from a specific category, such as Administrative, Security, Policy, or ResourceHealth
The CategoryValue column holds the Activity Log category: Administrative, ServiceHealth, ResourceHealth, Alert, Autoscale, Security, Policy, or Recommendation. Operation types such as write, action, and delete are not categories; they are the last segment of OperationNameValue, as in the queries above.
$logQuery = @"
AzureActivity
| where CategoryValue =~ 'ResourceHealth'
"@
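The queries above filter on one column at a time. As an added example covering both the query-and-run procedure from earlier and this list of useful queries (it is not code from the original article), the script below wraps Invoke-AzOperationalInsightsQuery in a small function that uses the cmdlet's -Timespan parameter instead of an ago() filter in the KQL, and runs one detection-style query over AzureActivity: successful changes to role assignments, custom role definitions, NSG rules, Key Vault access policies, and deleted diagnostic settings, summarized per caller and source IP. The workspace ID is a placeholder, the list of sensitive operations and the "more than one subscription or non-UPN caller" triage rule are choices made for this example, and the status filter accepts both spellings because the value differs between schema versions of the table.

```powershell
# Added example (not from the original article): a reusable query helper plus
# one detection-style query over the AzureActivity table.
# Assumes Connect-AzAccount has been run with read access to the workspace.

$workspaceId = '00000000-0000-0000-0000-000000000000'   # placeholder: the workspace CustomerId

function Invoke-ActivityQuery {
    param(
        [Parameter(Mandatory)][string]$Query,
        [int]$Days = 7
    )
    # -Timespan bounds the query server-side, so the KQL needs no TimeGenerated
    # filter of its own; Results is one PSObject per row, one property per column.
    $response = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $Query -Timespan ([TimeSpan]::FromDays($Days))
    $response.Results
}

# Operations that change the security posture of a subscription (this list is
# the example's own choice, not an Azure-defined set). Deleting a diagnostic
# setting is included because turning logging off is a common first step.
$sensitiveOpsQuery = @'
AzureActivity
| where CategoryValue == "Administrative"
| where ActivityStatusValue in~ ("Success", "Succeeded")   // value differs between schema versions
| where OperationNameValue in~ (
    "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE",
    "MICROSOFT.AUTHORIZATION/ROLEDEFINITIONS/WRITE",
    "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE",
    "MICROSOFT.KEYVAULT/VAULTS/ACCESSPOLICIES/WRITE",
    "MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE")
| summarize Count = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Subscriptions = dcount(SubscriptionId),
            Operations = make_set(OperationNameValue)
  by Caller, CallerIpAddress
| order by Count desc
'@

$hits = Invoke-ActivityQuery -Query $sensitiveOpsQuery -Days 30

# Triage heuristic for this example: a caller that changed more than one
# subscription, or a caller without an '@' (typically a service principal or
# managed identity rather than a user), deserves a second look.
$hits |
    Where-Object { [int]$_.Subscriptions -gt 1 -or $_.Caller -notmatch '@' } |
    Format-Table Caller, CallerIpAddress, Count, Subscriptions, FirstSeen, LastSeen -AutoSize

# Keep the full result for further analysis.
$hits | Export-Csv -Path 'sensitive-operations.csv' -NoTypeInformation
```

Because -Timespan and the KQL run against the workspace rather than a single subscription, the same call covers every subscription that forwards its Activity Log there, which is the point of the central workspace.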
Using Log Analytics workspaces for central activity monitoring is very convenient. Querying a single workspace that holds the Activity Logs of all subscriptions is the quickest way to get results across an Azure estate, and combining Kusto queries with PowerShell is a good way to automate activity log reporting.