Monitoring Azure Activity Log using OMS
Although Azure OMS is a great tool to collect and analyse logs and counters from various kinds of systems, its functionality is not limited to these. Recently, the ability to log the activity of your Azure subscription, such as resource creation, removal and delegation actions, was added to OMS.
To get such information logged in OMS, you have to connect your subscription to the workspace. Navigate to the workspace blade and select "Azure Activity Log" under "Workspace Data Sources".
The subscription is connected, so let's take the creation of a virtual machine as an example.
The query below, which searches the activity log for the resource group "BlogVirtualMachines", brings back a lot of results related to the deployment, the storage account, the networking components, the virtual machine and many others within that resource group.
Let's expand a few to see the information inside. The "Create Deployment" record shows that a deployment has started on the "BlogVirtualMachines" resource group, along with the user who started it and that user's public IP address.
The "Create or Update Virtual Machine" record shows that a virtual machine was created in the specific resource group and subscription, along with the user that submitted the request.
Role assignments are also logged. Below is the record of a successful role assignment that contains the user that submitted the request along with the IP address and more details about the request.
Having the above information collected in OMS gives you the ability to review all operations performed on the subscription, which is vital when it comes to auditing and change management.
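As an added example (not part of the original post), the audit review described above can be narrowed to the three record types discussed here: deployments, virtual machine writes and role assignments. It assumes the Kusto-based Log Analytics query language and the current `AzureActivity` column names, which may differ from what your workspace shows; the 7-day window is an arbitrary choice.

```kusto
// Added example: who created deployments, VMs or role assignments in one
// resource group, and from which IP address.
// Assumption: column names follow the current AzureActivity schema.
let auditedOperations = dynamic([
    "Microsoft.Resources/deployments/write",
    "Microsoft.Compute/virtualMachines/write",
    "Microsoft.Authorization/roleAssignments/write"
]);
AzureActivity
| where TimeGenerated > ago(7d)                      // assumed review window
| where ResourceGroup =~ "BlogVirtualMachines"       // resource group from the post
| where OperationNameValue in~ (auditedOperations)   // case-insensitive match
| where ActivityStatusValue =~ "Success"             // completed operations only
| project TimeGenerated, Caller, CallerIpAddress, OperationNameValue, _ResourceId, CorrelationId
| order by TimeGenerated desc
```

Grouping the output by `CorrelationId` ties the individual records of one deployment back together.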
Have fun!