Azure Activity Logs
Updated: Nov 14, 2019
The Azure Activity Log provides a place to store and view important events regarding your subscription. It tracks changes (create, update, delete) to the resources in your subscription, and it shows you the "who, what, and when" of the change.
Each Azure Subscription gets one Activity Log. Events in the log are stored for 90 days.
There's two ways to view the Activity Log:
You can go into a particular resource (like a Subscription, Virtual Network, etc.) and click on Activity Log in the resource's menu. This will show you only the events that pertain to that particular resource.
The other way is to go to into Azure Monitor and click on Activity Log in the menu. This will show you events from all subscriptions and resources that you have access to.
It is recommended to collect Activity Log entries in a Log Analytics Workspace using Azure Monitor. There are some major benefits in setting this up:
The biggest benefit in doing this is that Azure Monitor can store the logs for longer than 90 days. The Activity Log holds very important data, so in my opinion it is crucial to be able to view more than 90 days worth of logs.
If you have multiple subscriptions, then this can consolidate your Activity Logs from all subscriptions into one place.
You can use the powerful Kusto Query Language (KQL) in Azure Monitor to run complex queries against your Activity Log.
You can install the Activity Log Analytics solution. This solution is a set of pre-packaged queries, views, and visualizations for analyzing your Activity Log records.