Update (3/6/2020): There is a new method of ingesting Activity Log data into your Log Analytics Workspace. Please see this article series I wrote here for more information. The new article series discusses using the method outlined in this article as well as the new method, differences between the two, how to utilize a new Kusto Query to pull output from both methods as well as how to utilize PowerShell to export results into CSV.
Log Analytics allows the collection of diagnostic data from many Azure Resources. One of the resources Log Analytics can collect is the Azure Activity Log. Included in the Activity Log is information around Virtual Machine Creations, Updates, and Deletions.
Connecting Azure Activity Log to your Log Analytics Workspace
In order to allow a Log Analytics Workspace to capture data from the Azure Activity Log, go into your Workspace, go to Workspace Data Sources, and click on Azure Activity Log.
After clicking on Azure Activity Log, you can see whether the Azure Subscription whose Activity Log data you want to collect is connected to your Log Analytics Workspace.
Click on the Subscription, which will bring up the following dialog. Click Connect.
Once you click Connect, you will see that the Azure Activity Log for your specified Subscription is now being collected into your Log Analytics Workspace.
If you click Refresh, you can confirm that Azure Activity Log is connected to your Log Analytics Workspace.
Inserting Azure Activity Log into Log Analytics Workspace
To have data written to the Azure Activity Log and inserted into your Log Analytics Workspace, perform an administrative action. Any new administrative actions you take from this point forward will be inserted into your Log Analytics Workspace. Previous Azure Activity Log entries will not be retroactively inserted into your Log Analytics Workspace.
It can take up to 15 minutes for data to be displayed in your Log Analytics Workspace.
To view your Log Analytics data, while in your Workspace, click Logs.
This will bring up the Log Query viewer, in which you can use the Kusto Query Language (KQL) to search for data.
As we are looking for Azure Activity Log data, we can simply search for AzureActivity.
As our intent is to capture information around Virtual Machine creations and deletions, go ahead and create a Virtual Machine and then delete your Virtual Machine. Then wait up to 15 minutes to see the data appear in your Log Analytics Workspace. I won’t go through the process of creating the Virtual Machine and deleting it as that is outside the scope of this article.
Once this is complete, click Run again in the Log Query (with AzureActivity still entered as the query) and you should see new results for the Virtual Machine creation and deletion.
You will also see many other log entries, such as creating the disk, creating the deployment, and so on, and near the top the deletions, such as Delete Disk. Many of these you may not care to view; you may only be interested in the creation and deletion of the Virtual Machine itself.
Therefore, let's build a query that filters the results down to just the ones we want. The query we will use to find our Virtual Machine creations and deletions is:
AzureActivity | where (ResourceProvider == "Microsoft.Compute" and OperationName == "Delete Virtual Machine") or (OperationName == "Create or Update Virtual Machine" and ActivitySubstatusValue == "Created") | project TimeGenerated, OperationName, ActivityStatusValue, ActivitySubstatusValue, ResourceGroup, Caller
Breaking this down:
AzureActivity
View all Log Analytics data that relates to the Azure Activity Log.
| where (ResourceProvider == "Microsoft.Compute" and OperationName == "Delete Virtual Machine")
Filter to items where the Resource Provider is Microsoft.Compute (the provider Virtual Machines use) and the operation is named Delete Virtual Machine.
or (OperationName == "Create or Update Virtual Machine" and ActivitySubstatusValue == "Created")
The operation may instead be named Create or Update Virtual Machine, but only when the ActivitySubstatusValue is Created, which marks a newly created Virtual Machine rather than an update to an existing one. KQL evaluates and before or, so the query behaves the same without the parentheses, but writing them out makes the grouping explicit and protects the filter from being misread.
| project TimeGenerated, OperationName, ActivityStatusValue, ActivitySubstatusValue, ResourceGroup, Caller
If there are results, display only these columns.
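To make the grouping concrete, the following is an added Python example (not code from the original article) that applies the same where/project logic to a handful of constructed AzureActivity-shaped rows. It compares how KQL actually evaluates the clause (and binds tighter than or) with a naive left-to-right reading, which silently drops every deletion. The rows, resource group, caller and timestamps are fabricated for illustration, and treating substatus Created versus OK as "new VM" versus "update to an existing VM" is an assumption about the HTTP-status-derived substatus.

```python
"""Apply the article's AzureActivity filter to constructed sample rows.

Added example, not code from the original article. Only the columns the KQL
query touches are modelled, and every row below is fabricated.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

COMPUTE = "Microsoft.Compute"
DELETE_VM = "Delete Virtual Machine"
CREATE_OR_UPDATE_VM = "Create or Update Virtual Machine"
PROJECTED = ("TimeGenerated", "OperationName", "ActivityStatusValue",
             "ActivitySubstatusValue", "ResourceGroup", "Caller")


@dataclass(frozen=True)
class AzureActivityRow:
    """Subset of the AzureActivity table columns used by the query."""
    TimeGenerated: datetime
    ResourceProvider: str
    OperationName: str
    ActivityStatusValue: str
    ActivitySubstatusValue: str
    ResourceGroup: str
    Caller: str


def _row(hm, provider, op, status, substatus,
         rg="rg-demo", caller="ops@example.com"):
    """Build one constructed row; rg and caller are placeholder values."""
    return AzureActivityRow(datetime(2020, 3, 6, *hm, tzinfo=timezone.utc),
                            provider, op, status, substatus, rg, caller)


# Constructed sample rows (not real log data), in ingestion order.
SAMPLE_ROWS = [
    _row((9, 0), COMPUTE, CREATE_OR_UPDATE_VM, "Started", ""),             # PUT begins
    _row((9, 1), COMPUTE, "Create or Update Disk", "Succeeded", "Created"),  # OS disk, not the VM
    _row((9, 2), COMPUTE, CREATE_OR_UPDATE_VM, "Succeeded", "Created"),    # new VM (assumed HTTP 201)
    _row((9, 30), COMPUTE, CREATE_OR_UPDATE_VM, "Succeeded", "OK"),        # update to existing VM (assumed HTTP 200)
    _row((10, 0), "Microsoft.Network", "Delete Network Interface", "Succeeded", ""),
    _row((10, 1), COMPUTE, DELETE_VM, "Succeeded", ""),                    # VM removed
]


def matches_kql_precedence(row: AzureActivityRow) -> bool:
    """The article's where clause as KQL evaluates it: `and` binds tighter
    than `or`, so the delete test and the create test are independent groups."""
    return ((row.ResourceProvider == COMPUTE and row.OperationName == DELETE_VM)
            or (row.OperationName == CREATE_OR_UPDATE_VM
                and row.ActivitySubstatusValue == "Created"))


def matches_left_to_right(row: AzureActivityRow) -> bool:
    """The same clause under a naive left-to-right reading. The trailing
    substatus test now applies to deletions too, so every deletion is lost."""
    return (((row.ResourceProvider == COMPUTE and row.OperationName == DELETE_VM)
             or row.OperationName == CREATE_OR_UPDATE_VM)
            and row.ActivitySubstatusValue == "Created")


def project(rows, predicate):
    """Equivalent of `| where <predicate> | project <columns>`; keeps row order."""
    return [{col: getattr(r, col) for col in PROJECTED}
            for r in rows if predicate(r)]


def vm_lifecycle_events(rows=SAMPLE_ROWS):
    """VM creations and deletions only, as the article's query returns them."""
    return project(rows, matches_kql_precedence)


if __name__ == "__main__":
    for ev in vm_lifecycle_events():
        print(ev["TimeGenerated"].isoformat(), ev["OperationName"],
              ev["ActivitySubstatusValue"] or "-", ev["Caller"])
    print("naive left-to-right grouping keeps",
          len(project(SAMPLE_ROWS, matches_left_to_right)), "row(s)")
```

Against the constructed rows the KQL grouping keeps exactly the Succeeded/Created VM write and the VM delete, dropping the Started event, the disk write, the OK update and the network interface delete. The left-to-right grouping keeps only the creation, which is the kind of silent gap an explicit pair of parentheses prevents.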
After running our Log Query, we get the following results:
Pin the Log Query into a Shared Dashboard
Now that we have the results we want, let’s pin it to a Shared Dashboard so we can easily view the results without having to manually query in Log Analytics. Any time a Virtual Machine is created or deleted, the results will be added to the Shared Dashboard.
From the same Log Query Window, click Pin to dashboard.
Choose the shared dashboard you would like to Pin the Log Query to. If you don’t have a Shared Dashboard created already, it will ask you to create one.
The item you will see on your Dashboard looks like the following and will automatically be updated as Virtual Machines are created or deleted. If you want to edit the Log Query code, you can click on the code icon I call out in the following screenshot.