Azure Monitor: data generation steps for various categories of Azure Activity Logs

Question

Hello,

I am trying to set up Azure Activity Logs on my Azure Portal using Diagnostic settings. While selecting the categories for Logs generation, I have chosen as Alerts, Security, Service Health, and Autoscale(as my requirements are concerned).

I also tried to create Alert Rules, trigger some security-based events, added service health monitoring, but it did not work for me. I am still unable to receive any data in my Destination Event hub, or in the associated Storage Account. Can someone help me with how the test data should be generated corresponding to the above 4 categories? Kindly help me with the steps to generate logs from these event categories.
Also, would like to know, how much max volume of data Azure Activity Logs can generate in a single day if my Azure Account is used regularly and having normal operations.

Answer 1

HI @Swarada Jalukar ,

Welcome to Microsoft Q&A Forum, thank you for posting your query here!

Please refer to the below doc to know the requirements and limitations if we configure diagnostic settings to send the activity log to different destinations. Diagnostic settings in Azure Monitor - Azure Monitor | Microsoft Learn

Destination limitations:  1. For Storage account: > Don't use an existing storage account that has other, non-monitoring data stored in it. > The storage account needs to be in the same region as the resource being monitored if the resource is regional. > Diagnostic settings can't access storage accounts when virtual networks are enabled. You must enable Allow trusted Microsoft services to bypass this firewall setting in storage accounts so that the Azure Monitor diagnostic settings service is granted access to your storage account. > Azure DNS zone endpoints (preview) and Azure Premium LRS (locally redundant storage) storage accounts aren't supported as a log or metric destination.
2. for Event Hubs:

After you set up a diagnostic setting, data should start flowing to your selected destination(s) within 90 minutes. If you get no information within 24 hours, then you might be experiencing one of the following issues:

I. No logs are being generated.

ii. Something is wrong in the underlying routing mechanism.

Diagnostic settings in Azure Monitor - Azure Monitor | Microsoft Learn

FYI: the respective data can store in the destination as mentioned in below doc.  

Monitor Azure Event Hubs - Azure Event Hubs | Microsoft Learn

If cx has not set up the destination properly, especially the storage account and Event Hub please specify the ollowing criteria:

For Storage account: 

Select your Subscription and the Storage account where you want to store the data.

For Event Hub: 

Specify the following criteria:

• Subscription: The subscription that the event hub is part of.
• Event hub namespace: If you don't have one, you must create one.
• Event hub name (optional): The name to send all data to. If you don't specify a name, an event hub is created for each log category. If you're sending to multiple categories, you might want to specify a name to limit the number of event hubs created. For more information, see Azure Event Hubs quotas and limits.
• Event hub policy name (also optional): A policy defines the permissions that the streaming mechanism has. For more information, see Event Hubs features.

 

So, in order to receive/view the logs in the destination, we have to make sure the requirements met and specifies the destination details properly. 

Please let us know if you have any further queries. I’m happy to assist you further.   

Please do not forget to "Accept the answer” wherever the information provided helps you, this can be beneficial to other community members.