3.8 Azure Activity Log, Diagnostics, and Resource Health
Key Takeaways
- The Azure Activity Log records all management-plane operations on resources — who did what, when, and from where.
- Activity Log events are retained for 90 days by default and can be archived to Log Analytics or Storage for longer retention.
- Diagnostic settings enable you to route platform metrics and logs to Log Analytics, Storage Accounts, or Event Hubs.
- Resource Health provides a personalized dashboard showing the current and historical health status of individual Azure resources.
- Combining Activity Log, Diagnostic Settings, and Azure Monitor Alerts creates a comprehensive monitoring strategy.
Quick Answer: Activity Log = records WHO did WHAT on your resources (audit trail). Diagnostic Settings = route metrics/logs to storage destinations. Resource Health = shows health of individual resources.
Azure Activity Log
The Activity Log (formerly Audit Log) records all management-plane (control-plane) operations on your Azure resources. It answers the questions: Who performed what action on which resource and when?
What the Activity Log Records
| Event Category | Examples |
|---|---|
| Administrative | Create VM, delete storage account, assign RBAC role |
| Service Health | Service incidents, planned maintenance events |
| Resource Health | Health status changes for your resources |
| Alert | Azure Monitor alert activations |
| Autoscale | Scale up/down events |
| Recommendation | Azure Advisor recommendations |
| Security | Microsoft Defender for Cloud alerts |
| Policy | Azure Policy evaluation events |
Activity Log Details
Each Activity Log entry includes:
- Timestamp — When the event occurred
- Caller — Who initiated the operation (user, service principal)
- Operation — What was done (Create, Delete, Update, Action)
- Status — Success, Failed, Started
- Resource — Which resource was affected
- Subscription — Which subscription
- Correlation ID — Links related events together
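The fields above are enough to rebuild an audit trail. The following sketch is an added example, not part of the original guide: it collapses events that share a Correlation ID into one who/what/when record and marks successful sensitive operations for review. The field names assume the JSON shape returned by `az monitor activity-log list`; the sample events, the placeholder subscription ID, and the `SENSITIVE` list are constructed for illustration.

```python
from collections import defaultdict

# Assumption: operations this example treats as review-worthy when they succeed.
SENSITIVE = {
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Insights/diagnosticSettings/delete",
    "Microsoft.Storage/storageAccounts/delete",
}
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder ID

def ev(ts, caller, op, status, rid, cid):
    """Build a constructed record using the field names of the CLI's JSON output."""
    return {"eventTimestamp": ts, "caller": caller, "operationName": {"value": op},
            "status": {"value": status}, "resourceId": SUB + rid, "correlationId": cid}

# Constructed sample events (not real log data), deliberately out of order.
SAMPLE = [
    ev("2024-05-01T10:00:02Z", "alice@example.com",
       "Microsoft.Authorization/roleAssignments/write", "Succeeded", "/resourceGroups/rg-demo", "c-1"),
    ev("2024-05-01T10:05:01Z", "bob@example.com",
       "Microsoft.Storage/storageAccounts/delete", "Failed", "/resourceGroups/rg-demo", "c-2"),
    ev("2024-05-01T10:00:00Z", "alice@example.com",
       "Microsoft.Authorization/roleAssignments/write", "Started", "/resourceGroups/rg-demo", "c-1"),
    ev("2024-05-01T10:05:00Z", "bob@example.com",
       "Microsoft.Storage/storageAccounts/delete", "Started", "/resourceGroups/rg-demo", "c-2"),
    ev("2024-05-01T10:10:00Z", "11111111-1111-1111-1111-111111111111",
       "Microsoft.Compute/virtualMachines/write", "Succeeded", "/resourceGroups/rg-demo", "c-3"),
]

def audit_trail(events):
    """Collapse events sharing a correlation ID into one who/what/when record."""
    chains = defaultdict(list)
    for e in events:
        chains[e["correlationId"]].append(e)
    trail = []
    for cid, chain in chains.items():
        chain.sort(key=lambda e: e["eventTimestamp"])  # ISO 8601 UTC sorts as text
        first, last = chain[0], chain[-1]
        op, outcome = last["operationName"]["value"], last["status"]["value"]
        trail.append({
            "correlation_id": cid, "when": first["eventTimestamp"], "who": first["caller"],
            "what": op, "resource": last["resourceId"], "outcome": outcome,
            # A failed or still-running sensitive operation is recorded but not flagged.
            "review": op in SENSITIVE and outcome in ("Succeeded", "Success"),
        })
    return sorted(trail, key=lambda r: r["when"])

if __name__ == "__main__":
    for r in audit_trail(SAMPLE):
        print("REVIEW" if r["review"] else "ok    ", r["when"], r["who"], r["what"], r["outcome"])
```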
Retention and Export
| Destination | Retention | Use Case |
|---|---|---|
| Azure Portal | 90 days | Quick lookup and troubleshooting |
| Log Analytics | Configurable (30 days - 2 years) | KQL queries, correlation with other logs |
| Storage Account | Unlimited (you manage lifecycle) | Long-term archival for compliance |
| Event Hubs | Real-time streaming | Integration with SIEM or third-party tools |
Diagnostic Settings
Diagnostic Settings route platform metrics and resource logs from Azure services to one or more destinations:
| Destination | Purpose |
|---|---|
| Log Analytics workspace | Query and analyze with KQL, create dashboards |
| Storage Account | Long-term archival at low cost |
| Event Hub | Stream to external SIEM or analytics tools |
| Partner solution | Send to third-party monitoring tools |
Each Azure resource type has specific diagnostic categories that can be individually enabled. For example, a Storage Account might have categories for read, write, and delete operations.
Resource Health
Resource Health provides a personalized dashboard showing whether your specific Azure resources are experiencing problems:
| Status | Meaning |
|---|---|
| Available | No issues detected — resource is functioning normally |
| Unavailable | A platform or non-platform event has impacted the resource |
| Degraded | Resource performance is reduced |
| Unknown | No health information received for 10+ minutes |
Root Cause Analysis: When a resource is unavailable, Resource Health provides:
- Whether the issue is caused by Azure (platform event) or by your configuration
- Recommended actions to resolve the issue
- Links to relevant support resources
On the Exam: Activity Log records management operations (who, what, when). Diagnostic Settings route resource-specific metrics and logs. Resource Health shows the current status of individual resources. These are distinct but complementary monitoring capabilities.
How long are Azure Activity Log events retained by default in the Azure Portal?
What does the Azure Activity Log record?
Which monitoring feature routes platform metrics and logs to Log Analytics, Storage Accounts, or Event Hubs?