SOLVED

Azure Activity Log Retention

%3CLINGO-SUB%20id%3D%22lingo-sub-1130266%22%20slang%3D%22en-US%22%3EAzure%20Activity%20Log%20Retention%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1130266%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20All%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EWe%20are%20exporting%20activity%20logs%20to%20a%20separate%20storage%20account%20based%20on%20the%20new%20method%20of%20selecting%20diagnostic%20settings%20(refer%20attached%20screenshot)%20however%20I%20don't%20see%20an%20option%20to%20setup%20retention.%20Does%20that%20mean%20activity%20logs%20will%20retain%20in%20storage%20account%20indefinitely%3F%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EAppreciate%20your%20response.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3ERegards%2C%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EJagadeesh%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1130595%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20Activity%20Log%20Retention%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1130595%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F532840%22%20target%3D%22_blank%22%3E%40Jagadt%3C%2FA%3E%2C%20Azure%20Blob%20Storage%20supports%20retention%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fstorage%2Fblobs%2Fstorage-lifecycle-management-concepts%3Ftabs%3Dazure-portal%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3Elifecycle%20policies%3C%2FA%3E%2C%20where%20you%20can%20specify%20a%20%22delete%20after%20X%20days%22%20policy%20for%20your%20blobs.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHaving%20said%20that%2C%20despite%20not%20seeing%20any%20retention%20option%20when%20configuring%20Activity%20Log%20export%20to%20Azure%20Storage%2C%20you%20can%20implement%20your%20own%20policy%20in%20the%20Storage%20Account%20itself.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHope%20that%20helps!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1130607%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20Activity%20Log%20Retention%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1130607%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F453722%22%20target%3D%22_blank%22%3E%40hspinto%3C%2FA%3E%26nbsp%3B-%20Thanks%20for%20your%20response.%20Yes%20I%20agree%20with%20storage%20lifecycle%20policy%2C%20however%20we%20do%20have%20option%20to%20set%20up%20retention%20while%20exporting%20NSG%20flow%20logs%20(through%20Network%20watcher)%20to%20these%20storage%20account%20v2%20.%20This%20enabling%20us%20to%20see%20this%20retention%20policy%20rule%20automatically%20created%20under%20storage%20lifecyle%20policy.%20So%20not%20sure%20why%20we%20don't%20have%20such%20option%20while%20enabling%20retention%20at%20activity%20log%20level%20which%20would%20have%20created%20retention%20policy%20rule%20automatically%3F%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESecond%20Question%3A%20I%20am%20enabling%20immutable%20storage%20policy%20by%20setting%20up%20lock%20time%20based%20retention%20policy%20for%20365%20days%20and%20then%20parallely%20I%20am%20enabling%20storage%20lifecycle%20policy%20having%20to%20delete%20blob%20after%20365%20days.%20Which%20one%20will%20take%20precedence%20or%20how%20does%20it%20work%3F%20Any%20ideas%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1130625%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20Activity%20Log%20Retention%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1130625%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F532840%22%20target%3D%22_blank%22%3E%40Jagadt%3C%2FA%3E%2C%20the%20storage%20retention%20configuration%20options%20between%20Activity%20Log%20and%20NSG%20Flow%20Logs%20are%20not%20consistent%2C%20as%20you%20stated.%20A%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Fplatform%2Fdiagnostic-settings-legacy%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3Erecent%20document%3C%2FA%3E%20confirms%20that%20Activity%20Logs%20are%20retained%20forever%20in%20Storage%20Accounts.%20However%2C%20there%20might%20be%20some%20good%20reason%20for%20that.%20For%20example%2C%20NSG%20Flow%20Logs%20also%20had%20recently%2C%20during%20some%20weeks%2C%20no%20retention%20options%20available%2C%20until%20it%20became%20available%20again%20with%20storage%20lifecycle%20integration.%20So%20I%20believe%20that%20sooner%20or%20later%20the%20same%20will%20happen%20to%20Activity%20Log.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ERegarding%20the%20second%20question%2C%20immutable%20time-based%20locked%20policies%20will%20take%20precedence%20over%20lifecycle%20management%20policies.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1130627%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20Activity%20Log%20Retention%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1130627%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F453722%22%20target%3D%22_blank%22%3E%40hspinto%3C%2FA%3E%26nbsp%3B-%20Thanks%20for%20the%20clarification.%20Based%20on%20the%20consideration%20referred%20in%20the%20article%2C%20it%20says%20the%20below%20but%20can%20we%20apply%20lifetime%20policy%20to%20delete%20the%20blob%20based%20on%20the%20retention%20duration%2C%20for%20example%20delete%20blob%20after%20365%20days%3F%3C%2FP%3E%3CUL%3E%3CLI%3EThe%20retention%20setting%20for%20collecting%20the%20Activity%20log%20to%20Azure%20storage%20has%20been%20removed%20meaning%20that%20data%20will%20be%20stored%20indefinitely%20until%20you%20remove%20it.%3C%2FLI%3E%3C%2FUL%3E%3CP%3ERegards%2C%3C%2FP%3E%3CP%3EJagadeesh%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1130628%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20Activity%20Log%20Retention%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1130628%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F532840%22%20target%3D%22_blank%22%3E%40Jagadt%3C%2FA%3E%2C%26nbsp%3Byes%2C%20absolutely%2C%20you%20can%26nbsp%3B%3CSPAN%3Eapply%20lifetime%20policy%20to%20delete%20the%20blob%20based%20on%20the%20retention%20duration.%3C%2FSPAN%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1130636%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20Activity%20Log%20Retention%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1130636%22%20slang%3D%22en-US%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F453722%22%20target%3D%22_blank%22%3E%40hspinto%3C%2FA%3E%20-%20Thanks%20a%20lot%20for%20your%20clarification%20%26amp%3B%20quick%20support%3C%2FLINGO-BODY%3E
Occasional Contributor

Hi All,

 

We are exporting activity logs to a separate storage account based on the new method of selecting diagnostic settings (refer attached screenshot) however I don't see an option to setup retention. Does that mean activity logs will retain in storage account indefinitely?

 

Appreciate your response.

 

Regards,

Jagadeesh

6 Replies

@Jagadt, Azure Blob Storage supports retention lifecycle policies, where you can specify a "delete after X days" policy for your blobs.

 

Having said that, despite not seeing any retention option when configuring Activity Log export to Azure Storage, you can implement your own policy in the Storage Account itself.

 

Hope that helps!

@hspinto - Thanks for your response. Yes I agree with storage lifecycle policy, however we do have option to set up retention while exporting NSG flow logs (through Network watcher) to these storage account v2 . This enabling us to see this retention policy rule automatically created under storage lifecyle policy. So not sure why we don't have such option while enabling retention at activity log level which would have created retention policy rule automatically??

 

Second Question: I am enabling immutable storage policy by setting up lock time based retention policy for 365 days and then parallely I am enabling storage lifecycle policy having to delete blob after 365 days. Which one will take precedence or how does it work? Any ideas?

best response confirmed by Jagadt (Occasional Contributor)
Solution

@Jagadt, the storage retention configuration options between Activity Log and NSG Flow Logs are not consistent, as you stated. A recent document confirms that Activity Logs are retained forever in Storage Accounts. However, there might be some good reason for that. For example, NSG Flow Logs also had recently, during some weeks, no retention options available, until it became available again with storage lifecycle integration. So I believe that sooner or later the same will happen to Activity Log.

 

Regarding the second question, immutable time-based locked policies will take precedence over lifecycle management policies.

@hspinto - Thanks for the clarification. Based on the consideration referred in the article, it says the below but can we apply lifetime policy to delete the blob based on the retention duration, for example delete blob after 365 days?

  • The retention setting for collecting the Activity log to Azure storage has been removed meaning that data will be stored indefinitely until you remove it.

Regards,

Jagadeesh

@Jagadt, yes, absolutely, you can apply lifetime policy to delete the blob based on the retention duration. 

@hspinto - Thanks a lot for your clarification & quick support