Missing ActivityLog categories in Log Analytics


Hi all,

We've connected the Activity Log of multiple subscriptions to a central Log Analytics workspace using the Activity Log Analytics solution as described here https://docs.microsoft.com/en-us/azure/azure-monitor/platform/collect-activity-logs.

 

We are trying to create some alert rules based on the Log Analytics AzureActivity data for all of our subscriptions from a central place, but it seems that not all Activity Log events get forwarded to Log Analytics. We miss almost everything except the "Administrative" category of the Activity Logs.

 

We have events for other categories like Resource Health, Security or Service Health in the Activity Log but these events are not available in Log Analytics. (Category reference: https://docs.microsoft.com/de-de/azure/azure-monitor/platform/activity-logs-overview)

 

Is this the expected behavior or am I missing something? How can we create cross-subscription alert rules for these categories of the activity logs from a central place? I really don't want to create duplicate alert rules for Activity Log events for each of our subscriptions.

 

Thanks,
Andreas

0 Replies