
In this post, I will explain how all actions in Azure are recorded, can be archived for long term retention, and searched.
Organizations require auditing of activity for all kinds of reasons. For some, there is no choice. They have a regulatory requirement to track all activity, no matter how big or small. Even without that legal need, having a log of who has done the different tasks can be very useful.
It is useful to understand who did what and when for assigning responsibility. Perhaps you need to know who deleted a critical resource. You may need to understand when an expensive resource was deployed. I have had a situation where a customer claimed that they did not deploy something that greatly increased costs and because of that, they should not be billed for it. A quick peek into the logs and I could prove that the person complaining was the actual person that was to blame for the expensive resource being deployed. I could even say when they did it. That was followed quickly by an, “Ah! I remember now …”
Having such an audit log can also be useful for troubleshooting. Maybe something stops working at a certain time. For example, maybe a SQL Server stops responding on the network at 16:42 on Tuesday. If we have a look into the logs for what was done just before that, maybe we will see a new Network Security Group rule being introduced that blocks the traffic. We can then question the person that the log identified as the culprit to find out why this new firewall rule was created. Then, we can decide if it should be undone or another solution should be found.
All activity in your Azure tenant or subscription can be found in the Activity Log. Open the navigation bar on the left, click More Services, and search for Activity Log.
Here you can find a history of up to 90 days for every action in your Azure tenant. Do not worry, we can keep more than 90 days of activity if we need to.
The Azure Activity Log Is an Audit Trail of Actions [Image Credit: Aidan Finn]
Below I have filtered the Activity Log to look for actions on a virtual machine called vm-petri-02 in the rg-petri resource group. I can see that someone (I am innocent, I tell ya!) deleted a virtual machine and quickly recreated it. If you select the event and click JSON, you can find a lot of information about the specific event. Note the ability to save the results as a CSV file.
Searching for Azure Activities and Viewing the Details [Image Credit: Aidan Finn]
The Activity Log is useless if every administrator/operator signs in as the default administrator, for example: admin@tenant.onmicrosoft.com. In my experience, this is what people seem to be doing all too often, almost always. It is vital that this account only be used to add each administrator’s or operator’s own account. One way to do this is by having guest users come from their own tenant (Office 365), another tenant (Microsoft partners), or from a domain controller (via Azure AD Connect) to sign into Azure.
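The troubleshooting search and the shared-administrator problem described above can both be run over Activity Log events saved as JSON. This is an added example, not code from the original post; the events, user names other than the default administrator, the NSG and storage account names, and the incident date are constructed, and only a subset of the fields in a real event is used.

```python
from datetime import datetime, timedelta, timezone

RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-petri/providers/"

def _event(caller, when, operation, resource, status="Succeeded"):
    # Constructed record, trimmed to fields found in an Activity Log event's JSON.
    return {"caller": caller, "eventTimestamp": when, "operationName": {"value": operation},
            "resourceId": RG + resource, "status": {"value": status}}

# Constructed sample data: users, timestamps and the NSG/storage names are made up.
SAMPLE_EVENTS = [
    _event("admin@tenant.onmicrosoft.com", "2023-02-07T15:20:00Z",
           "Microsoft.Storage/storageAccounts/write", "Microsoft.Storage/storageAccounts/stpetriaudit"),
    _event("alice@example.com", "2023-02-07T16:05:11Z",
           "Microsoft.Compute/virtualMachines/delete", "Microsoft.Compute/virtualMachines/vm-petri-02"),
    _event("alice@example.com", "2023-02-07T16:09:40Z",
           "Microsoft.Compute/virtualMachines/write", "Microsoft.Compute/virtualMachines/vm-petri-02"),
    _event("bob@example.com", "2023-02-07T16:38:00Z",
           "Microsoft.Network/networkSecurityGroups/securityRules/write",
           "Microsoft.Network/networkSecurityGroups/nsg-petri/securityRules/deny-sql", "Started"),
    _event("bob@example.com", "2023-02-07T16:38:02.1234567Z",
           "Microsoft.Network/networkSecurityGroups/securityRules/write",
           "Microsoft.Network/networkSecurityGroups/nsg-petri/securityRules/deny-sql"),
]
INCIDENT = datetime(2023, 2, 7, 16, 42, tzinfo=timezone.utc)  # constructed "16:42 on Tuesday"

def parse_ts(value):
    # Timestamps are treated as UTC; keep only YYYY-MM-DDTHH:MM:SS so that
    # fractional seconds and a trailing "Z" or offset do not matter.
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def changes_before(events, resource_group, incident, window=timedelta(hours=1)):
    """Successful change operations in a resource group in the window before an incident."""
    marker = f"/resourcegroups/{resource_group.lower()}/"
    hits = []
    for e in events:
        ts, op = parse_ts(e["eventTimestamp"]), e["operationName"]["value"]
        if (marker in e["resourceId"].lower() and incident - window <= ts <= incident
                and e["status"]["value"] == "Succeeded"
                and op.lower().endswith(("/write", "/delete", "/action"))):
            hits.append((ts, e["caller"], op, e["resourceId"].rsplit("/", 1)[-1]))
    return sorted(hits)  # oldest first

def shared_account_events(events, shared_callers):
    """Events made under a shared sign-in, where the log cannot say which person acted."""
    shared = {c.lower() for c in shared_callers}
    return [e for e in events if e.get("caller", "").lower() in shared]

if __name__ == "__main__":
    for ts, caller, op, name in changes_before(SAMPLE_EVENTS, "rg-petri", INCIDENT):
        print(ts.isoformat(), caller, op, name)
```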
Azure will retain up to 90 days of an audit history in the Activity Log. Some organizations will need to keep this kind of history for years. Luckily, Azure makes it easy and cost effective to keep this history.
We can configure the Activity Log to export the audit trail to a storage account. I have configured a storage account as follows:
You could restrict access to this storage account by placing it into a secured resource group. I have tested this idea, but you might set up a restricted access subscription in the same tenant and place the storage account there.
Configuring retention is refreshingly simple. Open Activity Log and click Export (at the top). Then you will configure it as follows:
Configuring Retention of Azure Audit Logs [Image Credit: Aidan Finn]
Exported Azure Audit Trail [Image Credit: Aidan Finn]