Recently we announced the ability for you to export Azure audit logs data to a storage account and an event hub. You shared your feedback around having a richer experience for exploring audit logs, and we are excited to announce the improved audit logs experience in the Azure portal.
What is Azure audit logs?
Azure audit logs captures all write operations (PUT, POST, DELETE) performed on your resources. For example, you can use the audit logs to find an error when troubleshooting or to monitor how a user in your organization modified a resource. You can access the last 90 days of audit logs for free. If you need to retain a copy of audit logs data for a longer duration, you can choose the export option and route the data to your storage account. You can also stream the data to your event hub.
Here are some of the new capabilities:
- Upfront filter experience, reducing horizontal scrolling
- Graph lookup for user/service principal information
- Quick Insights
- Queries – reuse commonly-used filters
- Pin queries to dashboard
- Unified results view
- Contextual summary information
- Download CSV files
Upfront filter experience, reducing horizontal scrolling
We are bringing the main filter experience upfront, so you can filter without having to open new blades. We heard your feedback about horizontal scrolling, and we have avoided opening new blades unless it is absolutely necessary.
Graph lookup for user/service principal information
If you want to filter operations done by a specific user, you can search for that user directly in the filter experience. You don’t need to know the exact email address of the user – you can look up the user information. Behind the scenes, we perform the graph lookup from Azure Active Directory.
Graph lookup is not limited to users; it applies to service principals as well. If you have automated your scripts and deployments using service principals, you can now filter and view the entries for operations performed by a specific service principal.
Quick Insights
Quick Insights provides a way for you to get a glimpse of what is happening in your subscription(s) without having to set any filters.
By default, we provide the following insights for the selected subscriptions:
- Number of failed deployments
- Number of role assignments
- Number of errors
- Number of alerts fired
- Number of outage incidents
Clicking on any of these insights will directly fetch the results for that query and also autofill the query filters.
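The first three Quick Insights counts can be reproduced from raw event JSON, as in this added example (not code from the original post or from Azure). The field names, the operation-name strings and the rule of counting only "Succeeded" role-assignment records are assumptions, and the sample events are constructed.

```python
import json
from collections import Counter

# Constructed sample events, not real log data. Field names are assumed from the
# Activity Log event layout; compare with the JSON tab of a real entry before use.
SAMPLE_EVENTS = json.loads("""[
 {"operationName": {"value": "Microsoft.Resources/deployments/write"},
  "status": {"value": "Failed"}, "level": "Error", "caller": "alice@contoso.example"},
 {"operationName": {"value": "Microsoft.Authorization/roleAssignments/write"},
  "status": {"value": "Started"}, "level": "Informational",
  "caller": "11111111-2222-3333-4444-555555555555"},
 {"operationName": {"value": "Microsoft.Authorization/roleAssignments/write"},
  "status": {"value": "Succeeded"}, "level": "Informational",
  "caller": "11111111-2222-3333-4444-555555555555"},
 {"operationName": {"value": "microsoft.authorization/roleassignments/write"},
  "status": {"value": "Succeeded"}, "level": "Informational", "caller": "bob@contoso.example"},
 {"operationName": {"value": "Microsoft.Compute/virtualMachines/delete"},
  "status": {"value": "Failed"}, "level": "Error"}
]""")

DEPLOY_OP = "microsoft.resources/deployments/write"
ROLE_OP = "microsoft.authorization/roleassignments/write"

def _fields(event):
    """Return (operation, status, level) lower-cased plus caller, tolerating missing keys."""
    op = (event.get("operationName") or {}).get("value", "")
    status = (event.get("status") or {}).get("value", "")
    return op.lower(), status.lower(), event.get("level", "").lower(), event.get("caller", "unknown")

def quick_insights(events):
    """Count failed deployments, completed role assignments and error-level events."""
    counts = Counter(failed_deployments=0, role_assignments=0, errors=0)
    for event in events:
        op, status, level, _ = _fields(event)
        counts["failed_deployments"] += op == DEPLOY_OP and status == "failed"
        # Count only the final record so a "Started" record is not counted as well.
        counts["role_assignments"] += op == ROLE_OP and status == "succeeded"
        counts["errors"] += level == "error"
    return dict(counts)

def role_assignments_by_caller(events):
    """Group completed role assignments by caller, marking callers logged as raw IDs."""
    grouped = Counter()
    for event in events:
        op, status, _, caller = _fields(event)
        if op == ROLE_OP and status == "succeeded":
            kind = "user" if "@" in caller else "principal-id"
            grouped[(kind, caller)] += 1
    return dict(grouped)
```

Callers grouped under "principal-id" are the ones that need a directory lookup before the entry can be attributed to a named user or service principal.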
Queries – reuse commonly-used filters
You can now save your common filter patterns as queries. For example, you can create a query to show all errors in a specific resource group.
Next time you browse to audit logs, you can reuse one of our existing queries instead of setting the filters again.
Pin queries to dashboard
If you want to constantly monitor your queries, you can easily do that by pinning the queries to the dashboard!
Note that you can pin multiple queries and you can use the Azure dashboard as the single place to view everything related to monitoring, including audit log operations.
This way, you can monitor the operation count of your most common queries without even having to open the audit logs blade.
Unified results view
When you query, we show all the data together in one place. Note that we show service principal names in the caller info as well. Users can drill down into an operation if it has other related operations.
You can click on a particular operation to view its summary. If you would rather view the raw JSON data instead of the summary data, you can do that as well by clicking on the JSON tab.
Contextual summary information
We have contextual summary information for the following:
- Errors: When you click on an error, we automatically show the reason for the failure in the summary.
- Role assignments: When you click on role assignments, we automatically show who you shared your resource with in the summary.
Note that in the above screenshot, we do not show a user’s ‘PrincipalId’. Instead, we look up user information from Azure Active Directory and directly show the user information that is relevant in the current context. Similar to graph lookup, this is applicable for service principals as well.
Download CSV files
You can download the exact results you see in the portal by downloading the results as a CSV file.
What's coming up next
Moving forward, we are working to consolidate other aspects of the monitoring experience, including:
- Better ways to manage alerts
- Improved metrics experience
- Easy way to configure and view diagnostics logs
Give it a try and let us know your feedback!