Query activity log in Azure Monitor REST API
Updated: September 26, 2016
See Common parameters and headers for headers and parameters that are used by all requests related to events.
| Method | Request URI |
|---|---|
| GET | https://management.azure.com/subscriptions/{subscription-id}/providers/microsoft.insights/eventtypes/management/values?api-version={api-version}&$filter={filter-expression}&$select={comma-separated-property-names} |
Optionally, set the Accept-Encoding header to gzip, deflate to receive a compressed response.
Use {filter-expression} to reduce the set of data that you want to collect. This $filter is very restricted and allows only the following patterns. No other syntax is allowed.
List events for a resource group
$filter=eventTimestamp ge '<Start Time>' and eventTimestamp le '<End Time>' and eventChannels eq 'Admin, Operation' and resourceGroupName eq '<ResourceGroupName>'
Example:
$filter=eventTimestamp ge '2014-12-29T22:00:37Z' and eventTimestamp le '2014-12-29T23:36:37Z' and eventChannels eq 'Admin, Operation' and resourceGroupName eq 'CloudLab'
List events for a resource
$filter=eventTimestamp ge '<Start Time>' and eventTimestamp le '<End Time>' and eventChannels eq 'Admin, Operation' and resourceUri eq '<ResourceURI>'
Example:
$filter=eventTimestamp ge '2014-12-29T22:00:37Z' and eventTimestamp le '2014-12-29T23:36:37Z' and eventChannels eq 'Admin, Operation' and resourceUri eq '/subscriptions/089bd33f-d4ec-47fe-8ba5-0753aa5c5b33/resourcegroups/CloudLab/providers/Microsoft.Web/sites/mytestweb004'
List events for an Azure subscription
$filter=eventTimestamp ge '<Start Time>' and eventTimestamp le '<End Time>' and eventChannels eq 'Admin, Operation'
Example:
$filter=eventTimestamp ge '2014-12-29T22:00:37Z' and eventTimestamp le '2014-12-29T23:36:37Z' and eventChannels eq 'Admin, Operation'
List events for an Azure resource provider
$filter=eventTimestamp ge '<Start Time>' and eventTimestamp le '<End Time>' and eventChannels eq 'Admin, Operation' and resourceProvider eq '<ResourceProviderName>'
Example:
$filter=eventTimestamp ge '2014-12-29T22:00:37Z' and eventTimestamp le '2014-12-29T23:36:37Z' and eventChannels eq 'Admin, Operation' and resourceProvider eq 'Microsoft.Web'
List events for a correlation ID
api-version=2014-04-01&$filter=eventTimestamp ge '2014-07-16T04:36:37.6407898Z' and eventTimestamp le '2014-07-20T04:36:37.6407898Z' and eventChannels eq 'Admin, Operation' and correlationId eq '<CorrelationID>'
Example:
api-version=2014-04-01&$filter=eventTimestamp ge '2014-12-29T22:00:37Z' and eventTimestamp le '2014-12-29T23:36:37Z' and eventChannels eq 'Admin, Operation' and correlationId eq '07c85493-5e87-4efd-9200-0c64d904d878'
Use $select to fetch events with only a subset of the following properties:
authorization
channels
claims
correlationId
description
eventDataId
eventName
eventSource
eventTimestamp
httpRequest
level
operationId
operationName
properties
resourceGroupName
resourceProviderName
resourceUri
status
submissionTimestamp
subStatus
subscriptionId
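The filter patterns and $select list above, as an added Python example that is not part of the original reference: it builds the request URI, rejects filter fields and $select names the page does not list, refuses values that would break out of the quoted literal, and percent-encodes the expression. The function and constant names are assumptions made for illustration.

```python
from datetime import timezone
from urllib.parse import quote

BASE = "https://management.azure.com"
# Fields the documented $filter patterns allow after the time window and channels.
FILTER_FIELDS = {"resourceGroupName", "resourceUri", "resourceProvider", "correlationId"}
# Property names the page lists for $select.
SELECTABLE = {
    "authorization", "channels", "claims", "correlationId", "description",
    "eventDataId", "eventName", "eventSource", "eventTimestamp", "httpRequest",
    "level", "operationId", "operationName", "properties", "resourceGroupName",
    "resourceProviderName", "resourceUri", "status", "submissionTimestamp",
    "subStatus", "subscriptionId",
}

def fmt_ts(dt):
    """Render an aware datetime as UTC with a trailing Z, as in the page's examples."""
    if dt.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware")
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def build_filter(start, end, field=None, value=None):
    lo, hi = fmt_ts(start), fmt_ts(end)
    if start > end:
        raise ValueError("start is after end")
    expr = (f"eventTimestamp ge '{lo}' and eventTimestamp le '{hi}'"
            " and eventChannels eq 'Admin, Operation'")
    if field is not None:
        if field not in FILTER_FIELDS:
            raise ValueError(f"unsupported filter field: {field}")
        # A quote in the value would end the literal and change the expression.
        if not value or "'" in value:
            raise ValueError("value must be non-empty and contain no single quote")
        expr += f" and {field} eq '{value}'"
    return expr

def build_url(subscription_id, api_version, filter_expr, select=()):
    unknown = sorted(set(select) - SELECTABLE)
    if unknown:
        raise ValueError(f"not listed for $select: {unknown}")
    url = (f"{BASE}/subscriptions/{quote(subscription_id, safe='')}"
           "/providers/microsoft.insights/eventtypes/management/values"
           f"?api-version={quote(api_version, safe='')}"
           f"&$filter={quote(filter_expr, safe='')}")
    if select:
        url += "&$select=" + ",".join(select)
    return url
```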
Status code: 200
{
  "value": [ {
    "authorization": {
      "action": "microsoft.support/supporttickets/write",
      "role": "Subscription Admin",
      "scope": "/subscriptions/089bd33f-d4ec-47fe-8ba5-0753aa5c5b33/resourceGroups/MSSupportGroup/providers/microsoft.support/supporttickets/115012112305841"
    },
    "caller": "admin@contoso.com",
    "channels": "Operation",
    "claims": {
      "aud": "https://management.core.windows.net/",
      "iss": "https://sts.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/",
      "iat": "1421876371",
      "nbf": "1421876371",
      "exp": "1421880271",
      "ver": "1.0",
      "http://schemas.microsoft.com/identity/claims/tenantid": "1e8d8218-c5e7-4578-9acc-9abbd5d23315 ",
      "http://schemas.microsoft.com/claims/authnmethodsreferences": "pwd",
      "http://schemas.microsoft.com/identity/claims/objectidentifier": "2468adf0-8211-44e3-95xq-85137af64708",
      "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "admin@contoso.com",
      "puid": "20030000801A118C",
      "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "9vckmEGF7zDKk1YzIY8k0t1_EAPaXoeHyPRn6f413zM",
      "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "John",
      "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "Smith",
      "name": "John Smith",
      "groups": "cacfe77c-e058-4712-83qw-f9b08849fd60,7f71d11d-4c41-4b23-99d2-d32ce7aa621c,31522864-0578-4ea0-9gdc-e66cc564d18c",
      "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": " admin@contoso.com",
      "appid": "c44b4083-3bq0-49c1-b47d-974e53cbdf3c",
      "appidacr": "2",
      "http://schemas.microsoft.com/identity/claims/scope": "user_impersonation",
      "http://schemas.microsoft.com/claims/authnclassreference": "1"
    },
    "correlationId": "1e121103-0ba6-4300-ac9d-952bb5d0c80f",
    "description": "",
    "eventDataId": "44ade6b4-3813-45e6-ae27-7420a95fa2f8",
    "eventName": {
      "value": "EndRequest",
      "localizedValue": "End request"
    },
    "eventSource": {
      "value": "Microsoft.Resources",
      "localizedValue": "Microsoft Resources"
    },
    "httpRequest": {
      "clientRequestId": "27003b25-91d3-418f-8eb1-29e537dcb249",
      "clientIpAddress": "192.168.35.115",
      "method": "PUT"
    },
    "id": "/subscriptions/089bd33f-d4ec-47fe-8ba5-0753aa5c5b33/resourceGroups/MSSupportGroup/providers/microsoft.support/supporttickets/115012112305841/events/44ade6b4-3813-45e6-ae27-7420a95fa2f8/ticks/635574752669792776",
    "level": "Informational",
    "resourceGroupName": "MSSupportGroup",
    "resourceProviderName": {
      "value": "microsoft.support",
      "localizedValue": "microsoft.support"
    },
    "resourceUri": "/subscriptions/089bd33f-d4ec-47fe-8ba5-0753aa5c5b33/resourceGroups/MSSupportGroup/providers/microsoft.support/supporttickets/115012112305841",
    "operationId": "1e121103-0ba6-4300-ac9d-952bb5d0c80f",
    "operationName": {
      "value": "microsoft.support/supporttickets/write",
      "localizedValue": "microsoft.support/supporttickets/write"
    },
    "properties": {
      "statusCode": "Created"
    },
    "status": {
      "value": "Succeeded",
      "localizedValue": "Succeeded"
    },
    "subStatus": {
      "value": "Created",
      "localizedValue": "Created (HTTP Status Code: 201)"
    },
    "eventTimestamp": "2015-01-21T22:14:26.9792776Z",
    "submissionTimestamp": "2015-01-21T22:14:39.9936304Z",
    "subscriptionId": "089bd33f-d4ec-47fe-8ba5-0753aa5c5b33"
  } ],
  "nextLink": "https://management.azure.com/########-####-####-####-############$skiptoken=######"
}
| Element Name | Description |
|---|---|
| authorization | Captures the RBAC properties of the event. These usually include the “action”, “role” and “scope”. |
| caller | Is the email address of the user who performed the operation, the UPN claim, or the SPN claim, based on availability. |
| channels | Is one of the following values: “Admin”, “Operation”. |
| correlationId | Is usually a GUID in string format. Events that belong to the same uber action usually share the same correlationId. |
| description | Is static text describing an event. |
| eventDataId | Is the unique identifier of an event. |
| eventSource | Is the name of the Azure service or infrastructure that generated this event. |
| httpRequest | Usually includes the “clientRequestId”, “clientIpAddress” and “method” (HTTP method, e.g. PUT). |
| level | Is one of the following values: “Critical”, “Error”, “Warning”, “Informational” and “Verbose”. |
| resourceGroupName | Is the resource group name of the impacted resource. |
| resourceProviderName | Is the resource provider of the impacted resource. |
| resourceUri | Is the resource ID URI that uniquely identifies the resource. |
| operationId | Is usually a GUID shared among the events corresponding to a single operation. |
| operationName | Is the name of the operation. |
| properties | Is a set of <Key, Value> pairs (i.e. Dictionary<String, String>) that includes details about the event. |
| status | Is a string describing the status of the operation. Here are some of the common values for status: |
| subStatus | Usually includes the HTTP status code of the corresponding REST call, but it could also include other strings describing a substatus. Here are a few examples of common substatus values: |
| eventTimestamp | Is the timestamp of when the event was generated by the Azure service processing the request corresponding to the event. |
| submissionTimestamp | Is the timestamp of when the event became available for querying via this API. |
| subscriptionId | Is the Azure subscription GUID. |
| nextLink | A continuation token you can use to fetch the next set of results. |
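An added example, not part of the original reference, of consuming the response for audit triage: it follows nextLink until the last page, groups events by correlationId, and measures the gap between eventTimestamp and submissionTimestamp, which is how far a polling window has to reach back to avoid missing late-arriving events. The names `iter_events`, `summarize` and `fetch_json` are hypothetical; `fetch_json` stands for whatever authenticated HTTP GET the caller supplies.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

def parse_ts(s):
    # The sample timestamps carry 7 fractional digits; datetime keeps 6.
    head, _, frac = s.rstrip("Z").partition(".")
    dt = datetime.strptime(head, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return dt + timedelta(microseconds=int((frac + "000000")[:6]))

def iter_events(first_url, fetch_json, max_pages=100):
    """Yield events from every page; fetch_json(url) returns the decoded body."""
    url, seen = first_url, set()
    for _ in range(max_pages):
        if not url or url in seen:  # last page, or a link that loops back
            return
        seen.add(url)
        page = fetch_json(url)
        yield from page.get("value", [])
        url = page.get("nextLink")

def summarize(events):
    """Per correlationId: callers, client IPs, operations, statuses, worst lag."""
    groups = defaultdict(lambda: {"callers": set(), "ips": set(), "operations": set(),
                                  "statuses": set(), "max_lag_s": 0.0})
    for ev in events:
        g = groups[ev.get("correlationId", "<none>")]
        if ev.get("caller"):
            g["callers"].add(ev["caller"])
        ip = (ev.get("httpRequest") or {}).get("clientIpAddress")
        if ip:
            g["ips"].add(ip)
        for key, field in (("operations", "operationName"), ("statuses", "status")):
            value = (ev.get(field) or {}).get("value")
            if value:
                g[key].add(value)
        if ev.get("eventTimestamp") and ev.get("submissionTimestamp"):
            lag = parse_ts(ev["submissionTimestamp"]) - parse_ts(ev["eventTimestamp"])
            g["max_lag_s"] = max(g["max_lag_s"], lag.total_seconds())
    return dict(groups)

# Constructed two-page response; event 2 lacks fields, as after a narrow $select.
CID = "1e121103-0ba6-4300-ac9d-952bb5d0c80f"
PAGES = {  # keys stand in for request URLs
    "page1": {"value": [{"correlationId": CID, "caller": "admin@contoso.com",
        "httpRequest": {"clientIpAddress": "192.168.35.115", "method": "PUT"},
        "operationName": {"value": "microsoft.support/supporttickets/write"},
        "status": {"value": "Succeeded"},
        "eventTimestamp": "2015-01-21T22:14:26.9792776Z",
        "submissionTimestamp": "2015-01-21T22:14:39.9936304Z"}], "nextLink": "page2"},
    "page2": {"value": [{"correlationId": CID, "status": {"value": "Succeeded"}}]},
}
```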