Query activity log in Azure Monitor REST API

 

Updated: September 26, 2016

See Common parameters and headers for headers and parameters that are used by all requests related to events.

Method: GET

Request URI: https://management.azure.com/subscriptions/{subscription-id}/providers/microsoft.insights/eventtypes/management/values?api-version={api-version}&$filter={filter-expression}&$select={comma-separated-property-names}

Optionally set the Accept-Encoding header to gzip, deflate to receive a compressed response.

Use {filter-expression} to reduce the set of data that you want to collect. This $filter is very restricted and allows only the following patterns. No other syntax is allowed.

  • List events for a resource group

    $filter=eventTimestamp ge '<Start Time>' and eventTimestamp le '<End Time>' and eventChannels eq 'Admin, Operation' and resourceGroupName eq '<ResourceGroupName>'
    

    Example:

    $filter=eventTimestamp ge '2014-12-29T22:00:37Z' and eventTimestamp le '2014-12-29T23:36:37Z' and eventChannels eq 'Admin, Operation' and resourceGroupName eq 'CloudLab'
    
  • List events for a resource

    $filter=eventTimestamp ge '<Start Time>' and eventTimestamp le '<End Time>' and eventChannels eq 'Admin, Operation' and resourceUri eq '<ResourceURI>'
    

    Example:

    $filter=eventTimestamp ge '2014-12-29T22:00:37Z' and eventTimestamp le '2014-12-29T23:36:37Z' and eventChannels eq 'Admin, Operation' and resourceUri eq '/subscriptions/089bd33f-d4ec-47fe-8ba5-0753aa5c5b33/resourcegroups/CloudLab/providers/Microsoft.Web/sites/mytestweb004'
    
  • List events for an Azure subscription

    $filter=eventTimestamp ge '<Start Time>' and eventTimestamp le '<End Time>' and eventChannels eq 'Admin, Operation'
    

    Example:

    $filter=eventTimestamp ge '2014-12-29T22:00:37Z' and eventTimestamp le '2014-12-29T23:36:37Z' and eventChannels eq 'Admin, Operation'
    
  • List events for an Azure resource provider

    $filter=eventTimestamp ge '<Start Time>' and eventTimestamp le '<End Time>' and eventChannels eq 'Admin, Operation' and resourceProvider eq '<ResourceProviderName>'
    

    Example:

    $filter=eventTimestamp ge '2014-12-29T22:00:37Z' and eventTimestamp le '2014-12-29T23:36:37Z' and eventChannels eq 'Admin, Operation' and resourceProvider eq 'Microsoft.Web' 
    
  • List events for a correlation Id

    api-version=2014-04-01&$filter=eventTimestamp ge '2014-07-16T04:36:37.6407898Z' and eventTimestamp le '2014-07-20T04:36:37.6407898Z' and eventChannels eq 'Admin, Operation' and correlationId eq '<CorrelationID>' 
    

    Example:

    api-version=2014-04-01&$filter=eventTimestamp ge '2014-12-29T22:00:37Z' and eventTimestamp le '2014-12-29T23:36:37Z' and eventChannels eq 'Admin, Operation' and correlationId eq '07c85493-5e87-4efd-9200-0c64d904d878'
    

Use $select to fetch events with only the following properties:

  • authorization

  • channels

  • claims

  • correlationId

  • description

  • eventDataId

  • eventName

  • eventSource

  • eventTimestamp

  • httpRequest

  • level

  • operationId

  • operationName

  • properties

  • resourceGroupName

  • resourceProviderName

  • resourceUri

  • status

  • submissionTimestamp

  • subStatus

  • subscriptionId
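
The $filter patterns and the $select list above leave little room for variation, so a client can validate its inputs before sending anything. The following is an added example, not code from the original page or from the Azure SDK: the function names (`utc_stamp`, `build_filter`, `build_url`) are hypothetical, and rejecting quote characters in the scoping value is a conservative assumption of this sketch.

```python
from datetime import datetime, timezone
from urllib.parse import quote

BASE = "https://management.azure.com"
# Optional final clause: the only scoping properties the page's patterns use.
SCOPE_KEYS = {"resourceGroupName", "resourceUri", "resourceProvider", "correlationId"}
# Property names the page lists for $select.
SELECTABLE = set(
    "authorization channels claims correlationId description eventDataId "
    "eventName eventSource eventTimestamp httpRequest level operationId "
    "operationName properties resourceGroupName resourceProviderName "
    "resourceUri status submissionTimestamp subStatus subscriptionId".split())

def utc_stamp(dt):
    """Render an aware datetime in the 'YYYY-MM-DDTHH:MM:SSZ' form used above."""
    if dt.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware")
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def build_filter(start, end, scope_key=None, scope_value=None):
    """Compose one of the allowed $filter patterns; reject anything else."""
    if start > end:
        raise ValueError("start must not be after end")
    clauses = [f"eventTimestamp ge '{utc_stamp(start)}'",
               f"eventTimestamp le '{utc_stamp(end)}'",
               "eventChannels eq 'Admin, Operation'"]
    if scope_key is not None:
        if scope_key not in SCOPE_KEYS:
            raise ValueError(f"unsupported filter property: {scope_key}")
        if not scope_value or "'" in scope_value:
            # Assumption of this sketch: a quote would end the string literal.
            raise ValueError("scope value must be non-empty and quote-free")
        clauses.append(f"{scope_key} eq '{scope_value}'")
    return " and ".join(clauses)

def build_url(subscription_id, api_version, filter_expr, select=()):
    """Build the GET URI with every query value percent-encoded."""
    unknown = set(select) - SELECTABLE
    if unknown:
        raise ValueError(f"not selectable: {sorted(unknown)}")
    url = (f"{BASE}/subscriptions/{quote(subscription_id, safe='')}"
           "/providers/microsoft.insights/eventtypes/management/values"
           f"?api-version={quote(api_version, safe='')}"
           f"&$filter={quote(filter_expr, safe='')}")
    return url + ("&$select=" + ",".join(select) if select else "")
```
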

Status code: 200

{
  "value": [ {
    "authorization": {
      "action": "microsoft.support/supporttickets/write",
      "role": "Subscription Admin",
      "scope": "/subscriptions/089bd33f-d4ec-47fe-8ba5-0753aa5c5b33/resourceGroups/MSSupportGroup/providers/microsoft.support/supporttickets/115012112305841"
    },
    "caller": "admin@contoso.com",
    "channels": "Operation",
    "claims": {
      "aud": "https://management.core.windows.net/",
      "iss": "https://sts.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/",
      "iat": "1421876371",
      "nbf": "1421876371",
      "exp": "1421880271",
      "ver": "1.0",
      "http://schemas.microsoft.com/identity/claims/tenantid": "1e8d8218-c5e7-4578-9acc-9abbd5d23315 ",
      "http://schemas.microsoft.com/claims/authnmethodsreferences": "pwd",
      "http://schemas.microsoft.com/identity/claims/objectidentifier": "2468adf0-8211-44e3-95xq-85137af64708",
      "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "admin@contoso.com",
      "puid": "20030000801A118C",
      "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "9vckmEGF7zDKk1YzIY8k0t1_EAPaXoeHyPRn6f413zM",
      "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "John",
      "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "Smith",
      "name": "John Smith",
      "groups": "cacfe77c-e058-4712-83qw-f9b08849fd60,7f71d11d-4c41-4b23-99d2-d32ce7aa621c,31522864-0578-4ea0-9gdc-e66cc564d18c",
      "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": " admin@contoso.com",
      "appid": "c44b4083-3bq0-49c1-b47d-974e53cbdf3c",
      "appidacr": "2",
      "http://schemas.microsoft.com/identity/claims/scope": "user_impersonation",
      "http://schemas.microsoft.com/claims/authnclassreference": "1"
    },
    "correlationId": "1e121103-0ba6-4300-ac9d-952bb5d0c80f",
    "description": "",
    "eventDataId": "44ade6b4-3813-45e6-ae27-7420a95fa2f8",
    "eventName": {
      "value": "EndRequest",
      "localizedValue": "End request"
    },
    "eventSource": {
      "value": "Microsoft.Resources",
      "localizedValue": "Microsoft Resources"
    },
    "httpRequest": {
      "clientRequestId": "27003b25-91d3-418f-8eb1-29e537dcb249",
      "clientIpAddress": "192.168.35.115",
      "method": "PUT"
    },
    "id": "/subscriptions/089bd33f-d4ec-47fe-8ba5-0753aa5c5b33/resourceGroups/MSSupportGroup/providers/microsoft.support/supporttickets/115012112305841/events/44ade6b4-3813-45e6-ae27-7420a95fa2f8/ticks/635574752669792776",
    "level": "Informational",
    "resourceGroupName": "MSSupportGroup",
    "resourceProviderName": {
      "value": "microsoft.support",
      "localizedValue": "microsoft.support"
    },
    "resourceUri": "/subscriptions/089bd33f-d4ec-47fe-8ba5-0753aa5c5b33/resourceGroups/MSSupportGroup/providers/microsoft.support/supporttickets/115012112305841",
    "operationId": "1e121103-0ba6-4300-ac9d-952bb5d0c80f",
    "operationName": {
      "value": "microsoft.support/supporttickets/write",
      "localizedValue": "microsoft.support/supporttickets/write"
    },
    "properties": {
      "statusCode": "Created"
    },
    "status": {
      "value": "Succeeded",
      "localizedValue": "Succeeded"
    },
    "subStatus": {
      "value": "Created",
      "localizedValue": "Created (HTTP Status Code: 201)"
    },
    "eventTimestamp": "2015-01-21T22:14:26.9792776Z",
    "submissionTimestamp": "2015-01-21T22:14:39.9936304Z",
    "subscriptionId": "089bd33f-d4ec-47fe-8ba5-0753aa5c5b33"
  } ],
  "nextLink": "https://management.azure.com/########-####-####-####-############$skiptoken=######"
}

Element Name

Description

authorization

Captures the RBAC properties of the event. These usually include the “action”, “role” and “scope”.

caller

Is the email address of the user who has performed the operation, the UPN claim or SPN claim based on availability.

channels

Is one of the following values: “Admin”, “Operation”

correlationId

Is usually a GUID in string format. Events that belong to the same uber action usually share the same correlationId.

description

Is static text describing an event.

eventDataId

Is the unique identifier of an event.

eventSource

Is the name of the Azure service or infrastructure that generated this event.

httpRequest

Usually includes the “clientRequestId”, “clientIpAddress” and “method” (HTTP method e.g. PUT).

level

Is one of the following values: “Critical”, “Error”, “Warning”, “Informational” and “Verbose”.

resourceGroupName

Is the resource group name of the impacted resource.

resourceProviderName

Is the resource provider of the impacted resource

resourceUri

Is the resource id URI that uniquely identifies the resource.

operationId

Is usually a GUID shared among the events corresponding to a single operation.

operationName

Is the name of the operation

properties

Is a set of <Key, Value> pairs (i.e. Dictionary<String, String>) that includes details about the event.

status

Is a string describing the status of the operation. Here are some of the common values for status:

  • Started

  • In Progress

  • Succeeded

  • Failed

  • Active

  • Resolved

subStatus

Usually includes the HTTP status code of the corresponding REST call. But it could also include other strings describing a substatus.

Here are a few examples of common substatus values:

  • OK (HTTP Status Code: 200)

  • Created (HTTP Status Code: 201)

  • Accepted (HTTP Status Code: 202)

  • No Content (HTTP Status Code: 204)

  • Bad Request (HTTP Status Code: 400)

  • Not Found (HTTP Status Code: 404)

  • Conflict (HTTP Status Code: 409)

  • Internal Server Error (HTTP Status Code: 500)

  • Service Unavailable (HTTP Status Code: 503)

  • Gateway Timeout (HTTP Status Code: 504)

eventTimestamp

Is the timestamp of when the event was generated by the Azure service processing the request corresponding to the event.

submissionTimestamp

Is the timestamp of when the event became available for querying via this API.

subscriptionId

Is the Azure Subscription GUID.

nextLink

A continuation token you can use to fetch the next set of results.
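
A result set is complete only after every nextLink has been followed, and correlationId is what ties the events of one action together. The following is an added example, not code from the original page: `iter_events`, `audit_row`, `group_by_correlation` and `fake_fetch` are hypothetical names, the two pages are constructed sample data, and a real `fetch` would issue an authenticated GET.

```python
from collections import defaultdict
from urllib.parse import urlsplit

def iter_events(first_url, fetch):
    """Yield events from every page, following nextLink until it is absent."""
    url = first_url
    while url:
        parts = urlsplit(url)
        # nextLink comes from the response body: follow it only to the ARM host,
        # because a real fetch() attaches the bearer token to every request.
        if parts.scheme != "https" or parts.hostname != "management.azure.com":
            raise ValueError(f"refusing to follow link to {parts.hostname!r}")
        page = fetch(url)
        yield from page.get("value", [])
        url = page.get("nextLink")

def audit_row(event):
    """Flatten the fields read first in triage; absent ones become None."""
    def val(name):  # these elements are {"value", "localizedValue"} objects
        return (event.get(name) or {}).get("value")
    return {
        "time": event.get("eventTimestamp"),
        "caller": event.get("caller"),
        "ip": (event.get("httpRequest") or {}).get("clientIpAddress"),
        "action": (event.get("authorization") or {}).get("action"),
        "operation": val("operationName"),
        "status": val("status"),
    }

def group_by_correlation(events):
    """Map correlationId -> rows, in the order the API returned them."""
    groups = defaultdict(list)
    for event in events:
        groups[event.get("correlationId")].append(audit_row(event))
    return dict(groups)

# Constructed two-page response (not real data); fake_fetch stands in for an HTTP GET.
FIRST = "https://management.azure.com/constructed/page1"
PAGES = {
    FIRST: {"value": [
        {"correlationId": "corr-A", "caller": "admin@contoso.com",
         "httpRequest": {"clientIpAddress": "192.0.2.10", "method": "PUT"},
         "status": {"value": "Started"}},
        {"correlationId": "corr-B", "status": {"value": "Failed"}}],
     "nextLink": "https://management.azure.com/constructed/page2"},
    "https://management.azure.com/constructed/page2": {"value": [
        {"correlationId": "corr-A", "caller": "admin@contoso.com",
         "status": {"value": "Succeeded"}}]},
}
def fake_fetch(url):
    return PAGES[url]
```
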
