Down the rabbit hole – Activity log preview vs. Global Availability

I have been doing a lot lately with extracting activity logs, metrics and diagnostic logs from Azure. I noticed the change made in December when going from “Export activity log” to the Diagnostic settings way, which is used to enable sending your diagnostics and metrics to an event hub.

The old configuration is only visible when you use the “Looking for the legacy experience?” bar. This is a minor inconvenience as I do most of the configurations through the Azure CLI. For testing, I created a new PocActivityLog in the UI.

When looking with the Azure CLI, I did not see any configured logs that used the new portal, only the old ones such as “mylogprofile”.

C:\Users\XXX> az monitor log-profiles list --subscription XXXX-XXXX-XXXX-XXX-XXX
[
  {
    "categories": [
      "Delete"
    ],
    "id": "/subscriptions/XXXX-XXXX-XXXX-XXX-XXXXX/providers/microsoft.insights/logprofiles/mylogprofile",
    "identity": null,
    "kind": null,
    "location": null,
    "locations": [
      "westeurope"
    ],
    "name": "mylogprofile",
    "retentionPolicy": {
      "days": 0,
      "enabled": true
    },
    "serviceBusRuleId": "/subscriptions/XXXX-XXXX-XXXX-XXXX/resourceGroups/ProductTeam/providers/Microsoft.EventHub/namespaces/ffdfdsdfsdf/AuthorizationRules/RootManageSharedAccessKey",
    "storageAccountId": null,
    "tags": null,
    "type": null
  }
]

Browsing through resources.azure.com, I could not find it either and only saw the old “mylogprofile”.

Looking in the official documentation, no solution can be found because it points you to the statements already used. So how do you find and use the new exports? After trying some different things, it occurred to me that the way it works now is the same way as the diagnostic settings in any other resource. By querying this with the subscription as a resource, I found my newly added setting “PocActivityLog”.

C:\Users\XXX> az monitor diagnostic-settings list --resource "/subscriptions/XXXX-XXX-XXXX-XXX-XXXX"
{
  "value": [
    {
      "eventHubAuthorizationRuleId": "/subscriptions/XXXX-XXXX-XXXX-XXX-XXXX/resourceGroups/ProductTeam/providers/Microsoft.EventHub/namespaces/ffdfdsdfsdf/authorizationrules/RootManageSharedAccessKey",
      "eventHubName": "test",
      "id": "subscriptions/XXXX-XXX-XXXX-XXX-XXXX/providers/AzureResourceManager/diagnosticSettings/PocActivityLog",
      "location": "global",
      "logs": [
        {
          "category": "Administrative",
          "enabled": true,
          "retentionPolicy": null
        }
      ],
      "metrics": null,
      "name": "PocActivityLog",
      "storageAccountId": null,
      "type": null,
      "workspaceId": null
    }
  ]
}

An additional caveat is that if you want to retrieve the possible categories for a resource, you would normally do this through az monitor diagnostic-settings categories list --resource /subscriptions/XXXX-XXXX-XXXX-XXXX-XXXX. This doesn’t work, or has never worked. To get the categories for resources you are better off using the REST-API. This works only for resources and not for subscriptions. Running GET https://management.azure.com/{resourceUri}/providers/microsoft.insights/diagnosticSettingsCategories?api-version=2017-05-01-preview for subscriptions results in a status 400 Bad Request. To get the categories for subscriptions you need to run:

C:\Users> az monitor activity-log list-categories --subscription XXX-XXX-XXX-XXX
[
  {
    "localizedValue": "Administrative",
    "value": "Administrative"
  },
  {
    "localizedValue": "Security",
    "value": "Security"
  },
  {
    "localizedValue": "Service Health",
    "value": "ServiceHealth"
  },
  {
    "localizedValue": "Alert",
    "value": "Alert"
  },
  {
    "localizedValue": "Recommendation",
    "value": "Recommendation"
  },
  {
    "localizedValue": "Policy",
    "value": "Policy"
  },
  {
    "localizedValue": "Autoscale",
    "value": "Autoscale"
  },
  {
    "localizedValue": "Resource Health",
    "value": "ResourceHealth"
  }
]

To retrieve this from the REST-API you can use GET https://management.azure.com/providers/microsoft.insights/eventcategories?api-version=2015-04-01 to get an IEnumerable<LocalizableString>. This is all a bit confusing and needs some alignment to make it more sensible. For now, I hope this little article saves somebody some time.
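The three outputs above can be combined into one coverage check. The following Python is an added example, not part of the original article: it takes the parsed JSON of az monitor activity-log list-categories, az monitor log-profiles list and az monitor diagnostic-settings list, and reports which activity log categories no diagnostic setting exports and which legacy log profiles still exist. The sample data (including the "NoDestination" setting and the placeholder rule ids) and the function names are constructed for illustration.

```python
import json

# Constructed samples, shaped like the three az outputs shown in this article.
CATEGORIES = json.loads("""[{"value": "Administrative"}, {"value": "Security"},
 {"value": "ServiceHealth"}, {"value": "Alert"}, {"value": "Recommendation"},
 {"value": "Policy"}, {"value": "Autoscale"}, {"value": "ResourceHealth"}]""")
LOG_PROFILES = json.loads("""[{"name": "mylogprofile", "categories": ["Delete"],
 "serviceBusRuleId": "<constructed-rule-id>", "storageAccountId": null}]""")
DIAG_SETTINGS = json.loads("""{"value": [
 {"name": "PocActivityLog", "eventHubAuthorizationRuleId": "<constructed-rule-id>",
  "storageAccountId": null, "workspaceId": null,
  "logs": [{"category": "Administrative", "enabled": true},
           {"category": "Security", "enabled": false}]},
 {"name": "NoDestination", "eventHubAuthorizationRuleId": null,
  "storageAccountId": null, "workspaceId": null,
  "logs": [{"category": "Policy", "enabled": true}]}]}""")

DESTINATION_KEYS = ("eventHubAuthorizationRuleId", "storageAccountId", "workspaceId")

def unwrap(doc):
    """The article's output wraps settings in {"value": [...]}; also accept a bare list."""
    return doc.get("value", []) if isinstance(doc, dict) else list(doc or [])

def exported_categories(diag_doc):
    """Map each category to the settings that export it (enabled, with a destination)."""
    exported = {}
    for setting in unwrap(diag_doc):
        if not any(setting.get(key) for key in DESTINATION_KEYS):
            continue  # a setting without a destination ships nothing
        for log in setting.get("logs") or []:
            if log.get("enabled") and log.get("category"):
                exported.setdefault(log["category"], []).append(setting["name"])
    return exported

def audit(categories, profiles, diag_doc):
    """Report exported and unexported categories plus legacy profiles still present."""
    exported = exported_categories(diag_doc)
    missing = [c["value"] for c in categories if c["value"] not in exported]
    legacy = [p["name"] for p in profiles or []]
    return {"exported": exported, "missing": missing, "legacy_profiles": legacy}

if __name__ == "__main__":
    print(json.dumps(audit(CATEGORIES, LOG_PROFILES, DIAG_SETTINGS), indent=2))
```

To check a real subscription, replace the three samples with the JSON printed by the commands shown above.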
