tenant_activity_logs
Creates, updates, deletes, gets or lists a tenant_activity_logs resource.
Overview
Name | tenant_activity_logs |
Type | Resource |
Id | azure.monitor.tenant_activity_logs |
Fields
The following fields are returned by SELECT queries:
- list
Successful request to get a page of events in the tenant activity logs
Name | Datatype | Description |
---|---|---|
id | string | the Id of this event as required by ARM for RBAC. It contains the EventDataID and timestamp information. |
authorization | object | The sender authorization information. |
caller | string | the email address of the user who has performed the operation, the UPN claim or SPN claim based on availability. |
category | object | The localizable string class. |
claims | object | key value pairs to identify ARM permissions. |
correlationId | string | the correlation Id, usually a GUID in the string format. The correlation Id is shared among the events that belong to the same uber operation. |
description | string | the description of the event. |
eventDataId | string | the event data Id. This is a unique identifier for an event. |
eventName | object | The localizable string class. |
eventTimestamp | string (date-time) | the timestamp of when the event was generated by the Azure service processing the request corresponding to the event. It is in ISO 8601 format. |
httpRequest | object | the HTTP request info. Usually includes the 'clientRequestId', 'clientIpAddress' (IP address of the user who initiated the event) and 'method' (HTTP method e.g. PUT). |
level | string | the event level |
operationId | string | It is usually a GUID shared among the events corresponding to single operation. This value should not be confused with EventName. |
operationName | object | The localizable string class. |
properties | object | the set of <Key, Value> pairs (usually a Dictionary<String, String>) that includes details about the event. |
resourceGroupName | string | the resource group name of the impacted resource. |
resourceId | string | the resource uri that uniquely identifies the resource that caused this event. |
resourceProviderName | object | The localizable string class. |
resourceType | object | The localizable string class. |
status | object | The localizable string class. |
subStatus | object | The localizable string class. |
submissionTimestamp | string (date-time) | the timestamp of when the event became available for querying via this API. It is in ISO 8601 format. This value should not be confused with eventTimestamp, as there might be a delay between the occurrence time of the event and the time that the event is submitted to the Azure logging infrastructure. |
subscriptionId | string | the Azure subscription Id usually a GUID. |
tenantId | string | the Azure tenant Id |
Methods
The following methods are available for this resource:
Name | Accessible by | Required Params | Optional Params | Description |
---|---|---|---|---|
list | select | | $filter, $select | Gets the Activity Logs for the Tenant. Everything that is applicable to the API to get the Activity Logs for the subscription is applicable to this API (the parameters, $filter, etc.). One thing to point out here is that this API does not retrieve the logs at the individual subscription of the tenant but only surfaces the logs that were generated at the tenant level. |
Parameters
Parameters can be passed in the WHERE clause of a query. Check the Methods section to see which parameters are required or optional for each operation.
Name | Datatype | Description |
---|---|---|
$filter | string | Reduces the set of data collected. The $filter is very restricted and allows only the following patterns. - List events for a resource group: $filter=eventTimestamp ge '<Start Time>' and eventTimestamp le '<End Time>' and eventChannels eq 'Admin, Operation' and resourceGroupName eq '<ResourceGroupName>'. - List events for resource: $filter=eventTimestamp ge '<Start Time>' and eventTimestamp le '<End Time>' and eventChannels eq 'Admin, Operation' and resourceUri eq '<ResourceURI>'. - List events for a subscription: $filter=eventTimestamp ge '<Start Time>' and eventTimestamp le '<End Time>' and eventChannels eq 'Admin, Operation'. - List events for a resource provider: $filter=eventTimestamp ge '<Start Time>' and eventTimestamp le '<End Time>' and eventChannels eq 'Admin, Operation' and resourceProvider eq '<ResourceProviderName>'. - List events for a correlation Id: api-version=2014-04-01&$filter=eventTimestamp ge '2014-07-16T04:36:37.6407898Z' and eventTimestamp le '2014-07-20T04:36:37.6407898Z' and eventChannels eq 'Admin, Operation' and correlationId eq '<CorrelationID>'. NOTE: No other syntax is allowed. |
$select | string | Used to fetch events with only the given properties. The $select argument is a comma separated list of property names to be returned. Possible values are: authorization, claims, correlationId, description, eventDataId, eventName, eventTimestamp, httpRequest, level, operationId, operationName, properties, resourceGroupName, resourceProviderName, resourceId, status, submissionTimestamp, subStatus, subscriptionId |
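
Because `$filter` accepts only the patterns listed above, the string can be assembled from validated parts instead of concatenated input. The Python code below is an added example, not part of the StackQL provider or the Azure API; the names `build_filter` and `is_documented_filter` are hypothetical, and timestamps are rendered in UTC with a trailing `Z`, as in the correlation Id pattern.

```python
import re
from datetime import datetime, timezone
from typing import Optional

# Hypothetical helpers (added example); not part of StackQL or the Azure API.
# Optional fourth-clause fields, taken from the $filter patterns listed above.
SCOPE_FIELDS = ("resourceGroupName", "resourceUri", "resourceProvider", "correlationId")

_TS = r"'\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?Z'"
_DOCUMENTED = re.compile(
    rf"eventTimestamp ge {_TS} and eventTimestamp le {_TS}"
    r" and eventChannels eq 'Admin, Operation'"
    rf"(?: and (?:{'|'.join(SCOPE_FIELDS)}) eq '[^']+')?"
)


def _utc(ts: datetime) -> str:
    """Render a timezone-aware datetime as ISO 8601 in UTC with a trailing Z."""
    if ts.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")


def build_filter(start: datetime, end: datetime,
                 field: Optional[str] = None, value: Optional[str] = None) -> str:
    """Build a $filter string in one of the documented shapes."""
    if start > end:
        raise ValueError("start must not be after end")
    clauses = [
        f"eventTimestamp ge '{_utc(start)}'",
        f"eventTimestamp le '{_utc(end)}'",
        "eventChannels eq 'Admin, Operation'",
    ]
    if field is not None:
        if field not in SCOPE_FIELDS:
            raise ValueError(f"field not allowed in $filter: {field}")
        if not value or "'" in value:
            # A quote would end the literal early and alter the filter.
            raise ValueError("value must be non-empty and free of single quotes")
        clauses.append(f"{field} eq '{value}'")
    elif value is not None:
        raise ValueError("value supplied without a field")
    return " and ".join(clauses)


def is_documented_filter(text: str) -> bool:
    """True only if text matches one of the documented patterns exactly."""
    return _DOCUMENTED.fullmatch(text) is not None
```

`is_documented_filter` can also vet a filter string received from elsewhere before it is placed in the WHERE clause.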
SELECT examples
- list
Gets the Activity Logs for the Tenant.
Everything that is applicable to the API to get the Activity Logs for the subscription is applicable to this API (the parameters, $filter, etc.).
One thing to point out here is that this API does not retrieve the logs at the individual subscription of the tenant but only surfaces the logs that were generated at the tenant level.
```sql
SELECT
  id,
  authorization,
  caller,
  category,
  claims,
  correlationId,
  description,
  eventDataId,
  eventName,
  eventTimestamp,
  httpRequest,
  level,
  operationId,
  operationName,
  properties,
  resourceGroupName,
  resourceId,
  resourceProviderName,
  resourceType,
  status,
  subStatus,
  submissionTimestamp,
  subscriptionId,
  tenantId
FROM azure.monitor.tenant_activity_logs
WHERE $filter = '{{ $filter }}'
AND $select = '{{ $select }}'
;
```