I have been asked many times, "How can I find out who created, deleted or modified this Azure resource?" Usually I say that if you are lucky, the Activity Log might show you. It seems you are never lucky. Here comes Log Analytics to the rescue. In this blog post I am going to show you how to link your Azure Activity Log to Log Analytics.
Let's link up
In the Azure portal navigate to the Log Analytics Workspace you want the Azure Activity Logs to go to. When you are in there, click on Azure Activity Log on the left. You may have to scroll down. It’s under the heading Workspace data Sources.
Here you will see a list of the subscriptions you have.
Click the subscription you want to add to this workspace and then click Connect on the new blade. Once connected, click the X to close the blade.
Let's do some querying
In the workspace blade click on Logs.
Now we can use a bit of KQL to find out what has happened in a resource group.
This will only show you events from after you have linked the subscription.
Here is an example of a query to find all events for a resource group called domain-controller.
AzureActivity
| where ResourceGroup == "domain-controller"
You will see something like the above. You can click on each line to find out more information about the entry.
You can create some powerful queries using KQL to find out what and when something happened to your Azure resources.
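To answer the "who created, deleted or modified this resource" question directly, the query below narrows the resource group's events to write and delete operations and groups them by caller. It is an added example, not part of the original post; the 7-day window is arbitrary, and it assumes the standard AzureActivity columns, reading both the older and newer column names because which set holds data depends on how the Activity Log was connected.

```kql
// Added example: who wrote to or deleted resources in one resource group.
// Assumption: standard AzureActivity table; the *Value columns and _ResourceId
// are the newer names, the others the older ones. Whichever is populated is used.
AzureActivity
| where TimeGenerated > ago(7d)                 // arbitrary look-back window
| where ResourceGroup =~ "domain-controller"    // =~ ignores case; the name may be stored upper-case
| extend Operation = iff(isnotempty(OperationNameValue), OperationNameValue, OperationName)
| extend Status    = iff(isnotempty(ActivityStatusValue), ActivityStatusValue, ActivityStatus)
| extend Target    = iff(isnotempty(_ResourceId), _ResourceId, ResourceId)
// Resource provider operations end in /write (create or modify) or /delete.
// endswith is case-insensitive, so upper-case operation names also match.
| where Operation endswith "/write" or Operation endswith "/delete"
| summarize Events    = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated)
    by Caller, CallerIpAddress, Operation, Status, Target
| order by LastSeen desc
```

Caller holds the user principal name or the service principal's object ID, so a GUID in that column means the change was made by an application or automation rather than a person.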
Have a go and see what you can come up with. If you have any questions, reach out in the usual ways.