Enable Exporting Activity Logs for Azure Cloud Resources

01 Sign in to the Azure Management Console.

02 Navigate to Azure Monitor blade at https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview.

03 In the blade navigation panel, under Settings, select Diagnostic settings to view the diagnostics settings available for each cloud resource provisioned within your Azure account.

04 From the Subscription filter box, select the Azure subscription that you want to examine.

05 Select the Azure cloud resource that you want to examine and check the diagnostics settings status available in the Diagnostics status column. If the diagnostics settings status is set to Disabled, activity logs are not exported for the selected Microsoft Azure cloud resource.

06 Repeat step no. 5 for each Azure cloud resource provisioned within the selected subscription.

07 Repeat steps no. 5 and 6 for each subscription created in your Microsoft Azure cloud account.

01 Run resource list command (Windows/macOS/Linux) with custom query filters to list the ID of each Azure cloud resource provisioned in the selected subscription:

az resource list
  --subscription abcdabcd-1234-abcd-1234-abcd1234abcd
  --query '[*].id'

02 The command output should return the requested resource identifiers (IDs):

[
  "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-production-vault",
  "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Storage/storageAccounts/cc-web-storage-account"
]

03 Run monitor diagnostic-settings list command (Windows/macOS/Linux) using the ID of the cloud resource that you want to examine as the identifier parameter and custom query filters to describe the active diagnostics settings available for the specified resource:

az monitor diagnostic-settings list
  --resource "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-production-vault"
  --query 'value'

04 The command output should return the requested configuration settings:

[]

05 Repeat steps no. 3 and 4 for each Azure cloud resource provisioned in the selected subscription.

06 Repeat step no. 1 – 5 for each subscription available in your Microsoft Azure cloud account.

01 Sign in to the Azure Management Console.

02 Navigate to Azure Monitor blade at https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview.

03 In the blade navigation panel, under Settings, select Diagnostic settings to view the diagnostics settings available for each cloud resource created within your Azure account.

04 From the Subscription filter box, select the Azure subscription that you want to access.

05 Click on the name of the Azure cloud resource that you want to reconfigure and choose + Add diagnostic setting. A diagnostic setting specifies a list of categories of platform logs and/or metrics that you want to collect from a cloud resource, and one or more destinations that you would like to stream them to.

06 On the Diagnostic setting setup page, perform the following actions:

1. Provide a unique name for your new diagnostic setting in the Diagnostic setting name box.
2. In the Category details section, select the log(s) or metric(s) that you want to use.
3. In the Destination details section, select one or more destinations to send the logs. For example, choose Archive to a storage account to send the logs to an Azure storage account of your choice. The storage account needs to be in the same region as the resource being monitored if the resource is regional.
4. Choose Save to apply the changes.

07 Repeat steps no. 5 and 6 for each Azure cloud resource provisioned within the selected subscription.

08 Repeat steps no. 4 – 7 for each subscription created in your Microsoft Azure cloud account.

01 Run monitor diagnostic-settings create command (Windows/macOS/Linux) to create a diagnostic setting for the specified Azure cloud resource. For example, the following command request creates a diagnostic setting named "cc-audit-diagnostic-setting" for an Azure Key Vault, that sends the collected logs to a storage account identified by the ID "abcd1234abcd1234abcd1234":

az monitor diagnostic-settings create
  --name "cc-audit-diagnostic-setting"
  --resource "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-production-vault"
  --storage-account abcd1234abcd1234abcd1234
  --logs '[
    {
      "category": "AuditEvent",
      "enabled": true,
      "retentionPolicy": {
        "enabled": true,
        "days": 365
      }
    }
  ]'

02 The command output should return the metadata available for the new diagnostic setting:

{
  "eventHubAuthorizationRuleId": null,
  "eventHubName": null,
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourcegroups/cloud-shell-storage-westeurope/providers/microsoft.keyvault/vaults/cc-production-vault/providers/microsoft.insights/diagnosticSettings/cc-audit-diagnostic-setting",
  "identity": null,
  "kind": null,
  "location": null,
  "logAnalyticsDestinationType": null,
  "logs": [
    {
      "category": "AuditEvent",
      "categoryGroup": null,
      "enabled": true,
      "retentionPolicy": {
        "days": 365,
        "enabled": true
      }
    }
  ],
  "metrics": [],
  "name": "cc-audit-diagnostic-setting",
  "resourceGroup": "cloud-shell-storage-westeurope",
  "serviceBusRuleId": null,
  "storageAccountId": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/microsoft.Storage/storageAccounts/abcd1234abcd1234abcd1234",
  "tags": null,
  "type": "Microsoft.Insights/diagnosticSettings",
  "workspaceId": null
}

03 Repeat steps no. 1 and 2 for each Azure cloud resource provisioned in the selected subscription.

04 Repeat steps no. 1 – 3 for each subscription created in your Microsoft Azure cloud account.