Log Types in Azure: Which Log to Check for Which Problem
Azure produces four fundamentally different categories of log data. Each answers a different kind of question about what is happening in your environment. Knowing which log to consult — and why the others will not help — saves significant time during incident response and compliance work.
The four main log types
Before going into detail on each type, here is a summary of what they are for:
- Activity Logs: Who did what to Azure resources (control plane operations). Subscription-level.
- Resource Logs (Diagnostic Logs): What happened inside an Azure resource (data plane operations). Per-resource.
- Microsoft Entra ID Logs: Who signed in, what was changed in the directory. Tenant-level.
- Platform Metrics: Numeric performance data for Azure resources (CPU, request count, latency). Per-resource.
All four types flow through Azure Monitor, which is the umbrella platform that collects, routes, and queries log and metric data. Azure Monitor provides the diagnostic settings UI, the Log Analytics query interface, and the alert rule framework for all four log types.
Comparison table
| Log Type | What it captures | Default retention | Default destination | Common use case |
|---|---|---|---|---|
| Activity Logs | Control plane operations: resource create/delete/modify, RBAC changes, policy assignments — performed by any principal | 90 days (in Azure Monitor activity log store) | Azure Monitor (built-in, no config needed) | “Who deleted this resource group?” / “Who added this role assignment?” |
| Resource Logs (Diagnostic Logs) | Data plane operations inside a specific resource: Key Vault secret reads, Storage blob access, SQL query execution, App Service HTTP requests, Function invocations | None — not collected unless you configure a diagnostic setting | Not collected by default; must be sent to Log Analytics, Storage Account, or Event Hub | ”Who read this secret from Key Vault?” / “Which HTTP requests to my app are failing?” |
| Entra ID Logs (Sign-in & Audit) | Sign-in events (interactive, non-interactive, service principal), user/group/app changes in the directory, conditional access evaluations, MFA results | 7 days (free tier) / 30 days (P1/P2) in Entra ID portal | Entra ID portal (built-in); must export to Log Analytics for longer retention or KQL queries | ”Did this user log in from an unusual country?” / “Who was added to this admin role in Entra ID?” |
| Platform Metrics | Numeric time-series data: CPU percentage, memory usage, request count, latency percentiles, storage capacity, network bytes in/out | 93 days in Azure Monitor Metrics store | Azure Monitor Metrics (built-in, no config needed) | “Is my VM running out of CPU?” / “How many requests per second is my App Service handling?” |
Activity Logs in detail
Activity logs capture the what, who, and when of control plane actions. Every subscription has them enabled automatically. They are the default starting point for investigating “something changed in my subscription.”
The Log Analytics table name is AzureActivity. A basic KQL query to see recent administrative events:
AzureActivity
| where TimeGenerated > ago(24h)
| where CategoryValue == "Administrative"
| project TimeGenerated, Caller, OperationNameValue, ActivityStatusValue, ResourceGroup
| order by TimeGenerated descKey limitation: activity logs only show control plane. If you need to know who read a blob from a storage account, activity logs will not tell you — that is a resource log. For full details on querying activity logs, see Azure Activity Logs.
Resource Logs (Diagnostic Logs) in detail
Resource logs are the most varied and most important category for application security. Every Azure resource type produces different resource logs, and they are not collected by default — you must configure a diagnostic setting for each resource.
Examples of what resource logs capture per service:
- Azure Key Vault: Every secret read, write, delete, and list operation — including who called it (the managed identity or user principal), when, and what status was returned. Table:
AzureDiagnosticsorAzureKeyVaultAuditEvent. - Azure Storage: Every blob read, write, delete operation with the authenticated identity, storage operation type, and response code. Table:
StorageBlobLogs. - Azure App Service: HTTP access logs (request method, URL, status code, response time). Table:
AppServiceHTTPLogs. - Azure SQL Database: Query execution, login attempts, failed authentication. Table:
AzureDiagnosticswith categorySQLSecurityAuditEvents. - Azure Firewall: Allowed and denied network flow logs. Table:
AzureDiagnosticsor the newerAzureFirewallNetworkRule/AzureFirewallApplicationRule.
Enabling resource logs via CLI
# Enable resource logs for a Key Vault, sending to Log Analytics
VAULT_ID=$(az keyvault show --name my-vault --resource-group my-rg --query id --output tsv)
WORKSPACE_ID=$(az monitor log-analytics workspace show \
--workspace-name my-workspace \
--resource-group my-rg \
--query id \
--output tsv)
az monitor diagnostic-settings create \
--name "keyvault-diagnostics" \
--resource "$VAULT_ID" \
--workspace "$WORKSPACE_ID" \
--logs '[
{"category": "AuditEvent", "enabled": true}
]' \
--metrics '[
{"category": "AllMetrics", "enabled": true}
]'Each Azure resource type has different log categories. What is AuditEvent for Key Vault is different from AppServiceHTTPLogs for App Service. Run az monitor diagnostic-settings categories list —resource <resource-id> to see what log categories are available for a specific resource.
Microsoft Entra ID Logs in detail
Entra ID logs are separate from Azure resource logs and activity logs. They live at the tenant level and cover identity operations — not resource management, but who is authenticating and what is changing in the directory.
There are two main categories:
- Sign-in logs: Every authentication event — interactive user logins, non-interactive logins (background token refreshes), service principal sign-ins. Includes IP address, location, device, MFA result, conditional access policy result, and risk level.
- Audit logs: Every change to directory objects — user creation/deletion, group membership changes, app registration updates, role assignments within Entra ID (not Azure RBAC), password resets, MFA registration.
By default these are visible in the Entra ID portal for 7 days (free) or 30 days (P1/P2). Export to Log Analytics for longer retention and KQL queries:
# Export Entra ID logs to Log Analytics
# Note: this is done through the Entra ID Diagnostic Settings,
# not the standard az monitor diagnostic-settings command.
# The resource ID for Entra ID diagnostic settings is:
ENTRA_RESOURCE_ID="/tenants/$(az account show --query tenantId --output tsv)/providers/microsoft.aadiam"
az monitor diagnostic-settings create \
--name "entra-id-logs" \
--resource "$ENTRA_RESOURCE_ID" \
--workspace "$WORKSPACE_ID" \
--logs '[
{"category": "SignInLogs", "enabled": true},
{"category": "AuditLogs", "enabled": true},
{"category": "NonInteractiveUserSignInLogs", "enabled": true},
{"category": "ServicePrincipalSignInLogs", "enabled": true}
]'Once in Log Analytics, sign-in logs appear in the SigninLogs table and audit logs in the AuditLogs table. These are essential for detecting suspicious sign-in patterns, which is covered in detail on the detecting suspicious activity page.
Platform Metrics in detail
Metrics are numeric, time-series measurements collected automatically for every Azure resource. Unlike logs (text/JSON events), metrics are aggregated numbers sampled at regular intervals (typically every minute). They are stored in the Azure Monitor Metrics store for 93 days and do not require any diagnostic setting to collect.
Common metric examples:
- Virtual Machines: CPU percentage, available memory bytes, disk read/write operations per second, network in/out bytes.
- App Service: Request count, average response time, HTTP 4xx/5xx error count, CPU time.
- Azure SQL: DTU consumption, storage percentage, connection count, deadlock count.
- Key Vault: Service API hit count, latency, availability.
Metrics are primarily used for performance monitoring and alert thresholds. They are less useful for security investigations (activity logs and resource logs are better there) but essential for capacity planning and SLO tracking.
You can send metrics to Log Analytics to combine them with log data in KQL queries:
# Check available metrics for a resource
az monitor metrics list-definitions \
--resource "/subscriptions/$SUBSCRIPTION_ID/resourceGroups/my-rg/providers/Microsoft.Web/sites/my-app" \
--query "[].{Name:name.value, DisplayName:name.localizedValue}" \
--output tableWhere logs can go: Log Analytics, Storage, and Event Hub
All four log types can be sent to one or more destinations simultaneously:
- Log Analytics workspace: The best choice for interactive investigation, KQL queries, and alert rules. Slightly higher cost than storage. Data is searchable immediately after ingestion.
- Azure Storage Account: The cheapest option for long-term archival. Data is stored as JSON blobs. Not queryable interactively — you must download and parse the files. Good for compliance retention requirements where the logs must be preserved but are rarely accessed.
- Azure Event Hub: For streaming logs to external systems — SIEM tools like Splunk, Microsoft Sentinel (though Sentinel has direct connectors), or custom log processing pipelines. Provides a real-time stream rather than a queryable store.
For most teams, the right setup is: Log Analytics for the last 30-90 days of active investigation data, plus a Storage Account for 1-3 years of archival. You can configure both destinations in a single diagnostic setting.
Quick reference: which log to check for each problem
- ”Who created/deleted/modified this Azure resource?” → Activity Log (
AzureActivitytable) - “Who was granted a role on this subscription?” → Activity Log, filter on
Microsoft.Authorization/roleAssignments/write - ”Who read this Key Vault secret?” → Key Vault Resource Log (
AzureKeyVaultAuditEventorAzureDiagnostics) - “Why is my App Service returning 500 errors?” → App Service Resource Logs (
AppServiceHTTPLogs,AppServiceConsoleLogs) - “Did this user log in from a new country?” → Entra ID Sign-in Logs (
SigninLogstable) - “Who was added to Global Administrator in Entra ID?” → Entra ID Audit Logs (
AuditLogstable) - “Why is my VM CPU at 100%?” → Platform Metrics (Azure Monitor Metrics, not logs)
- “Did anyone access my storage blobs without authorization?” → Storage Resource Logs (
StorageBlobLogs) - “Which network flows were blocked by my firewall?” → Azure Firewall Resource Logs (
AzureDiagnosticsor firewall-specific tables)
Common mistakes with Azure logging
- Assuming resource logs are on by default. Activity logs and metrics are collected automatically. Resource (diagnostic) logs for individual services are not. Many teams discover during an incident that the logs they need were never being collected. Enforce diagnostic settings across your subscriptions using Azure Policy with the
deployIfNotExistseffect. - Looking in the wrong log type. The most common mistake is checking activity logs to find out who read a secret, when that information is in the Key Vault resource logs. Use the quick reference above to pick the right log type before spending time in the wrong one.
- Sending all logs to Log Analytics without filtering. Azure Firewall, for example, can generate millions of log entries per hour. Sending all of them to Log Analytics without sampling or filtering can result in very high ingestion costs. Use data collection rules to filter to the specific log categories and fields you actually need.
- Not exporting Entra ID logs to Log Analytics. The default 7-day or 30-day retention in the Entra ID portal is not enough for most security investigations. By the time an incident is discovered and investigated, the relevant sign-in events may be gone. Export to Log Analytics from day one.
Summary
- Four log types: Activity Logs (control plane), Resource Logs (data plane, per-service), Entra ID Logs (identity), Platform Metrics (numeric performance data).
- Activity Logs and Platform Metrics are collected automatically; Resource Logs and Entra ID log export require diagnostic settings.
- Activity Logs default retention is 90 days; Entra ID logs 7-30 days; Platform Metrics 93 days; Resource Logs have no retention unless exported.
- Log Analytics is the best destination for interactive investigation; Storage is cheapest for archival; Event Hub is for external SIEM integration.
- Use the quick reference table to select the right log type before starting an investigation.
- Enforce resource log collection using Azure Policy with deployIfNotExists to avoid gaps during incidents.
Frequently asked questions
What is the difference between diagnostic logs and resource logs?
"Resource logs" is the current Microsoft term for what was previously called "diagnostic logs". The names are used interchangeably in documentation, and the portal still shows "Diagnostic settings" as the configuration mechanism. Both terms refer to the same thing: logs produced by individual Azure resources about their own operations (requests received, errors returned, data accessed). The name change happened around 2020 but the older term persists widely.
Do I pay for Log Analytics storage?
Yes. Log Analytics has two cost components: data ingestion (per GB ingested) and data retention (free for the first 31 days, then per GB per month after that, up to 730 days). The first 5 GB of ingestion per billing account per month is free. For high-volume environments, costs can be significant — use data collection rules to filter what gets sent to Log Analytics and send cold/archival data to a cheaper Storage Account instead.
How do I get all four log types into one place for correlation?
Send everything to the same Log Analytics workspace. Activity logs go there via a subscription-level diagnostic setting. Resource logs go there via per-resource diagnostic settings (or via Azure Policy to enforce it at scale). Entra ID audit and sign-in logs go there via the Entra ID Diagnostic Settings blade. Platform metrics can be sent there using metric diagnostic settings. Once all four are in the workspace, you can write KQL queries that join events across all log types using the correlation ID or resource ID fields.