Azure Portal Logs

  • Question

  • Hello,

    I wanted to inquire if Azure has the functionality to log Azure administrator changes?  I'm basically looking for the same type of functionality that Amazon Web Services (AWS) CloudTrail provides.  Once set up, I can navigate and see who logged in and what they did while logged in (changes, deletes, creations) inside the tenant.

    Is this available in Azure and, if so, where can I go to enable it?

    Thanks,

    Eric R Post

    Wednesday, April 1, 2015 6:08 PM

Answers

  • Hi Eric,

    You may need to call the REST API to get the subscription operations logged within the specified time frame. I suggest you check this link for details.

    https://msdn.microsoft.com/en-us/library/azure/gg715318.aspx

    On the left pane you have multiple topics describing the list of operations carried out using REST API functions.

    Please check for the appropriate query that you have been looking for.

    Hope this helps you.

    Girish Prajwal

    • Marked as answer by Sowmya K R Tuesday, April 14, 2015 10:56 AM
    Friday, April 10, 2015 8:20 PM
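
    An added example, not part of the original thread and not Microsoft's code: one way to turn the subscription-operations response from the REST API into RFC 5424 syslog lines for a SIEM, which is what the follow-up questions ask for. The XML namespace and element names are assumptions about the response shape and should be checked against the linked reference; the sample response, operation names, host name and the `azop@32473` structured-data ID are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Assumed namespace and element names for the operations response.
NS = {"a": "http://schemas.microsoft.com/windowsazure"}

# Constructed sample response: every value below is made up.
SAMPLE = """<SubscriptionOperationCollection xmlns="http://schemas.microsoft.com/windowsazure">
 <SubscriptionOperations>
  <SubscriptionOperation>
   <OperationId>op-0001</OperationId>
   <OperationName>DeleteVirtualMachine</OperationName>
   <OperationCaller><UserEmailAddress>admin@example.com</UserEmailAddress>
    <ClientIP>203.0.113.10</ClientIP></OperationCaller>
   <OperationStartedTime>2015-04-10T15:02:11Z</OperationStartedTime>
  </SubscriptionOperation>
  <SubscriptionOperation>
   <OperationId>op-0002</OperationId>
   <OperationName>ListVirtualNetworks</OperationName>
   <OperationCaller><UserEmailAddress>ops@example.com&#10;forged</UserEmailAddress>
    <ClientIP>198.51.100.7</ClientIP></OperationCaller>
   <OperationStartedTime>2015-04-10T15:05:40Z</OperationStartedTime>
  </SubscriptionOperation>
 </SubscriptionOperations>
</SubscriptionOperationCollection>"""

CHANGE = re.compile(r"^(Create|Delete|Update|Set|Shutdown|Start)", re.I)

def parse_operations(xml_text):
    """Return one dict per SubscriptionOperation element."""
    fields = {"id": "a:OperationId", "name": "a:OperationName",
              "user": "a:OperationCaller/a:UserEmailAddress",
              "ip": "a:OperationCaller/a:ClientIP", "time": "a:OperationStartedTime"}
    return [{k: (op.findtext(p, "", NS) or "-") for k, p in fields.items()}
            for op in ET.fromstring(xml_text).iterfind(".//a:SubscriptionOperation", NS)]

def token(value):
    """Header fields: printable ASCII without spaces, '-' when empty."""
    return re.sub(r"[^\x21-\x7e]", "", value) or "-"

def sd_value(value):
    """Structured-data values: drop control characters, escape quote, backslash, ]."""
    return re.sub(r'(["\\\]])', r"\\\1", re.sub(r"[\x00-\x1f\x7f]", " ", value))

def to_syslog(op, host="oplog-collector"):
    """RFC 5424 line, facility 13 (log audit); changes are raised to warning."""
    pri = 13 * 8 + (4 if CHANGE.match(op["name"]) else 6)
    sd = '[azop@32473 id="%s" user="%s" ip="%s"]' % tuple(
        sd_value(op[k]) for k in ("id", "user", "ip"))
    return "<%d>1 %s %s azure-oplog - %s %s" % (
        pri, token(op["time"]), host, token(op["name"]), sd)
```

    The second sample record carries a newline in the caller field; `sd_value` flattens it so a caller-controlled value cannot split one audit event into two syslog lines.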

All replies

  • Hi

    Yes, it has logs at both the Application level and the Service/Website level, and you can set them both to Verbose, Information, Warning or Errors.

    And for the place it dumps the logs, you can choose to put them in Azure Table storage, Blob storage or Disk.

    Regards

    Aram

    Thursday, April 2, 2015 3:24 AM
  • Thank you for the response, Aram.  Where can I go to configure the logging?  Can I see things such as when someone has logged into our Azure instance?  

    Also, is it possible to send the logs to a logging solution?  Like using Syslog to send them to a SIEM?

    Eric

    Thursday, April 2, 2015 12:44 PM
  • Hi Girish,

    I don't think I am conveying myself.  The links above relate to website and application logs.  I don't need those types of logs.  As I initially stated, I am looking for logging that is analogous to CloudTrail in Amazon Web Services (AWS).

    For example, does Azure have the capability to log the following actions an Azure user takes:

    - An Azure Virtual Network is Created/Deleted/Modified

    - An Azure Virtual Machine is Powered On/Off

    - An Azure Virtual Machine is Created/Deleted

    Please let me know if that is possible or not.  Your help is greatly appreciated.

    Thank you,

    Eric


    Eric R Post

    Thursday, April 9, 2015 7:16 PM
  • Hi,

    Thank you for the detailed information about the portal logs on what you are looking for.

    On the Azure Portal (http://manage.windowsazure.com), go to Management Services, then select the subscription, date and time according to your requirement, along with the service you need the logs for. It will give you the complete details.

    Let us know if you are looking for something else.

    Girish Prajwal

    Friday, April 10, 2015 12:53 PM
  • Thank you for the quick response, Girish.  Those types of logs (under Operation Logs) are exactly what I'm looking for.  I have a couple more questions please:

    - Is it possible to have those sent to a different location?  As an example, is there syslog functionality that I could enable to get those logs to a syslog server or a Security Incident/Event Manager (SIEM)?

    - Is it possible to create alerts (email or text, for example) for those alerts found in the Operation Log?  As an example, can I be alerted when someone creates/deletes/modifies a Gateway, Virtual Machine, Virtual Network, etc.?

    Again, thank you for your help.  I'm trying to configure Azure with the best functionality for our enterprise and appreciate your input.


    Eric R Post

    Friday, April 10, 2015 3:51 PM
  • Hi,

    I am glad that your previous issue was resolved.

    Here is my suggestion for the question you asked.

    - Is it possible to have those sent to a different location?  As an example, is there syslog functionality that I could enable to get those logs to a syslog server or a Security Incident/Event Manager (SIEM)?

    I didn't understand it correctly. To my understanding, you want to move the syslogs to a different location (when you say location, is it region-specific or within Azure VMs?).

    - Is it possible to create alerts (email or text, for example) for those alerts found in the Operation Log?  As an example, can I be alerted when someone creates/deletes/modifies a Gateway, Virtual Machine, Virtual Network, etc.?

    You can set alerts on Azure Management Services - you can refer to https://msdn.microsoft.com/en-us/library/azure/dn306639.aspx

    Hope this helps you.

    Girish Prajwal

    Friday, April 10, 2015 6:02 PM
  • Hi Girish,

    What I was looking for was the ability to send the Operation Logs to a different IP address of my choosing.  This would allow me to get all the Operation Logs into a different server, that is not on Azure.  I used syslog as an example, but I would like to be able to somehow get the logs out of Azure and into a different server.  This is for security tracking and correlation purposes.

    Does Azure have this functionality?  If not, is it in the works?  Thanks.


    Eric R Post

    Friday, April 10, 2015 7:10 PM
  • A year ago I read that this type of export or some type of programmatic access was on the roadmap, but not necessarily in the works yet. Maybe if enough of us voted, it would happen faster.

    http://feedback.azure.com/forums/34192--general-feedback


    • Edited by KloopDogg Friday, April 10, 2015 8:17 PM
    Friday, April 10, 2015 8:16 PM