Common and service-specific schemas for Azure resource logs

Note

Resource logs were previously known as diagnostic logs. The name was changed in October 2019 as the types of logs gathered by Azure Monitor shifted to include more than just the Azure resource.

This article used to list resource log categories that you can collect. That list is now at Resource log categories.

Azure Monitor resource logs are logs emitted by Azure services that describe the operation of those services or resources. All resource logs available through Azure Monitor share a common top-level schema. Each service has the flexibility to emit unique properties for its own events.

A combination of the resource type (available in the resourceId property) and the category uniquely identify a schema. This article describes the top-level schemas for resource logs and links to the schemata for each service.

Top-level common schema

Note

The schema described here is valid when resource logs are sent to Azure storage or to an event hub. When the logs are sent to a Log Analytics workspace, the column names may be different. See Standard columns in Azure Monitor Logs for columns common to all tables in a Log Analytics workspace and Azure Monitor data reference for a reference of different tables.

Name Required or optional Description
time Required The timestamp (UTC) of the event being logged.
resourceId Required The resource ID of the resource that emitted the event. For tenant services, this is of the form /tenants/tenant-id/providers/provider-name.
tenantId Required for tenant logs The tenant ID of the Active Directory tenant that this event is tied to. This property is used only for tenant-level logs. It does not appear in resource-level logs.
operationName Required The name of the operation that this event is logging, for example Microsoft.Storage/storageAccounts/blobServices/blobs/Read. The operationName is typically modeled in the form of an Azure Resource Manager operation, Microsoft.<providerName>/<resourceType>/<subtype>/<Write|Read|Delete|Action>, even if it's not a documented Resource Manager operation.
operationVersion Optional The API version associated with the operation, if operationName was performed through an API (for example, http://myservice.windowschinacloudapi.cn/object?api-version=2016-06-01). If no API corresponds to this operation, the version represents the version of that operation in case the properties associated with the operation change in the future.
category or type Required The log category of the event being logged. Category is the granularity at which you can enable or disable logs on a particular resource. The properties that appear within the properties blob of an event are the same within a particular log category and resource type. Typical log categories are Audit, Operational, Execution, and Request.

For Application Insights resource, type denotes the category of log exported.
resultType Optional The status of the logged event, if applicable. Values include Started, In Progress, Succeeded, Failed, Active, and Resolved.
resultSignature Optional The substatus of the event. If this operation corresponds to a REST API call, this field is the HTTP status code of the corresponding REST call.
resultDescription Optional The static text description of this operation; for example, Get storage file.
durationMs Optional The duration of the operation in milliseconds.
callerIpAddress Optional The caller IP address, if the operation corresponds to an API call that would come from an entity with a publicly available IP address.
correlationId Optional A GUID that's used to group together a set of related events. Typically, if two events have the same operationName value but two different statuses (for example, Started and Succeeded), they share the same correlationID value. This might also represent other relationships between events.
identity Optional A JSON blob that describes the identity of the user or application that performed the operation. Typically, this field includes the authorization and claims or JWT token from Active Directory.
level Optional The severity level of the event. Must be one of Informational, Warning, Error, or Critical.
location Optional The region of the resource emitting the event; for example, China North or China North 2.
properties Optional Any extended properties related to this category of events. All custom or unique properties must be put inside this "Part B" of the schema.

Service-specific schemas

The schema for resource logs varies depending on the resource and log category. The following list shows Azure services that make available resource logs and links to the service and category-specific schemas (where available). The list changes as new services are added. If you don't see what you need, feel free to open a GitHub issue on this article so we can update it.

Service or feature Schema and documentation
Microsoft Entra ID Overview, Audit log schema, Sign-ins schema
Azure Analysis Services Azure Analysis Services: Set up diagnostic logging
Azure API Management API Management resource logs
Azure App Service App Service logs
Azure Application Gateway Logging for Application Gateway
Azure Automation Log Analytics for Azure Automation
Azure Batch Azure Batch logging
Azure AI Search Cognitive Search monitoring data reference (schemas)
Azure AI services Logging for Azure AI services
Azure Container Instances Logging for Azure Container Instances
Azure Container Registry Logging for Azure Container Registry
Azure Cosmos DB Azure Cosmos DB logging
Azure Data Explorer Azure Data Explorer logs
Azure Data Factory Monitor Data Factory by using Azure Monitor
Azure Database for MySQL Azure Database for MySQL diagnostic logs
Azure Database for PostgreSQL Azure Database for PostgreSQL logs
Azure Databricks Diagnostic logging in Azure Databricks
Azure Event Hubs Azure Event Hubs logs
Azure ExpressRoute Monitoring Azure ExpressRoute
Azure Functions Monitoring Azure Functions Data Reference Resource Logs
Application Insights Application Insights Data Reference Resource Logs
Azure IoT Hub IoT Hub operations
Azure IoT Hub Device Provisioning Service Device Provisioning Service operations
Azure Key Vault Azure Key Vault logging
Azure Kubernetes Service Azure Kubernetes Service logging
Azure Load Balancer Log Analytics for Azure Load Balancer
Azure Logic Apps Logic Apps B2B custom tracking schema
Azure Machine Learning Diagnostic logging in Azure Machine Learning
Azure Media Services Media Services monitoring schemas
Network security groups Log Analytics for network security groups (NSGs)
Azure Power BI Embedded Logging for Power BI Embedded in Azure
Recovery Services Data model for Azure Backup
Azure SignalR Monitoring Azure SignalR Service data reference
Azure SQL Database Azure SQL Database logging
Azure Storage Blobs, Files, Queues, Tables
Azure Stream Analytics Job logs
Azure Virtual Network Schema not available
Virtual network gateways Logging for Virtual Network Gateways

Next steps