Common and service-specific schemas for Azure resource logs
Note
Resource logs were previously known as diagnostic logs. The name was changed in October 2019 as the types of logs gathered by Azure Monitor shifted to include more than just the Azure resource.
This article used to list resource log categories that you can collect. That list is now at Resource log categories.
Azure Monitor resource logs are logs emitted by Azure services that describe the operation of those services or resources. All resource logs available through Azure Monitor share a common top-level schema. Each service has the flexibility to emit unique properties for its own events.
A combination of the resource type (available in the resourceId
property) and the category uniquely identify a schema. This article describes the top-level schemas for resource logs and links to the schemata for each service.
Top-level common schema
Note
The schema described here is valid when resource logs are sent to Azure storage or to an event hub. When the logs are sent to a Log Analytics workspace, the column names may be different. See Standard columns in Azure Monitor Logs for columns common to all tables in a Log Analytics workspace and Azure Monitor data reference for a reference of different tables.
Name | Required or optional | Description |
---|---|---|
time |
Required | The timestamp (UTC) of the event being logged. |
resourceId |
Required | The resource ID of the resource that emitted the event. For tenant services, this is of the form /tenants/tenant-id/providers/provider-name. |
tenantId |
Required for tenant logs | The tenant ID of the Active Directory tenant that this event is tied to. This property is used only for tenant-level logs. It does not appear in resource-level logs. |
operationName |
Required | The name of the operation that this event is logging, for example Microsoft.Storage/storageAccounts/blobServices/blobs/Read . The operationName is typically modeled in the form of an Azure Resource Manager operation, Microsoft.<providerName>/<resourceType>/<subtype>/<Write|Read|Delete|Action> , even if it's not a documented Resource Manager operation. |
operationVersion |
Optional | The API version associated with the operation, if operationName was performed through an API (for example, http://myservice.windowschinacloudapi.cn/object?api-version=2016-06-01 ). If no API corresponds to this operation, the version represents the version of that operation in case the properties associated with the operation change in the future. |
category or type |
Required | The log category of the event being logged. Category is the granularity at which you can enable or disable logs on a particular resource. The properties that appear within the properties blob of an event are the same within a particular log category and resource type. Typical log categories are Audit , Operational , Execution , and Request . For Application Insights resource, type denotes the category of log exported. |
resultType |
Optional | The status of the logged event, if applicable. Values include Started , In Progress , Succeeded , Failed , Active , and Resolved . |
resultSignature |
Optional | The substatus of the event. If this operation corresponds to a REST API call, this field is the HTTP status code of the corresponding REST call. |
resultDescription |
Optional | The static text description of this operation; for example, Get storage file . |
durationMs |
Optional | The duration of the operation in milliseconds. |
callerIpAddress |
Optional | The caller IP address, if the operation corresponds to an API call that would come from an entity with a publicly available IP address. |
correlationId |
Optional | A GUID that's used to group together a set of related events. Typically, if two events have the same operationName value but two different statuses (for example, Started and Succeeded ), they share the same correlationID value. This might also represent other relationships between events. |
identity |
Optional | A JSON blob that describes the identity of the user or application that performed the operation. Typically, this field includes the authorization and claims or JWT token from Active Directory. |
level |
Optional | The severity level of the event. Must be one of Informational , Warning , Error , or Critical . |
location |
Optional | The region of the resource emitting the event; for example, China North or China North 2 . |
properties |
Optional | Any extended properties related to this category of events. All custom or unique properties must be put inside this "Part B" of the schema. |
Service-specific schemas
The schema for resource logs varies depending on the resource and log category. The following list shows Azure services that make available resource logs and links to the service and category-specific schemas (where available). The list changes as new services are added. If you don't see what you need, feel free to open a GitHub issue on this article so we can update it.