Azure Activity Log Analytics alerts with Operations Management Suite

A common request from customers is how they can get insight into changes made in their environment and be notified when those changes happen. The Azure Activity Log captures all actions against the Azure Resource Manager providers and is a powerful tool for searching your activity in Azure. On its own, the Azure Activity Log can be configured with webhooks to set up alerts such as email, but OMS integration can provide a richer single view and consolidation of the logs and alerts, especially if you are working with multiple subscriptions.

Add Azure Activity Log Analytics solution to OMS

The Activity Log Analytics solution is available in any tier of OMS, including the Free Tier. The Free Tier has shorter log retention and less storage, but depending on your environment it should be sufficient for sending out notifications, since in this scenario we are more interested in notifications as they occur than in a historical audit.

To add the solution, go to the OMS Workspace Portal, browse the Solutions Gallery, locate the Activity Log Analytics solution and add it to the workspace.

After the solution has been added to the workspace you can configure any additional subscriptions whose activity logs you would like the OMS workspace to process. From the Azure Portal, select “Log Analytics” and click on your workspace.

From the following menu you can connect other subscriptions so that their activity logs are sent to the OMS Workspace and processed by Activity Log Analytics.

After this is done, from your OMS Workspace you should see that Azure Activity Log data is being collected.

Configuring notifications for Azure Activity Logs

To enable an alert notification for any particular activity, use the Log Search within the Activity Log solution. This is the same search capability that is available from the Azure portal, but within the OMS solution you have the added benefit of configuring the alert based on your search query. Additionally, as pointed out in the previous section, you can aggregate data from multiple subscriptions into the same OMS workspace, which greatly simplifies configuring alerts across your environment.

In this example, we will configure alerts for any changes to network configuration. In Log Search, enter the query:

Type=AzureActivity ResourceProvider="Microsoft.Network"

This will return all activities against the Microsoft.Network resource provider. Click on the Alert button at the top to configure the alert notification.

Configure the alert based on your requirements. For example, if you configure the following:

Search Query: Type=AzureActivity ResourceProvider="Microsoft.Network"

Time Window: 15 Minutes

Alert Frequency: 15 Minutes

Generate Alert based on: Number of results greater than 1

This will run the query for any changes to the network provider within the last 15 minutes, and an alert will only be sent out if an event occurs. Each subsequent email will only include the activities for the preceding 15 minutes. This is quite aggressive, but it would give you an almost immediate notification that a change has been made. Depending on your environment you can configure these alerts to meet your requirements, and because the search criteria are very granular it is possible to set up multiple alerts. For example, you could have a daily email alert of all network changes for the day, while for very sensitive resources you could set up an alert that notifies every 15 minutes if changes have been made.
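To make the time window, alert frequency and threshold semantics concrete, here is an added Python simulation (example code, not from the original post and not OMS itself) that evaluates the page's query against constructed AzureActivity records on a 15-minute schedule. Field names follow the AzureActivity type, but the records and timestamps are made up; the run at 09:45 shows that with "Number of results greater than 1" a window containing a single network change does not fire.

```python
from datetime import datetime, timedelta
# Constructed sample records (not real tenant data) shaped like the OMS
# AzureActivity type that the page's query targets.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2017-03-01T09:02:00Z", "Type": "AzureActivity",
     "ResourceProvider": "Microsoft.Network",
     "OperationName": "Microsoft.Network/networkSecurityGroups/securityRules/write"},
    {"TimeGenerated": "2017-03-01T09:05:00Z", "Type": "AzureActivity",
     "ResourceProvider": "Microsoft.Compute",
     "OperationName": "Microsoft.Compute/virtualMachines/start/action"},
    {"TimeGenerated": "2017-03-01T09:11:00Z", "Type": "AzureActivity",
     "ResourceProvider": "Microsoft.Network",
     "OperationName": "Microsoft.Network/virtualNetworks/write"},
    {"TimeGenerated": "2017-03-01T09:40:00Z", "Type": "AzureActivity",
     "ResourceProvider": "Microsoft.Network",
     "OperationName": "Microsoft.Network/publicIPAddresses/delete"},
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def matches_query(event):
    """Equivalent of: Type=AzureActivity ResourceProvider="Microsoft.Network"."""
    return (event["Type"] == "AzureActivity"
            and event["ResourceProvider"] == "Microsoft.Network")

def evaluate_alert(events, run_at, window_minutes=15, threshold=1):
    """One scheduled run: keep query matches in (run_at - window, run_at] and
    fire only when the count is greater than `threshold`, mirroring the page's
    'Number of results greater than 1' setting."""
    start = run_at - timedelta(minutes=window_minutes)
    hits = [e for e in events if matches_query(e)
            and start < parse_ts(e["TimeGenerated"]) <= run_at]
    return {"fired": len(hits) > threshold, "hits": hits}

def simulate_schedule(events, first_run, runs, frequency_minutes=15):
    """Run the alert every `frequency_minutes` with a window of the same size,
    so each notification covers only the preceding interval."""
    results = []
    for i in range(runs):
        run_at = first_run + timedelta(minutes=frequency_minutes * i)
        outcome = evaluate_alert(events, run_at, frequency_minutes)
        results.append((run_at.strftime("%H:%M"), outcome["fired"],
                        [h["OperationName"] for h in outcome["hits"]]))
    return results

if __name__ == "__main__":
    for run in simulate_schedule(SAMPLE_EVENTS, parse_ts("2017-03-01T09:15:00Z"), 3):
        print(run)
```

Lowering the threshold to "greater than 0" makes the 09:45 run fire on the single deletion, which is the behaviour the paragraph above describes for sensitive resources.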

After you have configured your alerts you will start receiving the notification emails from OMS.