Azure Event Hubs
An Azure real-time data ingestion service.
636 questions
Azure Activity Logs for Management Group and Subscription creation/deletion do not match the expected schema
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(300.8, 45%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
shrinjay mukherjee
0
Reputation points
I have a diagnostic setting set up for my root management group:
{
"id": "providers/Microsoft.Management/managementGroups/MY-ROOT-MANAGEMENT-GROUP-ID/providers/microsoft.insights/diagnosticSettings/ManagementSetting",
"type": "Microsoft.Insights/diagnosticSettings",
"name": "ManagementSetting",
"location": "global",
"properties": {
"eventHubAuthorizationRuleId": "/subscriptions/XXXXXX/resourceGroups/XXXXXX/providers/Microsoft.EventHub/namespaces/XXXXXX/authorizationrules/eventHubAuthzRule",
"eventHubName": "XXXXXX",
"logs": [
{
"category": "Administrative",
"enabled": true,
"categoryGroup": null
},
{
"category": "Policy",
"enabled": false,
"categoryGroup": null
}
]
}
},
and using this, I'm able to get activity log events for resource group creation/deletion etc. However, I have two exceptions:
- Creating a Management Group
- Creating a Subscription
In these two cases, I get a very different log format in my event hub. For example if I create a subscription:
{
"tenantId": "XXXXXX",
"correlationId": "32ea4f85-0ad1-40c3-aef5-93b746135f7c",
"time": "2024-09-30T17:24:16.3227927Z",
"resourceId": "/subscriptions/ec1c689a-ccdd-49f3-8d1c-9a573317e46a",
"category": "Administrative",
"operationName": "Microsoft.Management",
"resultType": "Succeeded",
"properties": {
"entity": "ec1c689a-ccdd-49f3-8d1c-9a573317e46a",
"message": "Entity ec1c689a-ccdd-49f3-8d1c-9a573317e46a is created with parent entity EventsManagementGroup",
"hierarchy": "XXXXXX/EventsManagementGroup/XXXXXX"
}
},
Notice how the operationName is Microsoft.Management .
What is interesting is if I open my Activity Log and select the parent management group in the management group dropdown, I get this specific format of log. However, if I select the subscription (ec1c689a-ccdd-49f3-8d1c-9a573317e46a), I can see the expected log format:
{
"authorization": {},
"caller": "tester@XXXXX.com",
"channels": "Operation",
"claims": {
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/spn": "tester@test.com"
},
"correlationId": "\"CorrelationId\":\"a6003b48-68ea-4036-8f83-6ba533c6de04\"",
"description": "",
"eventDataId": "346b234d-ee23-896e-5c31-5ddd51d96c8e",
"eventName": {
"value": "",
"localizedValue": ""
},
"category": {
"value": "Security",
"localizedValue": "Security"
},
"eventTimestamp": "2024-09-30T17:23:49.916568Z",
"id": "/SUBSCRIPTIONS/EC1C689A-CCDD-49F3-8D1C-9A573317E46A/events/346b234d-ee23-896e-5c31-5ddd51d96c8e/ticks/638633138299165680",
"level": "Informational",
"operationId": "",
"operationName": {
"value": "Microsoft.Subscription/Subscriptions/write",
"localizedValue": "Create subscription"
},
"resourceGroupName": "",
"resourceProviderName": {
"value": "",
"localizedValue": ""
},
"resourceType": {
"value": "",
"localizedValue": ""
},
"resourceId": "/SUBSCRIPTIONS/EC1C689A-CCDD-49F3-8D1C-9A573317E46A",
"status": {
"value": "Succeeded",
"localizedValue": "Succeeded"
},
"subStatus": {
"value": "",
"localizedValue": ""
},
"submissionTimestamp": "2024-09-30T17:23:49.916568Z",
"subscriptionId": "EC1C689A-CCDD-49F3-8D1C-9A573317E46A",
"tenantId": "",
"relatedEvents": []
}
You can see this has the correct operationName, Microsoft.Subscription/Subscriptions/write, and the expected data. I just don't understand why I can never see the second log format in my event hub, only the first. They are both Azure Activity Logs from the Administrative category. Any insight would be appreciated.
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(288, 61%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EP%3C/text%3E%3C/svg%3E)
phemanth 10,330 Reputation points Microsoft Vendor2024-10-01T02:25:54.0333333+00:00 Thanks for reaching out to Microsoft Q&A
You have a diagnostic setting set up for your root management group to collect activity log events, including those for resource group creation/deletion, management group creation, and subscription creation/deletion.
However, you're observing two different log formats for management group creation and subscription creation events. The first format has an
operationNameof "Microsoft.Management", while the second format has the expectedoperationNamewith the correct resource provider and operation (e.g., "Microsoft.Subscription/Subscriptions/write").:In the provided JSON logs, noticed the following differences:
- OperationName: The first log format has an
operationNameof "Microsoft.Management", which is not specific to a particular resource provider. In contrast, the second log format has anoperationNamethat includes the resource provider and operation (e.g., "Microsoft.Subscription/Subscriptions/write"). - ResourceId: The first log format has a
resourceIdthat points to the subscription, while the second log format has aresourceIdthat includes the subscription ID and the event ID. - Properties: The first log format has a
propertiessection with anentityfield, while the second log format has a more detailedpropertiessection with fields likecaller,claims, anddescription.
It's possible that the Azure Activity Log system is using different log formats for management group and subscription creation events, which are not specific to a particular resource provider. These events might be generated by the Azure management plane, which is responsible for managing Azure resources at a higher level.
When you select the parent management group in the management group dropdown, you're seeing the log format generated by the management plane. However, when you select the subscription, you're seeing the log format generated by the Azure resource provider (in this case, Microsoft.Subscription).
To confirm this
Check the Azure Activity Log documentation to see if there are any specific log formats mentioned for management group and subscription creation events.https://video2.skills-academy.com/en-us/azure/azure-monitor/essentials/activity-log-schema
Verify that your diagnostic setting is correctly configured to collect activity log events for both management group and subscription creation events.
If you're using Azure Monitor or another log analytics tool, check if there are any filtering or processing rules that might be affecting the log format.
Hope this helps. Do let us know if you any further queries.
- OperationName: The first log format has an
-
shrinjay mukherjee 0 Reputation points
2024-10-01T14:22:24.07+00:00 Thanks for your answer @phemanth
Check the Azure Activity Log documentation to see if there are any specific log formats mentioned for management group and subscription creation events.https://video2.skills-academy.com/en-us/azure/azure-monitor/essentials/activity-log-schema
There's nothing specific to each plane that I can see.
Verify that your diagnostic setting is correctly configured to collect activity log events for both management group and subscription creation events.
I have it configured so that the diagnostic setting is on the root management group level, and then I could get diagnostic logs for any management group, subscription, resource group, resource underneath the root management group.
Using this setting, I am able to get logs for resource group creation/deletion, as well as subscription cancellation, but only subscription creation is missed.
-
shrinjay mukherjee 0 Reputation points
2024-10-01T14:25:07.8533333+00:00 Thanks for your answer @phemanth
Verify that your diagnostic setting is correctly configured to collect activity log events for both management group and subscription creation events.
I only have a diagnostic setup for all admin and audit logs at the tenant root group. I want to get all logs for any events on any management groups, subscriptions, resource groups and resources underneath the root.
Using this, I am able to get logs for resource group creation/update/deletion, even subscription cancellation events, but only subscription creation events are missed.
-
phemanth 10,330 Reputation points Microsoft Vendor
2024-10-03T03:47:56.27+00:00 It looks like you’ve done a thorough job setting up your diagnostic settings and verifying the configurations. Given that subscription creation events are the only ones missing, here are a few additional steps you might consider:
Check Diagnostic Settings: Ensure that the diagnostic settings at the root management group level explicitly include the “Administrative” category, as this should capture all relevant events, including subscription creation.
Review Event Hub Configuration: Double-check the Event Hub configuration to ensure it’s correctly set up to receive and process all types of logs. Sometimes, specific configurations might inadvertently filter out certain events.
- Activity Log Schema: According to the Azure Activity Log documentation, the schema can vary based on the type of event and how it’s accessed. While there isn’t specific documentation for management group and subscription creation events, ensuring that all relevant categories are enabled might help capture these logs.
Sign in to comment
Sign in to answer