Measures reported by AzrMntrActvtyLgTest
The Activity log is a platform log in Azure that provides insight into subscription-level events, such as when a resource is modified or when a virtual machine is started. Events of varying severity levels (e.g., critical, error, warning and information events) and of different categories (e.g., Administrative, Service Health, Resource Health) are recorded in the Activity log.
To promptly, and sometimes proactively, capture problem conditions, resolve bottlenecks, and avert potential disasters, administrators need to be alerted as soon as a critical/warning event, a serious health issue, or a crucial operational failure is logged in the Activity log. This is exactly what the AzrMntrActvtyLgTest does.
This test monitors the Activity log and reports the count of events logged per severity level and per category. In the process, the test notifies administrators every time a problem condition is captured by the log. Detailed diagnostics provide additional insight into each problem, thereby easing troubleshooting.
Note: To consolidate log entries, correlate log data, and perform complex analysis, the Activity log is typically sent to one or more Log Analytics Workspaces. This test reports valid metrics only by reading event data from those Log Analytics Workspaces. If the Activity log is not sent to any Log Analytics Workspace, the test reports the value 0 for all its measures, which is indistinguishable from a genuinely quiet subscription. To avoid this, before configuring this test, make sure that the Activity log is configured to be sent to at least one Log Analytics Workspace.
Outputs of the test: One set of results for the configured SUBSCRIPTION ID
The measures made by this test are as follows:
| Measurement | Description | Measurement Unit | Interpretation |
|---|---|---|---|
| crtcl_events | Indicates the number of critical events logged in the activity log. | Number | Critical events are events that demand the immediate attention of a system administrator. The incidence of a critical event may indicate that an application or system has failed or stopped responding. Ideally, therefore, the value of this measure should be 0. If a non-zero value is reported, use the detailed diagnosis of this measure to view the complete details of the critical events. |
| error_events | Indicates the number of error events logged in the activity log. | Number | Error events indicate a problem, but do not require immediate attention. Ideally, the value of this measure should be 0. If a non-zero value is reported, use the detailed diagnosis of this measure to view the complete details of the error events. |
| warning_events | Indicates the number of warning events logged in the activity log. | Number | Warning events provide forewarning of potential problems: they indicate that a resource is not in an ideal state and may degrade later into error or critical events. Ideally, the value of this measure should be 0. If a non-zero value is reported, use the detailed diagnosis of this measure to view the complete details of the warning events; studying these events closely lets administrators act before the condition degrades. |
| infrmtn_events | Indicates the number of information events logged in the activity log. | Number | Information events pass non-critical information to the administrator, similar to a note that says "For your information". Use the detailed diagnosis of this measure to view the complete details of the information events logged in the activity log. |
| admnstrtv_events | Indicates the number of events in the activity log that belong to the Administrative category. | Number | The Administrative category contains the record of all create, update, delete, and action operations performed through Resource Manager. Examples of Administrative events include "create virtual machine" and "delete network security group". Every action taken by a user or application using Resource Manager is modeled as an operation on a particular resource type. If the operation type is Write, Delete, or Action, the records of both the start and the success or failure of that operation are recorded in the Administrative category. Administrative events also include any changes to Azure role-based access control in a subscription. |
| policy_events | Indicates the number of events in the activity log that belong to the Policy category. | Number | The Policy category contains records of all effect action operations performed by Azure Policy. Examples of Policy events include Audit and Deny. Every action taken by Policy is modeled as an operation on a resource. |
| securityevents | Indicates the number of events in the activity log that belong to the Security category. | Number | The Security category contains the record of alerts generated by Microsoft Defender for Cloud. An example of a Security event is "Suspicious double extension file executed". |
| srvc_health_events | Indicates the number of events in the activity log that belong to the Service Health category. | Number | The Service Health category contains the record of any service health incidents that have occurred in Azure. An example of a Service Health event is "SQL Azure in East US is experiencing downtime". Service Health events come in six varieties: Action Required, Assisted Recovery, Incident, Maintenance, Information, or Security. These events are only created if you have a resource in the subscription that would be impacted by the event. |
| rsrc_health_events | Indicates the number of events in the activity log that belong to the Resource Health category. | Number | The Resource Health category contains the record of any resource health events that have occurred to your Azure resources. An example of a Resource Health event is "Virtual Machine health status changed to unavailable". Resource Health events can represent one of four health statuses: Available, Unavailable, Degraded, and Unknown. Additionally, Resource Health events can be categorized as Platform Initiated or User Initiated. |
| alert_events | Indicates the number of events in the activity log that belong to the Alert category. | Number | The Alert category contains the record of activations for Azure alerts. An example of an Alert event is "CPU % on myVM has been over 80 for the past 5 minutes". |
| autoscale_events | Indicates the number of events in the activity log that belong to the Autoscale category. | Number | The Autoscale category contains the record of any events related to the operation of the autoscale engine, based on the autoscale settings you have defined in your subscription. An example of an Autoscale event is "Autoscale scale up action failed". |
| rcmmndtn_events | Indicates the number of events in the activity log that belong to the Recommendation category. | Number | The Recommendation category contains recommendation events from Azure Advisor. |
| rsrc_write_oprtns | Indicates the number of resource write operations logged in the activity log. | Number | |
| failedEvnts | Indicates the number of events logged in the activity log that indicate operational failures. | Number | Ideally, the value of this measure should be 0. |
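The following is an added example, not eG Enterprise code and not the internal logic of AzrMntrActvtyLgTest. It shows how the measures in the table above can be derived from rows of the Log Analytics AzureActivity table, which is where the test reads its data. It assumes the AzureActivity column names Level, CategoryValue, OperationNameValue, ActivityStatusValue and CorrelationId; the sample rows are constructed for illustration and are not real log data. It also shows the caveat a practitioner needs for rsrc_write_oprtns: a single write operation produces a Started row and a Succeeded/Failed row, so operations must be counted by CorrelationId rather than by row.

```python
"""Derive the AzrMntrActvtyLgTest measures from AzureActivity rows.

Added example for this page, not eG Enterprise code. It assumes the column
names of the Log Analytics AzureActivity table (Level, CategoryValue,
OperationNameValue, ActivityStatusValue, CorrelationId). SAMPLE_ROWS below
are constructed, not real log data.
"""
from collections import Counter

# KQL that produces the same raw counts inside a Log Analytics workspace
# (assumption: the subscription's Activity log is routed to that workspace).
KQL_QUERY = """
AzureActivity
| where TimeGenerated > ago(15m)
| summarize events = count() by Level, CategoryValue, ActivityStatusValue
"""

# Constructed sample: a VM create (Started + Succeeded), a failed NSG delete,
# an RBAC change (Started + Succeeded), and one event per remaining category.
SAMPLE_ROWS = [
    dict(Level="Informational", CategoryValue="Administrative",
         OperationNameValue="Microsoft.Compute/virtualMachines/write",
         ActivityStatusValue="Started", CorrelationId="c1"),
    dict(Level="Informational", CategoryValue="Administrative",
         OperationNameValue="Microsoft.Compute/virtualMachines/write",
         ActivityStatusValue="Succeeded", CorrelationId="c1"),
    dict(Level="Error", CategoryValue="Administrative",
         OperationNameValue="Microsoft.Network/networkSecurityGroups/delete",
         ActivityStatusValue="Failed", CorrelationId="c2"),
    dict(Level="Informational", CategoryValue="Administrative",
         OperationNameValue="Microsoft.Authorization/roleAssignments/write",
         ActivityStatusValue="Started", CorrelationId="c3"),
    dict(Level="Informational", CategoryValue="Administrative",
         OperationNameValue="Microsoft.Authorization/roleAssignments/write",
         ActivityStatusValue="Succeeded", CorrelationId="c3"),
    dict(Level="Warning", CategoryValue="Policy",
         OperationNameValue="Microsoft.Authorization/policies/audit/action",
         ActivityStatusValue="Succeeded", CorrelationId="c4"),
    dict(Level="Warning", CategoryValue="Security",
         OperationNameValue="Microsoft.Security/locations/alerts/activate/action",
         ActivityStatusValue="Succeeded", CorrelationId="c5"),
    dict(Level="Informational", CategoryValue="ServiceHealth",
         OperationNameValue="Microsoft.ServiceHealth/incident/action",
         ActivityStatusValue="Active", CorrelationId="c6"),
    dict(Level="Critical", CategoryValue="ResourceHealth",
         OperationNameValue="Microsoft.Resourcehealth/healthevent/Activated/action",
         ActivityStatusValue="Active", CorrelationId="c7"),
    dict(Level="Informational", CategoryValue="Alert",
         OperationNameValue="Microsoft.Insights/AlertRules/Activated/Action",
         ActivityStatusValue="Succeeded", CorrelationId="c8"),
    dict(Level="Error", CategoryValue="Autoscale",
         OperationNameValue="Microsoft.Insights/AutoscaleSettings/ScaleupResult/Action",
         ActivityStatusValue="Failed", CorrelationId="c9"),
    dict(Level="Informational", CategoryValue="Recommendation",
         OperationNameValue="Microsoft.Advisor/recommendations/available/action",
         ActivityStatusValue="Active", CorrelationId="c10"),
]

# Measure name from the table above -> AzureActivity value it counts.
LEVEL_MEASURES = {"crtcl_events": "Critical", "error_events": "Error",
                  "warning_events": "Warning", "infrmtn_events": "Informational"}
CATEGORY_MEASURES = {"admnstrtv_events": "Administrative", "policy_events": "Policy",
                     "securityevents": "Security", "srvc_health_events": "ServiceHealth",
                     "rsrc_health_events": "ResourceHealth", "alert_events": "Alert",
                     "autoscale_events": "Autoscale", "rcmmndtn_events": "Recommendation"}


def compute_measures(rows):
    """Return every measure of the test as {name: count} for one batch of rows."""
    by_level = Counter(r["Level"] for r in rows)
    by_category = Counter(r["CategoryValue"] for r in rows)
    measures = {name: by_level[level] for name, level in LEVEL_MEASURES.items()}
    measures.update({name: by_category[cat] for name, cat in CATEGORY_MEASURES.items()})
    # A write operation logs a Started row and a Succeeded/Failed row that share
    # a CorrelationId, so count distinct operations, not rows, to avoid doubling.
    write_ops = {r["CorrelationId"] for r in rows
                 if r["OperationNameValue"].lower().endswith("/write")}
    measures["rsrc_write_oprtns"] = len(write_ops)
    measures["failedEvnts"] = sum(1 for r in rows if r["ActivityStatusValue"] == "Failed")
    return measures


def detailed_diagnosis(rows):
    """Rows behind the non-zero problem measures: Critical/Error/Warning or Failed."""
    problem_levels = {"Critical", "Error", "Warning"}
    return [r for r in rows
            if r["Level"] in problem_levels or r["ActivityStatusValue"] == "Failed"]


if __name__ == "__main__":
    for name, value in compute_measures(SAMPLE_ROWS).items():
        print(f"{name:20s} {value}")
    for r in detailed_diagnosis(SAMPLE_ROWS):
        print(r["Level"], r["CategoryValue"], r["OperationNameValue"], r["ActivityStatusValue"])
```

On the sample rows this yields two write operations (the VM create and the RBAC change) although four Administrative rows carry a /write operation name, and the detailed diagnosis lists the five rows an administrator would review, including the RBAC change only if it had failed. Before trusting an all-zero result from the test, confirm that the subscription actually routes its Activity log to a workspace, for instance with `az monitor diagnostic-settings subscription list --subscription <subscription id>`; an empty list means the zeros reflect missing data, not a healthy subscription.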