Share via

Legacy collection methods

The Azure Activity Log solution was used to forward activity logs to Log Analytics. This solution is being retired on the 15th of Sept 2026 and will be automatically converted to Diagnostic settings.

If you're collecting activity logs using the legacy collection method, we recommend you export activity logs to your Log Analytics workspace and disable the legacy collection using the Data Sources - Delete API as follows:

  1. List all data sources connected to the workspace using the Data Sources - List By Workspace API and filter for activity logs by setting kind eq 'AzureActivityLog'.

    Screenshot showing the configuration of the Data Sources - List By Workspace API.

  2. Copy the name of the connection you want to disable from the API response.

    Screenshot showing the connection information you need to copy from the output of the Data Sources - List By Workspace API.

  3. Use the Data Sources - Delete API to stop collecting activity logs for the specific resource.

    Screenshot of the configuration of the Data Sources - Delete API.

Managing legacy Log Profiles (retiring)

Note

  • Logs Profiles was used to forward activity logs to storage accounts and Event Hubs. This method is being retired on the 15th of Sept 2026.
  • If you're using this method, transition to Diagnostic Settings before 15th of Sept 2025, when we'll stop allowing new creates of Log Profiles.

Log profiles are the legacy method for sending the activity log to storage or event hubs. If you're using this method, transition to Diagnostic Settings, which provide better functionality and consistency with resource logs.

If a log profile already exists, you first must remove the existing log profile, and then create a new one.

  1. Use Get-AzLogProfile to identify if a log profile exists. If a log profile exists, note the Name property.

  2. Use Remove-AzLogProfile to remove the log profile by using the value from the Name property.

    # For example, if the log profile name is 'default'
Remove-AzLogProfile -Name "default"

  3. Use Add-AzLogProfile to create a new log profile:

    Add-AzLogProfile -Name my_log_profile -StorageAccountId /subscriptions/s1/resourceGroups/myrg1/providers/Microsoft.Storage/storageAccounts/my_storage -serviceBusRuleId /subscriptions/s1/resourceGroups/Default-ServiceBus-EastUS/providers/Microsoft.ServiceBus/namespaces/mytestSB/authorizationrules/RootManageSharedAccessKey -Location global,westus,eastus -RetentionInDays 90 -Category Write,Delete,Action
    Property Required Description
    Name Yes Name of your log profile.
    StorageAccountId No Resource ID of the storage account where the activity log should be saved.
    serviceBusRuleId No Service Bus Rule ID for the Service Bus namespace where you want to have event hubs created. This string has the format {service bus resource ID}/authorizationrules/{key name}.
    Location Yes Comma-separated list of regions for which you want to collect activity log events.
    RetentionInDays Yes Number of days for which events should be retained in the storage account, from 1 through 365. A value of zero stores the logs indefinitely.
    Category No Comma-separated list of event categories to be collected. Possible values are Write, Delete, and Action.

Example script This sample PowerShell script creates a log profile that writes the activity log to both a storage account and an event hub.

# Settings needed for the new log profile
$logProfileName = "default"
$locations = (Get-AzLocation).Location
$locations += "global"
$subscriptionId = "<your Azure subscription Id>"
$resourceGroupName = "<resource group name your Event Hub belongs to>"
$eventHubNamespace = "<Event Hub namespace>"
$storageAccountName = "<Storage Account name>"
# Build the service bus rule Id from the settings above
$serviceBusRuleId = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName/providers/Microsoft.EventHub/namespaces/$eventHubNamespace/authorizationrules/RootManageSharedAccessKey"
# Build the Storage Account Id from the settings above
$storageAccountId = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName/providers/Microsoft.Storage/storageAccounts/$storageAccountName"
Add-AzLogProfile -Name $logProfileName -Location $locations -StorageAccountId $storageAccountId -ServiceBusRuleId $serviceBusRuleId

Data structure changes

The Export activity logs experience sends the same data as the legacy method used to send the activity log with some changes to the structure of the AzureActivity table.

The columns in the following table are deprecated in the updated schema. They still exist in AzureActivity, but they have no data. The replacements for these columns aren't new, but they contain the same data as the deprecated column. They're in a different format, so you might need to modify log queries that use them.

Activity log JSON Old Log Analytics column name
(deprecated)		 New Log Analytics column name Notes
category Category CategoryValue
status

Values are success, start, accept, failure		 ActivityStatus

Values same as JSON		 ActivityStatusValue

Values change to succeeded, started, accepted, failed		 The valid values change as shown.
subStatus ActivitySubstatus ActivitySubstatusValue
operationName OperationName OperationNameValue REST API localizes the operation name value. Log Analytics UI always shows English.
resourceProviderName ResourceProvider ResourceProviderValue

Important

In some cases, the values in these columns might be all uppercase. If you have a query that includes these columns, use the =~ operator to do a case-insensitive comparison.

The following columns have been added to AzureActivity in the updated schema:

  • Authorization_d
  • Claims_d
  • Properties_d