Azure Monitor ActivityLogs not reaching Event Hub

0
votes

I've created a Free Tier Azure account. I have events in my Azure Monitor Activity Log (Get Namespace Listkeys, etc) and clicking on these events allows me to see their JSON. I have selected "Export to Event Hub", selected "All regions", checked "Export to an event hub" and set up the namespace and policy name. The policy is the Root shared policy which has Manage, Send, Listen checked. This creates the "insights-operational-logs" event hub automatically.

I'm using the azure golang client (https://github.com/Azure/azure-event-hubs-go) to query this event hub but I'm not seeing the ActivityLog events in the client. I do receive diagnostic logs with categories like "Action", and "Write" but not the logs I can see in the ActivityLog monitor with categories like "Administrative".

What am I missing? Why are these events not reaching my client?

1
azuregoazure-eventhub
Impossible to say - please include the relevant code in the body of your question.Adrian
My client is quite simple, and there doesn't appear to be much opportunity for mis-configuration on that end. It seems to pull every event from the event hub. I'd like to identify any issues configuring the Event Hub in the UI before diving into potential issues with the client.user1383924
If it's not a programming question, try Server Fault instead of Stack Overflow.Adrian

1 Answers

0
votes

It turns out the Activity Logs are actually mutated before they are sent to the event hub. There is a small reference to this in the documentation (https://docs.microsoft.com/en-us/azure/azure-monitor/platform/activity-log-export#activity-log-schema). I was expecting Activity Logs to be sent to the event hub as they appear in the JSON pane of the Activity Monitor, but that appears to not be how the "Export to Event Hub" feature works. The Activity Log is converted into several smaller "Action" logs that describe each stage of the Activity, i.e. whether it was "Started", "Succeeded", or "Failed". These together represent one Activity Log, but the schema is different.