azlog schema/field documentation

Category: azure log integration


nsitajes on Tue, 09 May 2017 09:09:00


is there a complete list of fields and their descriptions that can come from logs received by the azlog tool? Similar to

but including everything. The links above don't include subfields like the claims ( or fields that can come from security centre, AAD, etc.


Thomas W Shinder - MSFT on Tue, 09 May 2017 14:53:07

Hi Nsitajes -

We don't have such documentation at this time.

Given the scenario, we just forward what we receive from the service.



lokijota on Tue, 09 May 2017 21:35:37

Hi Tom,

how do we get access to that documentation, then? who to contact/where to ask?


Thomas W Shinder - MSFT on Wed, 07 Jun 2017 12:31:41

Maybe I didn't understand the question - can you provide a specific example?

Are you interested in what appears in the JSON files that are received by the AzLog integrator machine?



Rob Martin [MSFT] on Thu, 08 Jun 2017 12:12:24

So, what was being asked was to be able to determine what fields might end up in the JSON. The example we were given was as follows.

In C:\users\azlog\AzureResourceManagerJson, after turning on Security Centre for our test environment, I’m getting entries containing SC related information:


      "eventDataId": "axxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx5",

      "eventName": {

        "value": "Azure Security Center Recommendation: ProvisionWafArm. This recommendation is now in state Activated",

        "localizedValue": "Azure Security Center Recommendation: ProvisionWafArm. This recommendation is now in state Activated"


But the security center folders are empty (is this intentional? Are the events triggered differently?).


Because that’s going into the folder, as well as some JSON files having different fields it’s making it difficult to create any sort of regex/grok filters to handle the information


      "authorization": {

        "action": "Microsoft.Authorization/locks/write",

        "scope": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/sl-test-rg001/providers/Microsoft.Compute/virtualMachines/sl-test-vm001/providers/Microsoft.Authorization/locks/ffdsfsdfds"


      "caller": "",

      "channels": "Operation",


Another entry, no caller field:


      "authorization": {

        "action": "Microsoft.Storage/storageAccounts/listKeys/action",

        "scope": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/securitydata/providers/Microsoft.Storage/storageAccounts/XXXXXXnortheurope"


      "channels": "Operation",


If there are any documents that explain the full schema(s) and what information could be in these files it may help come up with some logic to check if optional fields exists or not