Activity log for specific azure resource

Question

I am trying to query the activity logs of a specific azure resource. However, I am not sure how to do it. I only found base code on the internet that can only filter up to resource group level.

    from azure.mgmt.monitor import MonitorManagementClient
    import datetime

    # Get a client for Monitor
    credentials = connectSP() # Custom function to get credentials
    client = MonitorManagementClient(
        credentials,
        sub_id
    )


    # Generate query here
    today = datetime.datetime.now().date()
    filter = "eventTimestamp ge {}".format(today)
    select = ",".join([
        "eventTimestamp",
        "eventName",
        "operationName",
        "resourceGroupName",
    ])


    # Grab activity logs
    activity_logs = client.activity_logs.list(
        filter=filter,
        select=select
    )

    # Print the logs
    for log in activity_logs:
        print(" ".join([
            str(log.event_timestamp),
            str(log.resource_group_name),
            log.event_name.localized_value,
            log.operation_name.localized_value
    ]))

I tried to filter it by resource_id attribute but is met with this error:

Code: BadRequest
Message: The filter property: resource_id is not supported.

Is it possible to narrow down the scope to just a resource? Also is there any documentation on how to modify the filter query? I just found the basic ones in the Microsoft documentation. https://learn.microsoft.com/en-us/python/api/azure-mgmt-monitor/azure.mgmt.monitor.v2015_04_01.operations.activitylogsoperations?view=azure-python

Answer 1

Code: BadRequest Message: The filter property: resource_id is not supported.

The error shows that ResourceID is not supported in the $filter argument.

The $filter has restrictions refer MS-Doc for detailed information.

The $filter argument is very restricted and allows only the following patterns.

1. List events for a resource group:

$filter=eventTimestamp ge '<Start Date Time>' and eventTimestamp le '<End time>' and resourceGroupName eq '<Resource Group Name>'.

2. List events for resource:

$filter=eventTimestamp ge '<Start Date Time>' and eventTimestamp le '<End Date Time>' and resourceUri eq '<Resource URI>'.

3. List events for a subscription in a time range:

$filter=eventTimestamp ge '<Start Date Time>' and eventTimestamp le '<End Date Time>'.

4. List events for a resource provider:

$filter=eventTimestamp ge '<Start Date time>' and eventTimestamp le '<End Date Time>' and resourceProvider eq 'resourceProviderName'.

5. List events for a correlation Id:

$filter=eventTimestamp ge '<Start Date Time>' and eventTimestamp le '<End Date Time>' and correlationId eq 'correlationID'.`

If you need to filter specific resource, you can use Resource URI. Filter through resource group Use ResourceGroupName. Resource ID is not supported in the $filter.

The sample code I followed.

Sub_Base_Url = f"https://management.azure.com/subscriptions/{Your_Subscription_Id}/providers/microsoft.insights/eventtypes/management/values?api-version=2015-04-01&"
# in filter you can use either Resource Group Name or Resource URI
filter = f"$filter=eventTimestamp ge '{Start_Date_time}' and eventTimestamp le '{End_Date_Time}' and resourceGroupName eq '{Your_Resource_Group}'"
print(filter)

Sub_Base_Url = Sub_Base_Url + filter

headers = {
    "Authorization": 'Bearer ' + credential.token["access_token"]
}

res = requests.get(Sub_Base_Url, headers=headers)
output = res.json()