Get-AzLog

Retrieve Activity Log events.

Syntax

Get-AzLog
   [-StartTime <DateTime>]
   [-EndTime <DateTime>]
   [-Status <String>]
   [-Caller <String>]
   [-DetailedOutput]
   [-CorrelationId] <String>
   [-MaxRecord <Int32>]
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]
Get-AzLog
   [-StartTime <DateTime>]
   [-EndTime <DateTime>]
   [-Status <String>]
   [-Caller <String>]
   [-DetailedOutput]
   [-ResourceId] <String>
   [-MaxRecord <Int32>]
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]
Get-AzLog
   [-StartTime <DateTime>]
   [-EndTime <DateTime>]
   [-Status <String>]
   [-Caller <String>]
   [-DetailedOutput]
   [-ResourceGroupName] <String>
   [-MaxRecord <Int32>]
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]
Get-AzLog
   [-StartTime <DateTime>]
   [-EndTime <DateTime>]
   [-Status <String>]
   [-Caller <String>]
   [-DetailedOutput]
   [-ResourceProvider] <String>
   [-MaxRecord <Int32>]
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]
Get-AzLog
   [-StartTime <DateTime>]
   [-EndTime <DateTime>]
   [-Status <String>]
   [-Caller <String>]
   [-DetailedOutput]
   [-MaxRecord <Int32>]
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]

Description

The Get-AzLog cmdlet retrieves Activity Log events. The events can be associated with the current subscription ID, correlation ID, resource group, resource ID, or resource provider.

Examples

Example 1: Get an event log by subscription ID

PS C:\>Get-AzLog

This command lists at most 1000 events associated with the user's subscription ID that took place in the 7 days before the current date/time.

Example 2: Get an event log by subscription ID with a maximum number of events

PS C:\>Get-AzLog -MaxRecord 100

This command lists at most 100 events associated with the user's subscription ID that took place in the 7 days before the current date/time.

Example 3: Get an event log by subscription ID with a start time.

PS C:\>Get-AzLog -StartTime 2017-06-01T10:30

This command lists at most 1000 events associated with the user's subscription ID that took place on or after 2017-06-01T10:30 local time if that date/time is not older than 90 days from the current date/time.

Example 4: Get an event log by subscription ID with a start time and end time.

PS C:\>Get-AzLog -StartTime 2017-04-01T10:30 -EndTime 2017-04-14T11:30

This command lists at most 1000 of the events associated with the user's subscription ID that took place on or after 2017-04-01T10:30 local time, and before 2017-04-14T11:30 local time if the whole date/time range is not older than 90 days from the current date/time, i.e.: the retention period.

Example 5: Get an event log by correlation ID

PS C:\>Get-AzLog -CorrelationId "aaaa0000-bb11-2222-33cc-444444dddddd"

This command lists at most 1000 events associated with the specified correlation ID that took place in the 7 days before the current date/time. NOTE: this is usually only one event.

Example 6: Get an event log by correlation ID with a maximum number of events

PS C:\>Get-AzLog -CorrelationId "aaaa0000-bb11-2222-33cc-444444dddddd" -MaxRecord 100

This command lists at most 100 events associated with the specified correlation ID that took place in the 7 days before the current date/time. NOTE: this is usually only one event.

Example 7: Get an event log by correlation ID and start time

PS C:\>Get-AzLog -CorrelationId "aaaa0000-bb11-2222-33cc-444444dddddd" -StartTime 2017-05-22T04:30:00

This command lists at most 1000 events associated with the specified correlation ID that took place on or after 2017-05-22T04:30:00 local time if the start time is not older than 90 days from the current date/time. NOTE: this is usually only one event.

Example 8: Get an event log by correlation ID with start time and end time

PS C:\>Get-AzLog -CorrelationId "aaaa0000-bb11-2222-33cc-444444dddddd" -StartTime 2017-04-15T04:30:00 -EndTime 2017-04-25T12:30:00

This command lists at most 1000 events associated with the specified correlation ID that took place on or after 2017-04-15T04:30 local time, but before 2017-04-25T12:30 local time if the whole date/time range is not older than 90 days from the current date/time, i.e.: the retention period.

Example 9: Get an event log for a resource group

PS C:\>Get-AzLog -ResourceGroupName "Contoso-Web-CentralUS"

This command lists at most 1000 events associated with the specified resource group that took place in the 7 days before the current date/time.

Example 10: Get an event log for a resource group with a maximum number of events

PS C:\>Get-AzLog -ResourceGroup "Contoso-Web-CentralUS" -MaxRecord 100

This command lists at most 100 events associated with the specified resource group that took place in the 7 days before the current date/time.

Example 11: Get an event log for a resource group by start time

PS C:\>Get-AzLog -ResourceGroup "Contoso-Web-CentralUS" -StartTime 2017-05-22T04:30:00

This command lists at most 1000 events associated with the specified resource group that took place on or after 2017-05-22T04:30:00 local time if the start time is not older than 90 days from the current date/time.

Example 12: Get an event log for a resource group with a start time and end time

PS C:\>Get-AzLog -ResourceGroup "Contoso-Web-CentralUS" -StartTime 2017-04-15T04:30 -EndTime 2017-04-25T12:30

This command lists at most 1000 events associated with the specified resource group that took place on or after 2017-04-15T04:30 local time, but before 2017-04-25T12:30 local time if the whole date/time range is not older than 90 days from the current date/time, i.e.: the retention period.

Example 13: Get an event log by resource ID

PS C:\>Get-AzLog -ResourceId "/subscriptions/a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1/ResourceGroups/Contoso-Web-CentralUS/providers/Microsoft.Web/ServerFarms/Contoso1"

This command lists at most 1000 events associated with the specified resource ID that took place in the 7 days before the current date/time.

Example 14: Get an event log by resource ID with a maximum number of events

PS C:\>Get-AzLog -ResourceId "/subscriptions/a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1/ResourceGroups/Contoso-Web-CentralUS/providers/Microsoft.Web/ServerFarms/Contoso1" -MaxRecord 100

This command lists at most 100 events associated with the specified resource ID that took place in the 7 days before the current date/time.

Example 15: Get an event log by resource ID with a start time

PS C:\>Get-AzLog -ResourceId "/subscriptions/a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1/ResourceGroups/Contoso-Web-CentralUS/providers/Microsoft.Web/ServerFarms/Contoso1" -StartTime 2017-05-22T04:30

This command lists at most 1000 events associated with the specified resource ID that took place on or after 2017-05-22T04:30:00 local time if the start time is not older than 90 days from the current date/time.

Example 16: Get an event log by resource ID with a start time and end time

PS C:\>Get-AzLog -ResourceId "/subscriptions/a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1/ResourceGroups/Contoso-Web-CentralUS/providers/Microsoft.Web/ServerFarms/Contoso1" -StartTime 2017-04-15T04:30 -EndTime 2017-04-25T12:30

This command lists at most 1000 events associated with the specified resource ID that took place on or after 2017-04-15T04:30 local time, but before 2017-04-25T12:30 local time if the whole date/time range is not older than 90 days from the current date/time, i.e.: the retention period.

Example 17: Get an event log by resource provider

PS C:\>Get-AzLog -ResourceProvider "Microsoft.Web"

This command lists at most 1000 events associated with the specified resource provider that took place in the 7 days before the current date/time.

Example 18: Get an event log by resource provider with a maximum number of events

PS C:\>Get-AzLog -ResourceProvider "Microsoft.Web" -MaxRecord 100

This command lists at most 100 events associated with the specified resource provider that took place in the 7 days before the current date/time.

Example 19: Get an event log by resource provider with a start time

PS C:\>Get-AzLog -ResourceProvider "Microsoft.Web" -StartTime 2017-05-22T04:30

This command lists at most 1000 events associated with the specified resource provider that took place on or after 2017-05-22T04:30:00 local time if the start time is not older than 90 days from the current date/time.

Example 20: Get an event log by resource provider with a start time and end time

PS C:\>Get-AzLog -ResourceProvider "Microsoft.Web" -StartTime 2017-04-15T04:30 -EndTime 2017-04-25T12:30

This command lists at most 1000 events associated with the specified resource provider that took place on or after 2017-04-15T04:30 local time, but before 2017-04-25T12:30 local time if the whole date/time range is not older than 90 days from the current date/time, i.e.: the retention period.
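The limits stated above (a 90-day retention period, a default of 1000 records and a maximum of 100000 per query) matter when the log is pulled for an investigation, because a capped query returns a truncated result without saying so. The following is an added example, not part of the original reference: the function name `Get-ActivityLogWindow`, the `-SliceHours` parameter, the caller address and the output property names `Caller` and `CorrelationId` on the returned objects are assumptions.

```powershell
# Added example: collect Activity Log events over a long window in time slices,
# clamping to the 90-day retention period and flagging slices that hit -MaxRecord.
function Get-ActivityLogWindow {            # hypothetical helper name
    param(
        [Parameter(Mandatory)] [datetime] $StartTime,   # local time, as the cmdlet expects
        [datetime] $EndTime    = (Get-Date),
        [string]   $Caller,                             # optional -Caller filter
        [int]      $SliceHours = 24,                    # hypothetical slice size
        [int]      $MaxRecord  = 100000                 # maximum value the cmdlet accepts
    )

    # The examples above only apply to times within the 90-day retention period.
    $oldest = (Get-Date).AddDays(-90)
    if ($StartTime -lt $oldest) {
        Write-Warning "StartTime $StartTime is older than 90 days; using $oldest instead."
        $StartTime = $oldest
    }
    if ($EndTime -le $StartTime) { throw 'EndTime must be later than StartTime.' }

    $sliceStart = $StartTime
    while ($sliceStart -lt $EndTime) {
        $sliceEnd = $sliceStart.AddHours($SliceHours)
        if ($sliceEnd -gt $EndTime) { $sliceEnd = $EndTime }

        $query = @{ StartTime = $sliceStart; EndTime = $sliceEnd; MaxRecord = $MaxRecord }
        if ($Caller) { $query.Caller = $Caller }

        $slice = @(Get-AzLog @query)

        # A slice that returns MaxRecord events was probably cut off at the cap.
        if ($slice.Count -ge $MaxRecord) {
            Write-Warning "Slice $sliceStart .. $sliceEnd reached MaxRecord ($MaxRecord); rerun with a smaller -SliceHours."
        }
        $slice                      # emit this slice's events to the pipeline
        $sliceStart = $sliceEnd
    }
}

# Last 30 days for one caller (constructed address), summarized per correlation ID.
$found = Get-ActivityLogWindow -StartTime (Get-Date).AddDays(-30) -Caller 'admin@contoso.example'
$found | Group-Object CorrelationId |
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name
```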

Parameters

-Caller

Specifies a caller.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-CorrelationId

Specifies the correlation ID. This parameter is required.

Type:String
Position:0
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-DefaultProfile

The credentials, account, tenant, and subscription used for communication with Azure.

Type:IAzureContextContainer
Aliases:AzContext, AzureRmContext, AzureCredential
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-DetailedOutput

Indicates that this cmdlet displays detailed output. By default, output is summarized.

Type:SwitchParameter
Position:Named
Default value:Switch not present = False, i.e. output summarized
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-EndTime

Specifies the end time of the query in local time. The default value is the current time. The value must be later than StartTime. You can use the Get-Date cmdlet to get a DateTime object.

Type:Nullable<T>[DateTime]
Position:Named
Default value:Current date (time: 00:00:00 AM) + 1 day
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-MaxRecord

Specifies the total number of records to fetch for the specified filter. The default value is 1000 and the maximum value accepted is 100000. Negative values and 0 are ignored and the default value will be used.

Type:Int32
Position:Named
Default value:1000
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-ResourceGroupName

Specifies the name of the resource group.

Type:String
Aliases:ResourceGroup
Position:0
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-ResourceId

Specifies the resource ID.

Type:String
Position:0
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-ResourceProvider

Specifies a filter by resource provider.

Type:String
Position:0
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-StartTime

Specifies the start time of the query in local time. The default value is EndTime minus seven days. You can use the Get-Date cmdlet to get a DateTime object.

Type:Nullable<T>[DateTime]
Position:Named
Default value:EndTime - 7 days
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-Status

Specifies the status.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

Inputs

Nullable<T>[[System.DateTime, System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e]]

String

SwitchParameter

Int32

Outputs

PSEventData