Step 1: Understand the Requirements
You want to ensure that audit events (such as user actions, project changes, security settings, etc.) from your Azure DevOps organization are logged and available in a Log Analytics workspace in Azure.
This enables centralized monitoring and security compliance.
Step 2: Prerequisites
Before starting, make sure:
You have an Azure subscription.
You have permission to create or use a Log Analytics workspace in the Azure portal.
You are a Project Collection Administrator or Organization Owner in Azure DevOps.
Step 3: Create or Identify a Log Analytics Workspace
Go to the Azure portal.
In the search bar, type Log Analytics workspaces and click the service.
Click + Create to create a new workspace (or select an existing workspace if you have one).
Provide the following:
Subscription: your Azure subscription.
Resource Group: create a new one or use an existing one.
Name: a unique name for the workspace (like DevOpsAuditWorkspace).
Region: choose the same region as your Azure DevOps organization if possible.
Click Review + Create, then Create to deploy the workspace.
Step 4: Configure Azure DevOps to Stream Audit Logs
Azure DevOps can stream audit logs to your Log Analytics workspace using the Azure DevOps Audit Stream feature.
In your browser, go to your Azure DevOps organization:
In the bottom-left corner, click on the Organization Settings gear icon.
In the left menu, click on Audit logs.
In the top-right, click on Audit streams.
Click on + Add stream to create a new stream.
In the New audit stream pane, do the following:
Stream type: select Azure Monitor Logs (Log Analytics).
Azure subscription: select the subscription containing your Log Analytics workspace.
Resource group: select the resource group.
Log Analytics workspace: select the workspace created in Step 3.
Click Save.
Step 5: Validate the Audit Stream Connection
Go back to the Audit streams page in Azure DevOps to confirm the stream shows as Connected.
To validate logs:
In the Azure portal, go to your Log Analytics workspace.
In the left menu, click on Logs.
Use the query:
AzureDevOpsAuditing
| sort by TimeGenerated desc
You should see audit events from your Azure DevOps organization appear in the results.
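A broader validation query for the same workspace follows. It is an added example, not part of the original steps: it reports whether the stream is still delivering events, which Azure DevOps areas are represented, and whether anyone has changed the audit stream itself. The 24-hour lookback, the 2-hour silence threshold, and the assumption that audit stream operations carry the OperationName prefix "AuditLog.Stream" are choices made for this example; adjust them to your organization.

```kusto
// Added example: freshness, coverage and stream-change check.
// Assumed values: 24h lookback, 2h maximum silence before the stream counts as stale.
let lookback = 24h;
let maxSilence = 2h;
let recent = AzureDevOpsAuditing
    | where TimeGenerated > ago(lookback);
// 1) Freshness: a single row, returned even when no events arrived at all.
let freshness = recent
    | summarize Events = count(), LastEvent = max(TimeGenerated)
    | project Check = "Freshness",
              Status = iff(Events == 0 or now() - LastEvent > maxSilence, "STALE", "OK"),
              Subject = "all events", Events, LastEvent, Actors = "";
// 2) Coverage: which areas of Azure DevOps produced events, and for whom.
let coverage = recent
    | summarize Events = count(), LastEvent = max(TimeGenerated),
                Actors = strcat_array(make_set(ActorUPN, 5), ", ")
        by Area
    | project Check = "Coverage", Status = "INFO",
              Subject = Area, Events, LastEvent, Actors;
// 3) Stream changes: create, modify, disable or delete operations on the
//    audit stream itself (prefix is an assumption of this example).
let streamChanges = recent
    | where OperationName startswith "AuditLog.Stream"
    | summarize Events = count(), LastEvent = max(TimeGenerated),
                Actors = strcat_array(make_set(ActorUPN, 5), ", ")
        by OperationName
    | project Check = "Stream change", Status = "REVIEW",
              Subject = OperationName, Events, LastEvent, Actors;
union freshness, coverage, streamChanges
| order by Check asc, Events desc
```

A "STALE" freshness row on an active organization, or a "Stream change" row you cannot tie to a planned change, is worth following up before relying on the workspace for compliance evidence.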