Azure Resource Logs transformation rules

General transformation rules

Azure Resource Log records are transformed according to the Category defined in the incoming log record (the category or type field), using the mappings described in this document. The mappings are defined to be as compatible with OpenTelemetry SemConv as possible.

If an expected field is not present in the incoming JSON record, or has an empty string value (i.e. ""), it is ignored.

Unknown/Unsupported Azure Resource Log record Category

For a log Category that conforms to the common Azure Resource Logs schema but has no mapping for that specific Category in this extension, the following rules are applied:

  • Common known fields are parsed according to the common map below.
  • If the properties field is parsable JSON, all parsed attributes are put as-is into Log Attributes (except message, which goes to Body, and correlationId and duration, which go to Log Attributes according to the map below).
  • If the properties field cannot be parsed as JSON, it is stored as a string in the azure.properties Log Attribute and the parsing error is logged.

Unparsable Azure Resource Log record

If parsing or transformation fails, the original Azure Resource Log record is saved as-is (its original JSON string representation) in the OpenTelemetry log.Body and an error is logged.

This approach allows you to parse or transform the Azure Resource Log record later in the OpenTelemetry Collector pipeline (for example, using transformprocessor) or in log storage, if applicable.
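
The fallback rules from the two sections above, as an added Go sketch that is not this extension's own code. The Record type, the function names, the handling of properties delivered as a JSON string, and the azure.operation.duration target for duration are assumptions of the example; the sample records are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Record is a simplified stand-in for an OpenTelemetry log record (hypothetical type).
type Record struct {
	Body  any
	Attrs map[string]any
	Err   error // the error the component would log
}

// commonMap is a subset of the common-field table on this page.
var commonMap = map[string]string{
	"operationName": "azure.operation.name",
	"category":      "azure.category",
	"resultType":    "azure.result.type",
}

// put stores v unless it is null or an empty string, which the rules say to ignore.
func put(attrs map[string]any, key string, v any) {
	if s, isStr := v.(string); v == nil || (isStr && s == "") {
		return
	}
	attrs[key] = v
}

// parseProperties returns the parsed object, plus the text form used on failure.
func parseProperties(raw json.RawMessage) (obj map[string]any, text string, err error) {
	text = string(raw)
	var s string
	if json.Unmarshal(raw, &s) == nil {
		raw, text = []byte(s), s // assumption: properties may arrive as a JSON string
	}
	err = json.Unmarshal(raw, &obj)
	return obj, text, err
}

// TransformUnknown applies the fallback rules for a Category without its own mapping.
func TransformUnknown(raw []byte) Record {
	rec := Record{Attrs: map[string]any{}}
	var in map[string]json.RawMessage
	if err := json.Unmarshal(raw, &in); err != nil {
		rec.Body, rec.Err = string(raw), err // unparsable record: keep it verbatim
		return rec
	}
	for field, attr := range commonMap {
		var v any
		if json.Unmarshal(in[field], &v) == nil {
			put(rec.Attrs, attr, v)
		}
	}
	rawProps, ok := in["properties"]
	if !ok {
		return rec
	}
	props, text, err := parseProperties(rawProps)
	if err != nil {
		put(rec.Attrs, "azure.properties", text)
		rec.Err = err
		return rec
	}
	for k, v := range props {
		switch k {
		case "message":
			rec.Body = v
		case "correlationId":
			put(rec.Attrs, "azure.correlation_id", v)
		case "duration":
			put(rec.Attrs, "azure.operation.duration", v) // assumed attribute name
		default:
			put(rec.Attrs, k, v) // stored under its original key
		}
	}
	return rec
}

func main() {
	for _, s := range []string{ // constructed samples: parsable, bad properties, truncated
		`{"category":"NewCategory","resultType":"","properties":{"message":"started","correlationId":"c-1","retries":2}}`,
		`{"category":"NewCategory","properties":"state=ok {"}`,
		`{"category":"NewCategory","prop`,
	} {
		r := TransformUnknown([]byte(s))
		fmt.Printf("body=%v attrs=%v error=%t\n", r.Body, r.Attrs, r.Err != nil)
	}
}
```

Because the raw record survives in Body on failure, anything sensitive in a malformed record also survives, so downstream redaction has to cover Body as well as the mapped attributes.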

Common fields, available in all Categories

Azure OpenTelemetry OpenTelemetry Scope
time, timestamp log.timestamp Log
resourceId cloud.resource_id Resource Attribute
tenantId azure.tenant.id Resource Attribute
location cloud.region Resource Attribute
operationName azure.operation.name Log Attribute
operationVersion azure.operation.version Log Attribute
category, type azure.category Log Attribute
resultType azure.result.type Log Attribute
resultSignature azure.result.signature Log Attribute
resultDescription azure.result.description Log Attribute
durationMs azure.operation.duration Log Attribute
callerIpAddress network.peer.address Log Attribute
correlationId azure.correlation_id Log Attribute
identity see Identity Field below Log Attribute
Level log.SeverityNumber Log
properties see mapping for each Category below mixed

Identity Field

The identity field has different structures across Azure log categories, so identity parsing is handled per-category:

  • Activity Logs: Specific known fields are extracted into flat, semantically meaningful attributes (see below)
  • Storage Logs: Stored as a nested map under azure.identity (different structure with authorization as an array)
  • Unknown/Generic categories: Stored as a nested map under azure.identity

Only known useful fields are extracted to minimize the risk of accidentally including sensitive data.

Activity Log Identity

Activity Logs contain caller identity information with JWT claims from Azure AD/Entra ID tokens and authorization details.

Authorization Fields

Azure identity Field OpenTelemetry OpenTelemetry Scope
identity.authorization.scope azure.identity.authorization.scope Log Attribute
identity.authorization.action azure.identity.authorization.action Log Attribute
identity.authorization.evidence.role azure.identity.authorization.evidence.role Log Attribute
identity.authorization.evidence.roleAssignmentScope azure.identity.authorization.evidence.role.assignment.scope Log Attribute
identity.authorization.evidence.roleAssignmentId azure.identity.authorization.evidence.role.assignment.id Log Attribute
identity.authorization.evidence.roleDefinitionId azure.identity.authorization.evidence.role.definition.id Log Attribute
identity.authorization.evidence.principalId azure.identity.authorization.evidence.principal.id Log Attribute
identity.authorization.evidence.principalType azure.identity.authorization.evidence.principal.type Log Attribute

Claims Fields

Unix timestamps (exp, nbf, iat) are converted to RFC3339 format.

Azure identity.claims Field OpenTelemetry OpenTelemetry Scope
iss azure.identity.issuer Log Attribute
sub azure.identity.subject Log Attribute
aud azure.identity.audience Log Attribute
exp azure.identity.not_after Log Attribute
nbf azure.identity.not_before Log Attribute
iat azure.identity.created Log Attribute
http://schemas.microsoft.com/identity/claims/scope azure.identity.scope Log Attribute
idtyp azure.identity.type Log Attribute
appid azure.identity.application.id Log Attribute
http://schemas.microsoft.com/claims/authnmethodsreferences azure.identity.auth.methods.references Log Attribute
http://schemas.microsoft.com/identity/claims/identityprovider azure.identity.provider Log Attribute
http://schemas.microsoft.com/identity/claims/objectidentifier azure.identity.identifier.object Log Attribute
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier user.id Log Attribute
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress user.email Log Attribute
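
The allow-list approach and the timestamp conversion described above, as an added Go sketch that is not this extension's own code. ExtractClaims and unixToRFC3339 are hypothetical names, the identity object is constructed, and dropping a malformed timestamp is a choice of the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"time"
)

// claimMap is the allow-list from the Claims Fields table; any other claim is dropped.
var claimMap = map[string]string{
	"iss":   "azure.identity.issuer",
	"sub":   "azure.identity.subject",
	"aud":   "azure.identity.audience",
	"exp":   "azure.identity.not_after",
	"nbf":   "azure.identity.not_before",
	"iat":   "azure.identity.created",
	"idtyp": "azure.identity.type",
	"appid": "azure.identity.application.id",
	"http://schemas.microsoft.com/identity/claims/scope":                   "azure.identity.scope",
	"http://schemas.microsoft.com/claims/authnmethodsreferences":           "azure.identity.auth.methods.references",
	"http://schemas.microsoft.com/identity/claims/identityprovider":        "azure.identity.provider",
	"http://schemas.microsoft.com/identity/claims/objectidentifier":        "azure.identity.identifier.object",
	"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "user.id",
	"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress":   "user.email",
}

var timeClaims = map[string]bool{"exp": true, "nbf": true, "iat": true}

// unixToRFC3339 accepts a Unix timestamp given as a JSON number or a numeric string.
func unixToRFC3339(v any) (string, bool) {
	var sec int64
	switch t := v.(type) {
	case float64:
		sec = int64(t)
	case string:
		n, err := strconv.ParseInt(t, 10, 64)
		if err != nil {
			return "", false
		}
		sec = n
	default:
		return "", false
	}
	return time.Unix(sec, 0).UTC().Format(time.RFC3339), true
}

// ExtractClaims returns only allow-listed claims, keyed by attribute name.
func ExtractClaims(identity []byte) (map[string]string, error) {
	var id struct {
		Claims map[string]any `json:"claims"`
	}
	if err := json.Unmarshal(identity, &id); err != nil {
		return nil, err
	}
	out := map[string]string{}
	for claim, attr := range claimMap {
		v, present := id.Claims[claim]
		if !present {
			continue
		}
		if timeClaims[claim] {
			if ts, ok := unixToRFC3339(v); ok {
				out[attr] = ts // a malformed timestamp is dropped (this example's choice)
			}
		} else if s, ok := v.(string); ok && s != "" {
			out[attr] = s
		}
	}
	return out, nil
}

func main() {
	// Constructed identity object; "name" and "ipaddr" are not on the allow-list.
	identity := []byte(`{"claims":{
		"iss":"https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
		"exp":"1700000000","iat":1699996400,"appid":"11111111-1111-1111-1111-111111111111",
		"name":"Example User","ipaddr":"203.0.113.10",
		"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress":"user@example.com"}}`)
	attrs, err := ExtractClaims(identity)
	fmt.Println(len(attrs), attrs["azure.identity.not_after"], err)
}
```

Iterating over the allow-list rather than over the incoming claims means a claim added to the token later is dropped by default instead of being copied into log attributes.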

Storage Log Identity

Storage Logs have a different identity structure containing authorization decisions as an array, token information, and requester details. The entire identity object is stored as a nested map under azure.identity.

Unknown/Generic Categories

For log categories where the identity structure is not known, the entire identity object is stored as a nested map under azure.identity to preserve all data.

Application Gateway

Application Gateway Access Logs (both v1 and v2)

Azure "properties" Field OpenTelemetry OpenTelemetry Scope
listenerName azure.agw.listener.name Log Attribute
ruleName azure.agw.rule.name Log Attribute
backendPoolName azure.agw.backend.pool.name Log Attribute
backendSettingName azure.agw.backend.setting.name Log Attribute
instanceId service.instance.id Resource Attribute
clientIP client.address Log Attribute
clientPort client.port Log Attribute
clientResponseTime azure.agw.latency Log Attribute
httpMethod http.request.method Log Attribute
requestUri url.path Log Attribute
requestQuery url.query Log Attribute
originalRequestUriWithArgs url.original Log Attribute
userAgent user_agent.original Log Attribute
httpStatus http.response.status_code Log Attribute
httpVersion network.protocol.name + network.protocol.version. If unparsable - network.protocol.original Log Attribute
receivedBytes http.request.size Log Attribute
sentBytes http.response.size Log Attribute
timeTaken azure.request.duration Log Attribute
transactionId azure.service.request.id Log Attribute
sslEnabled tls.enabled Log Attribute
host host.name Log Attribute
originalHost http.request.header.host Log Attribute
sslCipher tls.cipher Log Attribute
sslProtocol tls.protocol.name + tls.protocol.version. If unparsable - tls.protocol.original Log Attribute
serverRouted server.address + server.port. If unparsable - server.original_address Log Attribute
serverStatus azure.agw.backend.status_code Log Attribute
serverResponseLatency azure.agw.backend.latency Log Attribute
WAFEvaluationTime azure.firewall.evaluation.duration Log Attribute
WAFMode security_rule.ruleset.mode Log Attribute
upstreamSourcePort network.local.port Log Attribute
error_info error.type Log Attribute
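
Rows such as httpVersion, sslProtocol and serverRouted above (and CIp, securityProtocol, tlsVersion and OriginIP in later tables) split one source value into two attributes and fall back to an "original" attribute when the value does not parse. The Go sketch below is an added example, not this extension's own code: MapProtocol and MapEndpoint are hypothetical names, the accepted input forms and the treatment of a bare IP address are assumptions, and the sample values are constructed.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"strconv"
	"strings"
)

// protoRe accepts forms such as "HTTP/1.1", "TLSv1.2" and "TLS 1.2".
var protoRe = regexp.MustCompile(`^([A-Za-z]+?)[ /]?[vV]?(\d+(?:\.\d+)?)$`)

// MapProtocol fills <prefix>.name and <prefix>.version, or <prefix>.original
// when the value does not split cleanly. Empty input yields no attributes.
func MapProtocol(prefix, value string) map[string]any {
	out := map[string]any{}
	if value == "" {
		return out
	}
	m := protoRe.FindStringSubmatch(value)
	if m == nil {
		out[prefix+".original"] = value
		return out
	}
	out[prefix+".name"] = strings.ToLower(m[1]) // semconv protocol names are lowercase
	out[prefix+".version"] = m[2]
	return out
}

// MapEndpoint fills <prefix>.address and <prefix>.port, or
// <prefix>.original_address when host and port cannot be separated.
func MapEndpoint(prefix, value string) map[string]any {
	out := map[string]any{}
	if value == "" {
		return out
	}
	if ip := net.ParseIP(value); ip != nil {
		out[prefix+".address"] = value // bare IP without a port: this example's choice
		return out
	}
	host, portStr, err := net.SplitHostPort(value)
	port, perr := strconv.Atoi(portStr)
	if err != nil || perr != nil || host == "" || port < 1 || port > 65535 {
		out[prefix+".original_address"] = value
		return out
	}
	out[prefix+".address"] = host
	out[prefix+".port"] = port
	return out
}

func main() {
	// Constructed sample values.
	fmt.Println(MapProtocol("network.protocol", "HTTP/1.1"))
	fmt.Println(MapProtocol("tls.protocol", "TLSv1.2"))
	fmt.Println(MapProtocol("tls.protocol", "negotiation-failed"))
	fmt.Println(MapEndpoint("server", "10.0.0.4:8080"))
	fmt.Println(MapEndpoint("server", "[2001:db8::1]:443"))
	fmt.Println(MapEndpoint("client", "10.0.0.4:80, 10.0.0.5:80"))
}
```

Queries and detections that filter on server.address or tls.protocol.version should also check the matching original attribute, since a value that failed to parse is recorded only there.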

Application Gateway Performance Logs

Azure "properties" Field OpenTelemetry OpenTelemetry Scope
instanceId service.instance.id Resource Attribute
healthyHostCount azure.agw.backend.healthy.count Log Attribute
unHealthyHostCount azure.agw.backend.unhealthy.count Log Attribute
requestCount azure.agw.request.count Log Attribute
latency azure.agw.backend.latency Log Attribute
failedRequestCount azure.agw.request.failed Log Attribute
throughput azure.agw.throughput Log Attribute

Application Gateway Firewall Logs

Azure "properties" Field OpenTelemetry OpenTelemetry Scope
instanceId service.instance.id Resource Attribute
clientIP client.address Log Attribute
clientPort client.port Log Attribute
requestUri url.original Log Attribute
ruleSetType security_rule.category Log Attribute
ruleSetVersion security_rule.version Log Attribute
ruleId security_rule.uuid Log Attribute
ruleGroup security_rule.ruleset.name Log Attribute
message Body Log
action security_rule.action Log Attribute
site azure.firewall.site Log Attribute
details azure.firewall.evaluation.details Log Attribute
hostname host.name Log Attribute
transactionId azure.service.request.id Log Attribute
policyId azure.firewall.policy.id Log Attribute
policyScope azure.firewall.policy.scope.type Log Attribute
policyScopeName azure.firewall.policy.object.name Log Attribute

App Service

App Service App Logs

Azure "properties" Field OpenTelemetry OpenTelemetry Scope
containerId container.id Log Attribute
customLevel log.record.severity.original Log Attribute
exceptionClass exception.type Log Attribute
host host.name Log Attribute
logger log.record.logger Log Attribute
message Body Log
method code.function.name Log Attribute
source log.file.path Log Attribute
stackTrace exception.stacktrace Log Attribute
webSiteInstanceId azure.app_service.instance.id Log Attribute

App Service Audit Logs

Azure "properties" Field OpenTelemetry OpenTelemetry Scope
User user.id Log Attribute
UserDisplayName user.name Log Attribute
UserAddress source.address Log Attribute
Protocol network.protocol.name Log Attribute

App Service Authentication Logs

Azure "properties" Field OpenTelemetry OpenTelemetry Scope
details azure.auth.event.details Log Attribute
hostName host.name Log Attribute
message Body Log
moduleRuntimeVersion azure.auth.module.runtime.version Log Attribute
siteName azure.app_service.site.name Log Attribute
statusCode http.response.status_code Log Attribute
subStatusCode azure.http.response.sub_status_code Log Attribute
taskName azure.app_service.task.name Log Attribute

App Service Console Logs

Azure "properties" Field OpenTelemetry OpenTelemetry Scope
containerId container.id Log Attribute
host host.name Log Attribute

App Service HTTP Logs

Azure "properties" Field OpenTelemetry OpenTelemetry Scope
CIp client.address + client.port. If unparsable - client.original_address Log Attribute
ComputerName server.address Log Attribute
Cookie Skipped as it may contain sensitive data, like authentication tokens -
CsBytes http.request.size Log Attribute
CsHost http.request.header.host Log Attribute
CsMethod http.request.method Log Attribute
CsUriQuery url.query Log Attribute
CsUriStem url.path Log Attribute
CsUsername user.name Log Attribute
Referer http.request.header.referer Log Attribute
Result Body Log
ScBytes http.response.size Log Attribute
ScStatus http.response.status_code Log Attribute
ScSubStatus azure.http.response.sub_status_code Log Attribute
SPort server.port Log Attribute
TimeTaken azure.request.duration Log Attribute
UserAgent user_agent.original Log Attribute

App Service IPSec Audit Logs

Azure "properties" Field OpenTelemetry OpenTelemetry Scope
CIp source.address + source.port. If unparsable - source.original_address Log Attribute
CsHost http.request.header.host Log Attribute
details azure.auth.event.details Log Attribute
Result Body Log
ServiceEndpoint azure.app_service.endpoint Log Attribute
XAzureFDID http.request.header.x-azure-fdid Log Attribute
XFDHealthProbe http.request.header.x-fd-healthprobe Log Attribute
XForwardedFor http.request.header.x-forwarded-for Log Attribute
XForwardedHost http.request.header.x-forwarded-host Log Attribute

App Service Platform Logs

Azure "properties" Field OpenTelemetry OpenTelemetry Scope
containerId container.id Log Attribute
deploymentId azure.deployment.id Log Attribute
Exception exception.message Log Attribute
host host.name Log Attribute
message Body Log
stackTrace exception.stacktrace Log Attribute

App Service File Audit Logs

Azure "properties" Field OpenTelemetry OpenTelemetry Scope
path file.path Log Attribute
process process.title Log Attribute

Azure CDN

Azure CDN Access Logs

Azure "properties" Field OpenTelemetry OpenTelemetry Scope
trackingReference azure.service.request.id Log Attribute
httpMethod http.request.method Log Attribute
httpVersion network.protocol.version Log Attribute
requestUri url.full with parsed url.scheme, url.domain, url.fragment, url.query, url.path and url.port. If unparsable - only url.original Log Attribute
sni tls.server.name Log Attribute
requestBytes http.request.size Log Attribute
responseBytes http.response.size Log Attribute
userAgent user_agent.original Log Attribute
clientIp client.address Log Attribute
clientPort client.port Log Attribute
socketIp network.peer.address Log Attribute
timeToFirstByte azure.time_to_first_byte Log Attribute
timeTaken azure.request.duration Log Attribute
requestProtocol network.protocol.name Log Attribute
securityProtocol tls.protocol.name + tls.protocol.version. If unparsable - tls.protocol.original Log Attribute
httpStatusCode http.response.status_code Log Attribute
pop azure.cdn.edge.name Log Attribute
cacheStatus azure.cdn.cache.outcome Log Attribute
errorInfo exception.type Log Attribute
endpoint network.local.address Log Attribute
isReceivedFromClient network.io.direction with value receive (if true) or transmit (if false) Log Attribute
backendHostname server.address + server.port. If unparsable - server.original_address Log Attribute

Azure Messaging Logs (Service Bus and EventHub Logs)

ApplicationMetricsLogs

Azure "properties" Field OpenTelemetry OpenTelemetry Scope
Environment deployment.environment.name Resource Attribute
Region cloud.region Resource Attribute
SubscriptionId cloud.account.id Resource Attribute
NamespaceName service.namespace Resource Attribute
EntityName service.name Resource Attribute
EntityType messaging.system Log Attribute
ScaleUnit azure.autoscale.unit Log Attribute
ActivityId log.record.uid Log Attribute
ActivityName azure.operation.name Log Attribute
ChildEntityType - (not documented) Log Attribute
ChildEntityName - (not documented) Log Attribute
PartitionId messaging.destination.partition.id Log Attribute
Outcome error.type (if not eq "Success") Log Attribute
Protocol network.protocol.name Log Attribute
AuthType azure.auth.type Log Attribute
AuthId azure.auth.id Log Attribute
NetworkType network.connection.type Log Attribute
ClientIp client.address Log Attribute
Count messaging.message.count Log Attribute
Properties.ApplicationGroupName - (not documented) Log Attribute

DiagnosticErrorLogs

Azure "properties" Field OpenTelemetry OpenTelemetry Scope
Environment deployment.environment.name Resource Attribute
Region cloud.region Resource Attribute
SubscriptionId cloud.account.id Resource Attribute
NamespaceName service.namespace Resource Attribute
EntityName service.name Resource Attribute
EntityType messaging.system Log Attribute
ScaleUnit azure.autoscale.unit Log Attribute
ActivityId log.record.uid Log Attribute
ActivityName azure.operation.name Log Attribute
TaskName azure.messaging.task.name Log Attribute
OperationResult error.type Log Attribute
ErrorMessage error.message Log Attribute
ErrorCount azure.messaging.error.count Log Attribute

OperationalLogs

Azure "properties" Field OpenTelemetry OpenTelemetry Scope
Environment deployment.environment.name Resource Attribute
Region cloud.region Resource Attribute
SubscriptionId cloud.account.id Resource Attribute
NamespaceName service.namespace Resource Attribute
EntityName service.name Resource Attribute
- (from ResourceID) messaging.system Log Attribute
ScaleUnit azure.autoscale.unit Log Attribute
ActivityId log.record.uid Log Attribute
EventName azure.operation.name Log Attribute
Status error.type (if not eq "Succeeded") Log Attribute
Caller client.type Log Attribute
EventProperties.SubscriptionId - (duplicates high level attributes) -
EventProperties.Namespace - (duplicates high level attributes) -
EventProperties.Via url.full with parsed url.scheme, url.domain, url.fragment, url.query, url.path and url.port. If unparsable - only url.original Log Attribute
EventProperties.TrackingId azure.service.request.id Log Attribute
EventProperties.ErrorCode error.code Log Attribute
EventProperties.ErrorMessage error.message Log Attribute

RuntimeAuditLogs

Azure "properties" Field OpenTelemetry OpenTelemetry Scope
Environment deployment.environment.name Resource Attribute
Region cloud.region Resource Attribute
SubscriptionId cloud.account.id Resource Attribute
NamespaceName service.namespace Resource Attribute
EntityName service.name Resource Attribute
EntityType messaging.system Log Attribute
ScaleUnit azure.autoscale.unit Log Attribute
ActivityId log.record.uid Log Attribute
ActivityName azure.operation.name Log Attribute
TaskName azure.messaging.task.name Log Attribute
Status error.type (if not eq "Success") Log Attribute
Protocol network.protocol.name Log Attribute
AuthType azure.auth.type Log Attribute
AuthId azure.auth.id Log Attribute
NetworkType network.connection.type Log Attribute
ClientIp client.address Log Attribute
Count messaging.message.count Log Attribute
Properties Body (unparsed, as-is) Log

VNetAndIPFilteringLogs

Azure "properties" Field OpenTelemetry OpenTelemetry Scope
Environment deployment.environment.name Resource Attribute
Region cloud.region Resource Attribute
SubscriptionId cloud.account.id Resource Attribute
NamespaceName service.namespace Resource Attribute
- (from ResourceID) messaging.system Log Attribute
ScaleUnit azure.autoscale.unit Log Attribute
ActivityId log.record.uid Log Attribute
EventName azure.operation.name Log Attribute
ipAddress client.address Log Attribute
action security_rule.action Log Attribute
reason security_rule.evaluation.reason Log Attribute
count security_rule.evaluation.count Log Attribute

Azure Data Factory

ActivityRuns Logs

Azure "properties" Field OpenTelemetry OpenTelemetry Scope
start azure.datafactory.activity.start_time Log Attribute
end azure.datafactory.activity.end_time Log Attribute
UserProperties azure.datafactory.user_properties Log Attribute
Annotations azure.datafactory.annotations Log Attribute
Input azure.datafactory.input Log Attribute
Output azure.datafactory.output Log Attribute
Predecessors azure.datafactory.predecessors Log Attribute
Parameters azure.datafactory.parameters Log Attribute
SystemParameters azure.datafactory.system_parameters Log Attribute
Tags azure.datafactory.tags Log Attribute
Error.errorCode error.code Log Attribute
Error.message error.message Log Attribute
Error.failureType error.type Log Attribute
Error.target error.target Log Attribute
activityRunId azure.datafactory.activity.run_id Log Attribute
activityName azure.datafactory.activity.name Log Attribute
pipelineRunId azure.datafactory.pipeline.run_id Log Attribute
pipelineName azure.datafactory.pipeline.name Log Attribute

PipelineRuns Logs

Azure "properties" Field OpenTelemetry OpenTelemetry Scope
start azure.datafactory.pipeline.start_time Log Attribute
end azure.datafactory.pipeline.end_time Log Attribute
UserProperties azure.datafactory.user_properties Log Attribute
Annotations azure.datafactory.annotations Log Attribute
Input azure.datafactory.input Log Attribute
Output azure.datafactory.output Log Attribute
Predecessors azure.datafactory.predecessors Log Attribute
Parameters azure.datafactory.parameters Log Attribute
SystemParameters azure.datafactory.system_parameters Log Attribute
Tags azure.datafactory.tags Log Attribute
Error.errorCode error.code Log Attribute
Error.message error.message Log Attribute
Error.failureType error.type Log Attribute
Error.target error.target Log Attribute
runId azure.datafactory.pipeline.run_id Log Attribute
pipelineName azure.datafactory.pipeline.name Log Attribute
status `` Log Attribute

TriggerRuns Logs

Azure "properties" Field OpenTelemetry OpenTelemetry Scope
start azure.datafactory.trigger.start_time Log Attribute
end azure.datafactory.trigger.end_time Log Attribute
UserProperties azure.datafactory.user_properties Log Attribute
Annotations azure.datafactory.annotations Log Attribute
Input azure.datafactory.input Log Attribute
Output azure.datafactory.output Log Attribute
Predecessors azure.datafactory.predecessors Log Attribute
Parameters azure.datafactory.parameters Log Attribute
SystemParameters azure.datafactory.system_parameters Log Attribute
Tags azure.datafactory.tags Log Attribute
Error.errorCode error.code Log Attribute
Error.message error.message Log Attribute
Error.failureType error.type Log Attribute
Error.target error.target Log Attribute
triggerId azure.datafactory.trigger.run_id Log Attribute
triggerName azure.datafactory.trigger.name Log Attribute
triggerType azure.datafactory.trigger.type Log Attribute
triggerEvent azure.datafactory.trigger.event_payload Log Attribute
status azure.datafactory.pipeline.state Log Attribute

Front Door

Front Door Web Application Firewall Logs

Azure "properties" Field OpenTelemetry OpenTelemetry Scope
clientIP client.address Log Attribute
clientPort client.port Log Attribute
socketIP network.peer.address Log Attribute
requestUri url.full with parsed url.scheme, url.domain, url.fragment, url.query, url.path and url.port. If unparsable - only url.original Log Attribute
ruleName security_rule.name Log Attribute
policy security_rule.ruleset.name Log Attribute
action security_rule.action Log Attribute
host http.request.header.host Log Attribute
trackingReference azure.service.request.id Log Attribute
policyMode security_rule.ruleset.mode Log Attribute

Front Door Health Probe Logs

Azure "properties" Field OpenTelemetry OpenTelemetry Scope
healthProbeId azure.frontdoor.health_probe.id Log Attribute
POP azure.cdn.edge.name Log Attribute
httpVerb http.request.method Log Attribute
result Body Log
httpStatusCode http.response.status_code Log Attribute
probeURL url.full with parsed url.scheme, url.domain, url.fragment, url.query, url.path and url.port. If unparsable - only url.original Log Attribute
originName azure.frontdoor.health_probe.origin.name Log Attribute
originIP server.address + server.port. If unparsable - server.original_address Log Attribute
totalLatencyMilliseconds azure.frontdoor.health_probe.origin.latency.total Log Attribute
connectionLatencyMilliseconds azure.frontdoor.health_probe.origin.latency.connection Log Attribute
DNSLatencyMicroseconds azure.frontdoor.health_probe.origin.latency.dns Log Attribute

Front Door Access Logs

Azure "properties" Field OpenTelemetry OpenTelemetry Scope
trackingReference azure.service.request.id Log Attribute
httpMethod http.request.method Log Attribute
httpVersion network.protocol.version Log Attribute
requestUri url.full with parsed url.scheme, url.domain, url.fragment, url.query, url.path and url.port. If unparsable - only url.original Log Attribute
sni tls.server.name Log Attribute
requestBytes http.request.size Log Attribute
responseBytes http.response.size Log Attribute
userAgent user_agent.original Log Attribute
clientIp client.address Log Attribute
clientPort client.port Log Attribute
socketIp network.peer.address Log Attribute
timeToFirstByte azure.time_to_first_byte Log Attribute
timeTaken azure.request.duration Log Attribute
requestProtocol network.protocol.name Log Attribute
securityProtocol tls.protocol.name + tls.protocol.version. If unparsable - tls.protocol.original Log Attribute
httpStatusCode http.response.status_code Log Attribute
pop azure.cdn.edge.name Log Attribute
cacheStatus azure.cdn.cache.outcome Log Attribute
errorInfo exception.type Log Attribute
endpoint network.local.address Log Attribute
hostName http.request.header.host Log Attribute
securityCurves tls.curve Log Attribute
securityCipher tls.cipher Log Attribute
OriginIP server.address + server.port. If unparsable - server.original_address Log Attribute

Function App Logs

Azure "properties" Field OpenTelemetry OpenTelemetry Scope
activityId log.record.uid Log Attribute
appName service.name Resource Attribute
category - (duplicates high level attributes) -
eventId azure.event.id Log Attribute
eventName azure.event.name Log Attribute
exceptionDetails exception.stacktrace Log Attribute
exceptionMessage exception.message Log Attribute
exceptionType exception.type Log Attribute
functionInvocationId faas.invocation_id Log Attribute
appName/functionName faas.name Log Attribute
functionName faas.invoked_name Log Attribute
hostInstanceId host.id Log Attribute
hostVersion host.image.version Log Attribute
level - (duplicates high level attributes) -
levelId - (duplicates high level attributes) -
message Body Log
processId process.pid Log Attribute
roleInstance service.instance.id Resource Attribute
- faas.invoked_provider=azure Log Attribute

Storage Blob Logs (StorageRead, StorageWrite, StorageDelete)

Azure "properties" Field OpenTelemetry OpenTelemetry Scope
statusCode http.response.status_code Log Attribute
statusText http.response.status_text Log Attribute
uri url.full with parsed url.scheme, url.domain, url.fragment, url.query, url.path and url.port. If unparsable - only url.original Log Attribute
protocol network.protocol.name Log Attribute
accountName azure.storage.namespace Log Attribute
userAgentHeader user_agent.original Log Attribute
clientRequestId azure.service.request.id Log Attribute
serverLatencyMs azure.response.duration Log Attribute
serviceType azure.storage.service.type Log Attribute
operationCount azure.storage.operation.count Log Attribute
requestHeaderSize http.request.header.size Log Attribute
requestBodySize http.request.body.size Log Attribute
responseHeaderSize http.response.header.size Log Attribute
responseBodySize http.response.body.size Log Attribute
tlsVersion tls.protocol.name + tls.protocol.version. If unparsable - tls.protocol.original Log Attribute
objectKey azure.storage.object.key Log Attribute
sourceAccessTier azure.storage.source.access_tier Log Attribute

Activity Logs

Activity Logs are a type of Azure platform log that provides insight into subscription-level events. The following categories are supported:

Administrative

Azure "properties" Field OpenTelemetry OpenTelemetry Scope
entity azure.administrative.entity Log Attribute
message azure.administrative.message Log Attribute
hierarchy azure.administrative.hierarchy Log Attribute

Alert

Azure "properties" Field OpenTelemetry OpenTelemetry Scope
webHookUri azure.alert.webhook.uri Log Attribute
RuleUri azure.alert.rule.uri Log Attribute
RuleName azure.alert.rule.name Log Attribute
RuleDescription azure.alert.rule.description Log Attribute
Threshold azure.alert.threshold Log Attribute
WindowSizeInMinutes azure.alert.window_size_minutes Log Attribute
Aggregation azure.alert.aggregation Log Attribute
Operator azure.alert.operator Log Attribute
MetricName azure.alert.metric.name Log Attribute
MetricUnit azure.alert.metric.unit Log Attribute

Autoscale

Azure "properties" Field OpenTelemetry OpenTelemetry Scope
Description azure.autoscale.description Log Attribute
ResourceName azure.autoscale.resource.name Log Attribute
OldInstancesCount azure.autoscale.instances.previous_count Log Attribute
NewInstancesCount azure.autoscale.instances.count Log Attribute
LastScaleActionTime azure.autoscale.resource.last_scale Log Attribute

Security

Azure "properties" Field OpenTelemetry OpenTelemetry Scope
commandLine process.command_line Log Attribute
processName process.executable.path Log Attribute
userName process.owner Log Attribute
UserSID enduser.id Log Attribute
processId process.pid Log Attribute
parentProcess id process.parent_pid Log Attribute
accountLogonId azure.security.account_logon_id Log Attribute
domainName azure.security.domain_name Log Attribute
ActionTaken azure.security.action_taken Log Attribute
Severity azure.security.severity Log Attribute

Policy

Azure "properties" Field OpenTelemetry OpenTelemetry Scope
isComplianceCheck azure.policy.compliance_check Log Attribute
resourceLocation azure.location Log Attribute
ancestors azure.policy.ancestors Log Attribute
hierarchy azure.policy.hierarchy Log Attribute
policies azure.policy.policies (parsed as structured array) Log Attribute

Recommendation

Azure "properties" Field OpenTelemetry OpenTelemetry Scope
recommendationSchemaVersion azure.recommendation.schema_version Log Attribute
recommendationCategory azure.recommendation.category Log Attribute
recommendationImpact azure.recommendation.impact Log Attribute
recommendationName azure.recommendation.name Log Attribute
recommendationResourceLink azure.recommendation.link Log Attribute
recommendationType azure.recommendation.type Log Attribute
recommendationRisk azure.recommendation.risk Log Attribute

Service Health

Azure "properties" Field OpenTelemetry OpenTelemetry Scope
title azure.servicehealth.title Log Attribute
service azure.servicehealth.service Log Attribute
region azure.servicehealth.region Log Attribute
communication azure.servicehealth.communication.body Log Attribute
communicationId azure.servicehealth.communication.id Log Attribute
incidentType azure.servicehealth.incident.type Log Attribute
trackingId azure.servicehealth.tracking.id Log Attribute
impactStartTime azure.servicehealth.impact.start Log Attribute
impactMitigationTime azure.servicehealth.impact.mitigation Log Attribute
impactedServices azure.servicehealth.impact.services (parsed as structured array) Log Attribute
impactType azure.servicehealth.impact.type Log Attribute
impactCategory azure.servicehealth.impact.category Log Attribute
defaultLanguageTitle azure.servicehealth.default_language.title Log Attribute
defaultLanguageContent azure.servicehealth.default_language.content Log Attribute
stage azure.servicehealth.state Log Attribute
maintenanceId azure.servicehealth.maintenance.id Log Attribute
maintenanceType azure.servicehealth.maintenance.type Log Attribute
isHIR azure.servicehealth.is_hir Log Attribute
IsSynthetic azure.servicehealth.is_synthetic Log Attribute

Resource Health

Azure "properties" Field OpenTelemetry OpenTelemetry Scope
title azure.resourcehealth.title Log Attribute
details azure.resourcehealth.details Log Attribute
currentHealthStatus azure.resourcehealth.state Log Attribute
previousHealthStatus azure.resourcehealth.previous_state Log Attribute
type azure.resourcehealth.type Log Attribute
cause azure.resourcehealth.cause Log Attribute