I've created a Free Tier Azure account. I have events in my Azure Monitor Activity Log (Get Namespace Listkeys, etc) and clicking on these events allows me to see their JSON. I have selected "Export to Event Hub", selected "All regions", checked "Export to an event hub" and set up the namespace and policy name. The policy is the Root shared policy which has Manage, Send, Listen checked. This creates the "insights-operational-logs" event hub automatically.
I'm using the azure golang client (https://github.com/Azure/azure-event-hubs-go) to query this event hub but I'm not seeing the ActivityLog events in the client. I do receive diagnostic logs with categories like "Action", and "Write" but not the logs I can see in the ActivityLog monitor with categories like "Administrative".
What am I missing? Why are these events not reaching my client?
It turns out the Activity Logs are actually mutated before they are sent to the event hub. There is a small reference to this in the documentation (https://docs.microsoft.com/en-us/azure/azure-monitor/platform/activity-log-export#activity-log-schema). I was expecting Activity Logs to be sent to the event hub as they appear in the JSON pane of the Activity Monitor, but that appears to not be how the "Export to Event Hub" feature works. The Activity Log is converted into several smaller "Action" logs that describe each stage of the Activity, i.e. whether it was "Started", "Succeeded", or "Failed". These together represent one Activity Log, but the schema is different.