curious7

Reputation: 25

How to send Azure storage account activity logs to Azure Log analytics workspace

I have a requirement to retain logs for a few years for compliance purposes for all resources in a resource group (Key Vault, storage account, Azure Automation, VMs, backup vault, etc.). I created a Log Analytics workspace and set the required retention on it.

I tried sending the storage account logs to this Log Analytics workspace using the command below, but got an error.

Command:

az monitor diagnostic-settings create --name Test-SA-Diagnostics --storage-account $Log_SA_ID --resource $ResourceID --resource-group $RESOURCE_GROUP_NAME --logs '[{"category": StorageWrite}]'

Error:
Failed to parse JSON: [{"category": StorageWrite}]

Is this the correct way of transferring logs to the Log Analytics workspace? I even ran the command to list the categories for the storage account and changed the "category" value in the command to those as well, but still got either the invalid category error or the above error.

What is the correct method for sending logs to the Log Analytics workspace? Or even to a storage account, as I just need this for log retention to meet the compliance requirements.

Upvotes: 0

Views: 1547

Answers (2)

Ken W - Zero Networks

Reputation: 3804

You have a couple issues. The first is you are not escaping your quotes properly. The command should be something like this:

az monitor diagnostic-settings create --name Test-SA-Diagnostics --storage-account $Log_SA_ID --resource $ResourceID --resource-group $RESOURCE_GROUP_NAME --logs '[{\"category\": \"StorageWrite\"}]'

But that command could also fail if you are sending it the ResourceID of the Storage Account and not the ResourceID of the Blob service.

Finally, if you wish to send the logs to a Log Analytics workspace, you need to specify the WorkspaceID in the command like so:

az monitor diagnostic-settings create -n 'toLogAnalytics' --resource $rid --workspace $wsid 

Full Example

#PARAMETERS
# Name of Storage Account 
$stracct = "mystorageaccount"
# Name of Log Analytics Workspace (case sensitive)
$wsname = "MyWorkspaceName"

## VARIABLES
# Get Storage Account ResourceID
$rid = (az resource list --query "[?name=='$stracct'].id" --output tsv)
# Make Blob Service ResourceID
$rid = $rid + "/blobServices/default"
# Get Storage Account Resource Group name
$rg = (az resource list --query "[?name=='$stracct'].resourceGroup" --output tsv)
# Get Log Analytics WS ID
$wsid = (az resource list --query "[?name=='$wsname'].id" --output tsv)

#ACTIONS
# Enable monitoring to LA for Blob Storage Service
az monitor diagnostic-settings create --name setting3 --workspace $wsid --resource $rid --logs '[{\"category\": \"StorageRead\", \"enabled\": true}]'

Reference

Upvotes: 0
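
The three fixes from the answer above (a quoted category value in `--logs`, the sub-service resource ID, and `--workspace` as the destination), combined in an added example that is not part of the original answers. It is written for a POSIX shell and goes beyond the blob service to cover the file, queue and table services; the setting names `retention-<service>`, the `APPLY` switch and the resource IDs are constructed placeholders.

```shell
#!/bin/sh
# Added example: route storage resource logs to a Log Analytics workspace.
# Prints the az commands (dry run) unless APPLY=1 is set (assumed switch).
set -eu

# Build the --logs value so every category is emitted as a quoted JSON string.
build_logs_json() (
  out=""
  for c in "$@"; do
    case "$c" in
      # Reject empty names and anything that is not purely alphabetic.
      ""|*[!A-Za-z]*) echo "invalid category: $c" >&2; exit 1 ;;
    esac
    out="${out}${out:+,}{\"category\":\"$c\",\"enabled\":true}"
  done
  printf '[%s]' "$out"
)

# Diagnostic settings attach to <storage account ID>/<service>/default.
service_resource_id() {
  printf '%s/%s/default' "${1%/}" "$2"
}

# One diagnostic setting per sub-service, all pointing at the same workspace.
enable_storage_logs() (
  account_id="$1"; workspace_id="$2"
  logs="$(build_logs_json StorageRead StorageWrite StorageDelete)"
  for svc in blobServices fileServices queueServices tableServices; do
    rid="$(service_resource_id "$account_id" "$svc")"
    set -- az monitor diagnostic-settings create --name "retention-$svc" \
      --resource "$rid" --workspace "$workspace_id" --logs "$logs"
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "dry-run: $*"; fi
  done
)

# Constructed placeholder IDs; substitute the real storage account and workspace IDs.
SUB="/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg"
SA_ID="$SUB/providers/Microsoft.Storage/storageAccounts/examplestorage"
WS_ID="$SUB/providers/Microsoft.OperationalInsights/workspaces/example-ws"
enable_storage_logs "$SA_ID" "$WS_ID"
```

Because the JSON is passed as a single quoted argument built by the script, no manual escaping of the inner double quotes is needed in this shell.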

VenkateshDodda

Reputation: 5496

To answer your question, we have tested in our local environment

az monitor diagnostic-settings create --name Test-SA-Diagnostics --storage-account $Log_SA_ID --resource $ResourceID --resource-group $RESOURCE_GROUP_NAME --logs '[{"category": StorageWrite}]'

You need to pass the category value in double quotation marks, as shown below

--logs '[{"category": "StorageWrite"}]'

You can use either the CLI method or the portal GUI to transfer the logs from the storage account to the Log Analytics workspace, based on your requirement.

Here is the reference document for creating diagnostic settings to send platform metrics & logs to different destinations through CLI cmdlet & using the portal GUI.

Upvotes: 0
