I want to write a policy that deploys the diagnostic settings for Azure Activity to stream subscription audit logs to a Log Analytics workspace, in order to monitor subscription-level events, and at the same time archive them to a storage account. Alternatively, a policy that deploys the diagnostic settings for Azure Activity to store the logs in a storage account. I tried to run my code, but it is not working:
{
"properties": {
"displayName": "Configure Azure Activity logs to stream to specified Log Analytics workspace",
"mode": "All",
"description": "Deploys the diagnostic settings for Azure Activity to stream subscriptions audit logs to a Log Analytics workspace to monitor subscription-level events",
"metadata": {
"version": "1.0.0",
"category": "Monitoring"
},
"parameters": {
"logAnalytics": {
"type": "String",
"metadata": {
"displayName": "Primary Log Analytics workspace",
"description": "If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
"strongType": "omsWorkspace",
"assignPermissions": true
}
},
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
},
"allowedValues": [
"DeployIfNotExists",
"Disabled"
],
"defaultValue": "DeployIfNotExists"
},
"logsEnabled": {
"type": "String",
"metadata": {
"displayName": "Enable logs",
"description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
},
"allowedValues": [
"True",
"False"
],
"defaultValue": "True"
},
"existingDiagnosticsStorageAccountName": {
"type": "string",
"metadata": {
"description": "Specify the name of an existing storage account for diagnostics."
}
},
"existingDiagnosticsStorageAccountResourceGroup": {
"type": "string",
"metadata": {
"description": "Specify the resource group name of an existing storage account for diagnostics."
}
}
},
"policyRule": {
"if": {
"field": "type",
"equals": "Microsoft.Resources/subscriptions"
},
"then": {
"effect": "[parameters('effect')]",
"details": {
"type": "Microsoft.Insights/diagnosticSettings",
"deploymentScope": "Subscription",
"existenceScope": "Subscription",
"existenceCondition": {
"allOf": [
{
"field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
"equals": "[parameters('logsEnabled')]"
},
{
"field": "Microsoft.Insights/diagnosticSettings/workspaceId",
"equals": "[parameters('logAnalytics')]"
},
{
"field":"Microsoft.Insights/diagnosticSettings/storageAccountId",
"equals":"[parameters('existingDiagnosticsStorageAccountName')]"
}
]
},
"deployment": {
"location": "southeastasia",
"properties": {
"mode": "incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"logAnalytics": {
"type": "string"
},
"logsEnabled": {
"type": "string"
}
},
"variables": {},
"resources": [
{
"name": "DiagnosticToSubscription",
"type": "Microsoft.Insights/diagnosticSettings",
"apiVersion": "2017-05-01-preview",
"location": "Global",
"properties": {
"workspaceId": "[parameters('logAnalytics')]",
"logs": [
{
"category": "Administrative",
"enabled": "[parameters('logsEnabled')]"
},
{
"category": "Security",
"enabled": "[parameters('logsEnabled')]"
},
{
"category": "ServiceHealth",
"enabled": "[parameters('logsEnabled')]"
},
{
"category": "Alert",
"enabled": "[parameters('logsEnabled')]"
},
{
"category": "Recommendation",
"enabled": "[parameters('logsEnabled')]"
},
{
"category": "Policy",
"enabled": "[parameters('logsEnabled')]"
},
{
"category": "Autoscale",
"enabled": "[parameters('logsEnabled')]"
},
{
"category": "ResourceHealth",
"enabled": "[parameters('logsEnabled')]"
}
],
"storageAccountId": "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('existingDiagnosticsStorageAccountResourceGroup')), 'Microsoft.Storage/storageAccounts', parameters('existingDiagnosticsStorageAccountName'))]",
"metrics": [
{
"timeGrain": "AllMetrics",
"enabled": "[parameters('diagnosticsEnabled')]",
"retentionPolicy": {
"days": 90,
"enabled": "[parameters('diagnosticsEnabled')]"
}
}
]
}
}
],
"outputs": {}
},
"parameters": {
"logAnalytics": {
"value": "[parameters('logAnalytics')]"
},
"logsEnabled": {
"value": "[parameters('logsEnabled')]"
},
"existingDiagnosticsStorageAccountResourceGroup": {
"value": "[parameters('existingDiagnosticsStorageAccountResourceGroup')]"
},
"existingDiagnosticsStorageAccountName": {
"value": "[parameters('existingDiagnosticsStorageAccountName')]"
}
}
}
},
"roleDefinitionIds": [
"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
]
}
}
}
}
}
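To achieve the above requirement, you can use the following workaround. Note that in the definition below the `roleDefinitionIds` entry is left incomplete, and the two `existenceCondition` values are missing their `[` / `]` expression brackets, so they are compared as literal strings. Before assigning the policy, complete the role ID with the least-privileged role the remediation identity needs, and fix the brackets.
ARM template: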
{
"properties": {
"displayName": "Deploy Diagnostic Settings for Storage Accounts to Log Analytics",
"mode": "Indexed",
"description": "Deploys the diagnostic settings for Storage Accounts to log read/write/delete and retain logs.",
"metadata": {
"category": "Monitoring"
},
"parameters": {
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
},
"allowedValues": [
"DeployIfNotExists",
"Disabled"
],
"defaultValue": "DeployIfNotExists"
},
"profileName": {
"type": "String",
"metadata": {
"displayName": "Profile Name",
"description": "The diagnostic setting profile name"
},
"default": "setbypolicy_logAnalytics"
},
"logAnalytics": {
"type": "String",
"metadata": {
"displayName": "Log Analytics workspace",
"description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
"strongType": "omsWorkspace",
"assignPermissions": true
}
},
"metricsEnabled": {
"type": "String",
"metadata": {
"displayName": "Enable metrics",
"description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
},
"allowedValues": [
"True",
"False"
],
"defaultValue": "False"
},
"logsEnabled": {
"type": "String",
"metadata": {
"displayName": "Enable logs",
"description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
},
"allowedValues": [
"True",
"False"
],
"defaultValue": "True"
}
},
"policyRule": {
"if": {
"field": "type",
"equals": "Microsoft.Storage/storageAccounts"
},
"then": {
"effect": "[parameters('effect')]",
"details": {
"type": "Microsoft.Insights/diagnosticSettings",
"name": "[parameters('profileName')]",
"existenceCondition": {
"allOf": [
{
"field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
"equals": "parameters('logsEnabled')"
},
{
"field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
"equals": "parameters('metricsEnabled')]"
}
]
},
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/"
],
"deployment": {
"properties": {
"mode": "Incremental",
"template": {
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"resourceName": {
"type": "string"
},
"logAnalytics": {
"type": "string"
},
"location": {
"type": "string"
},
"metricsEnabled": {
"type": "string"
},
"logsEnabled": {
"type": "string"
},
"profileName": {
"type": "string"
}
},
"variables": {},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts/providers/diagnosticSettings",
"apiVersion": "2017-05-01-preview",
"name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
"location": "[parameters('location')]",
"dependsOn": [],
"properties": {
"workspaceId": "[parameters('logAnalytics')]",
"metrics": [
{
"category": "AllMetrics",
"enabled": true,
"retentionPolicy": {
"enabled": true,
"days": 365
}
}
],
"logs": [
{
"category": "Audit",
"enabled": true
},
{
"category": "Requests",
"enabled": true
}
]
}
}
],
"outputs": {}
},
"parameters": {
"location": {
"value": "[field('location')]"
},
"resourceName": {
"value": "[field('name')]"
},
"profileName": {
"value": "[parameters('profileName')]"
},
"metricsEnabled": {
"value": "[parameters('metricsEnabled')]"
},
"logsEnabled": {
"value": "[parameters('logsEnabled')]"
},
"logAnalytics": {
"value": "[parameters('logAnalytics')]"
}
}
}
}
}
}
}
}
}
For more information, please refer to this Microsoft documentation.