
AmistadGroup
Azure Automation: Enable Diagnostic Settings
Azure Diagnostic Logs are logs emitted by a resource that provide rich, frequent data about the operation of that resource. You can enable Azure Diagnostic Settings manually in the Azure Portal, or with PowerShell/CLI via Azure Cloud Shell.
Initially, when I looked at this topic, I created a PowerShell script in Azure Automation to do this task automatically; I was looking for an automated solution to enable logs to be sent to a Log Analytics workspace and also to a storage account. For each resource that I have in a subscription, I enabled Azure Diagnostic Settings using this piece of code:
# Send the resource's diagnostics to a Log Analytics workspace
Set-AzDiagnosticSetting `
    -Name "LogAnalyticsName" `
    -ResourceId "LogAnalyticsResourceID" `
    -Enabled $true `
    -WorkspaceId "WorkspaceAccountID"

# Send the resource's diagnostics to a storage account and keep them for 90 days
Set-AzDiagnosticSetting `
    -Name "DiagnosticSettingsName" `
    -ResourceId "ResourceIDForWhichYouEnableDiagnosticSettings" `
    -Enabled $true `
    -RetentionEnabled $true `
    -RetentionInDays 90 `
    -StorageAccountId "StorageAccountID"
As you can see, this piece of code enables the logs to be sent to a Log Analytics workspace and also to a storage account, where they are kept for a period of 90 days.
Everything was fine for a very long period of time, until a new release was deployed and suddenly diagnostic settings were no longer enabled and the retention period was no longer enforced.
I started troubleshooting this issue because I really wanted to have this implemented automatically by my PowerShell script.
Finally, I managed to resolve this issue by understanding that I need to go into each diagnostic settings category or metric to enable it and also enable the retention period, and for that I used this piece of code:
For the storage account:
# Read the current setting to discover the log and metric categories of the resource
$azdiag = Get-AzDiagnosticSetting -ResourceId "ResourceIDForEachYouWantToEnableDiagnosticSettings"

# Enable every log category, with retention, towards the storage account
$azdiagLogs = $azdiag.Logs
foreach ($azdiagLog in $azdiagLogs) {
    Set-AzDiagnosticSetting `
        -Name "CategoryDiagnosticSettingsName" `
        -ResourceId "ResourceIDForEachYouWantToEnableDiagnosticSettings" `
        -Enabled $True `
        -EnableLog $True `
        -Category $azdiagLog.Category `
        -StorageAccountId "StorageAccountID" `
        -RetentionEnabled $true `
        -RetentionInDays 10
}

# Enable every metric category, with retention, towards the storage account
$azdiagMetrics = $azdiag.Metrics
foreach ($azdiagMetric in $azdiagMetrics) {
    Set-AzDiagnosticSetting `
        -Name "MetricDiagnosticSettingsName" `
        -ResourceId "ResourceIDForEachYouWantToEnableDiagnosticSettings" `
        -Enabled $True `
        -EnableMetrics $True `
        -MetricCategory $azdiagMetric.Category `
        -StorageAccountId "StorageAccountID" `
        -RetentionEnabled $True `
        -RetentionInDays 10
}
For the Log Analytics workspace:
# Read the current setting to discover the log and metric categories of the resource
$azdiag = Get-AzDiagnosticSetting -ResourceId "ResourceIDForEachYouWantToEnableDiagnosticSettings"

# Enable every log category towards the workspace
$azdiagLogs = $azdiag.Logs
foreach ($azdiagLog in $azdiagLogs) {
    Set-AzDiagnosticSetting `
        -Name "CategoryDiagnosticSettingsName" `
        -ResourceId "ResourceIDForEachYouWantToEnableDiagnosticSettings" `
        -Enabled $True `
        -EnableLog $True `
        -Category $azdiagLog.Category `
        -WorkspaceId "WorkspaceAccountID"
}

# Enable every metric category towards the workspace
$azdiagMetrics = $azdiag.Metrics
foreach ($azdiagMetric in $azdiagMetrics) {
    Set-AzDiagnosticSetting `
        -Name "MetricDiagnosticSettingsName" `
        -ResourceId "ResourceIDForEachYouWantToEnableDiagnosticSettings" `
        -Enabled $True `
        -EnableMetrics $True `
        -MetricCategory $azdiagMetric.Category `
        -WorkspaceId "WorkspaceAccountID"
}
This was the solution that I implemented, and it is working as expected.
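The failure described above, where settings silently stop being enabled after a release, is easier to catch with a check that runs after the enable script. The following is an added example, not part of the original post's code: the function name `Get-DiagnosticSettingGap` and the sample objects are hypothetical, and it assumes the object shape the post's own code reads from `Get-AzDiagnosticSetting` (`.Logs`, `.Metrics`, `.Category`, plus `.Enabled` and `.RetentionPolicy`).

```powershell
# Added example. Reports categories that are disabled or whose retention is not enforced.
function Get-DiagnosticSettingGap {
    param(
        [Parameter(Mandatory)] [string] $ResourceId,
        [object[]] $Setting,              # output of Get-AzDiagnosticSetting; may be empty
        [int] $MinRetentionDays = 10,
        [switch] $CheckRetention          # use for settings that target a storage account
    )
    if (-not $Setting) {
        # Nothing configured at all on this resource
        return [pscustomobject]@{ ResourceId = $ResourceId; Setting = $null; Category = '*'; Gap = 'NoDiagnosticSetting' }
    }
    foreach ($s in $Setting) {
        # Logs and metrics are checked the same way; drop nulls left by empty collections
        $entries = @($s.Logs) + @($s.Metrics) | Where-Object { $_ }
        foreach ($e in $entries) {
            $gap = $null
            if (-not $e.Enabled) { $gap = 'CategoryDisabled' }
            elseif ($CheckRetention -and -not $e.RetentionPolicy.Enabled) { $gap = 'RetentionDisabled' }
            elseif ($CheckRetention -and $e.RetentionPolicy.Days -ne 0 -and
                    $e.RetentionPolicy.Days -lt $MinRetentionDays) {
                $gap = 'RetentionTooShort'   # Days = 0 means "keep indefinitely", so it is not flagged
            }
            if ($gap) {
                [pscustomobject]@{ ResourceId = $ResourceId; Setting = $s.Name; Category = $e.Category; Gap = $gap }
            }
        }
    }
}

# Constructed sample mimicking one diagnostic setting (not real output):
# one log category disabled, one metric category with retention below the minimum.
$sample = [pscustomobject]@{
    Name    = 'CategoryDiagnosticSettingsName'
    Logs    = @(
        [pscustomobject]@{ Category = 'CategoryA'; Enabled = $true;  RetentionPolicy = @{ Enabled = $true;  Days = 10 } }
        [pscustomobject]@{ Category = 'CategoryB'; Enabled = $false; RetentionPolicy = @{ Enabled = $false; Days = 0 } }
    )
    Metrics = @(
        [pscustomobject]@{ Category = 'AllMetrics'; Enabled = $true; RetentionPolicy = @{ Enabled = $true; Days = 5 } }
    )
}

Get-DiagnosticSettingGap -ResourceId 'constructed-resource-id' -Setting $sample -CheckRetention |
    Format-Table Category, Gap
```

Against live resources, pass the result of `Get-AzDiagnosticSetting -ResourceId` for each resource as `-Setting`. Resource types that do not support diagnostic settings should be skipped first, otherwise they show up as `NoDiagnosticSetting`.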
This is how I enable NSG flow logs using an Azure Automation PowerShell script:
# Placeholders: -NetworkWatcher expects the Network Watcher object (from Get-AzNetworkWatcher)
# and -Workspace the workspace object (from Get-AzOperationalInsightsWorkspace).
$nsgs = Get-AzNetworkSecurityGroup -ResourceGroupName "ResourceGroupName"
foreach ($nsg in $nsgs) {
    # Configure flow logs for the NSG of the current iteration
    Set-AzNetworkWatcherConfigFlowLog `
        -NetworkWatcher "SubscriptionNetworkWatcherDeployment" `
        -TargetResourceId $nsg.Id `
        -EnableFlowLog $True `
        -StorageAccountId "StorageAccountID" `
        -EnableRetention $True `
        -RetentionInDays 10 `
        -EnableTrafficAnalytics:$True `
        -Workspace "LoganalyticsWorkspaceAccount" `
        -TrafficAnalyticsInterval 60
}
This is how I enable SQL Server Audit using an Azure Automation PowerShell script:
Set-AzSqlServerAudit `
    -ResourceGroupName "ResourceGroupName" `
    -ServerName "SQLServerName" `
    -BlobStorageTargetState Enabled `
    -StorageAccountResourceId "StorageAccountID" `
    -RetentionInDays 10 `
    -LogAnalyticsTargetState Enabled `
    -WorkspaceResourceId "LoganalyticsWorkspaceAccount"
Azure Diagnostic Settings cannot be enabled on all resources, which is why you also need to take this into account in your script: https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/resource-logs-categories
For more details about Azure Diagnostic Settings, please also check https://docs.microsoft.com/en-us/azure/azure-monitor/agents/diagnostics-extension-overview and https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings
Thank you!
AmistadGroup IT Team