Find SKU of deployed resources in Log Analytics - Azure Activity - azure

I have configured the following Kusto query to gather info of Azure deployments in our subscription.
AzureActivity
| where ResourceProviderValue startswith "Microsoft.resources"
| where ActivitySubstatusValue contains "Created"
This query will display various information about new deployments across all resource providers. These are the columns that are included when running the query:
TenantId, SourceSystem, CallerIpAddress, CategoryValue, CorrelationId, Authorization, Authorization_d, Claims, Claims_d, Level, OperationNameValue, Properties, Properties_d, Caller, EventDataId, EventSubmissionTimestamp, HTTPRequest, OperationId, ResourceGroup, ResourceProviderValue, ActivityStatusValue, ActivitySubstatusValue, Hierarchy, TimeGenerated, SubscriptionId, OperationName, ActivityStatus, ActivitySubstatus, Category, ResourceId, ResourceProvider, Resource, Type, _ResourceId
however not the SKU of the deployed resource.
I want to monitor the deployed resources in a subscription, including SKUs. Is it possible to include the SKU of deployed resources of all resource providers in a Log Analytics query from Azure Activity logs?

We have tested this in our local environment. The analysis below is based on our observations.
The Activity log is a platform log in Azure that provides insight into subscription-level events. This includes such information as when a resource is modified or when a virtual machine is started.
Is it possible to include the SKU of deployed resources of all
resource providers in a Log Analytics query from Azure Activity logs?
No, it is not possible. To validate this, we created a NetworkSecurityGroup and a DataDisk in our subscription.
When we try to fetch the logs for those resources using the AzureActivity table with a filter of ResourceProviderValue == "MICROSOFT.RESOURCES", the actual names that the user passed when creating those resources are not populated, as shown below.
If, instead of ResourceProviderValue == "MICROSOFT.RESOURCES", you use the specific resource provider of the resource that you are deploying, then you will be able to pull the SKU of that resource.
Here, Disk comes under the Microsoft.Compute resource provider. If we apply some additional filters to the above AzureActivity log, we can pull the SKU of the particular resource.
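One way to write the provider-specific filter described in this answer, generalized from the disk case to every provider other than Microsoft.Resources (an added example, not the answerer's query). It assumes the "Created" record carries the ARM response as a JSON string in Properties_d.responseBody and that the resource type exposes a top-level sku.name; rows without one are flagged instead of dropped.

```kusto
// Added example. Assumptions: Properties_d.responseBody holds the ARM
// response JSON for "Created" writes, and the SKU sits at sku.name.
AzureActivity
| where TimeGenerated > ago(7d)
// Deployment wrapper events carry no resource body, so skip them.
| where ResourceProviderValue !~ "Microsoft.Resources"
| where OperationNameValue endswith "/write"
| where ActivitySubstatusValue contains "Created"
| extend body = parse_json(tostring(Properties_d.responseBody))
| extend Sku = tostring(body.sku.name)
// Keep resources that report no SKU visible for review.
| extend SkuStatus = iff(isempty(Sku), "no sku in response", "ok")
| project TimeGenerated, Caller, CallerIpAddress, ResourceGroup,
          ResourceProviderValue, OperationNameValue, _ResourceId, Sku, SkuStatus
| order by TimeGenerated desc
```

Keeping Caller and CallerIpAddress in the projection lets the same query answer who deployed a given SKU and from where.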

Related

Azure AKS container logs location in storage account

I want to be able to find specific logs from AKS container, that have diagnostic configured for storage account. I'm able to generate this kind of query from log analytics:
ContainerLog
| join kind = inner KubePodInventory on $left.ContainerID == $right.ContainerID
| where Namespace == "default" and LogEntry contains "error"
| project TimeGenerated, LogEntry, ContainerName
showing me container logs, yet I'm not able to find the same output in the actual log files saved in the storage account. Shouldn't both receiver services have the same logs available? Here's the list of log types that the AKS cluster generates.
Here's the output from log analytics query:

What do the fields mean in the Azure Pricing REST API?

I wish to use the Azure Pricing REST API. It lists several fields:
Filters are supported for the following fields:
armRegionName, Location, meterId, meterName, productid, skuId, productName, skuName,
serviceName, serviceId, serviceFamily, priceType, armSkuName
Where do I find information about what these fields mean?
Is there a way to find the productName, skuName, etc. of a virtual machine that I have created on Azure?
Where do I find information about what these fields mean?
The Azure Retail Prices overview has a description of all the fields.
Is there a way to find the productName, skuName, etc. of a virtual machine that I have created on Azure?
Locate the VM in the Azure portal and check Overview > Size. The size, e.g. Standard D2s v3, corresponds with the (arm)SkuName property returned by the API. Note that the portal doesn't include all the details, so you could try Azure CLI, e.g. az resource show -g MyResourceGroup -n MyVm --resource-type "Microsoft.Compute/virtualMachines", to display more details of the specified resource.
What are you trying to accomplish?
From my best guess:
armRegionName - that's the ID of the region that you will use in ARM templates and Azure APIs.
Location - that's the human-readable name of the region
meterId - that's an ID of how it will show up in your or consumption reports
meterName - same as above, but human-readable
productid - as I understand it, that's service + license: VM + Windows or + MSSQL
productName - same as above
skuId - that's, I believe, an ID from Microsoft's license or contract entities
skuName - same as above
serviceId - ID of a subgroup of Service Family
serviceName - just a subgroup of Service Family: Virtual Machines, etc.
serviceFamily - just a group of services like Compute, Storage, etc.
priceType - same as Type, with values: DevTestConsumption, Reservation, Consumption
armSkuName - that's the VM ID that you will see in ARM templates or should use in Azure API calls.

Policy to connect subscription's activity logs to log analytics

I'm looking for a custom policy to connect and get activity/audit logs from Azure to a Log Analytics workspace. There is no built-in policy for this, so it would need to be done with a custom policy. Has anybody created or seen this kind of policy? I have not been able to find one. The policy should be AuditIfNotExists and should take the Log Analytics workspace as a parameter. I'm not a policy specialist, so finding a policy would help a lot.
There is no policy to set this up but it is possible to set it up. I got this information from this tutorial:
"The Azure policy compliance status is logged in the Azure subscription’s Activity logs. The Azure Log Analytics workspace can be configured to collect Azure Activity logs from any subscriptions in the same tenant. Azure Monitor alert rules can then be created to execute queries in the Log Analytics workspace on a schedule and generate alerts when non-compliant resources are detected by the query. "
Connect log Analytics workspace to desired subscription
Add Kusto queries in the workspace to get information needed:
Here is an example of a Kusto query to get a list of non-compliant resources from a single policy (using the “audit-resources-without-tags-policyDef” definition as an example):
let policyDefId = 'audit-resources-without-tags-policyDef';
AzureActivity
| where Category == 'Policy' and Level != 'Informational'
| extend p=todynamic(Properties)
| extend policies=todynamic(tostring(p.policies))
| mvexpand policy = policies
| where policy.policyDefinitionName in (policyDefId)
| distinct ResourceId
You can set up alerts using Azure Monitor with a custom log search

Track Resource deletion from Azure ActivityLog in LogAnalytics

I am trying to alert/visualize Resource changes like creation/deletion of Azure resources using Log Analytics/OMS.
I am able to find new deployments using:
AzureActivity
| where ActivityStatus == 'Succeeded' and OperationNameValue contains 'Microsoft.Resources/deployments/write'
and VM start/stop also is traceable.
However, I do not see any logs when a VM is deleted from a resource group. I checked in the resource group Activity logs too; however, such an important event doesn't seem to be tracked properly. The only thing I find is the deletion of shutdown schedules as part of VM deletion; however, this isn't a reliable indicator.
How can I track resource deletions using Log Analytics?
You can set up an alert when the VM is deleted in Log Analytics.
Navigate to the Azure portal, your Log Analytics -> in the left blade, select Alerts -> New alert rule -> in the new page, select your VM as resource -> then in the condition, add a condition: Delete Virtual Machine.
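The deletion tracking asked about above, written as a log query over AzureActivity that covers every resource type and can back a log search alert (an added example, not part of the original answer). It assumes delete operations are recorded with an OperationNameValue ending in /delete, and that success appears as "Success" in ActivityStatusValue or "Succeeded" in the older ActivityStatus column.

```kusto
// Added example: successful resource deletions in the last 24 hours.
// Assumption: status is "Success" (ActivityStatusValue) or
// "Succeeded" (legacy ActivityStatus), depending on schema version.
AzureActivity
| where TimeGenerated > ago(1d)
| where OperationNameValue endswith "/delete"
| where ActivityStatusValue in~ ("Success", "Succeeded")
     or ActivityStatus =~ "Succeeded"
// One row per deleted resource, keeping the most recent event.
| summarize arg_max(TimeGenerated, OperationNameValue, Caller,
                    CallerIpAddress, ResourceGroup, SubscriptionId)
         by _ResourceId
| project DeletedAt = TimeGenerated, _ResourceId, OperationNameValue,
          Caller, CallerIpAddress, ResourceGroup, SubscriptionId
| order by DeletedAt desc
```

To watch virtual machines only, narrow the operation filter to Microsoft.Compute/virtualMachines/delete.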

Run an arbitrary Azure provider operation

In the Azure CLI resource manager, we can list providers and their operations.
azure provider list
azure provider operations show Microsoft.Web/sites/*
How do we run one of the listed operations? For instance, how would we run this:
Operation : Microsoft.Web/sites/sourcecontrols/web/Read
OperationName : Get Web App's source control configuration
ProviderNamespace : Microsoft Web Apps
ResourceName : Web App Source Control
Description : Get Web App's source control configuration settings.
The purpose of azure provider operations show is to display operations that are supported by the various providers so that you can use them to create custom Role Based Access Control (RBAC) roles. They are not actual commands or endpoints that can be executed.
To create a custom RBAC role, you first create a JSON file describing the role and operations allowed by the role, then pass the file to azure role create.
More details here: https://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-manage-access-azure-cli/#create-a-custom-role
