Policy to connect subscription's activity logs to log analytics - azure

I'm looking for a custom policy to connect and get activity/audit logs from Azure to a Log Analytics workspace. There is no built-in policy for this, so it would need to be done with a custom policy. Has anybody created or seen this kind of policy, because I have not been able to find one? The policy should be AuditIfNotExists and should take the Log Analytics workspace as a parameter. I'm not a policy specialist, so finding a policy would help a lot.

There is no policy to set this up, but it is possible to set it up. I got this information from this tutorial:
"The Azure policy compliance status is logged in the Azure subscription's Activity logs. The Azure Log Analytics workspace can be configured to collect Azure Activity logs from any subscriptions in the same tenant. Azure Monitor alert rules can then be created to execute queries in the Log Analytics workspace on a schedule and generate alerts when non-compliant resources are detected by the query."
Connect the Log Analytics workspace to the desired subscription.
Add Kusto queries in the workspace to get the information needed.
Here is an example of a Kusto query to get a list of non-compliant resources from a single policy (using the "audit-resources-without-tags-policyDef" definition as an example):
let policyDefId = 'audit-resources-without-tags-policyDef';
AzureActivity
| where Category == 'Policy' and Level != 'Informational'
| extend p = todynamic(Properties)
| extend policies = todynamic(tostring(p.policies))
| mv-expand policy = policies
| where policy.policyDefinitionName in (policyDefId)
| distinct ResourceId
You can set up alerts using Azure Monitor with a custom log search.
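The query in the answer above relies on one detail that is easy to miss: the Properties column of a Policy activity record is a JSON string, and its "policies" member is itself a JSON-encoded array, which is why the KQL decodes it twice (todynamic(Properties), then todynamic(tostring(p.policies))) before mv-expanding it. The following Python is an added example, not code from the answer or from Microsoft, that applies the same filter steps to constructed AzureActivity rows so the logic can be checked offline. The row shapes and the policyDefinitionEffect field are assumptions made for the sample; it also generalises the single policyDefId to a list of definition names.

```python
import json
from typing import Any, Dict, Iterable, List

# Constructed sample resource ids (not real data); the subscription id is a placeholder.
_PREFIX = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/"
VM1 = _PREFIX + "Microsoft.Compute/virtualMachines/vm1"
VM2 = _PREFIX + "Microsoft.Compute/virtualMachines/vm2"
VM3 = _PREFIX + "Microsoft.Compute/virtualMachines/vm3"
STORAGE1 = _PREFIX + "Microsoft.Storage/storageAccounts/storage1"
TAG_POLICY = "audit-resources-without-tags-policyDef"


def _policy_row(level: str, resource_id: str, policy_names: List[str]) -> Dict[str, Any]:
    """Build a constructed AzureActivity row of Category 'Policy'.

    Properties is a JSON string whose 'policies' member is again a JSON string,
    mirroring the double encoding the KQL has to undo.
    """
    policies = [{"policyDefinitionName": n, "policyDefinitionEffect": "audit"} for n in policy_names]
    return {
        "Category": "Policy",
        "Level": level,
        "ResourceId": resource_id,
        "Properties": json.dumps({"isComplianceCheck": "False", "policies": json.dumps(policies)}),
    }


# Constructed sample rows covering the cases the query filters on.
SAMPLE_ROWS: List[Dict[str, Any]] = [
    _policy_row("Warning", VM1, [TAG_POLICY]),                    # non-compliant, counted once
    _policy_row("Warning", VM1, [TAG_POLICY]),                    # duplicate, collapsed by distinct
    _policy_row("Informational", STORAGE1, [TAG_POLICY]),         # dropped: Level == Informational
    _policy_row("Warning", VM2, ["some-other-policyDef"]),        # dropped: different policy
    _policy_row("Warning", VM3, ["some-other-policyDef", TAG_POLICY]),  # found via the second array element
    {"Category": "Administrative", "Level": "Warning", "ResourceId": VM2, "Properties": "{}"},  # wrong Category
]


def _expand_policies(properties: Any) -> List[Dict[str, Any]]:
    """Python equivalent of the two todynamic() calls plus mv-expand.

    Returns the list of policy objects, or [] when the row carries no usable data.
    """
    try:
        props = json.loads(properties) if isinstance(properties, str) else (properties or {})
    except json.JSONDecodeError:
        return []
    policies = props.get("policies", [])
    if isinstance(policies, str):  # the double-encoded form the Activity log emits
        try:
            policies = json.loads(policies)
        except json.JSONDecodeError:
            return []
    if not isinstance(policies, list):
        return []
    return [p for p in policies if isinstance(p, dict)]


def non_compliant_resources(rows: Iterable[Dict[str, Any]], policy_def_names: Iterable[str]) -> List[str]:
    """Return the distinct ResourceIds flagged by any of the given policy definitions."""
    wanted = set(policy_def_names)
    found = set()
    for row in rows:
        # where Category == 'Policy' and Level != 'Informational'
        if row.get("Category") != "Policy" or row.get("Level") == "Informational":
            continue
        # mv-expand policy = policies | where policy.policyDefinitionName in (policyDefId)
        for policy in _expand_policies(row.get("Properties")):
            if policy.get("policyDefinitionName") in wanted:
                found.add(row["ResourceId"])
                break
    return sorted(found)  # distinct ResourceId


if __name__ == "__main__":
    for rid in non_compliant_resources(SAMPLE_ROWS, [TAG_POLICY]):
        print(rid)
```

The sample deliberately includes the compliance-check rows (Level Informational), which the original query excludes so that the scheduled alert fires only on evaluation results, and a row where the matching policy is not the first element of the array, which is why mv-expand is needed rather than a string comparison on Properties.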

Related

How to set alert on edit/delete of a file or folder in Azure Portal

Log files for my sample application are getting created in the following folder in the Azure portal:
D:/home/LogFiles/sample_application/sample_application.log
sample_application.log can be both edited and deleted.
Is there a way in the Azure portal to trigger an email alert when someone tries to modify or delete the log file?
• Yes, you can surely configure an alert using Azure Monitor regarding the deletion of the log file from the App Service through the Kudu console or by some other means. For this purpose, you will have to create an alert rule from the Azure Monitor alerts pane with the condition
AppServiceFileAuditLogs
| where OperationName == "Delete" and Path == "D:/home/LogFiles/sample_application/sample_application.log"
with the action of sending an alert to the email id registered with this alert rule. Please find the link below on how to create an alert rule through Azure Monitor:
https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-activity-log
Also find the snapshot below for reference:
Also, ensure that the condition is selected as 'Custom Log Search', as shown below:
Please find the link below for detailed instructions on implementing the integration between Azure App Service and Azure Monitor:
https://azure.github.io/AppService/2019/11/01/App-Service-Integration-with-Azure-Monitor.html

Azure AKS container logs location in storage account

I want to be able to find specific logs from an AKS container that has diagnostics configured for a storage account. I'm able to generate this kind of query from Log Analytics:
ContainerLog
| join kind = inner KubePodInventory on $left.ContainerID == $right.ContainerID
| where Namespace == "default" and LogEntry contains "error"
| project TimeGenerated, LogEntry, ContainerName
showing me container logs, yet I'm not able to find the same output in the actual log files saved in the storage account. Shouldn't both receiver services have the same logs available? Here's the list of log types that the AKS cluster generates.
Here's the output from the Log Analytics query:

Find SKU of deployed resources in Log Analytics - Azure Activity

I have configured the following Kusto query to gather info of Azure deployments in our subscription.
AzureActivity
| where ResourceProviderValue startswith "Microsoft.resources"
| where ActivitySubstatusValue contains "Created"
This query will display various information about new deployments across all resource providers. These are the columns that are included when running the query:
TenantId, SourceSystem, CallerIpAddress, CategoryValue, CorrelationId, Authorization, Authorization_d, Claims, Claims_d, Level, OperationNameValue, Properties, Properties_d, Caller, EventDataId, EventSubmissionTimestamp, HTTPRequest, OperationId, ResourceGroup, ResourceProviderValue, ActivityStatusValue, ActivitySubstatusValue, Hierarchy, TimeGenerated, SubscriptionId, OperationName, ActivityStatus, ActivitySubstatus, Category, ResourceId, ResourceProvider, Resource, Type, _ResourceId
However, it does not include the SKU of the deployed resource.
I want to monitor the deployed resources in a subscription, including SKUs. Is it possible to include the SKU of deployed resources of all resource providers in a Log Analytics query from Azure Activity logs?
We have tested this in our local environment; the analysis below is based on our observations.
The Activity log is a platform log in Azure that provides insight into subscription-level events. This includes such information as when a resource is modified or when a virtual machine is started.
"Is it possible to include the SKU of deployed resources of all resource providers in a Log Analytics query from Azure Activity logs?"
No, it is not possible. To validate this we have created a NetworkSecurityGroup and a DataDisk in our subscription.
When we try to fetch the logs for those resources using the AzureActivity table and apply a filter of ResourceProviderValue == "MICROSOFT.RESOURCES", the actual names for those resources that were passed by the user while creating them are not populated, as shown below.
Instead of using ResourceProviderValue == "MICROSOFT.RESOURCES", if you use the resource-specific resource provider of the resource that you are deploying, then you will be able to pull the SKU of that resource.
Here, Disk comes under the Microsoft.Compute resource provider; if we apply some additional filters to the above AzureActivity log, we can pull the SKU of the particular resource.

How to get only create logs of Virtual Machine in Azure?

So, I can see create_or_update logs of my VM in the activity logs. There is no filter to get just the create logs, as far as I am aware.
So is there any way I can just see the create logs of a VM using the API or commands?
You can follow the steps below to achieve your requirement.
You need to enable diagnostic settings for activity logs.
Refer to https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log#send-to-log-analytics-workspace for enabling the diagnostic settings.
Once the Log Analytics workspace is established, you can query the logs as
AzureActivity
| where OperationName == 'Create or Update Virtual Machine' and ActivitySubstatusValue == 'Created'
| order by TimeGenerated desc
The above output will show only the Create operations. You can further filter it based on your requirement.

Track Resource deletion from Azure ActivityLog in LogAnalytics

I am trying to alert/visualize Resource changes like creation/deletion of Azure resources using Log Analytics/OMS.
I am able to find new deployments using:
AzureActivity
| where ActivityStatus == 'Succeeded' and OperationNameValue contains 'Microsoft.Resources/deployments/write'
and VM start/stop is also traceable.
However, I do not see any logs when a VM is deleted from a resource group. I checked the resource group Activity logs too; however, such an important event doesn't seem to be tracked properly. The only thing I find is the deletion of shutdown schedules as part of VM deletion, but this isn't a reliable indicator.
How can I track resource deletions using Log Analytics?
You can set up an alert when the VM is deleted in Log Analytics.
Navigate to the Azure portal, your Log Analytics workspace -> in the left blade, select Alerts -> New alert rule -> in the new page, select your VM as the resource -> then in the condition, add a condition: Delete Virtual Machine.
