Is there a way to configure Azure Activity logs to be forwarded to a Log Analytics instance using Azure CLI?
Hopefully equivalent to the PowerShell command:
New-AzureRmOperationalInsightsAzureActivityLogDataSource -ResourceGroupName <LogAnalyticsOMSWorkspaceResourceGroupName> -WorkspaceName <LogAnalyticsOMSWorkspaceName> -Name <NameOfThisOperationalInsightsAzureActivityLogDataSource> -SubscriptionId <SubscriptionId>
Significant changes have been made to Azure Monitor recently, with different services being consolidated in order to simplify monitoring for Azure customers.
Dedicated Azure CLI commands under the set az monitor activity-log alert are available for managing activity log alert rules.
To create a new activity log alert rule, use in this order:
az monitor activity-log alert create: Create new activity log alert rule resource
az monitor activity-log alert scope: Add scope for the created activity log alert rule
az monitor activity-log alert action-group: Add action group to the activity log alert rule
To retrieve one activity log alert rule resource, the Azure CLI command az monitor activity-log alert show can be used. For viewing all activity log alert rule resources in a resource group, use az monitor activity-log alert list. Activity log alert rule resources can be removed using the Azure CLI command az monitor activity-log alert delete.
https://learn.microsoft.com/en-us/azure/azure-monitor/platform/alerts-activity-log#cli
I'm trying to fetch the "event initiated by" value, i.e. the email ID of the user who created the VM, using az cli.
I tried running
az monitor activity-log list -g "resgroupname" --resource-id "my-res-id"
but it lists all the VM details.
I'm trying to list the event of one vm by passing the resource id.
https://learn.microsoft.com/en-us/cli/azure/monitor/activity-log?view=azure-cli-latest
You need to add a query filter to the above cmdlet in order to pull the user name (Caller) who initiated the create VM operation from the activity logs.
az monitor activity-log list -g <resourceGroupName> --resource-id <VMResourceId> --query "[?contains(operationName.value,'Microsoft.Compute/virtualMachines/write')].{name:operationName.value,caller:caller,createdtime:submissionTimestamp}" -o table
I have tested the above cmdlet in my local environment (Cloud Shell), by creating a Log Analytics workspace and projecting the activity logs of the resource group to that Log Analytics workspace.
Here is the sample output for reference:
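An added example, not part of the original answer: the activity log holds several events per operation (Started, Accepted, Succeeded or Failed), so the query above returns one row per event. This Python sketch collapses VM write events into one row per operation; the sample records are constructed, and the status and correlationId fields are assumed to be present in the JSON output alongside the fields used in the query.

```python
import json

VM_WRITE = "microsoft.compute/virtualmachines/write"

# Constructed sample in the shape of `az monitor activity-log list -o json`
# output (newest first). Every value here is made up for illustration.
SAMPLE = json.loads("""[
 {"operationName": {"value": "Microsoft.Compute/virtualMachines/write"},
  "status": {"value": "Failed"}, "correlationId": "c-2",
  "caller": "00000000-0000-0000-0000-000000000001",
  "submissionTimestamp": "2024-01-10T10:00:30Z"},
 {"operationName": {"value": "Microsoft.Compute/virtualMachines/write"},
  "status": {"value": "Started"}, "correlationId": "c-2",
  "caller": "00000000-0000-0000-0000-000000000001",
  "submissionTimestamp": "2024-01-10T10:00:00Z"},
 {"operationName": {"value": "Microsoft.Compute/virtualMachines/start/action"},
  "status": {"value": "Succeeded"}, "correlationId": "c-3",
  "caller": "bob@example.com",
  "submissionTimestamp": "2024-01-10T09:30:00Z"},
 {"operationName": {"value": "Microsoft.Compute/virtualMachines/write"},
  "status": {"value": "Succeeded"}, "correlationId": "c-1",
  "caller": "alice@example.com",
  "submissionTimestamp": "2024-01-10T09:02:10Z"},
 {"operationName": {"value": "Microsoft.Compute/virtualMachines/write"},
  "status": {"value": "Started"}, "correlationId": "c-1",
  "caller": "alice@example.com",
  "submissionTimestamp": "2024-01-10T09:00:00Z"}
]""")


def vm_write_operations(events):
    """Collapse VM write events into one row per operation (correlationId)."""
    ops = {}
    for ev in events:
        name = (ev.get("operationName") or {}).get("value") or ""
        if name.lower() != VM_WRITE:
            continue  # e.g. start/action is not a create or update
        ts = ev.get("submissionTimestamp") or ""
        status = (ev.get("status") or {}).get("value") or "Unknown"
        key = ev.get("correlationId") or ts
        op = ops.setdefault(key, {"caller": None, "first_seen": ts,
                                  "last_seen": ts, "status": status})
        op["caller"] = op["caller"] or ev.get("caller")
        # Same-format UTC ISO-8601 strings sort chronologically as text.
        op["first_seen"] = min(op["first_seen"], ts)
        if ts >= op["last_seen"]:
            op["last_seen"], op["status"] = ts, status
    return sorted(ops.values(), key=lambda o: o["first_seen"])
```

The caller is not always an email address: in the constructed sample the second operation carries an identifier instead, which is why the function reports the value as-is rather than validating it.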
We have our on-premises Azure DevOps Server that is growing quite fast. The database files (SQL Server 14) were about 130 GB. In less than a month they are now 160 GB.
Is there an agent monitor (maybe an Azure DevOps extension?) to log mostly the Azure DevOps operations that may cause this? Not only push and other standard Git operations, but something more specific? We have several repositories, pipelines, artifacts, etc.
Edit: auditing on Azure DevOps Services isn't available for on-premises deployments. Moreover, there are several third-party providers offering this service, but again it seems like they work only in the cloud.
What I'm eventually looking for is a way to know the memory occupancy of a single Team Project or its pipelines/releases etc. Then it will be easy to check day after day which one is growing so rapidly.
You can check the Azure DevOps Server growth using continuous monitoring with Application Insights.
You can set the alert rules using the sample CLI script below.
To modify alert rule settings:
In the left pane of the release pipeline page, select Configure Application Insights Alerts.
# Strip the surrounding JSON quotes; Trim() returns a new string, so assign it back.
$subscription = az account show --query "id";
$subscription = $subscription.Trim("`"");
$resource = "/subscriptions/$subscription/resourcegroups/" + "$(Parameters.AppInsightsResourceGroupName)" + "/providers/microsoft.insights/components/" + "$(Parameters.ApplicationInsightsResourceName)";
az monitor metrics alert create -n 'Availability_$(Release.DefinitionName)' -g $(Parameters.AppInsightsResourceGroupName) --scopes $resource --condition 'avg availabilityResults/availabilityPercentage < 99' --description "created from Azure DevOps";
az monitor metrics alert create -n 'FailedRequests_$(Release.DefinitionName)' -g $(Parameters.AppInsightsResourceGroupName) --scopes $resource --condition 'count requests/failed > 5' --description "created from Azure DevOps";
az monitor metrics alert create -n 'ServerResponseTime_$(Release.DefinitionName)' -g $(Parameters.AppInsightsResourceGroupName) --scopes $resource --condition 'avg requests/duration > 5' --description "created from Azure DevOps";
az monitor metrics alert create -n 'ServerExceptions_$(Release.DefinitionName)' -g $(Parameters.AppInsightsResourceGroupName) --scopes $resource --condition 'count exceptions/server > 5' --description "created from Azure DevOps";
You can modify the script and add additional rules, and you can even modify alert conditions, or you can remove alert rules which you don't require.
I want to monitor metrics of all virtual machines inside my subscription with Azure CLI. According to Microsoft's "az monitor metrics alert" documentation, each alert is created for a specific resource ID, for example:
az monitor metrics alert create -n alert1 -g {ResourceGroup} --scopes {VirtualMachineID} --condition "avg Percentage CPU > 90" --description "High CPU"
Can I create an alert for monitoring high CPU for all VMs (instead of creating many alerts associated with a specific VM)?
Moreover, how can I configure my email as an alert action?
Thank you.
From the syntax, it seems like if we just pass a comma-separated list of Resource IDs to --scope parameter we should be able to create a metrics alert for multiple resources. But it doesn't seem to work as expected.
As an alternative, you can configure an ARM Template to create Azure Monitor Metrics alert that can target/monitor multiple resources in one or more Resource Groups, or in a Subscription.
You can refer to this documentation on how to build ARM Templates for a Metric alert that monitors multiple resources.
In this template, you'll need to provide the Action Group ID for the Action Group which specifies the actions to be taken when the alert triggers. To obtain the Action Group ID, use Set-AzActionGroup to create an Action Group wherein you can specify the action to receive email in the -Receiver parameter.
Once you've configured your template & template parameters JSON file, you can use the following Az CLI cmdlet block to deploy it in Azure:
Connect-AzAccount
Select-AzSubscription -SubscriptionName <yourSubscriptionName>
New-AzResourceGroupDeployment -Name myDeployment -ResourceGroupName <ResourceGroupWhereRuleShouldbeSaved> -TemplateFile template.json -TemplateParameterFile templateparams.parameters.json
Hope this helps!
I have some alerts set up based on activity log - when certain resources are created/updated. I would like to disable them for the deployment time (Azure DevOps, including ARM template) - to not be spammed with unnecessary emails.
So before each deployment (and after deploying ARM template) I would run code like this:
# -o tsv separates columns with tabs, so split on tabs only (alert names may contain spaces).
az monitor activity-log alert list --resource-group "${RESOURCE_GROUP_NAME}" --query "[].[name, enabled]" -o tsv | while IFS=$'\t' read -r ALERT_NAME ALERT_STATUS
do
    if [[ "${ALERT_STATUS}" == "True" ]]
    then
        az monitor activity-log alert update --resource-group "${RESOURCE_GROUP_NAME}" --name "${ALERT_NAME}" --enabled false
    fi
done
And switch them on as a last step of deployment.
However, this doesn't seem to suppress the alerts. My guess is that it needs some time to refresh status somewhere.
Any clue what it might be and how to fix/workaround it?
You can use action rules to suppress alerts during deployments. See these docs on that:
https://learn.microsoft.com/en-us/azure/azure-monitor/platform/alerts-action-rules
I am trying to list all the Alert rules that I have created in Azure Monitor using the Azure CLI so that I can enable/disable them as per need. Is there a way to achieve this programmatically using the Azure CLI?
Try the command below; for more details, refer to this link.
az monitor alert list --resource-group
Or you can use az monitor metrics alert list to list metric-based alert rules.