1
votes

We are referring to this documentation here, which talks about creating diagnostic settings in Azure using a Resource Manager template.

We have managed to provision resources with an ARM template along with diagnostic settings for resource logs; however, the snippet in the documentation to enable the activity log diagnostic setting does not seem to work, as the template deployment command (New-AzResourceGroupDeployment) returns a Bad Request error.

New-AzResourceGroupDeployment : Resource Microsoft.Insights/diagnosticSettings 'test-vnet' failed with message '{ "Code": "BadRequest", "Message": "" }'

Here is the template (trimmed some code to avoid noise)

{  
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
   ...
},
"variables": {
    ...
},
"resources": [
    {
        "apiVersion": "2018-08-01",
        "type": "Microsoft.Network/virtualNetworks",
        "name": "[parameters('virtualNetworkName')]",
        "location": "[parameters('resourceLocation')]",
        "properties": {
            "addressSpace": {
                "addressPrefixes": [
                    "[parameters('addressPrefix')]"
                ]
            },
            "subnets": "[parameters('subnets')]",
            "dhcpOptions": {
                "dnsServers": "[parameters('dnsServers')]"
            }
        },
        "resources":
        [
            {
                "type": "Microsoft.Insights/diagnosticSettings",
                "apiVersion": "2017-05-01-preview",
                "name": "[variables('diagnosticsSettingsName')]",
                "dependsOn": [
                    "[parameters('virtualNetworkName')]"
                ],
                "location": "global",
                "properties": 
                 {
                    "storageAccountId": "..valid_id_here",
                    "logs": 
                    [
                        {
                            "category": "Administrative",
                            "enabled": true
                        },
                        {
                            "category": "Security",
                            "enabled": true
                        },
                        {
                            "category": "ServiceHealth",
                            "enabled": true
                        },
                        {
                            "category": "ResourceHealth",
                            "enabled": true
                        }
                    ]
                }
            }
        ]
    }
],
"outputs": {
    ..
}
}
2
Scope for deployment is Subscription, need to fix templates and commands accordingly. - johnymachine

2 Answers

4
votes

This is the documentation you are referring to for creating diagnostic settings.

So if you check the Deployment Methods section in this document, it says that you can deploy Resource Manager templates using any valid method, including PowerShell and CLI. Diagnostic settings for the Activity log must be deployed to a subscription using az deployment create for CLI or New-AzDeployment for PowerShell.

Use New-AzDeployment instead of New-AzResourceGroupDeployment to deploy the ARM Template.

Hope this helps!!
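
The following is an added example, not part of the answer above or of the documentation: the question's Activity Log categories moved out of the virtual network resource into a subscription-level template, validated and then deployed with New-AzDeployment. The parameter names, file name, deployment name, location and the storage account ID placeholder are assumptions, and an authenticated Az session with the target subscription selected is assumed.

```powershell
# Added example: the question's Activity Log settings as a subscription-level template.
# settingName, storageAccountId, the file name and the deployment name are assumptions.
$template = @'
{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "settingName": { "type": "string" },
    "storageAccountId": { "type": "string" }
  },
  "resources": [
    {
      "type": "Microsoft.Insights/diagnosticSettings",
      "apiVersion": "2017-05-01-preview",
      "name": "[parameters('settingName')]",
      "properties": {
        "storageAccountId": "[parameters('storageAccountId')]",
        "logs": [
          { "category": "Administrative", "enabled": true },
          { "category": "Security",       "enabled": true },
          { "category": "ServiceHealth",  "enabled": true },
          { "category": "ResourceHealth", "enabled": true }
        ]
      }
    }
  ]
}
'@
$templateFile = Join-Path ([System.IO.Path]::GetTempPath()) 'activity-log-diag.json'
Set-Content -Path $templateFile -Value $template

$deployArgs = @{
    Location                = 'westeurope'   # region that stores the deployment record
    TemplateFile            = $templateFile
    TemplateParameterObject = @{
        settingName      = 'activity-log-to-storage'          # constructed name
        storageAccountId = '<storage-account-resource-id>'    # placeholder
    }
}

# Validate at subscription scope first; Test-AzDeployment returns errors, or nothing if valid.
$problems = Test-AzDeployment @deployArgs
if ($problems) {
    $problems | Format-List Code, Message
    throw 'Template failed subscription-scope validation.'
}
New-AzDeployment -Name 'activity-log-diagnostics' @deployArgs
```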

0
votes

This policy works for me; note that it is a subscription-level deployment:

{
  "properties": {
    "displayName": "Deploy diagnostic setting profile for Subscription Activity Logs to Log Analytics workspace",
    "description": "Deploys the diagnostic settings for Subscription Activity Logs to stream to a regional Log Analytics workspace when any Subscription which is missing these diagnostic settings is created or updated.",
    "mode": "All",
    "metadata": {
      "version": "1.0.0",
      "category": "audit"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "settingsProfileName": {
        "type": "String",
        "metadata": {
          "displayName": "Settings profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy_logAnalytics"
      },
      "logAnalyticsResourceId": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics resourceId",
          "description": "Set to full Log Analytics workspace resourceId. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID."
        }
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "[parameters('settingsProfileName')]",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "equals": "[parameters('logAnalyticsResourceId')]"
              }
            ]
          },
          "deploymentScope": "subscription",
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "location": "westeurope",
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "settingsProfileName": {
                    "type": "string"
                  },
                  "logAnalyticsResourceId": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Insights/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[parameters('settingsProfileName')]",
                    "properties": {
                      "workspaceId": "[parameters('logAnalyticsResourceId')]",
                      "logs": [
                        {
                          "category": "Administrative",
                          "enabled": "true"
                        },
                        {
                          "category": "Alert",
                          "enabled": "true"
                        },
                        {
                          "category": "Autoscale",
                          "enabled": "true"
                        },
                        {
                          "category": "Policy",
                          "enabled": "true"
                        },
                        {
                          "category": "Recommendation",
                          "enabled": "true"
                        },
                        {
                          "category": "ResourceHealth",
                          "enabled": "true"
                        },
                        {
                          "category": "Security",
                          "enabled": "true"
                        },
                        {
                          "category": "ServiceHealth",
                          "enabled": "true"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "settingsProfileName": {
                  "value": "[parameters('settingsProfileName')]"
                },
                "logAnalyticsResourceId": {
                  "value": "[parameters('logAnalyticsResourceId')]"
                }
              }
            }
          }
        }
      }
    }
  }
}