What I'm trying to do is enable the VM Diagnostics extension to send event logs (Application [1,2,3], Security [all], System [1,2,3]) to one unified storage account (let's call it logs storage), where WADWindowsEventLogsTable is supposed to be created.

Different scenarios I'm trying to implement:

  1. VM is in the same resource group as logs storage.

    The result: works

  2. VM is in a different resource group from logs storage.

    The result: works

  3. VM is in a different subscription.

    The result: the extension will be enabled. However, when I go to the Agent tab, I get the error message "the value must not be empty" under the Storage account section [agent tab, storage account section error][1]


Environment

Windows

PowerShell 7.0.2


DiagnosticsConfiguration.json

{
    "PublicConfig": {
        "WadCfg": {
            "DiagnosticMonitorConfiguration": {
                "overallQuotaInMB": 5120,
                "WindowsEventLog": {
                    "scheduledTransferPeriod": "PT1M",
                    "DataSource": [
                        {
                            "name": "Application!*[System[(Level=1 or Level=2 or Level=3 or Level=4)]]"
                        },
                        {
                            "name": "Security!*"
                        },
                        {
                            "name": "System!*[System[(Level=1 or Level=2 or Level=3 or Level=4)]]"
                        }
                    ]
                }
            }
        },
        "StorageAccount": "logsstorage",
        "StorageType": "TableAndBlob"
    },
    "PrivateConfig": {
        "storageAccountName": "logsstorage",
        "storageAccountKey": "xxxxxxx",
        "storageAccountEndPoint": "https://logsstorage.blob.core.windows.net"
    }
}

PowerShell commands:

Set-AzVMDiagnosticsExtension -ResourceGroupName "myvmresourcegroup" -VMName "myvm" -DiagnosticsConfigurationPath "DiagnosticsConfiguration.json"

I even tried explicitly specifying the account name and key as:

$storage_key = "xxxxxx"
Set-AzVMDiagnosticsExtension -ResourceGroupName "myvmresourcegroup" -VMName "myvm" -DiagnosticsConfigurationPath "DiagnosticsConfiguration.json" -StorageAccountName "logsstorage" -StorageAccountKey $storage_key

I've spent a lot of time trying to figure out the issue without luck.


Update:

The real issue here is that the extension doesn't create the expected table WADWindowsEventLogsTable (or write to it if it already exists).

[1]: https://i.stack.imgur.com/IP9zW.jpg

1 Answer


I tried the same scenario as you mentioned and placed the Storage Account in a different subscription.

You can use the below command to get the settings of the Diagnostics extension on a virtual machine.

Get-AzVMDiagnosticsExtension -ResourceGroupName "ResourceGroup11" -VMName "ContosoVM22"

So in the below image you can see the highlighted part. The extension is enabled with the same Storage account (from a different subscription) I provided in my DiagnosticsConfiguration.json.

[screenshot not reproduced]

However, when you go to the Agent tab, you see the error message "the value must not be empty" because the drop-down only lists the storage accounts of that subscription. It cannot get the storage accounts from a different subscription. Hence it is not able to select any value from the list and shows the empty value.

Also, if you check VM -> Diagnostic settings -> Overview -> Agent section, you will see the same storage account you provided in the settings. (In the Overview section you can verify the storage account.)

[screenshot not reproduced]
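Putting the question's deployment and the answer's verification together, the following is an added example (not code from the question, the answer or Azure's own documentation). It assumes the Az.Accounts, Az.Compute and Az.Storage modules are installed, that you are signed in with rights to both subscriptions, and that the PublicSettings string returned by Get-AzVMDiagnosticsExtension carries the StorageAccount field; all subscription IDs and resource-group names are placeholders. Instead of pasting the storage key into DiagnosticsConfiguration.json, it pulls the key from the logs subscription at run time, writes the configuration to a temporary file only for the duration of the call, and then checks the result from both the VM side (the answer's Get-AzVMDiagnosticsExtension) and the storage side (does WADWindowsEventLogsTable exist in logs storage), which the portal's Agent tab cannot do across subscriptions:

```powershell
# Added example; not from the question or answer. All IDs and names below are placeholders.
$vmSubscription    = "00000000-0000-0000-0000-000000000000"   # subscription holding the VM
$logsSubscription  = "11111111-1111-1111-1111-111111111111"   # subscription holding logs storage
$logsResourceGroup = "logs-rg"                                 # resource group of logs storage
$logsStorage       = "logsstorage"
$vmResourceGroup   = "myvmresourcegroup"
$vmName            = "myvm"

# 1. Fetch the key from the logs subscription at run time rather than keeping
#    it in a JSON file on disk.
Set-AzContext -Subscription $logsSubscription | Out-Null
$key = (Get-AzStorageAccountKey -ResourceGroupName $logsResourceGroup -Name $logsStorage)[0].Value

# 2. Build the same configuration the question uses, as PowerShell objects.
$config = [ordered]@{
    PublicConfig = [ordered]@{
        WadCfg = @{
            DiagnosticMonitorConfiguration = @{
                overallQuotaInMB = 5120
                WindowsEventLog  = @{
                    scheduledTransferPeriod = "PT1M"
                    DataSource = @(
                        @{ name = "Application!*[System[(Level=1 or Level=2 or Level=3 or Level=4)]]" },
                        @{ name = "Security!*" },
                        @{ name = "System!*[System[(Level=1 or Level=2 or Level=3 or Level=4)]]" }
                    )
                }
            }
        }
        StorageAccount = $logsStorage
        StorageType    = "TableAndBlob"
    }
    PrivateConfig = [ordered]@{
        storageAccountName     = $logsStorage
        storageAccountKey      = $key
        storageAccountEndPoint = "https://$logsStorage.blob.core.windows.net"
    }
}

# 3. Set-AzVMDiagnosticsExtension only accepts a file path, so write a temporary
#    file and delete it afterwards. -Depth matters: ConvertTo-Json's default
#    depth of 2 silently truncates the nested WadCfg section.
$configPath = Join-Path ([IO.Path]::GetTempPath()) "wad-$([guid]::NewGuid()).json"
try {
    $config | ConvertTo-Json -Depth 10 | Set-Content -Path $configPath -Encoding utf8
    Set-AzContext -Subscription $vmSubscription | Out-Null
    Set-AzVMDiagnosticsExtension -ResourceGroupName $vmResourceGroup -VMName $vmName `
        -DiagnosticsConfigurationPath $configPath | Out-Null
}
finally {
    Remove-Item -Path $configPath -Force -ErrorAction SilentlyContinue
}

# 4. VM side: provisioning state and the storage account the extension was
#    actually given (what the answer's command shows in its screenshot).
$ext    = Get-AzVMDiagnosticsExtension -ResourceGroupName $vmResourceGroup -VMName $vmName
$public = $ext.PublicSettings | ConvertFrom-Json
"Provisioning state : $($ext.ProvisioningState)"
"Configured account : $($public.StorageAccount)"   # assumed field name

# 5. Storage side: does the WAD event-log table exist in the logs account?
$ctx   = New-AzStorageContext -StorageAccountName $logsStorage -StorageAccountKey $key
$table = Get-AzStorageTable -Name "WADWindowsEventLogsTable" -Context $ctx -ErrorAction SilentlyContinue
if ($table) {
    "WADWindowsEventLogsTable exists"
} else {
    $present = (Get-AzStorageTable -Context $ctx | Select-Object -ExpandProperty Name) -join ", "
    "WADWindowsEventLogsTable not found; tables present: $present"
}
```

The agent creates the WAD tables when it first transfers data, so run step 5 only after at least one scheduledTransferPeriod (PT1M here) has elapsed since the extension reported success; an empty listing right after deployment does not by itself mean the configuration is wrong. Because this setup ships the Security event log of a VM into another subscription, the storage account key obtained in step 1 grants read access to those logs, which is why the example keeps it in memory and removes the temporary file rather than leaving a config file with the key on disk.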