0
votes

What I'm trying to do is enable the VM Diagnostic extension to send event logs (Application [1,2,3], Security [all], System [1,2,3]) to one unified storage account (let's call it logs storage) where WADWindowsEventLogsTable is supposed to be created.

Different scenarios I'm trying to implement:

  1. VM is in the same resource group as the logs storage.

    The result: works

  2. VM is in a different resource group from the logs storage.

    The result: works

  3. VM is in a different subscription.

    The result: the extension will be enabled. However, when I go to the Agent tab, I get the error message "the value must not be empty" under the Storage account section.


Environment

Windows

PowerShell 7.0.2


DiagnosticsConfiguration.json

{
    "PublicConfig": {
        "WadCfg": {
            "DiagnosticMonitorConfiguration": {
                "overallQuotaInMB": 5120,
                "WindowsEventLog": {
                    "scheduledTransferPeriod": "PT1M",
                    "DataSource": [
                        {
                            "name": "Application!*[System[(Level=1 or Level=2 or Level=3 or Level=4)]]"
                        },
                        {
                            "name": "Security!*"
                        },
                        {
                            "name": "System!*[System[(Level=1 or Level=2 or Level=3 or Level=4)]]"
                        }
                    ]
                }
            }
        },
        "StorageAccount": "logsstorage",
        "StorageType": "TableAndBlob"
    },
    "PrivateConfig": {
        "storageAccountName": "logsstorage",
        "storageAccountKey": "xxxxxxx",
        "storageAccountEndPoint": "https://logsstorage.blob.core.windows.net"
    }
}

PowerShell commands:

Set-AzVMDiagnosticsExtension -ResourceGroupName "myvmresourcegroup" -VMName "myvm" -DiagnosticsConfigurationPath "DiagnosticsConfiguration.json"

I even tried explicitly specifying the account name and key:

$storage_key = "xxxxxx"
Set-AzVMDiagnosticsExtension -ResourceGroupName "myvmresourcegroup" -VMName "myvm" -DiagnosticsConfigurationPath "DiagnosticsConfiguration.json" -StorageAccountName "logsstorage" -StorageAccountKey $storage_key

I've spent a lot of time trying to figure out the issue without luck.



The real issue here is that the extension doesn't create the expected table WADWindowsEventLogsTable (or write to it if it already exists).

According to the official documentation, I should be able to do this (example 3): https://docs.microsoft.com/en-us/powershell/module/az.compute/set-azvmdiagnosticsextension?view=azps-4.3.0

I've submitted an issue with the team on GitHub and gave more details, but I'm still waiting for their input.

https://github.com/Azure/azure-powershell/issues/12259

2
I was able to figure out the issue with help from a Microsoft engineer. I've updated the GitHub issue with more details. - Matar

2 Answers

0
votes

This is because the storage account "logsstorage" you specify is in another subscription.

You should have selected a different subscription to enable VM Diagnostic extension. So you also need to modify your DiagnosticsConfiguration.json file and specify a storage account which is in the current subscription.

0
votes

I managed to get this fixed with some help from a Microsoft engineer.

I've detailed the answer in this GitHub issue:

Set-AzVMDiagnosticsExtension doesn't seem working properly across subscriptions


I managed to get this to work, thanks to the help from @prernavashistha from Microsoft support. It turned out there's some inconsistency in the documentation.

According to the documentation here:

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostics-extension-windows-install#powershell-deployment

In PrivateConfig, I should pass the storage URI to the "storageAccountEndPoint" key:

"PrivateConfig": {
    "storageAccountEndPoint": "https://logsstorage.blob.core.windows.net"
}

However, according to another documentation reference :

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostics-extension-schema-windows#json

I should pass the Azure storage endpoint:

"PrivateConfig": {
    "storageAccountEndPoint": "https://core.windows.net"
}


I can confirm that using the Azure storage endpoint resolved the issue. I can enable the extension across subscriptions, and I can see logs being written to the correct table as expected.

Thanks
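
The endpoint mix-up described in this answer can be caught offline, before the extension is deployed. The following is an added example, not part of the original post or of the Az module: `Test-WadStorageConfig` is a hypothetical helper name, and the sample JSON is constructed from the configuration shown in the question.

```powershell
# Added example: offline lint of a diagnostics configuration file.
# Test-WadStorageConfig is a hypothetical helper, not an Az cmdlet.
function Test-WadStorageConfig {
    param([Parameter(Mandatory)][string]$Json)

    $cfg      = $Json | ConvertFrom-Json
    $private  = $cfg.PrivateConfig
    $findings = @()

    # The account name must agree in both sections; a typo in one of them
    # points the extension at a different (or nonexistent) account.
    if ($cfg.PublicConfig.StorageAccount -ne $private.storageAccountName) {
        $findings += "Account name mismatch: '$($cfg.PublicConfig.StorageAccount)' vs '$($private.storageAccountName)'"
    }

    # Per the fix reported on this page, the value is the Azure storage
    # endpoint (https://core.windows.net), not the account's own service URI.
    $endpoint = [string]$private.storageAccountEndPoint
    $uri = $null
    if (-not [Uri]::TryCreate($endpoint, [UriKind]::Absolute, [ref]$uri)) {
        $findings += "storageAccountEndPoint is empty or not an absolute URI"
    }
    elseif ($uri.Host -match '\.(blob|table|queue|file)\.' -or
            $uri.Host.StartsWith("$($private.storageAccountName).")) {
        $findings += "storageAccountEndPoint '$endpoint' is an account URI; expected the storage endpoint, e.g. https://core.windows.net"
    }

    # A literal key in the file makes the file itself a secret.
    if ($private.storageAccountKey) {
        $findings += "storageAccountKey is stored in the file in plain text"
    }
    return $findings
}

# Constructed sample mirroring the question's configuration (placeholder key).
$sample = @'
{
  "PublicConfig":  { "StorageAccount": "logsstorage" },
  "PrivateConfig": {
    "storageAccountName": "logsstorage",
    "storageAccountKey": "xxxxxxx",
    "storageAccountEndPoint": "https://logsstorage.blob.core.windows.net"
  }
}
'@
Test-WadStorageConfig -Json $sample | ForEach-Object { Write-Warning $_ }
```

Running the same function over the real file with `Get-Content -Raw DiagnosticsConfiguration.json` before calling `Set-AzVMDiagnosticsExtension` surfaces the endpoint problem without touching the VM.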