0
votes

I am trying to write a PowerShell script to enable Diagnostic settings for Azure Storage Accounts and send the logs to log analytics. For each storage account you can enable diagnostic for the storage account itself, blob, queue, table and file. I need to enable it for all 5 and configure to log read, write and delete, then send these logs to a Log Analytic workspace.

Here is a quick screenshot of the settings I want to enable.


I found couple examples on how to enable diagnostic using set-azdiagnosticsetting but they don't seem to work.

Set-AzDiagnosticSetting -ResourceId "Resource01" -Enabled $True

Set-AzDiagnosticSetting: Exception type: ErrorResponseException, Message: Null/Empty, Code: Null, Status code:Forbidden, Reason phrase: Forbidden

Next tried a different set of script, Create the metric, settings then apply. This example was also obtained from the reference link below.

# Build one detail setting for all metrics, wrap it in a diagnostic setting, then apply it
$metric = New-AzDiagnosticDetailSetting -Metric -RetentionEnabled -Category AllMetrics -Enabled
$setting = New-AzDiagnosticSetting -Name $DiagnosticSettingName -ResourceId $ResourceId -WorkspaceId $WorkspaceId -Setting $metric
Set-AzDiagnosticSetting -InputObject $setting

The only reference I found was: https://docs.microsoft.com/en-us/powershell/module/az.monitor/set-azdiagnosticsetting?view=azps-6.0.0

https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=PowerShell

Any one have better references or experience doing this??

1
Quick Updates #1: I still haven't been able to do this via PowerShell but was able to enable diagnostic setting for a storage account using Terraform, following this link. man.hubwiz.com/docset/Terraform.docset/Contents/Resources/… Still trying to figure out how to enable monitoring for the Blob, File and Tables... - Maki

1 Answer

0
votes

The storage account and each storage service (blob, file, queue, table) have different resource IDs, so you need to use a loop to set the diagnostic settings for them. Just use the script below and replace the values with yours; it works fine on my side.

# Resource ID of the storage account, the Log Analytics workspace to send to, and the setting name
$ResourceId = "/subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.Storage/storageAccounts/joystoragev2"
$WorkspaceId = "/subscriptions/xxx/resourcegroups/xxx/providers/microsoft.operationalinsights/workspaces/joyana"
$DiagnosticSettingName = "testdia123"

# Account-level diagnostic setting: metrics only
$metric = New-AzDiagnosticDetailSetting -Metric -RetentionEnabled -Category AllMetrics -Enabled
$setting = New-AzDiagnosticSetting -Name $DiagnosticSettingName -ResourceId $ResourceId -WorkspaceId $WorkspaceId -Setting $metric
Set-AzDiagnosticSetting -InputObject $setting

# Service-level diagnostic settings: metrics plus the read/write/delete log categories
$metric = New-AzDiagnosticDetailSetting -Metric -RetentionEnabled -Category AllMetrics -Enabled
$readlog = New-AzDiagnosticDetailSetting -Log -RetentionEnabled -Category StorageRead -Enabled
$writelog = New-AzDiagnosticDetailSetting -Log -RetentionEnabled -Category StorageWrite -Enabled
$deletelog = New-AzDiagnosticDetailSetting -Log -RetentionEnabled -Category StorageDelete -Enabled
# Each service (blob, file, queue, table) is its own resource under the account
$Ids = @($ResourceId + "/blobServices/default"
        $ResourceId + "/fileServices/default"
        $ResourceId + "/queueServices/default"
        $ResourceId + "/tableServices/default"
)
# Apply the same setting to all four service resources
$Ids | ForEach-Object {
    $setting = New-AzDiagnosticSetting -Name $DiagnosticSettingName -ResourceId $_ -WorkspaceId $WorkspaceId -Setting $metric,$readlog,$writelog,$deletelog
    Set-AzDiagnosticSetting -InputObject $setting
}

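The answer above sets the five resource IDs for one storage account. As an added example (not from the question or the answer), the script below generalizes that to every storage account in the current subscription and first checks, via Get-AzDiagnosticSetting, whether read/write/delete logging to the workspace is already in place, so you can use it as an audit-and-remediate pass rather than blindly overwriting settings. It follows the answer's split of metrics only at the account level and metrics plus StorageRead/StorageWrite/StorageDelete at the service level. It assumes the same Az.Monitor cmdlet surface the answer uses (New-AzDiagnosticDetailSetting, New-AzDiagnosticSetting, Set-AzDiagnosticSetting) and that Get-AzDiagnosticSetting returns objects exposing .WorkspaceId and .Logs (each log entry with .Category and .Enabled); $WorkspaceId and $DiagnosticSettingName are placeholders for you to replace.

```powershell
# Added example, not code from the question or answer.
# Assumes the Az.Monitor 2.x-era cmdlets used in the answer and that
# Get-AzDiagnosticSetting returns objects with .WorkspaceId and .Logs[].Category/.Enabled.
# Replace the two placeholder values below with your own.
$WorkspaceId           = "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<workspace>"
$DiagnosticSettingName = "storage-audit-to-law"
$RequiredLogCategories = @("StorageRead", "StorageWrite", "StorageDelete")
$ServiceSuffixes       = @("/blobServices/default", "/fileServices/default",
                           "/queueServices/default", "/tableServices/default")

# The account and its four data-plane services are distinct resources (as the answer notes).
# Per the answer's split, the account gets metrics only; the services get metrics and logs.
function Get-StorageDiagnosticTargets {
    param([Parameter(Mandatory)][string]$StorageAccountId)
    $targets = @([pscustomobject]@{ ResourceId = $StorageAccountId; SupportsLogs = $false })
    foreach ($suffix in $ServiceSuffixes) {
        $targets += [pscustomobject]@{ ResourceId = $StorageAccountId + $suffix; SupportsLogs = $true }
    }
    return $targets
}

# True when an existing diagnostic setting on the resource already targets our workspace
# and (for service-level resources) has every required log category enabled.
function Test-DiagnosticCompliance {
    param([Parameter(Mandatory)][string]$ResourceId, [bool]$RequireLogs)
    $settings = @(Get-AzDiagnosticSetting -ResourceId $ResourceId -ErrorAction SilentlyContinue)
    foreach ($s in $settings) {
        if ($s.WorkspaceId -ne $WorkspaceId) { continue }
        if (-not $RequireLogs) { return $true }
        $enabled = @($s.Logs | Where-Object { $_.Enabled } | ForEach-Object { $_.Category })
        $missing = @($RequiredLogCategories | Where-Object { $enabled -notcontains $_ })
        if ($missing.Count -eq 0) { return $true }
    }
    return $false
}

# Create (or overwrite) a diagnostic setting that ships to the workspace.
function Set-StorageAuditLogging {
    param([Parameter(Mandatory)][string]$ResourceId, [bool]$IncludeLogs)
    $details = @(New-AzDiagnosticDetailSetting -Metric -RetentionEnabled -Category AllMetrics -Enabled)
    if ($IncludeLogs) {
        foreach ($cat in $RequiredLogCategories) {
            $details += New-AzDiagnosticDetailSetting -Log -RetentionEnabled -Category $cat -Enabled
        }
    }
    $setting = New-AzDiagnosticSetting -Name $DiagnosticSettingName -ResourceId $ResourceId `
                                       -WorkspaceId $WorkspaceId -Setting $details
    Set-AzDiagnosticSetting -InputObject $setting | Out-Null
}

# Walk every storage account in the current subscription: report, and remediate where needed.
$report = foreach ($account in Get-AzStorageAccount) {
    foreach ($t in Get-StorageDiagnosticTargets -StorageAccountId $account.Id) {
        $compliant = Test-DiagnosticCompliance -ResourceId $t.ResourceId -RequireLogs $t.SupportsLogs
        if (-not $compliant) {
            Set-StorageAuditLogging -ResourceId $t.ResourceId -IncludeLogs $t.SupportsLogs
        }
        [pscustomobject]@{
            Account      = $account.StorageAccountName
            Target       = $t.ResourceId
            WasCompliant = $compliant
        }
    }
}
$report | Format-Table -AutoSize
```

Run it under an identity that holds the Monitoring Contributor role (or equivalent) on the storage accounts and reader access on the workspace; a Forbidden response like the one in the question is what you see when that role assignment is missing. The WasCompliant column doubles as a drift report: run the script on a schedule and any row showing False is a storage service whose read/write/delete audit trail was not reaching Log Analytics before this pass.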