0
votes

I am trying to set a built-in policy definition to send the logs of a storage account to a Log Analytics workspace using the Azure Portal.

Note: I am using a personal Azure account subscription with Free Trial.

1st Step: Configure diagnostic settings for storage accounts to Log Analytics workspace

2nd Step: Clicked on Assign --> Scope set to Resource Group, then Log Analytics resource selected in Parameters tab --> Review + Create

3rd Step: Created Policy Assignment Success, Role Assignments creation succeeded in Azure Portal

4th Step: After waiting for 15 mins, Storage Account --> Diagnostic settings (preview) --> I don't see that Diagnostic Settings are enabled in the Storage Account.

I can see a non-compliance issue in the policy. Below are the details.

What am I missing?


Update:


1
Hello @PavanKumar GVVS, I followed all the steps that you have mentioned and the policy gets applied effectively for already existing accounts and newly created ones too. Can you please add the full screenshot of the compliance page with the compliance details dialog box (you can blur the sensitive values)? Also, may I know if you added any tags to the storage account? – AnsumanBal-MT

Hi @AnsumanBal-MT, I did not add tags to the storage account. – PavanKumar GVVS

Added screenshot. Please see "Update:". – PavanKumar GVVS

Can you try creating new storage accounts after the policy is applied and let me know if they are getting compliant or are still non-compliant? – AnsumanBal-MT

@AnsumanBal-MT You are right. Working perfectly now. Since I had already created the storage account before the policy, we must create a remediation task. Upvoted your answer. :) (y) How did I miss such a blunder? – PavanKumar GVVS

1 Answer

1
votes

The issue must be for existing storage accounts only, if you are not selecting the option to create a remediation task as shown below:


If the above is selected, then all the storage accounts present in your subscription will become compliant (I have tested it for a resource group and not a subscription).


Note: If this is not selected, then existing storage accounts will error out with the same error you are getting, but the new ones that are created will become compliant.


Steps to follow if the policy is applied and remediation is not selected:

  1. Click on Create remediation task from the compliance page and it will automatically populate the non-compliant storage accounts.


  2. Click on Remediate. It will submit the process, and after the remediation process succeeds, it will take around 15 mins for all non-compliant storage accounts to become compliant.

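The same remediation steps from the command line, as an added example that is not part of the original answer. It assumes the Azure CLI (`az`) is installed and logged in and that the assignment is scoped to a resource group as in the question; the resource group and assignment names are placeholders passed as arguments, and the function names and the `DRY_RUN` switch are illustrative.

```shell
#!/bin/sh
# Added example: CLI equivalent of the portal remediation steps above.
# Usage (placeholder names): ./remediate.sh <resource-group> <assignment-name>

# With DRY_RUN=1 the az command is printed instead of executed,
# so the exact call can be reviewed before it touches the subscription.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# List the resources this assignment currently reports as non-compliant.
list_noncompliant() {
  rg=$1; assignment=$2
  run az policy state list --resource-group "$rg" \
    --policy-assignment "$assignment" \
    --filter "complianceState eq 'NonCompliant'" \
    --query "[].resourceId" --output tsv
}

# Create the remediation task that deploys the diagnostic setting to
# resources that already existed before the policy was assigned.
remediate_existing() {
  rg=$1; assignment=$2; task=${3:-"remediate-$assignment"}
  run az policy remediation create --name "$task" \
    --policy-assignment "$assignment" --resource-group "$rg"
}

# Ask for a fresh compliance evaluation instead of waiting for the next cycle.
rescan() {
  run az policy state trigger-scan --resource-group "$1"
}

# Run the full sequence only when both arguments are supplied.
if [ "$#" -ge 2 ]; then
  list_noncompliant "$1" "$2"
  remediate_existing "$1" "$2"
  rescan "$1"
fi
```

Run it once with `DRY_RUN=1` to check the scope and assignment name before creating the task.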