@Bombbe , thank you for this question.
I understand that you are trying to enable diagnostic settings at the subscription level to forward activity logs to the specified LA workspace. The referenced policy in your question will enable activity logs for ALL categories, as you have already observed. To ensure that the diagnostic settings are enabled to forward logs of only specific categories, the following guidelines can be used in your custom policy.
- The deployment template under the `resources` block (lines 85 - 129 in the policy as available in the portal) should be updated with the required values. The only change required here is to set the `"enabled"` field to `"false"` for the categories that are not required. For the other fields, you can leave them as `[parameters('logsEnabled')]` so that enable/disable can be maintained from the parameter.
- The step above would ensure that the correct diagnostic setting is deployed. For compliance, you would also have to modify the `policyRule.then` block, specifically the `existenceCondition`, which is responsible for compliance. The default policy has an existence condition to ensure that all the log categories are enabled. Instead, it will have to be changed to something like below:
```json
"allOf": [
  {
    "count": {
      "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
      "where": {
        "allOf": [
          {
            "field": "Microsoft.Insights/diagnosticSettings/logs[*].category",
            "in": [
              "Administrative",
              "Security",
              "Alert",
              "Recommendation",
              "Policy"
            ]
          },
          {
            "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
            "equals": "True"
          }
        ]
      }
    },
    "equals": 5
  },
  {
    "count": {
      "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
      "where": {
        "allOf": [
          {
            "field": "Microsoft.Insights/diagnosticSettings/logs[*].category",
            "in": [
              "ServiceHealth",
              "Autoscale",
              "ResourceHealth"
            ]
          },
          {
            "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
            "equals": "False"
          }
        ]
      }
    },
    "equals": 3
  },
  {
    "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
    "equals": "[parameters('logAnalytics')]"
  }
]
```
You can read more about `count.where` here: Count in Azure Policy Definition.
A sample policy to enable specific category of diagnostic settings is also available in Azure portal as Built-in policy. See the policy named "Deploy Diagnostic Settings for Recovery Services Vault to Log Analytics workspace for resource specific categories." for more details.
Hope this helps.
If the answer did not help, please add more context/follow-up question for it, and we will help you out. Else, if the answer helped, please click Accept answer so that it can help others in the community looking for help on similar topics.
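The `existenceCondition` in the answer above can be reasoned about offline before the policy is assigned. The following is an added example (not code from the original answer or from Azure Policy itself) that applies the same three conditions to a `Microsoft.Insights/diagnosticSettings` resource as the ARM API returns it: count of required categories that are enabled must be 5, count of the remaining categories that are explicitly disabled must be 3, and `workspaceId` must match. The workspace resource ID and the sample settings are constructed placeholders; the `logs[]` shape (`category`, `enabled`) is the real resource schema.

```python
# Added example, not part of the original answer: evaluate the policy's
# existenceCondition offline against a diagnostic-setting resource.
# Assumes the ARM Microsoft.Insights/diagnosticSettings shape
# (properties.logs[] with category/enabled, properties.workspaceId).

REQUIRED_ENABLED = {"Administrative", "Security", "Alert", "Recommendation", "Policy"}
REQUIRED_DISABLED = {"ServiceHealth", "Autoscale", "ResourceHealth"}

# Placeholder target workspace (constructed, not a real resource).
WORKSPACE_ID = (
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-logs"
    "/providers/Microsoft.OperationalInsights/workspaces/law-central"
)


def _as_bool(value):
    """Azure Policy compares "True"/"False" strings case-insensitively, while the
    ARM API returns JSON booleans; accept both so the check matches either source."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


def count_where(logs, categories, enabled):
    """Mirror of count(logs[*] where category in <categories> and enabled == <enabled>)."""
    return sum(
        1
        for entry in logs
        if entry.get("category") in categories and _as_bool(entry.get("enabled")) is enabled
    )


def evaluate(setting, workspace_id=WORKSPACE_ID):
    """Return the list of failed conditions; an empty list means the setting satisfies
    the existenceCondition, so the deployIfNotExists effect reports it as compliant."""
    props = setting.get("properties", {})
    logs = props.get("logs", [])
    failures = []
    if count_where(logs, REQUIRED_ENABLED, True) != len(REQUIRED_ENABLED):
        failures.append("not all required categories are enabled")
    # Note the policy needs an explicit enabled=False entry for each of these three;
    # a category that is simply absent from logs[] is counted as non-compliant.
    if count_where(logs, REQUIRED_DISABLED, False) != len(REQUIRED_DISABLED):
        failures.append("a category that should be disabled is enabled or missing")
    # 'equals' on strings is case-insensitive in Azure Policy, so normalise here too.
    if props.get("workspaceId", "").lower() != workspace_id.lower():
        failures.append("workspaceId does not match the target workspace")
    return failures


def is_compliant(setting, workspace_id=WORKSPACE_ID):
    return not evaluate(setting, workspace_id)


def make_setting(enabled_categories, workspace_id=WORKSPACE_ID):
    """Build a constructed sample diagnostic setting listing all eight activity-log
    categories, enabling only those in enabled_categories (as the template would)."""
    all_categories = sorted(REQUIRED_ENABLED | REQUIRED_DISABLED)
    return {
        "name": "activity-logs-to-law",
        "properties": {
            "workspaceId": workspace_id,
            "logs": [{"category": c, "enabled": c in enabled_categories} for c in all_categories],
        },
    }


# Constructed samples: what the customised template deploys, what the unmodified
# built-in policy deploys (every category on), and a setting on the wrong workspace.
CUSTOM_DEPLOYED = make_setting(REQUIRED_ENABLED)
BUILTIN_ALL_ON = make_setting(REQUIRED_ENABLED | REQUIRED_DISABLED)
WRONG_WORKSPACE = make_setting(REQUIRED_ENABLED, WORKSPACE_ID.replace("law-central", "law-other"))

if __name__ == "__main__":
    for label, s in (("custom", CUSTOM_DEPLOYED), ("built-in", BUILTIN_ALL_ON), ("wrong-ws", WRONG_WORKSPACE)):
        print(label, "compliant" if is_compliant(s) else evaluate(s))
```

Running it shows the built-in all-categories setting failing only the "disabled" count, which is exactly why the default `existenceCondition` has to be changed alongside the template. One caveat the counts make visible: because the second condition counts entries with `enabled` equal to `False`, a subscription whose setting omits `ServiceHealth`, `Autoscale` or `ResourceHealth` entirely (rather than listing them as disabled) is also reported non-compliant, so the template should emit all eight categories with the three unwanted ones set to false rather than leaving them out.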