Policy to stream subscription level logs to an event hub

Bobby McMahon 25 Reputation points
2023-02-23T13:30:08.2133333+00:00

Hi all,

We're using a built-in policy on a top management group to apply a diagnostic setting to all subscriptions to stream activity logs to a specified log analytics workspace.

We have a requirement to stream the logs to an specified event hub also. I cannot find any built-in policies for this. Does anyone else do this from policy? Have you got any example of the policy you can share?

Thanks

Azure Event Hubs
Azure Event Hubs
An Azure real-time data ingestion service.
646 questions
Azure Policy
Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.
913 questions
{count} votes

Accepted answer
  1. Jesse Loudon 336 Reputation points
    2023-02-26T08:43:50.89+00:00

    I found a community made custom policy which does what you are looking for to configure Subscription activity logs to stream to event hub. https://github.com/Azure/Community-Policy/blob/master/Policies/Monitoring/deploy-diagnostic-setting-for-activity-log-event-hub/azurepolicy.rules.json

    And if you want to quickly search available policies across Microsoft Azure built-ins plus any custom created community policies from the official repos I recommend using AzAdvertizer https://www.azadvertizer.net/

    {
        "if": {
            "allOf": [
                {
                    "field": "type",
                    "equals": "Microsoft.Resources/subscriptions"
                }
            ]
        },
        "then": {
            "effect": "[parameters('effect')]",
            "details": {
                "type": "Microsoft.Insights/diagnosticSettings",
                "ExistenceScope": "Subscription",
                "DeploymentScope": "Subscription",
                "ExistenceCondition": {
                    "allOf": [
                        {
                            "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                            "equals": "[parameters('eventHubRuleId')]"
                        },
                        {
                            "field": "name",
                            "equals": "[parameters('profileName')]"
                        }
                    ]
                },
                "roleDefinitionIds": [
                    "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
                ],
                "deployment": {
                    "location": "eastus",
                    "properties": {
                        "mode": "incremental",
                        "template": {
                            "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
                            "contentVersion": "1.0.0.0",
                            "parameters": {
                                "eventHubRuleId": {
                                    "type": "String"
                                },
                                "profileName": {
                                    "type": "String"
                                }
                            },
                            "variables": {},
                            "resources": [
                                {
                                    "type": "Microsoft.Insights/diagnosticSettings",
                                    "apiVersion": "2017-05-01-preview",
                                    "name": "[parameters('profileName')]",
                                    "location": "global",
                                    "properties": {
                                        "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]",
                                        "logs": [
                                            {
                                                "category": "Administrative",
                                                "enabled": true
                                            },
                                            {
                                                "category": "Security",
                                                "enabled": true
                                            },
                                            {
                                                "category": "ServiceHealth",
                                                "enabled": true
                                            },
                                            {
                                                "category": "Alert",
                                                "enabled": true
                                            },
                                            {
                                                "category": "Recommendation",
                                                "enabled": true
                                            },
                                            {
                                                "category": "Policy",
                                                "enabled": true
                                            },
                                            {
                                                "category": "Autoscale",
                                                "enabled": true
                                            },
                                            {
                                                "category": "ResourceHealth",
                                                "enabled": true
                                            }
                                        ]
                                    }
                                }
                            ]
                        },
                        "parameters": {
                            "eventHubRuleId": {
                                "value": "[parameters('eventHubRuleId')]"
                            },
                            "profileName": {
                                "value": "[parameters('profileName')]"
                            }
                        }
                    }
                }
            }
        }
    }
    
    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.