Unable to configure retention time for AzureDiagnostics table on LAW

Janne Kujanpää 256 Reputation points
2022-12-12T20:35:12.89+00:00

I'm creating templating that includes Log Analytics workspaces. I want to configure all my Log Analytics workspaces before deploying other resources.

All other table configurations work (I know what the issue is with them), but setting the table configuration for the AzureDiagnostics table fails.

My template:

resource LongTermRetention 'Microsoft.OperationalInsights/workspaces/tables@2022-10-01' = [for item in tablesConfig: {  
  name: item.name  
  parent: AscDataExportLaw  
  properties: {  
    plan: !contains(item, 'plan') ? 'Analytics' : item.plan  
    retentionInDays: !contains(item, 'retentionInDays') ? -1 : item.retentionInDays  
    totalRetentionInDays: !contains(item, 'totalRetentionInDays') ? totalRetentionInDays : item.totalRetentionInDays  
  }  
}]  

inputs:

{  
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",  
    "contentVersion": "1.0.0.0",  
    "parameters": {  
      "tablesConfig": {  
        "value": [  
          {  
            "name": "ADFTriggerRun"  
          },  
          {  
            "name": "AzureActivity"  
          },  
          {  
            "name": "AzureDiagnostics"  
          },  
          {  
            "name": "AzureMetrics"  
          }  
        ]
      },
      "retentionInDays": {  
        "value": 730 // 2 years  
      },  
      "totalRetentionInDays": {  
        "value": 1826 // 5 years  
      }  
    }  
  }  

The Microsoft.OperationalInsights/workspaces/tables resource is created/updated for ADFTriggerRun, AzureActivity and AzureMetrics. Deployment for AzureDiagnostics fails with the following error message:

{  
    "status": "Failed",  
    "error": {  
        "code": "ResourceNotFound",  
        "message": "The specified table: 'AzureDiagnostics' does not exist. Operation Id: '90043ab906b740e739e3af54f9b4f19d'"  
    }  
}  

Looks like AzureDiagnostics does not behave like other tables. For good CI/CD/IaaC best practices, the configuration for the AzureDiagnostics table should be deployable even when the table has no data.

-------
The same behaviour is visible when configuring the tables of a new, empty LAW:

269801-image.png

The AzureDiagnostics table cannot be configured because it does not exist...

---------
Full sample:

  1. create rg: az group create --name law-config-rg --subscription $DevSubscriptionId
  2. deploy template: az deployment group create -g law-config-rg --subscription $DevSubscriptionId -f logs.bicep
  3. result:

270161-image.png

law-config-logs-dev-law/ServiceMapComputer_CL, law-config-logs-dev-law/NetworkMonitoring and law-config-logs-dev-law/ServiceMapProcess_CL failures can be ignored in this discussion. The problem is AzureDiagnostics:

{  
    "status": "Failed",  
    "error": {  
        "code": "ResourceNotFound",  
        "message": "The specified table: 'AzureDiagnostics' does not exist. Operation Id: '229d68376b117a19f9214c2dfcab92c0'"  
    }  
}  

logs.bicep:

targetScope = 'resourceGroup'  
  
@description('Location for the resources.')  
param location string = resourceGroup().location  
param environmentName string = 'dev'  
param project string = 'law-config'  
param tags object = {}  
  
param azureDefenderEnabled bool = true  
  
param tablesConfig array = [  
  {  
    name: 'ADFActivityRun'  
  }  
  {  
    name: 'ADFPipelineRun'  
  }  
  {  
    name: 'ADFSandboxActivityRun'  
  }  
  {  
    name: 'ADFSandboxPipelineRun'  
  }  
  {  
    name: 'ADFTriggerRun'  
  }  
  {  
    name: 'AzureActivity'  
  }  
  {  
    name: 'AzureDiagnostics'  
  }  
  {  
    name: 'AzureMetrics'  
  }  
  {  
    name: 'DatabricksAccounts'  
  }  
  {  
    name: 'DatabricksClusters'  
  }  
  {  
    name: 'DatabricksDBFS'  
  }  
  {  
    name: 'DatabricksIAMRole'  
  }  
  {  
    name: 'DatabricksInstancePools'  
  }  
  {  
    name: 'DatabricksJobs'  
  }  
  {  
    name: 'DatabricksNotebook'  
  }  
  {  
    name: 'DatabricksSSH'  
  }  
  {  
    name: 'DatabricksSecrets'  
  }  
  {  
    name: 'DatabricksWorkspace'  
  }  
  {  
    name: 'Heartbeat'  
  }  
  {  
    name: 'InsightsMetrics'  
  }  
  {  
    name: 'NetworkMonitoring'  
  }  
  {  
    name: 'Operation'  
  }  
  {  
    name: 'PowerBIDatasetsWorkspace'  
  }  
  {  
    name: 'ProtectionStatus'  
  }  
  {  
    name: 'SecureScoreControls'  
  }  
  {  
    name: 'SecureScores'  
  }  
  {  
    name: 'SecurityAlert'  
  }  
  {  
    name: 'SecurityBaseline'  
  }  
  {  
    name: 'SecurityBaselineSummary'  
  }  
  {  
    name: 'SecurityDetection'  
  }  
  {  
    name: 'SecurityEvent'  
  }  
  {  
    name: 'SecurityNestedRecommendation'  
  }  
  {  
    name: 'SecurityRecommendation'  
  }  
  {  
    name: 'SecurityRegulatoryCompliance'  
  }  
  {  
    name: 'ServiceMapComputer_CL'  
  }  
  {  
    name: 'ServiceMapProcess_CL'  
  }  
  {  
    name: 'StorageBlobLogs'  
  }  
  {  
    name: 'StorageFileLogs'  
  }  
  {  
    name: 'StorageQueueLogs'  
  }  
  {  
    name: 'StorageTableLogs'  
  }  
  {  
    name: 'Update'  
  }  
  {  
    name: 'UpdateSummary'  
  }  
  {  
    name: 'Usage'  
  }  
  {  
    name: 'VMBoundPort'  
  }  
  {  
    name: 'VMComputer'  
  }  
  {  
    name: 'VMConnection'  
  }  
  {  
    name: 'VMProcess'  
  }  
  {  
    name: 'WindowsFirewall'  
  }  
]  
param retentionInDays int = 90  
param totalRetentionInDays int = 1095  
  
var LawName = '${project}-logs-${environmentName}-law'  
  
// setup LAW  
resource Law 'microsoft.operationalinsights/workspaces@2021-06-01' = {  
  name: LawName  
  location: location  
  tags: tags  
  properties: {  
    sku: {  
      name: 'PerGB2018'  
    }  
    retentionInDays: retentionInDays  
    features: {  
      enableLogAccessUsingOnlyResourcePermissions: true  
    }  
    workspaceCapping: {  
      dailyQuotaGb: -1  
    }  
    publicNetworkAccessForIngestion: 'Enabled'  
    publicNetworkAccessForQuery: 'Enabled'  
  }  
}  
  
// register solutions  
var solutions = concat([  
  'SecurityCenterFree'   
  'SQLVulnerabilityAssessment'  
], azureDefenderEnabled ? [  
  'Security'  
] : [] )  
resource AscDataExportLawSolution 'Microsoft.OperationsManagement/solutions@2015-11-01-preview' = [for solutionName in solutions: {  
  name: '${solutionName}(${Law.name})'  
  location: location  
  tags: tags  
  plan: {  
    name: '${solutionName}(${Law.name})'  
    promotionCode: ''  
    product: 'OMSGallery/${solutionName}'  
    publisher: 'Microsoft'  
  }  
  properties: {  
    workspaceResourceId: Law.id  
    containedResources: []  
  }  
}]  
  
resource LongTermRetention 'Microsoft.OperationalInsights/workspaces/tables@2022-10-01' = [for item in tablesConfig: {  
  name: item.name  
  parent: Law  
  properties: {  
    plan: !contains(item, 'plan') ? 'Analytics' : item.plan  
    retentionInDays: !contains(item, 'retentionInDays') ? -1 : item.retentionInDays  
    totalRetentionInDays: !contains(item, 'totalRetentionInDays') ? totalRetentionInDays : item.totalRetentionInDays  
  }  
}]  

The result I want to see:
I want to configure archive retention times for all non-custom tables automatically with IaaC.

--------

Update: I made a minor update to logs.bicep:

Added deployment for solutions 'LogManagement' and 'NetworkMonitoring'. The error message for NetworkMonitoring was instantly fixed, but the AzureDiagnostics table config still does not work. Fixing that should not require hacks like log generation + waiting for the table to be created.

Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.

1 answer

  1. Janne Kujanpää 256 Reputation points
    2022-12-13T13:45:31.437+00:00

    Current workarounds:

    Luck and yearly plan
    * check "yearly" that nothing has been starting to use that table and re-deploy

    Brute-force template
    * run template multiple times

    Add AzureDiagnostics table-based alerts for LAWs with this failure
    * After the alert, re-deploy the template and disable the alert

    Create table with dummy template
    * Requires adding more useless resources
    * Requires deploying template multiple times
    * Delays with table creation after log generation

    None of those is suitable for real production usage :/

    1 person found this answer helpful.
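
Added example (not part of the original question or answer, and not Microsoft's code): a retention audit that compares a `tablesConfig` list like the one in logs.bicep against the tables that actually exist in a workspace, so tables that cannot be configured yet (the `ResourceNotFound` case) and tables whose retention has drifted show up before or after a deployment. The sample input is constructed, and its field names are assumed to match the JSON printed by `az monitor log-analytics workspace table list -o json`; `audit_retention` and its parameters are hypothetical names.

```python
import json

# Constructed sample, shaped like the assumed output of
# `az monitor log-analytics workspace table list -o json`.
SAMPLE_TABLES_JSON = """[
  {"name": "AzureActivity", "plan": "Analytics", "retentionInDays": 90, "totalRetentionInDays": 1095},
  {"name": "AzureMetrics",  "plan": "Analytics", "retentionInDays": 90, "totalRetentionInDays": 90},
  {"name": "Heartbeat",     "plan": "Analytics", "retentionInDays": 90, "totalRetentionInDays": 1095}
]"""


def audit_retention(tables_config, live_tables, default_total_days):
    """Classify each configured table as 'ok', 'drift' or 'missing'."""
    live = {t["name"]: t for t in live_tables}
    report = {"ok": [], "drift": [], "missing": []}
    for item in tables_config:
        name = item["name"]
        table = live.get(name)
        if table is None:
            # Same condition that makes the tables resource fail with ResourceNotFound.
            report["missing"].append(name)
            continue
        mismatches = []
        if table.get("totalRetentionInDays") != item.get("totalRetentionInDays", default_total_days):
            mismatches.append("totalRetentionInDays")
        if table.get("plan") != item.get("plan", "Analytics"):
            mismatches.append("plan")
        # Compared only when set explicitly: the template's -1 means "workspace default".
        if "retentionInDays" in item and table.get("retentionInDays") != item["retentionInDays"]:
            mismatches.append("retentionInDays")
        report["drift" if mismatches else "ok"].append(name)
    return report


def main():
    config = [{"name": "AzureActivity"}, {"name": "AzureDiagnostics"},
              {"name": "AzureMetrics"}, {"name": "Heartbeat", "retentionInDays": 30}]
    report = audit_retention(config, json.loads(SAMPLE_TABLES_JSON), default_total_days=1095)
    for status, names in report.items():
        print(f"{status}: {', '.join(names) or '-'}")
    return report


if __name__ == "__main__":
    main()
```

Run on a schedule against the real table list, a non-empty `missing` or `drift` list marks the workspaces where the retention template still has to be re-applied.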