Custom policy to deploy diagnostic settings to subscription activity logs

Bombbe 1,621 Reputation points
2023-04-24T06:43:43.7166667+00:00

Hello, Microsoft has built a useful policy to deploy a diagnostic setting that forwards subscription activity logs to Log Analytics: Configure Azure Activity logs to stream to specified Log Analytics workspace. The policy currently activates all categories, but we would like to drop a few of them: ResourceHealth, Autoscale, ServiceHealth. I made a custom policy based on this policy and just thought that if I removed those categories from the properties it would work, but it did not. All our subscriptions were non-compliant.


I then also tried setting the 'logsEnabled' parameter as follows: "true,true,true,true,true,false,false,false", but that did not work either.


I tried a few additional things in the policy but ended up in pretty much the same situation every time.
What do I really need to change in this policy so that it works and only collects these five categories: Administrative, Security, Alert, Recommendation, Policy?


Accepted answer
  1. AnuragSingh-MSFT 21,246 Reputation points
    2023-04-26T07:48:39.81+00:00

    @Bombbe, thank you for this question.

    I understand the requirement: you are trying to enable diagnostic settings at the subscription level to forward activity logs to the specified LA workspace. The referenced policy in your question will enable Activity logs for ALL categories, as you have already observed. To ensure that the Diagnostic Settings are enabled to forward logs of only specific categories, the following guidelines can be used in your custom policy.

    1. The deployment template under the resources block (lines 85-129 in the policy as available in the portal) should be updated with the required values. The only change required here is to update the "enabled" field to "false" for the categories which are not required. For the other categories, you can leave the field as [parameters('logsEnabled')] so that enable/disable can be maintained from the parameter.
    2. The step above ensures that the correct diagnostic setting is deployed. For compliance, you would also have to modify the policyRule.then block, specifically the existenceCondition, which is responsible for the compliance evaluation. The default policy has an existence condition that requires all the log categories to be enabled. Instead, it will have to be changed to something like the following:
        "allOf": [
          {
            "count": {
              "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
              "where": {
                "allOf": [
                  {
                    "field": "Microsoft.Insights/diagnosticSettings/logs[*].Category",
                    "in": [
                      "Administrative",
                      "Security",
                      "Alert",
                      "Recommendation",
                      "Policy"
                    ]
                  },
                  {
                    "field": "Microsoft.Insights/diagnosticSettings/logs[*].Enabled",
                    "equals": "True"
                  }
                ]
              }
            },
            "equals": 5
          },
          {
            "count": {
              "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
              "where": {
                "allOf": [
                  {
                    "field": "Microsoft.Insights/diagnosticSettings/logs[*].Category",
                    "in": [
                      "ServiceHealth",
                      "Autoscale",
                      "ResourceHealth"
                    ]
                  },
                  {
                    "field": "Microsoft.Insights/diagnosticSettings/logs[*].Enabled",
                    "equals": "False"
                  }
                ]
              }
            },
            "equals": 3
          },
          {
            "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
            "equals": "[parameters('logAnalytics')]"
          }
        ]
    

    You can read more about count.where here --> Count in Azure Policy Definition. A sample policy that enables only specific categories of diagnostic settings is also available in the Azure portal as a built-in policy. See the policy named "Deploy Diagnostic Settings for Recovery Services Vault to Log Analytics workspace for resource specific categories." for more details.

    Hope this helps.

    If the answer did not help, please add more context/follow-up question for it, and we will help you out. Else, if the answer helped, please click Accept answer so that it can help others in the community looking for help on similar topics.
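The following is an added example, not code from the original thread or from the built-in Microsoft policy. It models the two changes described in the accepted answer in Python: it builds the logs[] array the edited deployment template should emit (wanted categories driven by the logsEnabled parameter, the three unwanted ones pinned to enabled: false) and re-implements the count.where existence condition so you can see why the built-in check reports non-compliant once three categories are disabled, and why the custom check reports compliant. The category names are the real Activity Log categories; the workspace id and the sample diagnostic-setting bodies are constructed, and the evaluator is a simplified stand-in for the Azure Policy engine, not the engine itself.

```python
"""Model of the two changes from the accepted answer.

Added example (not the thread's or Microsoft's code). The evaluator is a
simplified stand-in for the Azure Policy engine; the sample settings and
workspace id are constructed data.
"""

WANTED = ["Administrative", "Security", "Alert", "Recommendation", "Policy"]
UNWANTED = ["ServiceHealth", "Autoscale", "ResourceHealth"]

# Constructed placeholder; any workspace resource id would do.
WORKSPACE_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000"
                "/resourceGroups/rg-logs/providers/Microsoft.OperationalInsights"
                "/workspaces/law-central")


def build_logs(logs_enabled: bool) -> list[dict]:
    """logs[] as the edited template should render it: the five wanted
    categories follow [parameters('logsEnabled')], the three unwanted
    ones are hard-coded to enabled: false."""
    return ([{"category": c, "enabled": logs_enabled} for c in WANTED]
            + [{"category": c, "enabled": False} for c in UNWANTED])


def make_setting(logs: list[dict], workspace_id: str = WORKSPACE_ID) -> dict:
    """Minimal Microsoft.Insights/diagnosticSettings resource body."""
    return {"name": "subscription-activity-log",
            "properties": {"workspaceId": workspace_id, "logs": logs}}


def count_where(logs: list[dict], categories: list[str], enabled: bool) -> int:
    """count.where over logs[*]: entries whose category is in `categories`
    and whose enabled flag equals `enabled`."""
    return sum(1 for e in logs
               if e["category"] in categories and e["enabled"] == enabled)


def custom_existence_condition(setting: dict, workspace_id: str) -> bool:
    """The rewritten allOf block: exactly 5 wanted categories enabled,
    exactly 3 unwanted categories disabled, and the workspace matches."""
    props = setting["properties"]
    return (count_where(props["logs"], WANTED, True) == 5
            and count_where(props["logs"], UNWANTED, False) == 3
            and props["workspaceId"] == workspace_id)


def builtin_existence_condition(setting: dict, workspace_id: str) -> bool:
    """Simplified model of the built-in policy's check, which requires
    every category to be enabled."""
    props = setting["properties"]
    return (count_where(props["logs"], WANTED + UNWANTED, True) == 8
            and props["workspaceId"] == workspace_id)


def evaluate(setting: dict) -> dict:
    """Compliance verdict of both conditions for one diagnostic setting."""
    return {"builtin": builtin_existence_condition(setting, WORKSPACE_ID),
            "custom": custom_existence_condition(setting, WORKSPACE_ID)}


# Constructed sample settings:
# 1) what the edited template deploys
DEPLOYED = make_setting(build_logs(True))
# 2) what the unmodified built-in policy deploys (everything on)
ALL_ON = make_setting([{"category": c, "enabled": True} for c in WANTED + UNWANTED])
# 3) drift: someone switched Security off by hand
DRIFTED = make_setting([{**e, "enabled": False} if e["category"] == "Security" else e
                        for e in build_logs(True)])
# 4) right categories, wrong workspace
WRONG_WS = make_setting(build_logs(True), WORKSPACE_ID.replace("law-central", "law-other"))

if __name__ == "__main__":
    for label, s in [("deployed", DEPLOYED), ("all_on", ALL_ON),
                     ("drifted", DRIFTED), ("wrong_ws", WRONG_WS)]:
        print(f"{label:9s} {evaluate(s)}")
```

The "deployed" sample is the point of the exercise: it satisfies the custom condition and fails the built-in one, which is the non-compliant result the question describes. The "drifted" and "wrong_ws" samples show that counting exact matches (5 and 3) still catches a category switched off by hand or a setting pointed at another workspace, so the tightened condition does not weaken detection of misconfigured log forwarding.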


1 additional answer

  1. Andrew Blumhardt 9,776 Reputation points Microsoft Employee
    2023-04-24T11:15:16.6266667+00:00

    Eventually data collection rules will be an option for diagnostics. I have never tried to filter this feed using a policy. Maybe reconsider the need. This is a fairly small feed and Activity Logs are free to ingest into log analytics. I can't really see the benefit of limiting the feed. You can always filter in your queries and dashboards.