Azure Functions rest API to sent Custom Logs (EventGridEvent Trigger) PowerShell

Christophe Humbert 101 Reputation points
2023-06-01T12:19:00.1266667+00:00

Hello

I have created a Data Collection Endpoint and a Data Collection Rule with An Azure Policy Event

My goal is to send the data to a custom log table in a log analytics workspace

Everything is created

I am using an user assigned managed identity ([Monitoring Metrics Publisher](https://portal.azure.com/#"Monitoring Metrics Publisher")) role on the subscription where the DCE and DCR and LAW and function are

I have no error

but data are not populated in Custom Log Table

Thanks for the help in advance

param($EventGridEvent, $TriggerMetaData)
############### BEGIN USER SPECIFIED VARIABLES ###############
############### Please fill in values for all Variables in this section. ###############
$ClientId = 'XXXXX'
# Specify the name of the LAW Table that you will be sending data to
$Table = "zzzz"

# Specify the Immutable ID of the DCR
$DcrImmutableId = "yyyyy"

# Specify the URI of the DCE
$DceURI = "zzzzzz"
# Login to Azure as the Azure FUnction Managed Identity and Grab the Secret from the Keyvault
Connect-AzAccount -Identity -AccountId $ClientId

## Obtain a bearer token used to authenticate against the data collection endpoint
#Method 1 with Resource URI and MSI Azure Function Endpoint
$resourceURI = "https://monitor.azure.com/"
$tokenAuthURI = $env:IDENTITY_ENDPOINT + "?resource=$resourceURI&client_id=$ClientId&api-version=2019-08-01"
$tokenResponse = Invoke-RestMethod -Method Get -Headers @{"X-IDENTITY-HEADER"="$env:IDENTITY_HEADER"} -Uri $tokenAuthURI
$bearerToken = $tokenResponse.access_token
#Method 2 with Get-AzAccessToken
#$bearerToken2 = Get-AzAccessToken -ResourceUrl "https://monitor.azure.com/"

############### END USER SPECIFIED VARIABLES ###############
# JSON Value
#$json = @"
#[{  "id": "$($EventGridEvent.id)",
#    "topic": "$($EventGridEvent.topic)",
#    "subject": "$($EventGridEvent.subject)",
#    "eventTime": "$($EventGridEvent.eventTime)",
#    "eventType": "$($EventGridEvent.eventType)",
#    "compliancestate": "$($EventGridEvent.data.complianceState)",
#    "compliancereasoncode": "$($EventGridEvent.data.complianceReasonCode)",
#    "policydefinitionid": "$($EventGridEvent.data.policyDefinitionId)",
#    "policyassignmentid": "$($EventGridEvent.data.policyAssignmentId)",
#    "subscriptionid": "$($EventGridEvent.data.subscriptionId)",
#    "timestamp": "$($EventGridEvent.data.timestamp)"
#}]
#"@
$json = @"
[{  "topic": "$($EventGridEvent.topic)",
    "id": "$($EventGridEvent.id)",
    "eventType": "$($EventGridEvent.eventType)",
    "subject": "$($EventGridEvent.subject)",
    "data": "$($EventGridEvent.data)",
    "dataVersion": "$($EventGridEvent.dataVersion)",
    "metadataVersion": "$($EventGridEvent.metadataVersion)",
    "eventTime": "$($EventGridEvent.eventTime)"
}]
"@



# Sending the data to Log Analytics via the DCR!
#$body = $json
#$body = $EventGridEvent
$EventGridEvent | Out-String | W
$headers = @{"Authorization" = "Bearer $bearerToken"; "Content-Type" = "application/json" };
$uri = "$DceURI/dataCollectionRules/$DcrImmutableId/streams/Custom-$Table"+"?api-version=2023-01-01";
try 
{ 
     $Result = Invoke-RestMethod -Uri $uri -Method "POST" -Body $EventGridEvent -Headers $headers
     $Result.all | Out-String | Write-Host
} 
catch 
{ 
   Write-Host "StatusCode:" $_.Exception.Response.StatusCode.value__ 
     Write-Host "StatusDescription:" $_.Exception.Response.StatusDescription
     Write-Host "Message:" $_.ErrorDetails.Message
  
}
#$uploadResponse = 
#$uploadResponse | Out-String | Write-Host

Azure Monitor
Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
3,023 questions
Azure Functions
Azure Functions
An Azure service that provides an event-driven serverless compute platform.
4,653 questions
PowerShell
PowerShell
A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
2,319 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Christophe Humbert 101 Reputation points
    2023-06-07T08:07:25.67+00:00

    Solved on my side

    I have recreated the DCR

    and to tackle a small issue in passing data I changed a bit the code

    $EventBody = $EventGridEvent | ConvertTo-Json -AsArray
    # Sending the data to Log Analytics via the DCR!
    $headers = @{"Authorization" = "Bearer $bearerToken"; "Content-Type" = "application/json"}
    #$headers  | Out-String | Write-Host
    $uri = "$DceURI/dataCollectionRules/$DcrImmutableId/streams/Custom-$Table"+"_CL?api-version=2021-11-01-preview"
    #$uri | Out-String | Write-Host
    try 
    { 
        Invoke-RestMethod -Uri $uri -Method "POST" -Body $EventBody -Headers $headers | Out-String | Write-Host
    }
    catch 
    { 
        Write-Host "StatusCode:" $_.Exception.Response.StatusCode.value__ 
        Write-Host "StatusDescription:" $_.Exception.Response.StatusDescription
        Write-Host "Message:" $_.ErrorDetails.Message
      
    }
    
    0 comments No comments