Why aren't diagnostic logs appearing in Log Analytics Workspace when using Azure Policy for Public IP addresses?

Prabhjot Singh 255 Reputation points
2023-10-31T09:41:48.7033333+00:00

I'm having trouble collecting diagnostic logs in Log Analytics Workspace for Azure Public IP addresses using an Azure Policy. I've applied the built-in policy 'Public IP addresses should have resource logs enabled for Azure DDoS Protection Standard' with the parameter set to "DeployIfNotExists". The policy assignment is completed, and resources are compliant. However, even after enabling diagnostic settings for the resources with Log Analytics Workspace as the destination, I'm not getting any output when querying the logs. I've verified the tables, but no Azure diagnostics table is showing up. As a co-administrator on the subscription, I'm seeking assistance to identify the missing configuration. Additionally, I'm wondering if there's a script available where I can replace specific values to create a custom policy, speeding up my work to resolve this issue. Can you help me with this?


1 answer

  1. Ryan Hill 30,281 Reputation points Microsoft Employee Moderator
    2023-11-14T14:48:40.5366667+00:00

    Hi @Prabhjot Singh, apologies for the delay.

    Have you validated that with the policy enabled, the Test-PIP_Diag has Diagnostic Status enabled?

    The policy in question enables the following categories for metrics:

    "logs": [
      {
        "category": "DDoSProtectionNotifications",
        "enabled": "[parameters('logsEnabled')]"
      },
      {
        "category": "DDoSMitigationFlowLogs",
        "enabled": "[parameters('logsEnabled')]"
      },
      {
        "category": "DDoSMitigationReports",
        "enabled": "[parameters('logsEnabled')]"
      }
    ]
    

    I would also check your Azure DDoS protection plan. If your protection plan is in place, then you can look at simulation testing to verify your configuration.

    If you've done that as well, then we'll need to work more closely with you to identify any underlying issues.

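An added example, not part of the original thread and not Microsoft's code: a Python check of diagnostic-settings JSON for the two things the question and answer turn on, a Log Analytics workspace destination and the three DDoS log categories being enabled. It assumes the JSON shape emitted by `az monitor diagnostic-settings list` (fields `workspaceId`, `logs`, `category`, `categoryGroup`, `enabled`); the function name, setting names and resource IDs are constructed for illustration.

```python
import json
import sys

# Categories the policy quoted in the answer turns on.
DDOS_CATEGORIES = {
    "DDoSProtectionNotifications",
    "DDoSMitigationFlowLogs",
    "DDoSMitigationReports",
}

def audit_settings(doc):
    """Return {setting name: [problems]} for each diagnostic setting in doc."""
    # Accept a bare list or a {"value": [...]} wrapper.
    settings = doc.get("value", []) if isinstance(doc, dict) else doc
    report = {}
    for s in settings:
        props = s.get("properties", s)  # ARM REST output nests under "properties"
        problems = []
        if not props.get("workspaceId"):
            problems.append("no Log Analytics workspace destination")
        enabled = set()
        for entry in props.get("logs") or []:
            if entry.get("enabled") is not True:
                continue
            if entry.get("categoryGroup") == "allLogs":
                enabled |= DDOS_CATEGORIES  # group covers every log category
            elif entry.get("category"):
                enabled.add(entry["category"])
        for missing in sorted(DDOS_CATEGORIES - enabled):
            problems.append("category not enabled: " + missing)
        report[s.get("name", "<unnamed>")] = problems
    return report

# Constructed sample data (placeholder IDs), not output from a real subscription.
SAMPLE = [
    {"name": "example-policy-setting",
     "workspaceId": "/subscriptions/00000000-0000-0000-0000-000000000000/example-law",
     "logs": [{"category": "DDoSProtectionNotifications", "enabled": True},
              {"category": "DDoSMitigationFlowLogs", "enabled": True},
              {"category": "DDoSMitigationReports", "enabled": False}]},
    {"name": "example-storage-only", "workspaceId": None,
     "storageAccountId": "/subscriptions/00000000-0000-0000-0000-000000000000/example-sa",
     "logs": [{"categoryGroup": "allLogs", "enabled": True}]},
]

if __name__ == "__main__":
    # Pass a file holding the CLI's JSON output, or run with no argument for the sample.
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for name, problems in audit_settings(doc).items():
        print(name, "OK" if not problems else problems)
```
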