Exporting Azure Management Group Logs to Log Analytics Workspace and Event Hub

Question

How can I export Azure management group activity logs to a Log Analytics Workspace and Event Hub, and why might the logs not appear after setting up diagnostic settings?

PS - Based on common issues that we have seen from customers and other sources, we are posting these questions to help the Azure community.

Answer 1

To export Azure management group activity logs to a Log Analytics Workspace (LAW) and Event Hub, you need to create a diagnostic setting for the management group. This can be achieved by using the Azure Management Group Diagnostic Settings API.

When setting up a Management Group Diagnostic Setting, it is important to note that it only needs to be created for the highest-level Management Group in a hierarchy. If there are multiple Management Groups nested within each other, only the highest level requires a Diagnostic Setting. The events from the lower Management Groups will still be exported using this singular Diagnostic Setting.

Events exported in this way will have a field called "Hierarchy" which will define which Management Group they sourced from.

If you have set up the diagnostic settings but are not seeing the logs, it is possible that the diagnostic setting rule was removed. Confirm that the rule is still in place. If it has been removed, reapply the diagnostic settings.

Here are the steps to set up and troubleshoot:

1. Use the API to create or update the diagnostic settings for your management group. Refer to the documentation: Management Group Diagnostic Settings API.
2. Ensure the settings are applied to the highest-level management group.
3. Verify that the diagnostic settings are not accidentally removed.

After following these steps, you should be able to export Azure management group activity logs to a Log Analytics Workspace and Event Hub successfully.

Please do not forget to "up-vote" wherever the information provided helps you, as this can be beneficial to other community members.