Need help to send only storage account resource logs to Log Analytics workspace using Azure Policy

Ankita Rani Patro 176 Reputation points
2022-05-05T19:14:24.153+00:00

I need help to send only resource logs of a storage account to a Log Analytics workspace. I have created a custom policy which is able to deploy a diagnostic setting for sending resource logs to a storage account. Somehow compliance is not working: it says non-compliant though everything looks good. I see the reason is that the top-level storage account does not have resource logs, so it keeps on failing. As shown below, the top-level storage account has only metric logs, not the resource logs. So the policy is checking the higher level and compliance is failing. [screenshots attached to the original post]

Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.

1 answer
  1. Jim Britt [MSFT] 21 Reputation points Microsoft Employee
    2022-05-09T22:41:16.02+00:00

    anonymous user, there is an option to create a custom policy for each proxy resource (blob, queue, file, table) under storage accounts by leveraging the example below. This would mean creating 4 different policies for those, or creating a more exotic single policy :). But please test the below as an option to unblock you. The example below is for queueServices. I've tested this one in the past and it has worked. Each proxy resourceType under a storage account will have a specific namespace that you can leverage to create the custom policy, following the same process. I have an update coming in my script here: https://aka.ms/AzPolicyScripts and https://aka.ms/AzPolicyPipeline that will make it easier for storage accounts, but it is pending some work from some of our resource providers before I can release it. However, the custom policy below is a good test for you to review in your dev environment to see if it will work until they can update the storage policy that exists as a built-in today.

        {
          "mode": "All",
          "policyRule": {
            "if": {
              "allOf": [
                {
                  "field": "type",
                  "equals": "Microsoft.Storage/storageAccounts/queueServices"
                }
              ]
            },
            "then": {
              "effect": "deployIfNotExists",
              "details": {
                "type": "Microsoft.Insights/diagnosticSettings",
                "existenceCondition": {
                  "allOf": [
                    {
                      "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                      "equals": "[parameters('logsEnabled')]"
                    },
                    {
                      "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                      "equals": "[parameters('metricsEnabled')]"
                    },
                    {
                      "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                      "equals": "[parameters('logAnalytics')]"
                    }
                  ]
                },
                "roleDefinitionIds": [
                  "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
                ],
                "deployment": {
                  "properties": {
                    "mode": "incremental",
                    "template": {
                      "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                      "contentVersion": "1.0.0.0",
                      "parameters": {
                        "name": {
                          "type": "string"
                        },
                        "logAnalytics": {
                          "type": "string"
                        },
                        "metricsEnabled": {
                          "type": "string"
                        },
                        "logsEnabled": {
                          "type": "string"
                        },
                        "profileName": {
                          "type": "string"
                        }
                      },
                      "variables": {},
                      "resources": [
                        {
                          "type": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticSettings",
                          "apiVersion": "2021-05-01-preview",
                          "name": "[concat(parameters('name'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                          "properties": {
                            "workspaceId": "[parameters('logAnalytics')]",
                            "metrics": [
                              {
                                "category": "AllMetrics",
                                "enabled": "[parameters('metricsEnabled')]",
                                "retentionPolicy": {
                                  "enabled": false,
                                  "days": 0
                                }
                              }
                            ],
                            "logs": [
                              {
                                "category": "StorageRead",
                                "enabled": "[parameters('logsEnabled')]"
                              },
                              {
                                "category": "StorageWrite",
                                "enabled": "[parameters('logsEnabled')]"
                              },
                              {
                                "category": "StorageDelete",
                                "enabled": "[parameters('logsEnabled')]"
                              }
                            ],
                            "logAnalyticsDestinationType": "Dedicated"
                          }
                        }
                      ],
                      "outputs": {
                        "policy": {
                          "type": "string",
                          "value": "[concat(parameters('logAnalytics'), ' configured for diagnostic logs for: ', parameters('name'))]"
                        }
                      }
                    },
                    "parameters": {
                      "logAnalytics": {
                        "value": "[parameters('logAnalytics')]"
                      },
                      "name": {
                        "value": "[field('fullName')]"
                      },
                      "metricsEnabled": {
                        "value": "[parameters('metricsEnabled')]"
                      },
                      "logsEnabled": {
                        "value": "[parameters('logsEnabled')]"
                      },
                      "profileName": {
                        "value": "[parameters('profileName')]"
                      }
                    }
                  }
                }
              }
            }
          },
          "parameters": {
            "profileName": {
              "type": "String",
              "metadata": {
                "displayName": "Profile Name for Config",
                "description": "The profile name Azure Diagnostics"
              }
            },
            "logAnalytics": {
              "type": "String",
              "metadata": {
                "displayName": "logAnalytics",
                "description": "The target Log Analytics Workspace for Azure Diagnostics",
                "strongType": "omsWorkspace"
              }
            },
            "metricsEnabled": {
              "type": "String",
              "metadata": {
                "displayName": "Enable Metrics",
                "description": "Enable Metrics - True or False"
              },
              "allowedValues": [
                "True",
                "False"
              ],
              "defaultValue": "False"
            },
            "logsEnabled": {
              "type": "String",
              "metadata": {
                "displayName": "Enable Logs",
                "description": "Enable Logs - True or False"
              },
              "allowedValues": [
                "True",
                "False"
              ],
              "defaultValue": "True"
            }
          }
        }
    
    1 person found this answer helpful.
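As an added example (not Jim Britt's script from https://aka.ms/AzPolicyScripts, and not the built-in storage policy), the following Python builds the four per-service definitions the answer describes (blob, queue, file, table) from one generator and checks each offline for the mistakes that leave such a policy permanently non-compliant, including the account-level logs.enabled check from the question. The names build_policy, check_policy and all_policies, the sample fullName value `mystorageacct/default`, and the per-type table of supported log categories are assumptions made for this example; the policy structure mirrors the queueServices policy posted above.

```python
import json
import re

STORAGE_SERVICES = ("blobServices", "queueServices", "fileServices", "tableServices")
LOG_CATEGORIES = ("StorageRead", "StorageWrite", "StorageDelete")
# Resource log categories per type (constructed table): the account itself exposes only metrics.
SUPPORTED_LOGS = {"Microsoft.Storage/storageAccounts": ()} | {
    f"Microsoft.Storage/storageAccounts/{s}": LOG_CATEGORIES for s in STORAGE_SERVICES}
# Log Analytics Contributor, the role the answer's policy grants to the remediation identity.
LOG_ANALYTICS_CONTRIBUTOR = "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
PARAM_REF = re.compile(r"\[parameters\('([^']+)'\)\]")
PARAMS = ("name", "logAnalytics", "metricsEnabled", "logsEnabled", "profileName")


def build_policy(service: str) -> dict:
    """Policy definition body targeting one proxy service type, e.g. queueServices."""
    if service not in STORAGE_SERVICES:
        raise ValueError(f"unknown storage service: {service}")
    target = f"Microsoft.Storage/storageAccounts/{service}"
    template = {
        "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {p: {"type": "string"} for p in PARAMS},
        "resources": [{
            "type": f"{target}/providers/diagnosticSettings",
            "apiVersion": "2021-05-01-preview",
            # fullName of a proxy service is '<account>/default', giving the 4 name segments this type needs
            "name": "[concat(parameters('name'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
            "properties": {
                "workspaceId": "[parameters('logAnalytics')]",
                "metrics": [{"category": "AllMetrics", "enabled": "[parameters('metricsEnabled')]",
                             "retentionPolicy": {"enabled": False, "days": 0}}],
                "logs": [{"category": c, "enabled": "[parameters('logsEnabled')]"} for c in LOG_CATEGORIES],
                "logAnalyticsDestinationType": "Dedicated"}}]}
    existence = [{"field": f"Microsoft.Insights/diagnosticSettings/{f}", "equals": f"[parameters('{p}')]"}
                 for f, p in (("logs.enabled", "logsEnabled"), ("metrics.enabled", "metricsEnabled"),
                              ("workspaceId", "logAnalytics"))]
    return {
        "mode": "All",
        "policyRule": {
            "if": {"allOf": [{"field": "type", "equals": target}]},
            "then": {"effect": "deployIfNotExists", "details": {
                "type": "Microsoft.Insights/diagnosticSettings",
                "existenceCondition": {"allOf": existence},
                "roleDefinitionIds": [LOG_ANALYTICS_CONTRIBUTOR],
                "deployment": {"properties": {
                    "mode": "incremental", "template": template,
                    # field('fullName') is the only value taken from the evaluated resource
                    "parameters": {p: {"value": "[field('fullName')]" if p == "name" else f"[parameters('{p}')]"}
                                   for p in PARAMS}}}}}},
        "parameters": {
            "profileName": {"type": "String"},
            "logAnalytics": {"type": "String", "metadata": {"strongType": "omsWorkspace"}},
            "metricsEnabled": {"type": "String", "allowedValues": ["True", "False"], "defaultValue": "False"},
            "logsEnabled": {"type": "String", "allowedValues": ["True", "False"], "defaultValue": "True"}}}


def check_policy(policy: dict, sample_full_name: str = "mystorageacct/default") -> list:
    """Offline checks for mistakes that leave such a policy permanently non-compliant.
    sample_full_name stands in for field('fullName'); '<account>/default' is a constructed proxy-service value."""
    problems = []
    rule, declared = policy["policyRule"], {p.lower() for p in policy["parameters"]}
    target, details = rule["if"]["allOf"][0]["equals"], rule["then"]["details"]
    resource = details["deployment"]["properties"]["template"]["resources"][0]
    # 1. The deployed setting must hang off exactly the type the 'if' selects.
    if resource["type"] != f"{target}/providers/diagnosticSettings":
        problems.append(f"resource type {resource['type']} does not match target {target}")
    # 2. Name segments must equal type segments (RP namespace excluded) or ARM rejects the deployment.
    type_segments = resource["type"].split("/")[1:]
    name_segments = f"{sample_full_name}/Microsoft.Insights/profile".split("/")
    if len(name_segments) != len(type_segments):
        problems.append(f"name has {len(name_segments)} segments, type needs {len(type_segments)}")
    for cond in details["existenceCondition"]["allOf"]:
        # 3. Every parameter the existence condition references must be declared (case-insensitive).
        for ref in PARAM_REF.findall(cond["equals"]):
            if ref.lower() not in declared:
                problems.append(f"existenceCondition references undeclared parameter {ref}")
        # 4. Requiring logs.enabled on a type that has no log categories can never be satisfied.
        if cond["field"].endswith("logs.enabled") and not SUPPORTED_LOGS.get(target, ()):
            problems.append(f"{target} has no resource log categories; logs.enabled never matches")
    return problems


def all_policies() -> dict:
    """One validated definition per proxy service, keyed by service name; fails loudly on any problem."""
    out = {}
    for service in STORAGE_SERVICES:
        policy = build_policy(service)
        issues = check_policy(policy)
        if issues:
            raise ValueError(f"{service}: {issues}")
        out[service] = policy
    return out


if __name__ == "__main__":
    for service, policy in all_policies().items():
        with open(f"deploy-diag-{service}.json", "w") as fh:
            json.dump(policy, fh, indent=2)
```

Each written file can be registered with `az policy definition create --rules <file> --params <file> --mode All` (or New-AzPolicyDefinition). Running check_policy against a variant whose `if` targets `Microsoft.Storage/storageAccounts` directly reports that the type has no resource log categories, which is the reason the account-level policy in the question never reached compliant.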