Michael Tobin

Automating Diagnostic Settings in Azure

We've all been there, right? You head to your Log Analytics Workspace, KQL query at the ready, only to find you've forgotten to enable diagnostic settings on your resource. Surely there's an easier way to enrol diagnostic settings to your centralised Log Analytics Workspace? Well... there is. In comes Azure Policy.


Azure Policy is a service within Azure that enables organizations to create, assign, and manage policies. These policies define rules and effects over resources, identities, and groups, ensuring compliance and upholding security.


This guide details how to create an Azure Policy Definition to automate logging to a central Log Analytics Workspace.


Create Initiative definition

In Azure, head over to Policy and select "Definitions". In this pane, select "+ Initiative definition".


Give your definition an appropriate name. In this example I'm using "Diagnostic Settings to Log Analytics Workspace".


Under "Category" select "Use existing" and select "Monitoring" from the drop down.


Select "Next". On the policies page, select "Add policy definition(s)", search for "Deploy Diagnostic" and select all policies. At the time of writing there are 74 policies.


Add the policy to a relevant group if you use them. We'll skip group and Initiative parameters in this demo.


In Policy Parameters, select your Log Analytics Workspace. You'll need to set the workspace for each policy. We're going to leave all the other parameters as default. You can differentiate between "Metrics" and "Logs" here, but make sure your resource supports both before changing this.


Assignment

Create an assignment. I have assigned this policy to the Root Management Group of my Landing Zone.


Remediation

You can also choose to create a remediation task, but keep in mind that you can only do this per policy, not for the whole definition.
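
As an added example (not part of the original post): because remediation runs per policy, this Python script reads an initiative definition and emits one `az policy remediation create` command per member policy, holding back any member whose workspace parameter is unset or points somewhere other than the central workspace. The input is a constructed sample shaped like `az policy set-definition show` output; the parameter name `logAnalytics`, the reference IDs, the assignment name and the management group name are assumptions.

```python
import json
import shlex

# Constructed sample shaped like `az policy set-definition show` output.
# Subscription, workspace and policy GUIDs are placeholders, not real IDs.
WORKSPACE = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
             "rg-logging/providers/Microsoft.OperationalInsights/workspaces/law-central")
PREFIX = "/providers/Microsoft.Authorization/policyDefinitions/"
SAMPLE_INITIATIVE = json.dumps({"policyDefinitions": [
    {"policyDefinitionReferenceId": "diag-keyvault",
     "policyDefinitionId": PREFIX + "<placeholder-guid-1>",
     "parameters": {"logAnalytics": {"value": WORKSPACE}}},
    {"policyDefinitionReferenceId": "diag-sqldb",
     "policyDefinitionId": PREFIX + "<placeholder-guid-2>",
     "parameters": {"logAnalytics": {"value": WORKSPACE.replace("law-central", "law-old")}}},
    {"policyDefinitionReferenceId": "diag-publicip",
     "policyDefinitionId": PREFIX + "<placeholder-guid-3>",
     "parameters": {}},
]})


def plan_remediation(initiative_json, assignment, mgmt_group, workspace,
                     param="logAnalytics"):  # param name is an assumption
    """Return (commands, problems) for one initiative.

    commands: one remediation command per member policy whose workspace
              parameter equals `workspace`.
    problems: reference IDs whose workspace parameter is unset or different.
    """
    doc = json.loads(initiative_json)
    # The CLI flattens `properties`; accept the raw ARM shape as well.
    members = (doc.get("policyDefinitions")
               or doc.get("properties", {}).get("policyDefinitions", []))
    commands, problems = [], []
    for member in members:
        ref = member["policyDefinitionReferenceId"]
        value = (member.get("parameters") or {}).get(param, {}).get("value")
        # Azure resource IDs are case-insensitive, so compare lowercased.
        if not isinstance(value, str) or value.lower() != workspace.lower():
            problems.append(ref)  # remediating now would deploy to the wrong place
            continue
        argv = ["az", "policy", "remediation", "create",
                "--name", f"remediate-{ref}".lower(),
                "--policy-assignment", assignment,
                "--definition-reference-id", ref,
                "--management-group", mgmt_group]
        commands.append(" ".join(shlex.quote(a) for a in argv))
    return commands, problems
```

Review the `problems` list first and correct those workspace parameters in the initiative before running the generated commands.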


Conclusion

In this step-by-step guide, we've covered how to simplify your approach to "Diagnostic Settings" at scale. Log Analytics can be an area that's easily forgotten about, but it's important to have a set approach to log gathering in Azure, especially when your environment starts to grow.
