At Ignite the Azure Monitor team announced that you can now send subscription activity logs to Log Analytics. Wait, what? Isn’t that already available? The answer is yes, it was available before, but if you look closer you will see that the previous implementation was not very native to Azure. Besides a better API, the new implementation brings other improvements like faster ingestion, the ability to pick which categories to send, and so on.
Let’s have a look at how the previous implementation looked as an ARM template:
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "logAnalyticsWorkspaceName": {
      "type": "string",
      "metadata": {
        "description": "The name of the log analytics workspace."
      }
    },
    "subscriptionIds": {
      "type": "array",
      "metadata": {
        "description": "IDs of Azure Subscriptions in array"
      }
    }
  },
  "variables": {
    "apiVersions": {
      "dataSources": "2015-11-01-preview"
    }
  },
  "resources": [
    {
      "name": "[concat(parameters('logAnalyticsWorkspaceName'), '/', replace(parameters('subscriptionIds')[copyIndex()], '-', ''))]",
      "type": "Microsoft.OperationalInsights/workspaces/dataSources",
      "apiVersion": "[variables('apiVersions').dataSources]",
      "copy": {
        "name": "activityLogsCopy",
        "count": "[length(parameters('subscriptionIds'))]"
      },
      "kind": "AzureActivityLog",
      "properties": {
        "linkedResourceId": "[concat('/subscriptions/', parameters('subscriptionIds')[copyIndex()], '/providers/Microsoft.Insights/eventTypes/management')]"
      }
    }
  ]
}
As you can see above, this is a resource group level deployment: for every subscription in the array you deploy a child resource (a data source of kind AzureActivityLog) under the Log Analytics workspace, and the workspace must be in the resource group you deploy to.
With the new implementation the API has the following improvements:
- you set diagnostic settings on the Azure subscription itself, just like on any other resource in Azure
- the deployment is at subscription level, in the subscription whose activity log you want to collect
- you only reference the Log Analytics workspace by its resource ID
- you can choose which Azure Activity Log categories to send
The resulting ARM template looks like this:
{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "logAnalyticsWorkspaceId": {
      "type": "string",
      "metadata": {
        "description": "the resource id of the log analytics workspace"
      }
    }
  },
  "variables": {
    "apiVersions": {
      "diagnosticSettings": "2017-05-01-preview"
    }
  },
  "resources": [
    {
      "name": "subscriptionLogsToLogAnalytics",
      "type": "Microsoft.Insights/diagnosticSettings",
      "apiVersion": "[variables('apiVersions').diagnosticSettings]",
      "location": "Global",
      "properties": {
        "workspaceId": "[parameters('logAnalyticsWorkspaceId')]",
        "logs": [
          {
            "category": "Administrative",
            "enabled": true
          },
          {
            "category": "Security",
            "enabled": true
          },
          {
            "category": "ServiceHealth",
            "enabled": true
          },
          {
            "category": "Alert",
            "enabled": true
          },
          {
            "category": "Recommendation",
            "enabled": true
          },
          {
            "category": "Policy",
            "enabled": true
          },
          {
            "category": "Autoscale",
            "enabled": true
          },
          {
            "category": "ResourceHealth",
            "enabled": true
          }
        ]
      }
    }
  ]
}
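The two templates are deployed at different scopes, and using the wrong cmdlet for the second one is the easiest mistake to make (a resource group deployment of a subscription-scope template fails with an empty BadRequest). The following Az PowerShell snippet is an added example, not part of the original post or the templates' author's code: it deploys the old template at resource group scope and the new one at subscription scope, then checks what actually landed in the workspace. The file names (old-activitylog.json, new-activitylog.json), the workspace name "central-law", the resource group "rg-monitoring", the region and the all-zero subscription IDs are placeholders you would replace; the AzureActivity table and its CategoryValue column are the standard landing place for Activity Log data in Log Analytics.

```powershell
# Added example: deploy both templates at their correct scope and verify ingestion.
# Placeholders: file names, workspace/resource group names, region, subscription IDs.

# Subscription that owns the central workspace. It may be a different subscription
# from the ones being collected, as long as it is in the same tenant.
$workspaceSub = "00000000-0000-0000-0000-000000000001"
$sourceSubs   = @("00000000-0000-0000-0000-000000000002", "00000000-0000-0000-0000-000000000003")

Set-AzContext -Subscription $workspaceSub | Out-Null
$ws = Get-AzOperationalInsightsWorkspace -ResourceGroupName "rg-monitoring" -Name "central-law"

# Previous implementation: the AzureActivityLog data source is a child of the workspace,
# so this is a resource group deployment into the workspace's resource group.
New-AzResourceGroupDeployment -ResourceGroupName "rg-monitoring" `
    -TemplateFile ".\old-activitylog.json" `
    -TemplateParameterObject @{
        logAnalyticsWorkspaceName = $ws.Name
        subscriptionIds           = $sourceSubs
    }

# New implementation: a diagnostic setting on the subscription itself, so it must be
# deployed at subscription scope (New-AzDeployment, which needs -Location for the
# deployment metadata). Run once per source subscription; the workspace is referenced
# only by its resource ID, so it can live in another subscription.
foreach ($sub in $sourceSubs) {
    Set-AzContext -Subscription $sub | Out-Null
    New-AzDeployment -Name "subscriptionLogsToLogAnalytics" -Location "westeurope" `
        -TemplateFile ".\new-activitylog.json" `
        -TemplateParameterObject @{ logAnalyticsWorkspaceId = $ws.ResourceId }

    # Show the setting that was created; every category should read Enabled = True.
    Get-AzDiagnosticSetting -ResourceId "/subscriptions/$sub" | Format-List
}

# Confirm data is arriving: Activity Log rows per source subscription and category.
# ServiceHealth and ResourceHealth appearing here is the visible difference from the
# old data-source based collection.
$kql = @"
AzureActivity
| where TimeGenerated > ago(1h)
| summarize Events = count() by SubscriptionId, CategoryValue
| order by SubscriptionId asc, CategoryValue asc
"@
(Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId -Query $kql).Results | Format-Table
```

Note that the subscription deployment is idempotent: re-running it with a changed category list updates the existing setting named subscriptionLogsToLogAnalytics rather than creating a second one, so the same template can be used to tighten or widen what is collected later.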
I hope you will find this tip useful.
Thanks Stani for the ARM templates 🙂
Just one detail – with the previous implementation not all Azure Activity Logs were ingested in the Log Analytics workspace. For example, ServiceHealth alerts were never ingested.
True. I think I have mentioned that you can select all categories. I haven’t mentioned which categories were available with the previous implementation. I know that there were a few that weren’t there and ServiceHealth was one of them.
Great blog, do you know if you can set a LA workspace in another subscription as the destination? Thanks
Thank you! Yes you can. As long as the workspace is in the same tenant you can set workspace in another subscription. Having one central workspace for the tenant is still possible and it is my recommendation.
I’m trying to deploy this to a test subscription. I copied your example ARM template as-is and it does not work for me. I get the error:
“Code”: “BadRequest”,
“Message”: “”
}’
At line:1 char:1
I know, not a very descriptive error. I’ve tried a few things but continue to get this error. Is this template successful for you? Any idea why mine would be failing?
Hi, if you mean the second template example, maybe the reason is that you are deploying at resource group level, whereas the template needs to be deployed at subscription level. https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/deploy-to-subscription
I’m trying to deploy this to a test subscription. I copied your ARM template as-is but it is not deploying successfully for me. I get this not very helpful error:
“Code”: “BadRequest”,
“Message”: “”
}’
At line:1 char:1
Any idea why this template wouldn’t work for me?
Thanks,
Steven
Hi, if you mean the second template example, maybe the reason is that you are deploying at resource group level, whereas the template needs to be deployed at subscription level. https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/deploy-to-subscription
Can’t believe I did that. Thanks for the quick reply.
No problem.