Jorge Bernhardt

How to route Subscription Activity logs to Azure Log Analytics workspace

Azure CLI Azure PowerShell Connect-AzAccount Get-AzDiagnosticSetting

Sending resource logs to a Log Analytics workspace allows us to consolidate log entries from multiple resources and query the logs for complex analysis. In this post, I want to show you how to manage diagnostic settings for your subscription and send the Activity logs data to your Log Analytics workspace.

Prerequisites

  • This tutorial assumes that you already have a Log Analytics Workspace. You can use an existing Workspace, or if you want to create a new one, check out this link.
Azure PowerShell Workaround

The simplest way to get started is to sign in interactively at the command line.

Connect-AzAccount

This cmdlet will bring up a dialog box prompting you for the email address and password associated with your Azure account. If you have more than one subscription associated with your email account, you can choose the default subscription. To perform this task, we will use the following commands:

Get-AzSubscription
Select-AzSubscription -Subscription "My Subscription"

Once you set your default subscription, you’re ready to start.

Set the variables

Here, we define the characteristics of our environment and the resource’s properties.

$resourceGroupName="RG-DEMO-HUB"
$logAnalyticsName="LAW-DEMO-HUB"

To keep the following commands readable, I will store the resources in variables.

$subscription = Get-AzSubscription `
    -SubscriptionName "My Subscription"

$logAnalytics = Get-AzOperationalInsightsWorkspace `
    -Name $logAnalyticsName `
    -ResourceGroupName $resourceGroupName

Check the categories supported for diagnostic settings

To get the list of categories of diagnostic settings, use the Get-AzSubscriptionDiagnosticSettingCategory cmdlet.

Get-AzSubscriptionDiagnosticSettingCategory

Set the log settings for the Subscription

Once the supported categories are known, you should create the PSLogSettings object. To do this, use the New-AzDiagnosticDetailSetting cmdlet with the following syntax.

$logs = New-AzDiagnosticDetailSetting `
    -Log `
    -RetentionInDays 90 `
    -RetentionEnabled `
    -Enabled `
    -Category Security

And then, you need to create a PSServiceDiagnosticSettings object. To do this, you should use the New-AzDiagnosticSetting cmdlet. This will be used as a parameter in the final step to set diagnostic settings on your subscription.

$settings = New-AzDiagnosticSetting `
    -SubscriptionId $subscription.Id `
    -Name "ExportToLogAnalytics" `
    -WorkspaceId $logAnalytics.ResourceId `
    -Setting $logs

Finally, use the Set-AzDiagnosticSetting cmdlet to apply the desired log settings to the subscription.

Set-AzDiagnosticSetting `
    -InputObject $settings

Verify the changes made

To verify the established diagnostic settings, you should use the Get-AzDiagnosticSetting cmdlet with the following syntax.

Get-AzDiagnosticSetting `
    -SubscriptionId $subscription.Id
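
The post enables only the Security category, but for monitoring a subscription you normally want every Activity log category in the workspace (Administrative is the one that records role assignments and resource changes), and you want to confirm what was actually stored rather than trusting that the call succeeded. The following PowerShell is an added example, not code from the original post. It assumes the same Az.Monitor cmdlets the post uses (New-AzDiagnosticDetailSetting and New-AzDiagnosticSetting were replaced by differently named cmdlets in later Az.Monitor releases, so check Get-Command first), the $subscription and $logAnalytics variables set earlier in the post, the Activity log category names as documented by Azure Monitor, and the Logs, Category, Enabled, WorkspaceId and Name properties exposed by the objects those cmdlets return. It generalizes the single-category step above to all categories and combines the "set" and "verify" steps into one script.

```powershell
# Added example (not from the original post): enable every Activity log category
# on the subscription, then read the setting back and verify it.
# Assumes $subscription and $logAnalytics were set as shown earlier in the post,
# and the pre-3.0 Az.Monitor cmdlet names used by the post.

# Activity log categories as documented by Azure Monitor (the post lists only Security).
$categories = @(
    'Administrative', 'Security', 'ServiceHealth', 'Alert',
    'Recommendation', 'Policy', 'Autoscale', 'ResourceHealth'
)

# One PSLogSettings object per category. Retention parameters are omitted on purpose:
# they only apply to storage-account destinations, not to a Log Analytics workspace.
$logs = foreach ($category in $categories) {
    New-AzDiagnosticDetailSetting -Log -Enabled -Category $category
}

$settingName = "ExportToLogAnalytics"

$settings = New-AzDiagnosticSetting `
    -SubscriptionId $subscription.Id `
    -Name $settingName `
    -WorkspaceId $logAnalytics.ResourceId `
    -Setting $logs

Set-AzDiagnosticSetting -InputObject $settings | Out-Null

# Verification: compare the stored setting against what we intended, so a wrong
# workspace id or a category that was silently dropped is caught immediately.
$applied = Get-AzDiagnosticSetting -SubscriptionId $subscription.Id |
    Where-Object { $_.Name -eq $settingName }

if (-not $applied) {
    throw "Diagnostic setting '$settingName' was not found on subscription $($subscription.Id)."
}

if ($applied.WorkspaceId -ne $logAnalytics.ResourceId) {
    throw "Setting points at '$($applied.WorkspaceId)', expected '$($logAnalytics.ResourceId)'."
}

$enabled = $applied.Logs | Where-Object { $_.Enabled } | ForEach-Object { $_.Category }
$missing = $categories | Where-Object { $_ -notin $enabled }

if ($missing) {
    Write-Warning ("Categories not enabled: " + ($missing -join ', '))
} else {
    Write-Host "All $($categories.Count) Activity log categories are routed to $($logAnalytics.Name)."
}
```

Once the setting is in place, Activity log entries land in the AzureActivity table of the workspace; it can take some minutes for the first rows to appear, so a quick query against that table is the final check that the pipeline is working end to end.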

Remove diagnostic settings

If you want to remove the diagnostic setting for the Azure subscription, you should use the Remove-AzDiagnosticSetting cmdlet with the following syntax.

Remove-AzDiagnosticSetting `
    -SubscriptionId $subscription.Id

Azure CLI Workaround

In this case, we will use Azure Cloud Shell, a browser-based shell built into Azure Portal. This allows us to use the Azure command-line tools (Azure CLI and Azure PowerShell) directly from a browser. If you want to know more about Azure Cloud Shell, check out this link. First, we define the characteristics of our environment and store the values in variables.

resourceGroupName="RG-DEMO-HUB"
logAnalyticsName="LAW-DEMO-HUB"

To keep the following commands readable, I will store the resources in variables.

logAnalyticsid=$(az monitor log-analytics workspace show \
-n $logAnalyticsName \
-g $resourceGroupName \
--query id \
--output tsv)

subscriptionid=$(az account show \
--query id \
--output tsv)

# The create command below requires --location, but $location was never set in the
# original post; as an assumption, it is taken here from the workspace's own region.
location=$(az monitor log-analytics workspace show \
-n $logAnalyticsName \
-g $resourceGroupName \
--query location \
--output tsv)

Set the log settings for the Subscription

To route the Activity logs, you should use the following command.

az monitor diagnostic-settings subscription create \
--workspace $logAnalyticsid \
--name "ExportToLogAnalytics" \
--location $location \
--logs '[{"category":"Security","enabled":true}]'

Verify the changes made

To verify the established diagnostic settings, you should use the following command.

az monitor diagnostic-settings subscription list

Remove diagnostic settings

If you want to remove the diagnostic setting for the subscription, you should use the following command.

az monitor diagnostic-settings subscription delete \
--name "ExportToLogAnalytics"

Thanks for reading my post. I hope you find it helpful.

If you want to know more about the Azure Activity log, check out this link.