question

AnkitaRaniPatro-9753 asked jimbritt answered

Need help to send only storage account resource logs to a Log Analytics workspace using Azure Policy

I need help to send only the resource logs of a storage account to a Log Analytics workspace. I have created a custom policy which is able to deploy a diagnostic setting for sending resource logs to the storage account. Somehow compliance is not working: it says noncompliant though everything looks good. I see the reason is that the top-level storage account does not have resource logs, so it keeps on failing. As below, the top storage account has only metric logs, not the resource logs. So the policy is checking the higher level and compliance is failing.

![199345-image.png][1]
![199384-image.png][2]

[1]: /answers/storage/attachments/199345-image.png
[2]: /answers/storage/attachments/199384-image.png

azure-policy

Could it be a permission issue? Do you have the ability to recreate the resource? Do you see the same issue on newly created storage accounts? You might consider opening a support ticket if you have a Microsoft resource.


No, even if I am creating a new storage account the same issue is happening.


I will ask around internally. I may not get a response until Monday, assuming nobody else posts a response here sooner. Though this sounds like something that will require a support case.


Are you at the storage account level and not drilling into each data storage type? Those log categories should show up under each storage type: blob, queue, table, etc. [provided by someone smarter than myself]


I am at the storage account level. But I am not sure what logic I need to use to drill into each data storage level.
I tried to use microsoft.storage/storageaccounts/blobstorage but it did not work for me.


anonymous user Thanks for reaching out. This is a known issue. If you configure a top-level storage account for the Transaction Metrics and then assign this policy, then trigger policy compliance, then remediate, it will skip any proxy resources that are under a storage account that has already been configured.

Due to the existence condition, if the policy checks a Microsoft.Storage/storageAccounts resource configured for Metrics, it sees the entire thing as compliant and skips over the proxy resources because there is no work to do according to the compliance check. And the policy shows as compliant.

This has been reported to the product team and the related work is in progress; there is no ETA as of now.


1 Answer

jimbritt answered

anonymous user there is an option to create a custom policy for each Proxy Resource (blob, queue, file, table) under storage accounts that exist by leveraging the below example. This would mean creating 4 different policies for those or creating a more exotic single policy :). But please test the below as an option to unblock you. The below example is for queueServices. I've tested this one in the past and it has worked. Each proxy resourceType under a storage account that exists will have a specific namespace that you can leverage and create the custom policy for that following the same process. I have an update coming in my script here: https://aka.ms/AzPolicyScripts and https://aka.ms/AzPolicyPipeline that will make it easier for Storage Accounts but it is pending some work for some of our ResourceProviders before I can release. However, the custom policy below is a good test for you to review in your dev environment to see if it will work until they can update the storage policy that exists as a built in today.

```json
{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Storage/storageAccounts/queueServices"
        }
      ]
    },
    "then": {
      "effect": "deployIfNotExists",
      "details": {
        "type": "Microsoft.Insights/diagnosticSettings",
        "existenceCondition": {
          "allOf": [
            {
              "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
              "equals": "[parameters('LogsEnabled')]"
            },
            {
              "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
              "equals": "[parameters('MetricsEnabled')]"
            },
            {
              "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
              "equals": "[parameters('logAnalytics')]"
            }
          ]
        },
        "roleDefinitionIds": [
          "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
        ],
        "deployment": {
          "properties": {
            "mode": "incremental",
            "template": {
              "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
              "contentVersion": "1.0.0.0",
              "parameters": {
                "name": {
                  "type": "string"
                },
                "logAnalytics": {
                  "type": "string"
                },
                "metricsEnabled": {
                  "type": "string"
                },
                "logsEnabled": {
                  "type": "string"
                },
                "profileName": {
                  "type": "string"
                }
              },
              "variables": {},
              "resources": [
                {
                  "type": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticSettings",
                  "apiVersion": "2021-05-01-preview",
                  "name": "[concat(parameters('name'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                  "properties": {
                    "workspaceId": "[parameters('logAnalytics')]",
                    "metrics": [
                      {
                        "category": "AllMetrics",
                        "enabled": "[parameters('metricsEnabled')]",
                        "retentionPolicy": {
                          "enabled": false,
                          "days": 0
                        }
                      }
                    ],
                    "logs": [
                      {
                        "category": "StorageRead",
                        "enabled": "[parameters('logsEnabled')]"
                      },
                      {
                        "category": "StorageWrite",
                        "enabled": "[parameters('logsEnabled')]"
                      },
                      {
                        "category": "StorageDelete",
                        "enabled": "[parameters('logsEnabled')]"
                      }
                    ],
                    "logAnalyticsDestinationType": "Dedicated"
                  }
                }
              ],
              "outputs": {
                "policy": {
                  "type": "string",
                  "value": "[concat(parameters('logAnalytics'), 'configured for diagnostic logs for ', ': ', parameters('name'))]"
                }
              }
            },
            "parameters": {
              "logAnalytics": {
                "value": "[parameters('logAnalytics')]"
              },
              "name": {
                "value": "[field('fullName')]"
              },
              "metricsEnabled": {
                "value": "[parameters('metricsEnabled')]"
              },
              "logsEnabled": {
                "value": "[parameters('logsEnabled')]"
              },
              "profileName": {
                "value": "[parameters('profileName')]"
              }
            }
          }
        }
      }
    }
  },
  "parameters": {
    "profileName": {
      "type": "String",
      "metadata": {
        "displayName": "Profile Name for Config",
        "description": "The profile name Azure Diagnostics"
      }
    },
    "logAnalytics": {
      "type": "String",
      "metadata": {
        "displayName": "logAnalytics",
        "description": "The target Log Analytics Workspace for Azure Diagnostics",
        "strongType": "omsWorkspace"
      }
    },
    "metricsEnabled": {
      "type": "String",
      "metadata": {
        "displayName": "Enable Metrics",
        "description": "Enable Metrics - True or False"
      },
      "allowedValues": [
        "True",
        "False"
      ],
      "defaultValue": "False"
    },
    "logsEnabled": {
      "type": "String",
      "metadata": {
        "displayName": "Enable Logs",
        "description": "Enable Logs - True or False"
      },
      "allowedValues": [
        "True",
        "False"
      ],
      "defaultValue": "True"
    }
  }
}
```
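The answer points out that the queueServices definition has to be repeated for each proxy resource (blob, file, queue, table). As an added example, not code from the answer or from the linked scripts, the Python below derives the other three definitions from one base policy by retargeting only the `if` condition and the template's resource type, and lints every `parameters('x')` reference against the parameters declared for its scope; names are compared case-sensitively (a conservative assumption), so the mixed `LogsEnabled` / `logsEnabled` casing in the posted policy is reported for you to make consistent. `BASE_POLICY` is a constructed, trimmed skeleton of the posted JSON, not the full policy.

```python
import copy
import json
import re

SERVICES = ("blobServices", "fileServices", "queueServices", "tableServices")
SA = "Microsoft.Storage/storageAccounts"
PARAM_REF = re.compile(r"parameters\('([^']+)'\)")

# Constructed skeleton of the answer's queueServices policy, trimmed to the parts the
# functions below inspect; it keeps the posted 'LogsEnabled' / 'logsEnabled' casing.
BASE_POLICY = {"mode": "All", "parameters": {"logsEnabled": {"type": "String"}},
    "policyRule": {
        "if": {"allOf": [{"field": "type", "equals": f"{SA}/queueServices"}]},
        "then": {"effect": "deployIfNotExists", "details": {
            "existenceCondition": {"allOf": [
                {"field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                 "equals": "[parameters('LogsEnabled')]"}]},
            "deployment": {"properties": {"mode": "incremental", "template": {
                "parameters": {"name": {"type": "string"}},
                "resources": [{"type": f"{SA}/queueServices/providers/diagnosticSettings",
                               "name": "[concat(parameters('name'), '/Microsoft.Insights/svc')]"}]},
                "parameters": {"name": {"value": "[field('fullName')]"},
                               "logsEnabled": {"value": "[parameters('logsEnabled')]"}}}}}}}}


def policy_for_service(base_policy: dict, service: str) -> dict:
    """Deep-copy `base_policy` and retarget its 'if' block and ARM template at `service`."""
    if service not in SERVICES:
        raise ValueError(f"not a storage proxy resource: {service}")
    policy = copy.deepcopy(base_policy)
    rule = policy["policyRule"]
    # Match only this proxy resource, never the top-level storage account.
    rule["if"] = {"allOf": [{"field": "type", "equals": f"{SA}/{service}"}]}
    for res in rule["then"]["details"]["deployment"]["properties"]["template"]["resources"]:
        if res["type"].endswith("/providers/diagnosticSettings"):
            res["type"] = f"{SA}/{service}/providers/diagnosticSettings"
    return policy

def _missing(body, declared):
    return sorted(set(PARAM_REF.findall(json.dumps(body))) - set(declared))

def undeclared_parameter_refs(policy: dict) -> dict:
    """parameters('x') names each scope uses but does not declare; compared case-sensitively."""
    details = policy["policyRule"]["then"]["details"]
    deploy = details["deployment"]["properties"]
    # existenceCondition and deployment parameter values resolve against policy parameters;
    # everything inside the ARM template resolves against the template's own parameters.
    return {"policy": _missing([details.get("existenceCondition"), deploy.get("parameters")],
                               policy.get("parameters", {})),
            "template": _missing(deploy["template"], deploy["template"].get("parameters", {}))}
```

Run `policy_for_service` once per entry in `SERVICES` and `json.dump` each result to get the four definitions the answer describes.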
