Set up logging to monitor logic apps in Azure Security Center

When you monitor your Logic Apps resources in Microsoft Azure Security Center, you can review whether your logic apps are following the default policies. Azure shows the health status for a Logic Apps resource after you enable logging and correctly set up the logs' destination. This article explains how to configure diagnostic logging and make sure that all your logic apps are healthy resources.

Tip

To find the current status for the Logic Apps service, review the Azure status page, which lists the status for different products and services in each available region.

Prerequisites

Enable diagnostic logging

Before you can view the resource health status for your logic apps, you must first set up diagnostic logging. If you already have a Log Analytics workspace, you can enable logging either when you create your logic app or on existing logic apps.

Tip

The default recommendation is to enable diagnostic logs for Logic Apps. However, you control this setting for your logic apps. When you enable diagnostic logs for your logic apps, you can use the information to help analyze security incidents.

Check diagnostic logging setting

If you're not sure whether your logic apps have diagnostic logging enabled, you can check in Security Center:

  1. Sign in to the Azure portal.
  2. In the search bar, enter and select Security Center.
  3. On the Security Center dashboard menu, under General, select Recommendations.
  4. In the table of security controls, find and select Enable auditing and logging > Diagnostic logs in Logic Apps should be enabled.
  5. On the recommendation page, expand the Remediation steps section and review the options. You can enable Logic Apps diagnostics by selecting the Quick Fix! button, or by following the manual remediation instructions.

View logic apps' health status

After you've enabled diagnostic logging, you can see the health status of your logic apps in Security Center.

  1. Sign in to the Azure portal.

  2. In the search bar, enter and select Security Center.

  3. On the Security Center dashboard menu, under General, select Inventory.

  4. On the inventory page, filter your assets list to show only Logic Apps resources. In the page menu, select Resource types > logic apps.

    The Unhealthy Resources counter shows the number of logic apps that Security Center considers unhealthy.

  5. In the list of logic apps resources, review the Recommendations column. To review the health details for a specific logic app, select a resource name, or select the ellipsis button (...) > View resource.

  6. To remediate any potential resource health issues, follow the steps listed for your logic apps.

If diagnostic logging is already enabled, there might be an issue with the destination for your logs. Review how to fix issues with different diagnostic logging destinations.

Fix diagnostic logging for logic apps

If your logic apps are listed as unhealthy in Security Center, open your logic app in Code View in the Azure portal or through the Azure CLI. Then, check the destination configuration for your diagnostic logs: Azure Log Analytics, Azure Event Hubs, or an Azure Storage account.

Log Analytics and Event Hubs destinations

If you use Log Analytics or Event Hubs as the destination for your Logic Apps diagnostic logs, check the following settings.

  1. To confirm that you enabled diagnostic logs, check that the diagnostic settings logs.enabled field is set to true.
  2. To confirm that you haven't set a storage account as the destination instead, check that the storageAccountId field is not present (the policy condition tests that the field exists is false).

For example:

"allOf": [
    {
        "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
        "equals": "true"
    },
    {
        "anyOf": [
            {
                "field": "Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled",
                "notEquals": "true"
            },
            {
                "field": "Microsoft.Insights/diagnosticSettings/storageAccountId",
                "exists": false
            }
        ]
    }
]

Storage account destination

If you use a storage account as the destination for your Logic Apps diagnostic logs, check the following settings.

  1. To confirm that you enabled diagnostic logs, check that the diagnostics settings logs.enabled field is set to true.
  2. To confirm that you enabled a retention policy for your diagnostic logs, check that the retentionPolicy.enabled field is set to true.
  3. To confirm that you set a retention time of 0-365 days, check that the retentionPolicy.days field is set to a number inclusively between 0 and 365.

For example:

"allOf": [
    {
        "field": "Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled",
        "equals": "true"
    },
    {
        "anyOf": [
            {
                "field": "Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days",
                "equals": "0"
            },
            {
                "field": "Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days",
                "equals": "[parameters('requiredRetentionDays')]"
            }
        ]
    },
    {
        "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
        "equals": "true"
    }
]
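The following Python example (added here, not part of the Microsoft documentation) applies the checks from both destination sections to diagnostic settings shaped like the JSON that `az monitor diagnostic-settings list --resource <logic-app-id>` returns. The sample settings are constructed, with placeholder resource IDs, so the script runs offline; the checker branches on whether storageAccountId is present, exactly as the two policy fragments above do.

```python
from typing import Any, Dict, List

# Constructed sample diagnostic settings (placeholder IDs). Only the fields the
# Security Center checks look at are included: logs[].enabled,
# logs[].retentionPolicy and the destination IDs.
SAMPLE_SETTINGS: List[Dict[str, Any]] = [
    {   # Log Analytics destination, logging on, no storage account: healthy
        "name": "to-workspace",
        "workspaceId": "/subscriptions/<sub>/resourceGroups/rg/providers/"
                       "Microsoft.OperationalInsights/workspaces/ws",
        "logs": [{"category": "WorkflowRuntime", "enabled": True,
                  "retentionPolicy": {"enabled": False, "days": 0}}],
    },
    {   # Storage account destination, retention enabled for 90 days: healthy
        "name": "to-storage",
        "storageAccountId": "/subscriptions/<sub>/resourceGroups/rg/providers/"
                            "Microsoft.Storage/storageAccounts/logs",
        "logs": [{"category": "WorkflowRuntime", "enabled": True,
                  "retentionPolicy": {"enabled": True, "days": 90}}],
    },
    {   # Storage account destination, logging off and no retention: unhealthy
        "name": "to-storage-bad",
        "storageAccountId": "/subscriptions/<sub>/resourceGroups/rg/providers/"
                            "Microsoft.Storage/storageAccounts/logs",
        "logs": [{"category": "WorkflowRuntime", "enabled": False,
                  "retentionPolicy": {"enabled": False, "days": 0}}],
    },
]


def check_setting(setting: Dict[str, Any]) -> List[str]:
    """Return findings for one diagnostic setting; an empty list means healthy."""
    findings: List[str] = []
    logs = setting.get("logs", [])
    # Both destination types require logs.enabled to be true (no logs at all fails too).
    if not logs or not all(log.get("enabled") is True for log in logs):
        findings.append("logs.enabled is not true for every log category")
    # Log Analytics / Event Hubs destinations pass as long as no storage account is set;
    # a storage account destination must also have a 0-365 day retention policy enabled.
    if "storageAccountId" in setting:
        for log in logs:
            policy = log.get("retentionPolicy", {})
            cat = log.get("category", "?")
            if policy.get("enabled") is not True:
                findings.append(f"{cat}: retentionPolicy.enabled is not true")
            days = policy.get("days")
            if not isinstance(days, int) or not 0 <= days <= 365:
                findings.append(f"{cat}: retentionPolicy.days {days!r} is not in 0-365")
    return findings


def unhealthy_settings(settings: List[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Map each failing setting's name to its findings, mirroring the Unhealthy Resources view."""
    return {s["name"]: check_setting(s) for s in settings if check_setting(s)}
```

Feed it the real output of the CLI command by loading the JSON array into SAMPLE_SETTINGS' place; each finding names the field to fix in the settings object.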