You need to enable Diagnostic Settings to gain detailed insight into your Azure infrastructure.
For example, you may want to see who has accessed an Azure Key Vault, what kind of traffic is allowed or denied by Azure Firewall, or which clients are accessing your Azure Storage Accounts and with which authentication method.
To gain any of this insight into the infrastructure, you need Diagnostic Settings. This is especially true for customers who are doing a full-scale cloud transformation and moving from their private data centers to the Azure public cloud. From an operational excellence standpoint, you might also want to know at some point which resources in Azure have diagnostic settings configured.
Diagnostic setting logs can usually be sent to three different kinds of destination:
- Azure Storage – usually on a cool tier, for long-term retention; the data can be rehydrated later for querying. This destination is not intended for active querying of logs.
- Log Analytics Workspace – for active querying using KQL. With this you can query the logs in near real time as they land in the Log Analytics Workspace.
- Event Hub – for integration. This is usually used when you want to ship the logs off site, send them to a SOC team, or, most commonly, integrate with an off-site SIEM such as Splunk.
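To make the three destinations concrete, here is an added example (not code from the original post) that configures a single diagnostic setting on a Key Vault and points it at all three destination types at once. It assumes Az.Monitor 3.x (the `New-AzDiagnosticSettingLogSettingsObject` / `New-AzDiagnosticSettingMetricSettingsObject` cmdlets); every resource ID and name in angle brackets is a constructed placeholder to replace with your own values.

```powershell
# Added example, not part of the original post. Assumes Az.Monitor 3.x.
# All IDs below are constructed placeholders; substitute your own resources.
$resourceId  = "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.KeyVault/vaults/<vault-name>"
$workspaceId = "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<workspace-name>"
$storageId   = "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<account-name>"
$ehRuleId    = "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.EventHub/namespaces/<namespace>/authorizationRules/<rule-name>"

# "allLogs" is a category group: every log category the resource type exposes, now and in future
$logs    = New-AzDiagnosticSettingLogSettingsObject -CategoryGroup allLogs -Enabled $true
$metrics = New-AzDiagnosticSettingMetricSettingsObject -Category AllMetrics -Enabled $true

# One setting can fan out to all three destination kinds at the same time:
#   WorkspaceId                -> Log Analytics (active KQL querying)
#   StorageAccountId           -> Azure Storage (long-term retention)
#   EventHubAuthorizationRuleId -> Event Hub (SIEM / off-site integration)
New-AzDiagnosticSetting -Name "kv-diag-all" -ResourceId $resourceId `
    -WorkspaceId $workspaceId `
    -StorageAccountId $storageId `
    -EventHubAuthorizationRuleId $ehRuleId -EventHubName "<hub-name>" `
    -Log $logs -Metric $metrics

# Verify: these are the same three properties a scan of diagnostic settings would read back
Get-AzDiagnosticSetting -ResourceId $resourceId |
    Select-Object Name, WorkspaceId, StorageAccountId, EventHubAuthorizationRuleId
```

A resource can carry up to a handful of diagnostic settings, so in practice you will often see one setting per destination rather than one setting with all three; either way the destination properties above are what identify where the logs go.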
I wrote this search script, which iterates over all resources in all Azure subscriptions and scans them for active Diagnostic Settings. Because an Azure Storage account has 4 sub-services, each with its own diagnostic settings, I modified the script so that it also finds Diagnostic Settings for those sub-services: Queues, Blobs, File shares, and Tables.
```powershell
$azSubs = Get-AzSubscription
foreach ($azSub in $azSubs) {
    Set-AzContext -Subscription $azSub.Id | Out-Null
    $azlogs = @()
    $Resources = Get-AzResource
    foreach ($r in $Resources) {
        $Ids = @()
        $ResourceId = $r.ResourceId
        if ($ResourceId.Contains("/Microsoft.Storage/")) {
            # Storage accounts keep separate diagnostic settings on each sub-service
            $Ids = @(
                $ResourceId + "/blobServices/default"
                $ResourceId + "/fileServices/default"
                $ResourceId + "/queueServices/default"
                $ResourceId + "/tableServices/default"
            )
        }
        else {
            $Ids = @($ResourceId)
        }
        Write-Host $ResourceId
        $Ids | ForEach-Object {
            # A resource may have several diagnostic settings; resource types that do not
            # support them raise an error, which is suppressed so the scan keeps going
            $azDiags = Get-AzDiagnosticSetting -ResourceId $_ -ErrorAction SilentlyContinue
            foreach ($azDiag in $azDiags) {
                $storageAccount = ""
                $logAnalytics = ""
                $eventHub = ""
                if ($azDiag.StorageAccountId) {
                    [string]$storage = $azDiag.StorageAccountId
                    [string]$storageAccount = $storage.Split('/')[-1]
                }
                if ($azDiag.WorkspaceId) {
                    [string]$workspace = $azDiag.WorkspaceId
                    [string]$logAnalytics = $workspace.Split('/')[-1]
                }
                if ($azDiag.EventHubAuthorizationRuleId) {
                    # .../namespaces/<namespace>/authorizationRules/<rule>: index -3 is the namespace
                    [string]$eHub = $azDiag.EventHubAuthorizationRuleId
                    [string]$eventHub = $eHub.Split('/')[-3]
                }
                if ($storageAccount -or $logAnalytics -or $eventHub) {
                    # Tab-separated: resource id, storage account, workspace, event hub namespace
                    $v = @(("" + $_ + "`t" + $storageAccount + "`t" + $logAnalytics + "`t" + $eventHub))
                    $azlogs += $v
                    Write-Host $v
                }
            }
        }
    }
    $azSubName = $azSub.Name
    $azlogs >> ".\$azSubName.txt"
}
```
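The scan above records only resources that do have a diagnostic setting. The question a defender usually asks next is the inverse: which resources have none. The following added example (not part of the original post) reads a per-subscription output file in the tab-separated format the scan writes, compares column 1 against the resources in the currently selected subscription, and lists the uncovered ones. The function name `Get-DiagnosticCoverageGap`, its parameters and the file name `Production.txt` in the usage line are assumptions of this example; it expects `Set-AzContext` to already point at the subscription the file was produced for.

```powershell
# Added example, not part of the original post. Reads the <subscription>.txt file the
# scan produces (columns: resourceId, storageAccount, logAnalytics, eventHub) and reports
# resources in the current Az context that appear nowhere in it.
function Get-DiagnosticCoverageGap {
    param(
        [Parameter(Mandatory)][string]$ScanFile,
        # Resource types known not to support diagnostic settings can be excluded here
        [string[]]$IgnoreTypes = @()
    )
    # Column 1 of the scan output is the resource ID (for storage accounts, a sub-service ID)
    $covered = Get-Content $ScanFile | ForEach-Object { ($_ -split "`t")[0].ToLower() }

    foreach ($r in Get-AzResource) {
        if ($IgnoreTypes -contains $r.ResourceType) { continue }
        $id = $r.ResourceId.ToLower()
        # A storage account counts as covered if any of its four sub-services was recorded,
        # hence the prefix match in addition to the exact match
        $hit = $covered | Where-Object { $_ -eq $id -or $_.StartsWith($id + "/") }
        if (-not $hit) {
            [pscustomobject]@{
                ResourceType = $r.ResourceType
                ResourceId   = $r.ResourceId
            }
        }
    }
}

# Usage (file name is a constructed example): summarise the gaps by resource type
Get-DiagnosticCoverageGap -ScanFile ".\Production.txt" |
    Group-Object ResourceType |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Grouping by resource type is the useful view here: a long list of one type usually means that type is not yet covered by policy, while a single stray resource is more often a resource created outside the normal deployment path. Resource IDs are compared case-insensitively because Azure returns them with inconsistent casing across cmdlets.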