As we started planning a consolidation of our Log Analytics Workspaces and a clean-up of years of partial implementations, we needed to discover all resources that have diagnostic settings configured.
Objectives
- search through all subscriptions
- provide the following details
  - Resource in question
  - Configured Diagnostic Settings
  - Details on what metrics and logs are configured
- Export it to a CSV file
- Store results in a PS Object that I can further query/refine
Background
A little bit about what Platform Logs/Diagnostic Logs are:
Platform logs provide detailed diagnostic and auditing information for Azure resources and the Azure platform they depend on. They are automatically generated although you need to configure certain platform logs to be forwarded to one or more destinations to be retained. This article provides an overview of platform logs including what information they provide and how you can configure them for collection and analysis.
Overview of Azure platform logs – Azure Monitor | Microsoft Docs
Most resources in Azure give you the opportunity to add Diagnostic Settings to send to one of three destinations:
- Log Analytics
- Event Hub
- Storage Account
The Script
Looking online I couldn’t find anything that offered quite what I wanted to achieve, so I put together the following script. It does take some time to run on large environments and is not optimised for performance.
```powershell
<#
.SYNOPSIS
    Get all Azure Diagnostics settings for Azure Resources
.DESCRIPTION
    Script cycles through all Subscriptions available to account, and checks every resource for Diagnostic Settings configuration.
    All configuration details are stored in an array ($DiagResults) as well as exported to a CSV in the current running directory.
.NOTES
    Ivan Dretvic | 2020-01-07 | https://ivan.dretvic.com/?p=1085
#>

# Install and login with Connect-AzAccount and skip when using Azure Cloud Shell
If ($null -eq (Get-Command -Name Get-CloudDrive -ErrorAction SilentlyContinue)) {
    If ($null -eq (Get-Module Az -ListAvailable -ErrorAction SilentlyContinue)) {
        Write-Host "Installing Az module from default repository"
        Install-Module -Name Az -AllowClobber
    }
    Write-Host "Importing Az"
    Import-Module -Name Az
    Write-Host "Connecting to Az"
    Connect-AzAccount
}

# Get all Azure Subscriptions
$Subs = Get-AzSubscription

# Set array
$DiagResults = @()

# Loop through all Azure Subscriptions
foreach ($Sub in $Subs) {
    Set-AzContext $Sub.id | Out-Null
    Write-Host "Processing Subscription:" $($Sub).name

    # Get all Azure resources for current subscription
    $Resources = Get-AZResource

    # Get all Azure resources which have Diagnostic settings enabled and configured
    foreach ($res in $Resources) {
        $resId = $res.ResourceId
        $DiagSettings = Get-AzDiagnosticSetting -ResourceId $resId -WarningAction SilentlyContinue -ErrorAction SilentlyContinue | Where-Object { $null -ne $_.Id }

        foreach ($diag in $DiagSettings) {
            # Reset the destination values for every setting so that a destination
            # from a previous setting is not carried over into this row
            $StorageAccountId = $StorageAccountName = $null
            $EventHubId = $EventHubName = $null
            $WorkspaceId = $WorkspaceName = $null

            If ($diag.StorageAccountId) {
                [string]$StorageAccountId = $diag.StorageAccountId
                [string]$StorageAccountName = $StorageAccountId.Split('/')[-1]
            }
            If ($diag.EventHubAuthorizationRuleId) {
                [string]$EventHubId = $diag.EventHubAuthorizationRuleId
                # Third segment from the end of the authorization rule ID
                [string]$EventHubName = $EventHubId.Split('/')[-3]
            }
            If ($diag.WorkspaceId) {
                [string]$WorkspaceId = $diag.WorkspaceId
                [string]$WorkspaceName = $WorkspaceId.Split('/')[-1]
            }

            # Store all results for resource in PS Object
            $item = [PSCustomObject]@{
                ResourceName           = $res.name
                DiagnosticSettingsName = $diag.name
                StorageAccountName     = $StorageAccountName
                EventHubName           = $EventHubName
                WorkspaceName          = $WorkspaceName
                # Extracting detailed properties into string format.
                Metrics                = ($diag.Metrics | ConvertTo-Json -Compress | Out-String).Trim()
                Logs                   = ($diag.Logs | ConvertTo-Json -Compress | Out-String).Trim()
                Subscription           = $Sub.Name
                ResourceId             = $resId
                DiagnosticSettingsId   = $diag.Id
                StorageAccountId       = $StorageAccountId
                EventHubId             = $EventHubId
                WorkspaceId            = $WorkspaceId
            }
            Write-Host $item

            # Add PS Object to array
            $DiagResults += $item
        }
    }
}

# Save Diagnostic settings to CSV as tabular data (no "#TYPE" header line on Windows PowerShell)
$DiagResults | Export-Csv -Force -NoTypeInformation -Path ".\AzureResourceDiagnosticSettings-$(get-date -f yyyy-MM-dd-HHmm).csv"
Write-Host 'The array $DiagResults can be used to further refine results within session.'
Write-Host 'eg. $DiagResults | Where-Object {$_.WorkspaceName -like "LAW-LOGS01"}'
```
The Results
The output comes in two ways:
CSV Output
Here I export the output to a CSV file called AzureResourceDiagnosticSettings-2020-01-07-00-0000.csv in the current running directory. It contains the following columns:
- ResourceName – The resource being questioned
- DiagnosticSettingsName – The name given to the Diag Setting
- StorageAccountName
- EventHubName
- WorkspaceName
- Metrics – JSON extract of the specific Metrics details
- Logs – JSON extract of the specific Logs details
- Subscription – Which subscription it belongs to
- ResourceId
- DiagnosticSettingsId
- StorageAccountId
- EventHubId
- WorkspaceId
PowerShell Array
With the CSV, you can edit it in Excel and do pretty much anything from here on, but while you are in PowerShell, you can still use it as a PS Object. The array is still available for further queries, refinements, or automation.
I specifically carry across the IDs of all the necessary objects so that they can be used downstream. The example command the script prints at the end shows how to filter the results to a specific Workspace.
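Going one step beyond a single-workspace filter, the following added example (not part of the original script) turns the collected rows into a consolidation worklist: it parses the `Logs` JSON column and flags settings that point at a workspace being retired, that have no workspace destination, or that have no log category enabled. The sample rows are constructed, and `$KeepWorkspaces`, `Get-EnabledLogCategory` and the `Category`/`Enabled` field names in the JSON are assumptions to adjust to your own export.

```powershell
# Constructed sample rows in the shape the script produces (all values made up).
# In a real session use $DiagResults, or Import-Csv on the exported file.
$Rows = @(
    [PSCustomObject]@{ ResourceName = 'kv-app01'; Subscription = 'Prod'; WorkspaceName = 'LAW-LOGS01'
        Logs = '[{"Category":"AuditEvent","Enabled":true},{"Category":"AzurePolicyEvaluationDetails","Enabled":false}]' }
    [PSCustomObject]@{ ResourceName = 'nsg-web01'; Subscription = 'Dev'; WorkspaceName = 'LAW-OLD02'
        Logs = '{"Category":"NetworkSecurityGroupEvent","Enabled":true}' }
    [PSCustomObject]@{ ResourceName = 'app-api01'; Subscription = 'Prod'; WorkspaceName = 'LAW-LOGS01'
        Logs = '{"Category":"AppServiceHTTPLogs","Enabled":false}' }
    [PSCustomObject]@{ ResourceName = 'sql-db01'; Subscription = 'Prod'; WorkspaceName = ''
        Logs = '' }
)

# Assumption: the workspace(s) that survive the consolidation.
$KeepWorkspaces = @('LAW-LOGS01')

function Get-EnabledLogCategory {
    param([string]$LogsJson)
    # An empty Logs column means the setting defines no log categories.
    if ([string]::IsNullOrWhiteSpace($LogsJson)) { return }
    # One category is exported as a JSON object, several as a JSON array.
    # Assigning first, then piping, enumerates both on PowerShell 5.1 and 7.
    $parsed = $LogsJson | ConvertFrom-Json
    $parsed | Where-Object { $_.Enabled } | ForEach-Object { $_.Category }
}

$Report = foreach ($row in $Rows) {
    $enabled = @(Get-EnabledLogCategory -LogsJson $row.Logs)
    if (-not $row.WorkspaceName)                       { $finding = 'NoWorkspaceDestination' }
    elseif ($row.WorkspaceName -notin $KeepWorkspaces) { $finding = 'RepointToTargetWorkspace' }
    elseif ($enabled.Count -eq 0)                      { $finding = 'NoLogCategoryEnabled' }
    else                                               { $finding = 'OK' }
    [PSCustomObject]@{
        Subscription  = $row.Subscription
        ResourceName  = $row.ResourceName
        WorkspaceName = $row.WorkspaceName
        EnabledLogs   = $enabled -join ','
        Finding       = $finding
    }
}

# Worklist first, then a per-workspace count to size the migration.
$Report | Where-Object Finding -ne 'OK' | Sort-Object Finding | Format-Table -AutoSize
$Report | Group-Object WorkspaceName | Select-Object Name, Count | Format-Table -AutoSize
```

A setting flagged `NoLogCategoryEnabled` exists but collects no logs, so it is worth reviewing rather than migrating as-is.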
Example of the CSV output below so you get a feel for what you expect to get in the end.
Resources
Overview of Azure platform logs – Azure Monitor | Microsoft Docs
Get-AzDiagnosticSetting (Az.Monitor) | Microsoft Docs
Finding Diagnostic Settings Configuration for Azure Resources – CHARBEL NEMNOM