Description:

Azure Monitor Resource Logs provide detailed diagnostic and operational logging for Azure services. These logs capture platform-level events such as authentication, configuration changes, access attempts, network operations, and system actions.
Enabling Resource Logging ensures critical audit and diagnostic data is recorded and sent to a Log Analytics Workspace, Storage Account, or Event Hub.


Rationale:

If resource logging is not enabled, critical platform and diagnostic events may go unrecorded. This can lead to a lack of visibility into configuration changes, unauthorized activity, operational failures, and performance issues. Exporting logs ensures proper auditability and supports compliance, incident response, and proactive monitoring.


Impact:

Enabling logging provides comprehensive visibility into control-plane operations, supporting security investigations, proactive monitoring, and compliance audits. It ensures all critical resource actions are captured and sent to a central platform for analysis. However, enabling all log categories can increase Log Analytics ingestion costs, storage consumption, and event-processing overhead. Resource owners may also need to manage retention policies and configure role-based access to ensure only authorized teams can access logs.


Default Value:

Resource logging is disabled by default for most Azure services.


Pre-requisites:

  • Azure resources that support diagnostic settings.

  • A Log Analytics Workspace, Storage Account, or Event Hub for log export.

  • Permissions to configure Diagnostic settings on resources.


Test Plan:

  1. Sign in to the Azure Portal.

  2. Navigate to Azure Monitor.

  3. Under Settings, open Diagnostic settings.

  4. Select the applicable subscription(s).

  5. Review the list of resources and the Diagnostics status column.

  6. Verify that all supported resources show Diagnostics status = Enabled.

  7. For any resource showing Disabled, follow the implementation steps.
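
The check in steps 5 to 7 can also be run offline against exported diagnostic settings. The script below is an added example, not part of the original control: it reports a resource as Enabled only when at least one diagnostic setting has both a destination and an enabled log category. It assumes the input was collected per resource (for example with `az monitor diagnostic-settings list --resource <resource-id>`); the resource names, subscription ID and sample data are constructed placeholders.

```python
# Added example: offline audit of exported diagnostic settings (constructed data).
# Destination properties of a diagnostic setting, as named in the ARM API.
DESTINATIONS = ("workspaceId", "storageAccountId", "eventHubAuthorizationRuleId")

def check_setting(setting):
    """Return the gaps found in one diagnostic setting (empty list = exports logs)."""
    props = setting.get("properties", setting)  # REST nests fields; az CLI flattens them
    gaps = []
    if not any(props.get(key) for key in DESTINATIONS):
        gaps.append("no destination")
    if not any(log.get("enabled") for log in props.get("logs") or []):
        gaps.append("no log category enabled")
    return gaps

def audit(resources):
    """Map each resource ID to 'Enabled' or 'Disabled: <reason>'."""
    report = {}
    for rid, raw in resources.items():
        settings = raw.get("value", []) if isinstance(raw, dict) else (raw or [])
        if not settings:
            report[rid] = "Disabled: no diagnostic setting"
            continue
        gaps = [check_setting(s) for s in settings]
        if any(not g for g in gaps):  # one complete setting is enough
            report[rid] = "Enabled"
        else:
            reasons = sorted({reason for g in gaps for reason in g})
            report[rid] = "Disabled: " + "; ".join(reasons)
    return report

# Constructed sample input: placeholder subscription, hypothetical resource names.
BASE = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example/providers"
WORKSPACE = BASE + "/Microsoft.OperationalInsights/workspaces/law-example"
KV_OK = BASE + "/Microsoft.KeyVault/vaults/kv-example-1"
KV_METRICS_ONLY = BASE + "/Microsoft.KeyVault/vaults/kv-example-2"
NSG_NONE = BASE + "/Microsoft.Network/networkSecurityGroups/nsg-example"
SAMPLE = {
    KV_OK: [{"name": "to-law", "workspaceId": WORKSPACE,
             "logs": [{"category": "AuditEvent", "enabled": True}]}],
    KV_METRICS_ONLY: [{"name": "metrics-only", "properties": {
        "workspaceId": WORKSPACE,
        "logs": [{"category": "AuditEvent", "enabled": False}],
        "metrics": [{"category": "AllMetrics", "enabled": True}]}}],
    NSG_NONE: {"value": []},
}

if __name__ == "__main__":
    for resource_id, status in audit(SAMPLE).items():
        print(f"{status:40} {resource_id}")
```

A metrics-only setting is reported as Disabled here because it records no resource log events, even though a diagnostic setting exists on the resource.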


Implementation Steps:

  1. Sign in to the Azure Portal.

  2. Navigate to Azure Monitor.

  3. Under Settings, select Diagnostic settings.

  4. Select the required Subscription(s).

  5. Select a resource with Diagnostics status = Disabled.

  6. Click + Add diagnostic setting.

  7. Enter a Diagnostic setting name.

  8. Enable all relevant log categories.

  9. Enable Metrics (if available).

  10. Select at least one destination:

       • Log Analytics Workspace (recommended), or

       • Storage Account, or

       • Event Hub

  11. Click Save.

Backout Plan:

  1. Sign in to the Azure Portal.

  2. Navigate to Azure Monitor.

  3. Under Settings, select Diagnostic settings.

  4. Select the applicable Subscription(s).

  5. Select the resource with diagnostic logging enabled.

  6. Select the configured Diagnostic setting.

  7. Click Delete and confirm the action.
