Description:

Azure Monitor Resource Logging provides real-time monitoring and logging for Azure resources, helping you track and analyze resource utilization, performance, security, and compliance. Enabling resource logging for services that support it ensures that detailed data about your resources' operations, failures, and performance metrics is collected and can be analyzed. This is crucial for maintaining the health, security, and optimization of your Azure resources.

Enabling Azure Monitor Resource Logging allows organizations to:

  • Track operational health and performance issues.

  • Monitor resource utilization and detect potential anomalies.

  • Ensure compliance by maintaining logs for auditing purposes.

  • Troubleshoot issues in real-time or retrospectively.

Rationale:

Enabling Azure Monitor Resource Logging for supported services allows you to capture and analyze detailed logs related to resource operations, system failures, and user activity. This capability is critical for ensuring that your Azure resources are performing optimally, detecting security incidents, and ensuring compliance with industry regulations.

By configuring resource logging, organizations gain insights into the behavior of their applications and infrastructure, enabling quick response to performance degradation, security threats, or operational failures.

Impact:

Enabling resource logging across all relevant services improves monitoring, security, and troubleshooting capabilities. However, it can increase storage costs due to the volume of log data generated, particularly for high-traffic services. Managing log retention policies and ensuring efficient log storage are essential to balancing costs and maintaining operational insights.

Default Value:

By default, Azure Monitor Resource Logging is not enabled for all resources. It needs to be manually configured for each resource or service to ensure logs are captured.

Pre-requisites:

  • Azure subscription.

  • Owner or Contributor permissions for enabling logging.

  • Azure Monitor configured to collect and store logs.

  • Log Analytics workspace set up for storing and analyzing logs.

Audit:

  1. Sign in to Azure portal as an Owner or Contributor.

  2. Navigate to Azure Monitor and review the list of resources and services for which logging is enabled.

  3. Ensure that logging is enabled for all supported resources, such as Virtual Machines, App Services, Storage Accounts, Databases, and Network Security Groups.
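The audit above is described as a portal walk-through. The following script is an added example (not part of this control's text or of any Microsoft tooling) that applies the same check offline to diagnostic-setting objects in the shape of the Microsoft.Insights/diagnosticSettings resource, as returned by `az monitor diagnostic-settings list --resource <resource-id>` or the Azure Monitor REST API. A resource counts as compliant only when at least one setting has an enabled log category and a destination (Log Analytics workspace, Storage account, or Event Hub), which is exactly what the implementation steps configure; metrics-only settings are treated as non-compliant because the control is about resource logs. The inventory, resource names, and subscription ID below are constructed placeholders.

```python
"""Offline audit of Azure diagnostic settings (added example, not from the page)."""
from __future__ import annotations

from dataclasses import dataclass, field

# Destination properties a diagnostic setting may carry (Microsoft.Insights/diagnosticSettings).
DESTINATION_KEYS = ("workspaceId", "storageAccountId", "eventHubAuthorizationRuleId")


@dataclass
class Finding:
    resource_id: str
    status: str  # "compliant" or "non-compliant"
    reason: str
    categories: list[str] = field(default_factory=list)
    destinations: list[str] = field(default_factory=list)


def enabled_categories(setting: dict) -> list[str]:
    """Names of log categories (or category groups) switched on in one diagnostic setting.
    Metrics are deliberately ignored: the control is about resource logs."""
    names = []
    for log in setting.get("properties", {}).get("logs", []):
        if log.get("enabled"):
            name = log.get("category") or log.get("categoryGroup")
            if name:
                names.append(name)
    return names


def destinations(setting: dict) -> list[str]:
    """Which destination kinds (workspace, storage account, event hub) the setting routes to."""
    props = setting.get("properties", {})
    return [key for key in DESTINATION_KEYS if props.get(key)]


def evaluate_resource(resource_id: str, settings: list[dict]) -> Finding:
    """A resource passes when at least one diagnostic setting has an enabled log
    category AND a destination; otherwise explain, per setting, what is missing."""
    if not settings:
        return Finding(resource_id, "non-compliant", "no diagnostic settings configured")
    problems = []
    for setting in settings:
        cats, dests = enabled_categories(setting), destinations(setting)
        if cats and dests:
            return Finding(resource_id, "compliant", "log categories routed to a destination",
                           sorted(set(cats)), dests)
        name = setting.get("name", "<unnamed>")
        if cats:
            problems.append(f"{name}: log categories enabled but no destination")
        elif dests:
            problems.append(f"{name}: destination set but no log category enabled")
        else:
            problems.append(f"{name}: no log categories and no destination")
    return Finding(resource_id, "non-compliant", "; ".join(problems))


def audit(inventory: dict[str, list[dict]]) -> list[Finding]:
    """Evaluate every resource in the inventory, in a stable (sorted) order."""
    return [evaluate_resource(rid, settings) for rid, settings in sorted(inventory.items())]


def report(findings: list[Finding]) -> str:
    """One line per resource, keyed by the part of the resource ID after /providers/."""
    lines = []
    for f in findings:
        short = f.resource_id.rsplit("/providers/", 1)[-1]
        lines.append(f"[{f.status:13}] {short}: {f.reason}")
    return "\n".join(lines)


# Constructed sample inventory: resource ID -> list of diagnostic settings on that resource.
# Subscription ID and resource names are placeholders, not real resources.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
SAMPLE_INVENTORY = {
    # Blob service: two read/write categories on, routed to a Log Analytics workspace -> compliant
    f"{SUB}/providers/Microsoft.Storage/storageAccounts/stdemo001/blobServices/default": [
        {"name": "to-law", "properties": {
            "workspaceId": f"{SUB}/providers/Microsoft.OperationalInsights/workspaces/law-demo",
            "logs": [{"category": "StorageRead", "enabled": True},
                     {"category": "StorageWrite", "enabled": True},
                     {"category": "StorageDelete", "enabled": False}],
            "metrics": [{"category": "Transaction", "enabled": True}]}}],
    # NSG with no diagnostic settings at all -> non-compliant
    f"{SUB}/providers/Microsoft.Network/networkSecurityGroups/nsg-demo": [],
    # App Service with the "audit" category group on but nowhere to send it -> non-compliant
    f"{SUB}/providers/Microsoft.Web/sites/app-demo": [
        {"name": "audit-only", "properties": {
            "logs": [{"categoryGroup": "audit", "enabled": True}], "metrics": []}}],
    # Application Gateway sending metrics only; access log disabled -> non-compliant
    f"{SUB}/providers/Microsoft.Network/applicationGateways/agw-demo": [
        {"name": "metrics-only", "properties": {
            "storageAccountId": f"{SUB}/providers/Microsoft.Storage/storageAccounts/stlogs001",
            "logs": [{"category": "ApplicationGatewayAccessLog", "enabled": False}],
            "metrics": [{"category": "AllMetrics", "enabled": True}]}}],
}

if __name__ == "__main__":
    print(report(audit(SAMPLE_INVENTORY)))
```

Feeding the script real output rather than the constructed inventory means building the same dictionary from each resource's settings; the same `evaluate_resource` check also serves the backout verification (a resource with an empty settings list is reported as having no diagnostic settings).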

Implementation Steps (Manual):

  1. Sign in to Azure portal:

    • Use an account with Owner or Contributor permissions.

  2. Navigate to Azure Monitor:

    • In the Azure portal, search for Azure Monitor and select it from the search results.

  3. Configure Resource Logging for Services:

    • Under Azure Monitor, go to the Activity Log to monitor actions and changes to resources.

    • Navigate to the Diagnostic settings section to configure logging for individual resources.

    • For each service (e.g., VMs, App Services, Storage Accounts):

      • Go to the resource (e.g., VM > Monitoring > Diagnostic settings).

      • Enable diagnostic logging and select the log categories you want to capture (e.g., Audit logs, Performance logs, Security logs).

      • Select the destination for the logs: Log Analytics workspace, Storage account, or Event Hub.

      • Click Save to apply the configuration.

  4. Enable Resource Logging for Virtual Machines:

    • Go to the Virtual Machine resource in the Azure portal.

    • Under Monitoring, select Diagnostic settings.

    • Enable Boot diagnostics, Guest OS diagnostics, and Performance counters to track the VM’s performance and health.

  5. Enable Resource Logging for App Services:

    • Go to the App Service in the Azure portal.

    • Under Monitoring, select Diagnostic settings.

    • Enable Application Logging, Web Server Logging, and Detailed Error Messages to capture logs related to the app's performance and errors.

  6. Enable Resource Logging for Azure Storage Accounts:

    • Go to the Storage account in the Azure portal.

    • Under Monitoring, select Diagnostic settings.

    • Enable Blob service logging, File service logging, and Queue service logging to monitor activity on your storage resources.

  7. Enable Resource Logging for Network Resources:

    • For Network Security Groups (NSGs), enable Flow Logs under Network Watcher.

    • For Azure Load Balancers, ensure that Load Balancer diagnostic logs are enabled.

    • For Application Gateway, enable Application Gateway access logs and Performance logs.

  8. Configure Log Analytics Workspace:

    • Ensure that all logs from the resources are being sent to a Log Analytics workspace.

    • In the Azure portal, create or select a Log Analytics workspace.

    • Link the Diagnostic settings for each resource to this workspace to centralize log collection.

  9. Review and Monitor Logs:

    • Once logging is enabled for the resources, use Azure Monitor to analyze the logs.

    • Set up log queries in Log Analytics to retrieve specific logs based on your monitoring needs (e.g., performance bottlenecks, errors, security incidents).

    • Configure alerts to notify administrators when certain thresholds are reached (e.g., high CPU usage, failed login attempts).

  10. Test Logging Configuration:

    • After enabling logging, test the configuration by generating traffic or events on the resources and verifying that logs are correctly captured and stored in the Log Analytics workspace.

Backout Plan (Manual):

  1. Sign in to Azure portal:

    • Use an account with Owner or Contributor permissions.

  2. Navigate to Azure Monitor:

    • Go to Azure Monitor in the Azure portal.

  3. Disable Resource Logging:

    • For each resource that has diagnostic logging enabled, go to the Diagnostic settings section and disable logging for the desired categories (e.g., Audit logs, Performance logs).

    • Remove the configuration to send logs to Log Analytics workspace, Storage account, or Event Hub.

  4. Verify the Backout:

    • Ensure that logs are no longer being generated for the resources and that no diagnostic settings remain in place.

    • Monitor Azure Monitor to verify that logs are no longer being captured.

  5. Test the Reverted Configuration:

    • Generate events or traffic for the resources to verify that logging has been disabled.

References: