Description:
In Azure, diagnostic settings are used to collect and route log and metric data from Azure resources (such as Azure App Services, Azure Key Vault, Azure Virtual Machines, etc.) to various destinations such as Log Analytics, Event Hub, or Storage Account. Diagnostic settings allow you to define which categories of logs (e.g., Audit Logs, Performance Metrics, Error Logs) and metrics should be captured and sent to the configured destination.
Ensuring that the appropriate log categories are captured and sent is crucial for monitoring, troubleshooting, and maintaining compliance for your Azure resources. Categories like Audit Logs, Resource Logs, Metrics, and Error Logs provide valuable insights into the health, performance, and security of your Azure resources.
Rationale:
By configuring the appropriate Diagnostic Settings, you ensure that your logs contain relevant data, including:
Performance data (e.g., CPU utilization, network traffic, disk I/O) for monitoring and performance analysis.
Audit data for tracking configuration changes, security incidents, and access controls.
Error logs to identify and troubleshoot failures and issues.
Metrics for real-time monitoring and alerting.
Ensuring the correct categories are enabled will enable effective monitoring, improve security posture, and help you meet regulatory and compliance requirements.
Impact:
Configuring diagnostic settings to capture the correct categories of logs and metrics enhances monitoring, security auditing, and troubleshooting, but it may increase storage costs, especially if logs are stored long-term or if your environment generates high volumes of data. Proper log retention policies should be implemented to avoid unnecessary storage costs.
Default Value:
By default, diagnostic settings in Azure resources may not capture all log categories or may capture only essential logs (such as Resource Logs). You must manually configure diagnostic settings to include the appropriate categories for the resource.
Pre-requisites:
Azure subscription with Azure resources (e.g., Virtual Machines, App Services, Storage Accounts).
Owner or Contributor role permissions to configure diagnostic settings.
Log Analytics workspace, Event Hub, or Storage Account for storing logs and metrics.
Audit:
Sign in to Azure portal as an Owner or Contributor.
Navigate to the resource (e.g., Virtual Machines, App Services, Key Vault, etc.) and review the diagnostic settings to ensure that the appropriate log categories are selected.
Verify that Diagnostic settings are configured to capture logs for relevant categories (e.g., Audit Logs, Error Logs, Performance Metrics).
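An automated version of this audit step, added here as an example and not part of the original recommendation: it reads the JSON printed by `az monitor diagnostic-settings list --resource <Resource-ID>` and reports which required log categories are not enabled by any setting that actually routes to a destination. The output field names (`logs`, `categoryGroup`, `workspaceId`, `storageAccountId`, `eventHubAuthorizationRuleId`) and the two list shapes are assumptions about Azure CLI output; the required categories are the ones this page's own CLI example enables, and the sample output is constructed.

```python
import json

# Destination fields a setting may carry in `az monitor diagnostic-settings list` output (assumed names).
DESTINATION_KEYS = ("workspaceId", "storageAccountId", "eventHubAuthorizationRuleId")

def enabled_categories(setting):
    """Return (set_of_enabled_categories, covers_all_logs) for one diagnostic setting.

    A 'categoryGroup' of 'allLogs' enables every category the resource emits. Other
    groups (e.g. 'audit') map to resource-specific categories and are deliberately
    not expanded here, so they count as nothing (conservative assumption)."""
    enabled, covers_all = set(), False
    for entry in setting.get("logs", []):
        if not entry.get("enabled"):
            continue
        if entry.get("categoryGroup") == "allLogs":
            covers_all = True
        elif entry.get("category"):
            enabled.add(entry["category"])
    return enabled, covers_all

def audit_diagnostic_settings(cli_output, required):
    """Check the JSON from `az monitor diagnostic-settings list --resource <id>`
    against the log categories this recommendation requires.

    Returns (missing_categories, names_of_settings_with_no_destination)."""
    data = json.loads(cli_output) if isinstance(cli_output, str) else cli_output
    # Older CLI versions wrap the list in {"value": [...]}; newer ones return the list itself.
    settings = data.get("value", []) if isinstance(data, dict) else data
    covered, covers_all, no_destination = set(), False, []
    for s in settings:
        if not any(s.get(k) for k in DESTINATION_KEYS):
            no_destination.append(s.get("name", "<unnamed>"))
            continue  # nothing is routed anywhere, so its categories do not count
        cats, all_logs = enabled_categories(s)
        covered |= cats
        covers_all = covers_all or all_logs
    missing = set() if covers_all else set(required) - covered
    return missing, no_destination

# Constructed sample of CLI output: one setting routes AuditLogs to a workspace but
# leaves ServiceRequestLogs disabled. Values in <> are placeholders, not real IDs.
SAMPLE_CLI_OUTPUT = json.dumps([{
    "name": "send-to-law",
    "workspaceId": "/subscriptions/<sub>/resourceGroups/<rg>/providers/"
                   "Microsoft.OperationalInsights/workspaces/<workspace>",
    "logs": [{"category": "AuditLogs", "enabled": True},
             {"category": "ServiceRequestLogs", "enabled": False}],
    "metrics": [{"category": "AllMetrics", "enabled": True}],
}])

REQUIRED = {"AuditLogs", "ServiceRequestLogs"}  # categories from this page's CLI example

if __name__ == "__main__":
    missing, orphaned = audit_diagnostic_settings(SAMPLE_CLI_OUTPUT, REQUIRED)
    print("missing categories:", sorted(missing) or "none")
    print("settings without a destination:", orphaned or "none")
```

The same function can be re-run after the backout plan to confirm that the required categories are reported as missing, i.e. that collection has stopped.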
Implementation Steps (Automated):
Sign in to Azure portal:
Use an account with Owner or Contributor permissions.
Navigate to the Resource:
In the Azure portal, search for the specific Azure resource (e.g., App Service, Virtual Machine, Key Vault, etc.) for which you want to enable diagnostic settings.
Go to Diagnostic Settings:
In the resource pane, under Monitoring, select Diagnostic settings.
Configure Diagnostic Settings:
In the Diagnostic settings pane, click + Add diagnostic setting. Choose the relevant log categories you want to capture. Categories typically available for various resources include:
AuditLogs: Captures operations and changes performed on resources.
ServiceRequestLogs: Tracks the API requests made to a service.
Performance Metrics: Monitors metrics such as CPU usage, memory, disk I/O, etc.
Error Logs: Captures error data and failures related to the resource.
Resource Logs: Logs about operations that affect the resource.
Select the appropriate categories based on your requirements:
For a Virtual Machine: You might want to select Guest OS diagnostics, Performance metrics, and Resource logs.
For an App Service: You would likely enable App Service HTTP Logs, Audit logs, and Error logs.
For Key Vault: Enable Audit logs and Service request logs.
Choose Destination for Logs:
Under Destination details, select one or more destinations to send the logs to:
Log Analytics workspace: For querying and visualizing logs.
Storage Account: For long-term storage and retention of logs.
Event Hub: For streaming logs to external systems or SIEM tools.
Choose the relevant destination based on your organization's needs.
Set Retention Policy:
Configure a retention policy to define how long the logs will be kept. Logs can be retained for up to 2 years in Log Analytics or Storage Accounts.
Set a retention policy to align with your compliance or data storage needs.
Review and Apply Changes:
Review your settings, ensuring the appropriate categories are selected and the logs are directed to the right destination.
Click Save to apply the changes.
Verify Logs Are Captured:
After configuring the diagnostic settings, trigger activity on the resource (e.g., create or modify an App Service, perform an action on a Virtual Machine).
Go to your Log Analytics workspace (or Storage Account or Event Hub) and verify that the logs are being captured and sent as per your configuration.
Automate Diagnostic Settings with Azure CLI: To automate the configuration of diagnostic settings using Azure CLI, use the following command:
az monitor diagnostic-settings create \
  --resource <Resource-ID> \
  --name <Diagnostic-Setting-Name> \
  --workspace <Log-Analytics-Workspace-ID> \
  --logs '[{"category": "AuditLogs", "enabled": true}, {"category": "ServiceRequestLogs", "enabled": true}]'
Replace <Resource-ID>, <Diagnostic-Setting-Name>, and <Log-Analytics-Workspace-ID> with the appropriate values for your environment.
Set Up Alerts (Optional):
You can set up alerts in Azure Monitor based on the diagnostic logs captured. For example, you can create alerts for when failed requests or denied access events are logged.
In Azure Monitor, go to Alerts and create a new alert rule based on the Diagnostic Logs.
Monitor Logs and Review:
Use Azure Monitor to regularly review the logs captured by Diagnostic Settings.
Create custom dashboards or queries to visualize the data, track trends, and detect issues in real-time.
Backout Plan (Automated):
Sign in to Azure portal:
Use an account with Owner or Contributor permissions.
Navigate to the Resource:
Go to the resource in Azure portal.
Remove or Modify Diagnostic Setting:
In Diagnostic settings, locate the diagnostic setting you created for the resource.
Either delete the diagnostic setting or disable specific log categories to stop capturing logs.
Verify Log Collection Stopped:
After removing or modifying the diagnostic setting, check your Log Analytics workspace or Storage Account to ensure that logs are no longer being captured.
Test the Reverted Configuration:
Perform an action on the resource and confirm that no logs are being captured or sent to the destination.