Description:
Storage Logging for Azure Queue service captures detailed information about all requests made to the queue endpoint, including read, write, and delete operations. When enabled, it records essential metadata such as timestamps, operation types, requester identity, IP address, and response status. This provides valuable visibility into how queue storage is accessed and used, supporting monitoring, troubleshooting, auditing, and operational analysis.
Rationale:
Enabling Storage Logging ensures that all interactions with the Azure Queue service are fully traceable. This is critical for:
Identifying unauthorized or anomalous activity
Supporting forensic investigations by providing historical operation data
Meeting compliance and governance requirements that mandate detailed access and modification logs
Maintaining strong operational oversight of message processing workflows
Impact:
Improves visibility into all queue service operations (read, write, delete)
Strengthens security monitoring and supports detailed audit trails
Facilitates troubleshooting and performance analysis for message processing issues
Generates additional log data, increasing storage consumption and associated cost
Requires ongoing management of retention and lifecycle policies for log data
Default Value:
Storage Logging for the Azure Queue service is disabled by default.
Pre-requisites:
Global Administrator or Security Administrator permissions
The storage account must support Queue service logging
Test Plan:
Sign in to the Azure Portal.
Search for Azure Storage Accounts and select the specific storage account.
In the left-hand menu, under Monitoring, select Diagnostic settings.
Confirm that logging is enabled for the Queue service, with Read, Write, and Delete operations selected.
If it is disabled, follow the Implementation Steps.
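The same check can be scripted. The following is an added example, not part of the original control: it assumes the JSON comes from `az monitor diagnostic-settings list --resource <storage-account-id>/queueServices/default`, and the function name and sample data are constructed for illustration.

```python
import json

# Resource-log categories behind the portal's Read, Write and Delete checkboxes.
REQUIRED = {"StorageRead", "StorageWrite", "StorageDelete"}
# A setting must name at least one destination, otherwise nothing is stored.
DESTINATIONS = ("storageAccountId", "workspaceId", "eventHubAuthorizationRuleId")

def missing_categories(settings_json):
    """Return the required categories that no diagnostic setting enables."""
    data = json.loads(settings_json)
    # Some CLI versions wrap the list in {"value": [...]}, others return it bare.
    settings = data.get("value", []) if isinstance(data, dict) else data
    enabled = set()
    for setting in settings:
        if not any(setting.get(key) for key in DESTINATIONS):
            continue
        for log in setting.get("logs") or []:
            if not log.get("enabled"):
                continue
            if log.get("categoryGroup") == "allLogs":
                enabled |= REQUIRED  # category group that covers every log category
            elif log.get("category") in REQUIRED:
                enabled.add(log["category"])
    return REQUIRED - enabled

# Constructed sample: Delete is switched off, so the check must flag it.
SAMPLE_PARTIAL = json.dumps([{
    "name": "queue-logs",
    "storageAccountId": "/subscriptions/<sub-id>/.../storageAccounts/<log-account>",
    "logs": [
        {"category": "StorageRead", "enabled": True},
        {"category": "StorageWrite", "enabled": True},
        {"category": "StorageDelete", "enabled": False},
    ],
}])

# Constructed sample: one setting using the allLogs category group.
SAMPLE_ALL = json.dumps({"value": [{
    "name": "queue-all",
    "workspaceId": "/subscriptions/<sub-id>/.../workspaces/<workspace>",
    "logs": [{"categoryGroup": "allLogs", "enabled": True}],
}]})

if __name__ == "__main__":
    for label, sample in (("partial", SAMPLE_PARTIAL), ("all", SAMPLE_ALL)):
        gaps = missing_categories(sample)
        print(label, "PASS" if not gaps else "FAIL missing: " + ", ".join(sorted(gaps)))
```

An empty result means Read, Write and Delete are all being logged to a destination; any returned category is a gap to close with the Implementation Steps.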
Implementation Steps:
Sign in to the Azure Portal.
Search for Azure Storage Accounts and select the specific storage account.
Under the Monitoring section, select Diagnostic settings and click on Queue services.
Click Add diagnostic setting.
In the diagnostic setting, provide a name, select all logs (Read, Write, and Delete), choose the destination storage account to send the logs to, and click Save.
The diagnostic setting will be created.
Backout plan:
Sign in to the Azure Portal.
Search for Azure Storage Accounts and select the specific storage account.
Under Monitoring, select Diagnostic settings. Click Edit settings.
Click Delete.