In this article, I will share with you how to find the diagnostic settings configuration for all Azure resources in your Azure Subscription with PowerShell.

Introduction

Platform logs in Azure provide detailed diagnostic and auditing information for Azure resources and the Azure platform they depend on. They are automatically generated although you need to configure certain platform logs to be forwarded to one or more destinations to be retained. Current destinations include Log Analytics workspace, Event Hubs, and Azure Storage.

The platform logs include Azure resources (resource logs), Azure Subscription (Activity logs), and Azure Tenant (Azure Active Directory logs). And each Azure resource requires its own diagnostic setting, which defines the following criteria:

• Categories of logs and metric data sent to the destinations defined in the setting. The available categories will vary for different resource types.
• You can send the logs to one or more of the 3 destinations below depending on your monitoring requirements.
  • Storage account
  • Event Hub
  • Log Analytics workspace

Please note that a single diagnostic setting can define only one of each of the destinations. If you want to send the logs to more than one of a particular destination type (for example, two different storage accounts), then you need to create multiple diagnostic settings. At the time of this writing, each resource can have up to 5 diagnostic settings.

I have recently come across a challenging scenario where I want to find the diagnostic settings configuration for all my Azure resources which reside in multiple Azure subscriptions. And some Azure resources have more than one diagnostic settings configured as well.

After some digging, I’ve found that I can pull the diagnostics settings configuration for each Azure resource with PowerShell.

In this article, I will share with you the PowerShell script that helped me to pull out all the diagnostics settings configuration for all my Azure resources.

Get Azure Diagnostic Settings Configuration

Assuming you have the right permissions and the latest AZ and AZ Monitor PowerShell module installed, log in with Connect-AzAccount if NOT using Cloud Shell and run the following script:

# Login with Connect-AzAccount if not using Cloud Shell
Connect-AzAccount

# Get all Azure Subscriptions
$azSubs = Get-AzSubscription

# Loop through all Azure Subscriptions
foreach ($azSub in $azSubs) {
    Set-AzContext $azSub.id | Out-Null

# Set array
$azlogs = @()

    # Get all Azure resources deployed in each Subscription
    $azResources = Get-AZResource

    # Get all Azure resources which have Diagnostic settings enabled and configured
    foreach ($azResource in $azResources) {
        $resourceId     = $azResource.ResourceId
        $azDiagSettings = Get-AzDiagnosticSetting -ResourceId $resourceId | Where-Object {$_.Id -ne $NULL}
        foreach ($azDiag in $azDiagSettings) {
            If ($azDiag.StorageAccountId) {
                [string]$storage = $azDiag.StorageAccountId
                [string]$storageAccount = $storage.Split('/')[-1]
            }
            If ($azDiag.WorkspaceId) {
                [string]$workspace = $azDiag.WorkspaceId
                [string]$logAnalytics = $workspace.Split('/')[-1]
            }
            If ($azDiag.EventHubAuthorizationRuleId) {
                [string]$eHub = $azDiag.EventHubAuthorizationRuleId
                [string]$eventHub = $eHub.Split('/')[-3]
            }
            [string]$resource     = $azDiag.id
            [string]$resourceName = $resource.Split('/')[-5]
            $azlogs +=  @($("Diagnostic setting name: " + $azDiag.Name), ("Azure Resource name: " + $resourceName), `
                        ("Logs: " + $azDiag.Logs), ("Metrics: " + $azDiag.Metrics), `
                        ("Storage Account Name: " + $storageAccount), ("Log Analytics workspace: " + $logAnalytics), `
                        ("Event Hub Namespace: " + $eventHub))
            $azlogs += @(" ")
        }
    }
        # Save Diagnostic settings report for each Azure Subscription
        $azSubName = $azSub.Name
        $azlogs > .\$azSubName.txt
}

From the example above, I am pulling the following information:

• Diagnostic Settings Name
• Azure Resource Name
• Logs
  • Enabled (True or False)
  • Category
  • Retention Policy
• Metrics
  • Enabled (True or False)
  • Category
  • Retention Policy
• Storage account Name
• Log Analytics Workspace
• Event Hub Namespace

The Diagnostic settings configuration report will be saved in the current working path following the Azure Subscription name.

In my example, the output looks like this.

That’s it there you have it!

I am planning to improve this tool in the future. If you have any feedback or changes that everyone should receive, please feel free to share your thoughts in the comment section below.

Summary

In this article, I showed you how to find the diagnostic settings configuration for all Azure resources in your subscription with Azure PowerShell.

To learn more about diagnostic settings, please check the official documentation from Microsoft here.

To learn more about the Azure resource logs, please check the official documentation from Microsoft here.

To learn more about the Azure Activity log, please check the official documentation from Microsoft here.

__
Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-

Related Posts