Updated – 08/03/2023 – The article was updated to export the list of resources that do NOT have Diagnostic Settings enabled and configured. Please feel free to leave a comment below for additional improvement.
In this article, we will share with you how to find the diagnostic settings configuration for all Azure resources in your Azure Subscription with PowerShell.
Table of Contents
Introduction
Platform logs in Azure provide detailed diagnostic and auditing information for Azure resources and the Azure platform they depend on. They are automatically generated although you need to configure certain platform logs to be forwarded to one or more destinations to be retained. Current destinations include Log Analytics workspace, Event Hubs, and Azure Storage.
The platform logs include Azure resources (resource logs), Azure Subscription (Activity logs), and Azure Tenant (Azure Active Directory logs). And each Azure resource requires its own diagnostic setting, which defines the following criteria:
> Categories of logs and metric data are sent to the destinations defined in the setting. The available categories will vary for different resource types.
> You can send the logs to one or more of the 3 destinations below depending on your monitoring requirements:
- Storage account
- Event Hub
- Log Analytics workspace
Please note that a single diagnostic setting can define only one of each of the destinations. If you want to send the logs to more than one of the particular destination types (for example, two different storage accounts), then you need to create multiple diagnostic settings. At the time of this writing, each resource can have up to 5 diagnostic settings.
We have recently come across a challenging scenario where we want to find the diagnostic settings configuration for all my Azure resources that reside in multiple Azure subscriptions. And some Azure resources have more than one diagnostic setting configured as well.
After some digging, we’ve found that we can pull the diagnostics settings configuration for each Azure resource with PowerShell or the Azure CLI.
In this article, we will share with you the PowerShell script that helped me to pull out all the diagnostics settings configuration for all Azure resources.
Get Azure Diagnostic Settings Configuration
Assuming you have the right permissions and the latest AZ and AZ Monitor PowerShell module installed, log in with Connect-AzAccount if NOT using Cloud Shell, and run the following PowerShell script:
<#
.Synopsis
A script used to export diagnostics settings configuration for all Azure resources.
.DESCRIPTION
A script used to find and export diagnostics settings configuration for Azure resources in all Azure Subscriptions.
Finally, it will save the report as a text file for each Azure Subscription.
.Notes
Created : 2020-11-16
Updated : 2022-06-16
Version : 1.0
Author : Charbel Nemnom
Twitter : @CharbelNemnom
Blog : https://charbelnemnom.com
Disclaimer: This script is provided "AS IS" with no warranties.
#>
# Install and login with Connect-AzAccount and skip when using Azure Cloud Shell
If ($null -eq (Get-Command -Name Get-CloudDrive -ErrorAction SilentlyContinue)) {
If ($null -eq (Get-Module Az -ListAvailable -ErrorAction SilentlyContinue)){
Write-Output "Installing Az module from default repository..."
Install-Module -Name Az -AllowClobber
}
Write-Output "Importing Az Module..."
Import-Module -Name Az
Write-Output "Connecting to Azure..."
Connect-AzAccount
}
# Get all Azure Subscriptions
$azSubs = Get-AzSubscription
# Loop through all Azure Subscriptions
foreach ($azSub in $azSubs) {
Set-AzContext $azSub.id | Out-Null
# Set array
$azlogs = @()
# Get all Azure resources deployed in each Subscription
$azResources = Get-AZResource
# Get all Azure resources which have Diagnostic settings enabled and configured
foreach ($azResource in $azResources) {
$resourceId = $azResource.ResourceId
$azDiagSettings = Get-AzDiagnosticSetting -ResourceId $resourceId `
-WarningAction SilentlyContinue -ErrorAction SilentlyContinue | Where-Object {$_.Id -ne $NULL}
foreach ($azDiag in $azDiagSettings) {
If ($azDiag.StorageAccountId) {
[string]$storage = $azDiag.StorageAccountId
[string]$storageAccount = $storage.Split('/')[-1]
}
If ($azDiag.WorkspaceId) {
[string]$workspace = $azDiag.WorkspaceId
[string]$logAnalytics = $workspace.Split('/')[-1]
}
If ($azDiag.EventHubAuthorizationRuleId) {
[string]$eHub = $azDiag.EventHubAuthorizationRuleId
[string]$eventHub = $eHub.Split('/')[-3]
}
[string]$resource = $azDiag.id
[string]$resourceName = $resource.Split('/')[-5]
$azlogs += @($("Diagnostic setting name: " + $azDiag.Name), ("Azure Resource name: " + $resourceName), `
("Logs: " + $azDiag.Logs), ("Metrics: " + $azDiag.Metrics), `
("Storage Account Name: " + $storageAccount), ("Log Analytics workspace: " + $logAnalytics), `
("Event Hub Namespace: " + $eventHub))
$azlogs += @(" ")
}
}
# Save Diagnostic settings report for each Azure Subscription
$azSubName = $azSub.Name
$azlogs > .\$azSubName.txt
}From the example above, I am pulling the following information:
- Diagnostic Settings Name
- Azure Resource Name
- Logs
- Enabled (True or False)
- Category
- Retention Policy
- Metrics
- Enabled (True or False)
- Category
- Retention Policy
- Storage Account Name
- Log Analytics Workspace
- Event Hub Namespace
The Diagnostic settings configuration report will be saved in the current working path following the Azure Subscription name.
In my example, the output looks like this.
Please note that this approach is not perfect in any way, but I think it serves its purpose. You could export all the records to a CSV file for easy reading instead of a text file, and so on.
I am planning to improve this tool in the future. If you have any feedback or changes that everyone should receive, please feel free to share your thoughts in the comment section below.
Find Resources Without Diagnostic Settings Enabled
A new question came up recently from one of my blog readers is the following:
I would like to see what resources that do not have Diagnostic Settings applied or configured. Is there any way to list which are not enabled?
The short answer is YES!
You can find a PowerShell example below that list all Azure resources that do not have Diagnostic Settings configured.
# Install and login with Connect-AzAccount and skip when using Azure Cloud Shell
If ($null -eq (Get-Command -Name Get-CloudDrive -ErrorAction SilentlyContinue)) {
If ($null -eq (Get-Module Az -ListAvailable -ErrorAction SilentlyContinue)) {
Write-Output "Installing Az module from default repository..."
Install-Module -Name Az -AllowClobber
}
Write-Output "Importing Az Module..."
Import-Module -Name Az
Write-Output "Connecting to Azure..."
Connect-AzAccount
}
# Get all Azure Subscriptions
$azSubs = Get-AzSubscription
# Loop through all Azure Subscriptions
foreach ($azSub in $azSubs) {
Set-AzContext $azSub.id | Out-Null
# Set array
$azlogs = @()
# Get all Azure resources deployed in each Subscription
$azResources = Get-AZResource
# Get all Azure resources which have Diagnostic settings enabled and configured
foreach ($azResource in $azResources) {
$resourceId = $azResource.ResourceId
$azDiagSettings = Get-AzDiagnosticSetting -ResourceId $resourceId `
-WarningAction SilentlyContinue -ErrorAction SilentlyContinue | Where-Object { $_.Id -ne $NULL }
# Look for Azure resources that do not have Diagnostic Settings enabled and configured
If (!$azDiagSettings) {
[string]$resourceType = $azResource.ResourceType.Split('/')[-1]
$azlogs += @($("Azure Resource Name: " + $azResource.Name), ("Diagnostic Setting: " + "Not Configured"), `
$("Resource Group Name: " + $azResource.ResourceGroupName), ("Resource Type: " + $resourceType),
$("Resource Location: " + $azResource.Location))
$azlogs += @(" ")
}
}
# Save Diagnostic settings report for each Azure Subscription
$azSubName = $azSub.Name
$azlogs > .\$azSubName.txt
}The Diagnostic settings configuration report will be saved in the current working path following the Azure Subscription name in TXT format.
In my example, the output looks like this.
That’s it there you have it!
Summary
In this article, we showed you how to find the diagnostic settings configuration for all Azure resources in your subscription with Azure PowerShell.
To learn more about diagnostic settings, please check the official documentation from Microsoft here.
To learn more about the Azure resource logs, please check the official documentation from Microsoft here.
To learn more about the Azure Activity log, please check the official documentation from Microsoft here.
__
Thank you for reading my blog.
If you have any questions or feedback, please leave a comment.
-Charbel Nemnom-
Is there a way to get a list of the Diag Settings for all Azure resources, or is it only possible to query one resource at a time?
Thx
Hello Jeff,
Thanks for your comment.
At the time of this writing, we cannot get the list of the Diag Settings for all Azure resources without querying one resource at time.
As described in this article, I am filtering first the resources which have Diag enabled (and not all Azure resources), and then I am querying each Azure resource to get their Diag Settings.
Hope this helps!
can I get script only true or false in VM through Get-AzVMDiagnosticsExtension
if Get-AzVMDiagnosticsExtension is present true or else false
Hello Rudraraju,
You can use the following command to get the status of the VM Diagnostics Extension.
Hope this helps!
-Charbel
Hi Charbel,
Did Microsoft break this? I am getting no output and receiving this error when running the script:
“WARNING: 4:06:16 PM – The namespace for all the model classes will change from Microsoft.Azure.Management.Monitor.Management.Models to Microsoft.Azure.Management.Monitor.Models in future releases.
WARNING: 4:06:16 PM – The namespace for output classes will be uniform for all classes in future releases to make it independent of modifications in the model classes.”
It seems the “Get-AzDiagnosticSetting” command might be broken. Please let me know if you see similar results. Thank you!
Hello Frank, thanks for the comment!
Please note that this is not an error message. As per the warning messages, these would be automatically removed when they are addressed in the future releases of Az.Monitor Azure PowerShell module.
I am currently using the latest Az.Monitor version 3.0.0 of the module and Az version 7.2.0.
I’ve just tried it from my side and it’s working as expected.
Hope it helps!
Hi Charbel,
Using your script, I receive the following error msg below. I am using Az.Monitor ver. 3.0.0 & Az version 7.2.0:
Get-AzDiagnosticSetting : Exception type: ErrorResponseException, Message: Microsoft.Azure.Management.Monitor.Models.ErrorResponseException: Operation returned an
invalid status code ‘BadRequest’ at Microsoft.Azure.Management.Monitor.DiagnosticSettingsOperations.d__8.MoveNext().
Hello Ryan, thanks for the feedback!
Could you please update the Az PowerShell module to version 8.0.0 and try again?
I have updated the script.
Hi Charbel, This is great. I would like to see what are resources not having Diagnostic Settings applied.
You are filtering only those having DiagnosticSettings:
$azDiagSettings = Get-AzDiagnosticSetting -ResourceId $resourceId `
-WarningAction SilentlyContinue -ErrorAction SilentlyContinue | Where-Object {$_.Id -ne $NULL}
Is there any way to list which are not enabled?
Hello Sripada, thanks for your comment!
Yes, this would be possible to export the list of resources that do NOT have Diagnostic Settings enabled and configured.
Please check the following section and let me know if it works for you.
Hope it helps!