In this article, I will share with you how to find the diagnostic settings configuration for all Azure resources in your Azure Subscription with PowerShell.

In This Article

Introduction

Platform logs in Azure provide detailed diagnostic and auditing information for Azure resources and the Azure platform they depend on. They are automatically generated although you need to configure certain platform logs to be forwarded to one or more destinations to be retained. Current destinations include Log Analytics workspace, Event Hubs, and Azure Storage.

The platform logs include Azure resources (resource logs), Azure Subscription (Activity logs), and Azure Tenant (Azure Active Directory logs). And each Azure resource requires its own diagnostic setting, which defines the following criteria:

Categories of logs and metric data sent to the destinations defined in the setting. The available categories will vary for different resource types.
You can send the logs to one or more of the 3 destinations below depending on your monitoring requirements.
- Storage account
- Event Hub
- Log Analytics workspace

Please note that a single diagnostic setting can define only one of each of the destinations. If you want to send the logs to more than one of a particular destination type (for example, two different storage accounts), then you need to create multiple diagnostic settings. At the time of this writing, each resource can have up to 5 diagnostic settings.

I have recently come across a challenging scenario where I want to find the diagnostic settings configuration for all my Azure resources which reside in multiple Azure subscriptions. And some Azure resources have more than one diagnostic settings configured as well.

After some digging, I’ve found that I can pull the diagnostics settings configuration for each Azure resource with PowerShell.

In this article, I will share with you the PowerShell script that helped me to pull out all the diagnostics settings configuration for all my Azure resources.

Get Azure Diagnostic Settings Configuration

Assuming you have the right permissions and the latest AZ and AZ Monitor PowerShell module installed, log in with Connect-AzAccount if NOT using Cloud Shell and run the following script:

<#
.Synopsis
A script used to export diagnostics settings configuration for all Azure resources.

.DESCRIPTION
A script used to find and export diagnostics settings configuration for Azure resources in all Azure Subscriptions.
Finally, it will save the report as text file for each Azure Subscription.

.Notes
Created   : 2020-11-16
Version   : 1.0
Author    : Charbel Nemnom
Twitter   : @CharbelNemnom
Blog      : https://charbelnemnom.com
Disclaimer: This script is provided "AS IS" with no warranties.
#>

# Login with Connect-AzAccount if not using Cloud Shell
Connect-AzAccount

# Get all Azure Subscriptions
$azSubs = Get-AzSubscription

# Loop through all Azure Subscriptions
foreach ($azSub in $azSubs) {
    Set-AzContext $azSub.id | Out-Null

# Set array
$azlogs = @()

    # Get all Azure resources deployed in each Subscription
    $azResources = Get-AZResource

    # Get all Azure resources which have Diagnostic settings enabled and configured
    foreach ($azResource in $azResources) {
        $resourceId     = $azResource.ResourceId
        $azDiagSettings = Get-AzDiagnosticSetting -ResourceId $resourceId | Where-Object {$_.Id -ne $NULL}
        foreach ($azDiag in $azDiagSettings) {
            If ($azDiag.StorageAccountId) {
                [string]$storage = $azDiag.StorageAccountId
                [string]$storageAccount = $storage.Split('/')[-1]
            }
            If ($azDiag.WorkspaceId) {
                [string]$workspace = $azDiag.WorkspaceId
                [string]$logAnalytics = $workspace.Split('/')[-1]
            }
            If ($azDiag.EventHubAuthorizationRuleId) {
                [string]$eHub = $azDiag.EventHubAuthorizationRuleId
                [string]$eventHub = $eHub.Split('/')[-3]
            }
            [string]$resource     = $azDiag.id
            [string]$resourceName = $resource.Split('/')[-5]
            $azlogs +=  @($("Diagnostic setting name: " + $azDiag.Name), ("Azure Resource name: " + $resourceName), `
                        ("Logs: " + $azDiag.Logs), ("Metrics: " + $azDiag.Metrics), `
                        ("Storage Account Name: " + $storageAccount), ("Log Analytics workspace: " + $logAnalytics), `
                        ("Event Hub Namespace: " + $eventHub))
            $azlogs += @(" ")
        }
    }
        # Save Diagnostic settings report for each Azure Subscription
        $azSubName = $azSub.Name
        $azlogs > .\$azSubName.txt
}

From the example above, I am pulling the following information:

Diagnostic Settings Name
Azure Resource Name
Logs
- Enabled (True or False)
- Category
- Retention Policy
Metrics
- Enabled (True or False)
- Category
- Retention Policy
Storage account Name
Log Analytics Workspace
Event Hub Namespace

The Diagnostic settings configuration report will be saved in the current working path following the Azure Subscription name.

In my example, the output looks like this.

That’s it there you have it!

Please note that this approach is not perfect in any way, but I think it serves its purpose. You could export all the records to a CSV file for easy reading instead of text file, and so on.

I am planning to improve this tool in the future. If you have any feedback or changes that everyone should receive, please feel free to share your thoughts in the comment section below.