In this article, I will share with you how to remove the diagnostic settings configuration for an Azure resource in your Azure Subscription with PowerShell.

Introduction

Platform logs in Azure provide detailed diagnostic and auditing information for Azure resources and the Azure platform they depend on. They are automatically generated although you need to configure certain platform logs to be forwarded to one or more destinations to be retained. Current destinations include Log Analytics workspace, Event Hubs, and Azure Storage.

The platform logs include Azure resources (resource logs), Azure Subscription (Activity logs), and Azure Tenant (Azure Active Directory logs). And each Azure resource requires its own diagnostic setting, which defines the following criteria:

• Categories of logs and metric data sent to the destinations defined in the setting. The available categories will vary for different resource types.
• You can send the logs to one or more of the 3 destinations below depending on your monitoring requirements.
  • Storage account
  • Event Hub
  • Log Analytics workspace

Please note that a single diagnostic setting can define only one of each of the destinations. If you want to send the logs to more than one of a particular destination type (for example, two different storage accounts), then you need to create multiple diagnostic settings. At the time of this writing, each resource can have up to 5 diagnostic settings.

I have recently come across a challenging scenario where I want to remove the diagnostic settings for a particular Azure resource type which is deployed in multiple Azure subscriptions. And some resources have more than one diagnostic settings configured as well. As you know, using the Azure Portal is not efficient to remove the diagnostic settings for multiple resources.

After some digging, I’ve found that I can remove the diagnostics settings configuration with Azure PowerShell.

In this article, I will share with you the PowerShell script that helped me to remove the diagnostics settings configuration for a particular Azure resource type deployed in multiple subscriptions.

Remove Diagnostic Settings Configuration

Assuming you have the right permissions and the latest AZ and AZ Monitor PowerShell module installed, log in with Connect-AzAccount if NOT using Cloud Shell and run the following script (you need to specify the Resource Type as a required parameter i.e. virtualnetworks ).

<#
.Synopsis
A script used to remove the Diagnostic Settings for a particular Azure Resource

.DESCRIPTION
A script used to remove the Diagnostic Settings for a particular Azure Resource,
As part of the removal process, the report will log the following information:
    - Diagnostic Settings Name
    - Azure Resource Name
    - Removal Status
    - Storage account Name
    - Log Analytics Workspace
    - Event Hub Namespace

.Notes
Created   : 2020-11-30
Version   : 1.0
Author    : Charbel Nemnom
Twitter   : @CharbelNemnom
Blog      : https://charbelnemnom.com
Disclaimer: This script is provided "AS IS" with no warranties.
#>

#! Login with Connect-AzAccount if NOT using Cloud Shell
Connect-AzAccount

#! Enter Azure Resource Type
Do { $resourceType = Read-Host "`nEnter the Azure Resource Type as the following example: applicationgateways " } `
while (!$resourceType)

#! Get all Azure Subscriptions
$azSubs = Get-AzSubscription

#! Loop through all Azure Subscriptions
foreach ($azSub in $azSubs) {
    Set-AzContext $azSub.id | Out-Null

    #! Set array
    $azlogs = @()

    #! Get all Azure resources deployed in each Subscription for a particular Resource Type
    $azResources = Get-AZResource | Where-Object {$_.ResourceType.split('/')[-1] -eq "$resourceType"}

    #! Get all Azure resources which have Diagnostic settings enabled for a particular resource Type
    foreach ($azResource in $azResources) {
        $resourceId     = $azResource.ResourceId
        $azDiagSettings = Get-AzDiagnosticSetting -ResourceId $resourceId | Where-Object {$_.Id -ne $NULL}
        foreach ($azDiag in $azDiagSettings) {
            If ($azDiag.StorageAccountId) {
                [string]$storage = $azDiag.StorageAccountId
                [string]$storageAccount = $storage.Split('/')[-1]
            }
            If ($azDiag.WorkspaceId) {
                [string]$workspace = $azDiag.WorkspaceId
                [string]$logAnalytics = $workspace.Split('/')[-1]
            }
            If ($azDiag.EventHubAuthorizationRuleId) {
                [string]$eHub = $azDiag.EventHubAuthorizationRuleId
                [string]$eventHub = $eHub.Split('/')[-3]
            }
            #! Remove diagnostic settings for the particular resource
            [string]$azDiagid = $azdiag.id -replace "(?=/providers/microsoft.insights).*"
            $removeDiag = Remove-AzDiagnosticSetting -ResourceId $azDiagid -Name $azDiag.Name
             if (!$removeDiag) {
                $removeDiag = New-Object pscustomobject
                $removeDiag | Add-Member -NotePropertyName StatusCode -NotePropertyValue "ErrorResponseException"
            }
            #! Create log
            $azlogs +=  @($("Diagnostic setting name: " + $azDiag.Name), ("Azure Resource name: " + $azResource.Name), `
                         ("Removal Status: " + $removeDiag.StatusCode), ("Storage Account Name: " + $storageAccount), `
                         ("Log Analytics workspace: " + $logAnalytics), ("Event Hub Namespace: " + $eventHub) )
            $azlogs += @(" ")
        }
    }
        #! Save remove Diagnostic settings report for each Azure Subscription
        $azSubName = $azSub.Name
        $azlogs > .\$azSubName.txt
}

From the example above, I am pulling the following information for my record as a part of the removal process:

• Diagnostic Settings Name
• Azure Resource Name
• Removal Status
• Storage account Name
• Log Analytics Workspace
• Event Hub Namespace

The Diagnostic settings removal report will be saved in the current working path following the Azure Subscription name.

In my example, the output looks like this:

That’s it there you have it!

I am planning to improve this tool in the future. If you have any feedback or changes that everyone should receive, please feel free to share your thoughts in the comment section below.

Summary

In this article, I showed you how to find the diagnostic settings configuration for all Azure resources in your subscription with Azure PowerShell.

Additional resources I highly encourage you to check:

• Learn more on how to find diagnostic settings configuration for Azure Resources with PowerShell.
• Learn more on how to get the list of non-compliant Azure Resources with PowerShell.
• Learn more about diagnostic settings, please check the official documentation from Microsoft here.
• Learn more about the Azure resource logs, please check the official documentation from Microsoft here.
• Learn more about the Azure Activity log, please check the official documentation from Microsoft here.

__
Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-

Related Posts