Logging Architecture — the good, the bad and the automated

Developing a logging architecture can be complex, and there are many considerations to take into account. These may not be immediately apparent and will most likely surface only after implementation.

When it comes to managing a large number of resources, policies can be a blessing but what if you apply some settings which were not quite right or you want to undo? Unfortunately, there is no undo button.

Without a way to undo our actions, it becomes a tedious task to go through each resource one by one and remove the diagnostic setting(s).

This tool aims to be the solution to this exact problem.

Github Link — https://github.com/luketylerwilliams/AzQuickLog

The Tool

So how does it work?

The tool can take multiple different options:

  • Scope — This should be one of the following (case insensitive); [1] Management group, [2] Subscription, [3] Resource Group — For ease of use either the value or relative number can be specified. If resource group is chosen then the parent subscription id must be provided — Parameter is -Scope
  • Scope Id — Specify the Id of the scope object. For example we have a management group named “lukeroot”, the parameter should be as follows: -ScopeId “lukeroot” — Parameter is -ScopeId
  • Diagnostic Setting Name (optional) — If this is not specified then it will affect all diagnostic settings — Parameter is -DSName
  • Target (optional) — Resource Type — Only provide the name of the resource type, e.g. for a Storage Account the resource type is “Microsoft.Storage/storageAccounts”, provide “storageAccounts” — Parameter is -Target
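To show how the four parameters fit together, here is an added example (my own code, not the AzQuickLog script): it enumerates the resources under a subscription or resource group scope, filters by the type-name suffix and diagnostic setting name, supports -WhatIf for a dry run, and writes an audit file. It assumes Az.Accounts, Az.Resources and Az.Monitor are installed and Connect-AzAccount has been run; the function name, its parameters and the audit file path are my own choices.

```powershell
# Added example, not the AzQuickLog code. Assumes Az.Accounts, Az.Resources and
# Az.Monitor are installed and Connect-AzAccount has already been run.
function Remove-DiagSettingAtScope {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateSet('Subscription','ResourceGroup')][string]$Scope,
        [string]$ScopeId,                    # subscription id, or resource group name
        [string]$SubscriptionId,             # parent subscription when Scope is ResourceGroup
        [string]$DSName,                     # omit to match every diagnostic setting
        [string]$Target,                     # e.g. 'storageAccounts' (type suffix only)
        [string]$AuditLog = "$PWD\azdiag-audit.csv"   # hypothetical audit file
    )
    $subId = if ($Scope -eq 'Subscription') { $ScopeId } else { $SubscriptionId }
    Set-AzContext -Subscription $subId | Out-Null

    $query = @{}
    if ($Scope -eq 'ResourceGroup') { $query.ResourceGroupName = $ScopeId }
    $resources = Get-AzResource @query
    # Match only the part after the slash, as the -Target parameter does
    if ($Target) {
        $resources = $resources | Where-Object { $_.ResourceType.Split('/')[-1] -ieq $Target }
    }

    foreach ($r in $resources) {
        # Resource types without diagnostic settings throw; treat that as "no settings"
        $settings = try { Get-AzDiagnosticSetting -ResourceId $r.ResourceId -ErrorAction Stop } catch { @() }
        if ($DSName) { $settings = $settings | Where-Object { $_.Name -ieq $DSName } }
        foreach ($s in $settings) {
            # -WhatIf makes ShouldProcess print the intended action instead of running it
            if ($PSCmdlet.ShouldProcess($r.ResourceId, "Remove diagnostic setting '$($s.Name)'")) {
                try {
                    Remove-AzDiagnosticSetting -ResourceId $r.ResourceId -Name $s.Name -ErrorAction Stop
                    $status = 'Removed'
                } catch {
                    # A Conflict response (see the edge case in the improvement ideas) is
                    # recorded here so that one failure does not abort the whole run
                    $status = "Failed: $($_.Exception.Message)"
                }
                [pscustomobject]@{ Time = (Get-Date).ToString('o'); Resource = $r.ResourceId
                                   Setting = $s.Name; Status = $status } |
                    Export-Csv -Path $AuditLog -Append -NoTypeInformation
            }
        }
    }
}

# Dry run over one subscription (placeholder id), matching the article's example setting name
Remove-DiagSettingAtScope -Scope Subscription -ScopeId '00000000-0000-0000-0000-000000000000' `
    -DSName 'logging-diag-setting' -Target storageAccounts -WhatIf
```

Drop -WhatIf to perform the removals; each attempt, including failures, lands in the audit CSV.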

Sub-menu options:

Usage

Capture of main menu

Usage Example

After inputting the following parameters per the above example architecture:

  • Scope: 1 = Management group
  • ScopeId: Global
  • DSName: logging-diag-setting

The script will perform various different functions before prompting you with a sub-menu allowing you to choose what action you wish to take.

Output after specifying above values

Sub-menu outputs

Output of option 1 using the example architecture

Output of option 2 with no matches:

Output of option 2 using example architecture

Example of option 2 with matches:

Diagnostic setting ‘logging-diag-setting’ added to storage account ‘luketesttesttest’
Example of script output of option 2, showing match

Example of option 3 with matches:

Example output of option 3 with matches
Example of audit log file for the above removal

Updates

v1.1 Release

  • Added WhatIf functionality to provide an overview of actions which would take place
  • Added option 4 for WhatIf

Further improvement ideas

  • For the target parameter potentially make it possible to select on Resource Name Prefix/Suffix
  • Further optimizations — enhance the capturing of resources per subscription by saving each in a hash table with key/value pairs. Then, for the remove function, enumerate through the subscription keys to match resources for removal at management group scope
  • Add functionality to remove all diagnostic settings from specified resources within specified scope
  • Troubleshoot the below edge-case when running remediation against a resource which has already been remediated and the diagnostic setting name is the same

    # Error handling for error
    <# Remove-AzDiagnosticSetting : Exception type: ErrorResponseException, Message: Null/Empty, Code: Null, Status code:Conflict, Reason phrase: Conflict
    At C:\Users\Admin\Downloads\azquicklog.ps1:365 char:27
    + … emoveDiag = Remove-AzDiagnosticSetting -ResourceId $azDiagid -Name $a …
    +                           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : CloseError: (:) [Remove-AzDiagnosticSetting], PSInvalidOperationException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.Insights.Diagnostics.RemoveAzureRmDiagnosticSettingCommand #>

Wrapping up

Thanks for reading!

Credits

A collection of azure articles and ramblings // Cloud Security Consultant @ Integrity360 // Comments and thoughts are my own
