Support multiple log analytics workspace destinations in the Deploy-* policies #1600

Closed
craigthackerx opened this issue Mar 7, 2024 · 5 comments
Labels
Area: Policy 📝 Issues / PR's related to Policy

Comments

@craigthackerx

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Is your feature request related to a problem?

I want to be able to stream all AzureDiagnostic and all AzActivity table logs to a different log analytics workspace. As it stands, the policy definitions accept a string for destination workspace, so when diagnostic settings are deployed, it deploys a single setting to the workspace created in the other parts of the deployment.

Describe the solution you'd like

It would be helpful if, instead of a string for workspace ID, a list of strings is accepted where the ID of each log analytics workspace can be propagated into the template file. It would be helpful if a user-provided parameter could check for this also.

Additional context

It may also be helpful to add a feature to allow deployment of storage or eventhub diagnostic settings.

@SteveBurkettNZ
Contributor

We also come across this, where we want to fire telemetry data to an operational Log Analytics workspace and audit/security logs to a security Log Analytics workspace (for ingestion into Microsoft Sentinel). Too expensive otherwise.

@matt-FFFFFF
Member

Hi - this is a change to the policy definitions, which are not maintained in this repo.

moving upstream

@matt-FFFFFF matt-FFFFFF transferred this issue from Azure/terraform-azurerm-caf-enterprise-scale Mar 13, 2024
@matt-FFFFFF matt-FFFFFF added the Area: Policy 📝 Issues / PR's related to Policy label Mar 13, 2024
@matt-FFFFFF
Member

Adding @Springstone and /cc @jtracey93

@craigthackerx
Author

Hey folks, any further forward on this?

@Springstone
Member

@craigthackerx Sorry we haven't been super responsive, we're busy transitioning Diagnostic Settings away from ALZ. In the next policy refresh (part of which is PR #1641), we're deprecating all our custom policies and assigning by default all logging to a centrally defined workspace.
For your requirements, there are additional initiatives (published on 15 May 2024) that will allow you to target other destinations (including storage, Event Hub, Log Analytics), and the nature of categories you want to capture logs for (All Logs or Audit logs only). You can create an additional assignment targeting the destination you want for the log category you want (just make sure you change the "diagnosticSettingName" for each assignment!)
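
Added example, not part of the thread or of the ALZ code base: a pre-deployment check for the point made in the last comment, that each additional assignment needs its own "diagnosticSettingName". A diagnostic setting is identified by its name on each resource, so two assignments with overlapping scopes and the same name contend for one setting instead of producing one per destination. The record layout, assignment names, setting names and subscription IDs are constructed for illustration.

```python
from itertools import combinations

def _norm(scope):
    # ARM resource IDs are case-insensitive; drop any trailing slash.
    return scope.rstrip("/").lower()

def scopes_overlap(a, b):
    """True when one scope equals or contains the other.

    Path-prefix matching covers subscription -> resource group -> resource.
    Management group ancestry is NOT resolved here (assumption: assignments
    are listed at subscription level or below).
    """
    a, b = _norm(a), _norm(b)
    return a == b or a.startswith(b + "/") or b.startswith(a + "/")

def setting_name_collisions(assignments):
    """Return sorted pairs of assignment names that would deploy the same
    diagnostic setting name onto at least some of the same resources."""
    hits = []
    for x, y in combinations(assignments, 2):
        # Names compared case-insensitively to stay on the conservative side.
        same = x["diagnosticSettingName"].lower() == y["diagnosticSettingName"].lower()
        if same and scopes_overlap(x["scope"], y["scope"]):
            hits.append(tuple(sorted((x["name"], y["name"]))))
    return sorted(hits)

# Constructed sample: operational logs and security/audit logs go to
# different workspaces, as described earlier in the thread.
SUB_A = "/subscriptions/00000000-0000-0000-0000-00000000000a"
SUB_B = "/subscriptions/00000000-0000-0000-0000-00000000000b"
ASSIGNMENTS = [
    {"name": "ops-all-logs", "scope": SUB_A,
     "diagnosticSettingName": "diag-ops", "destination": "law-operations"},
    {"name": "sec-audit-logs", "scope": SUB_A,
     "diagnosticSettingName": "diag-sec", "destination": "law-security"},
    # Copy-pasted assignment that kept the setting name of ops-all-logs.
    {"name": "sec-audit-rg", "scope": SUB_A + "/resourceGroups/rg-app",
     "diagnosticSettingName": "diag-ops", "destination": "law-security"},
    # Same name in an unrelated subscription: no shared resources.
    {"name": "ops-other-sub", "scope": SUB_B,
     "diagnosticSettingName": "diag-ops", "destination": "law-operations"},
]

if __name__ == "__main__":
    for a, b in setting_name_collisions(ASSIGNMENTS):
        print(f"collision: {a} and {b} share a diagnosticSettingName")
```
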


4 participants