How to configure Azure Activity Log to flow into the Log Analytics Workspace via ARM template

  • Question

  • Hello,

    I built an ARM template which should deploy the Log Analytics Workspace with Azure Activity Log integration enabled; however, whenever I try to deploy it I get the following error:

    failed with message '{
    "Code": "BadRequest",
    "Message": ""
    }'

    I tried doing it via the PowerShell Az module and the Azure CLI (both with debug mode enabled) but could not get any hint as to where the problem is. I kindly ask you to take a look at the ARM template below:

    {
        "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {
            "settingName": {
                "type": "string"
            },
            "t_lawname": {
                "type": "string"
            }
        },
        "variables": {
        },
        "resources": [
            {
                "type": "Microsoft.OperationalInsights/workspaces",
                "name": "[parameters('t_lawname')]",
                "apiVersion": "2015-11-01-preview",
                "location": "westeurope",
                "properties": {
                }
            },
            {
                "type": "Microsoft.Insights/diagnosticSettings",
                "apiVersion": "2017-05-01-preview",
                "name": "[parameters('settingName')]",
                "dependsOn": [
                    "[concat('Microsoft.OperationalInsights/workspaces/', parameters('t_lawname'))]"
                ],
                "location": "global",
                "properties": {
                    "workspaceId": "[resourceId('Microsoft.OperationalInsights/workspaces/', parameters('t_lawname'))]",
                    "logs": [
                        {
                            "category": "Administrative",
                            "enabled": true
                        },
                        {
                            "category": "Security",
                            "enabled": true
                        },
                        {
                            "category": "ServiceHealth",
                            "enabled": true
                        },
                        {
                            "category": "Alert",
                            "enabled": true
                        },
                        {
                            "category": "Recommendation",
                            "enabled": true
                        },
                        {
                            "category": "Policy",
                            "enabled": true
                        },
                        {
                            "category": "Autoscale",
                            "enabled": true
                        },
                        {
                            "category": "ResourceHealth",
                            "enabled": true
                        }
                    ]
                }
            }
        ]
    }

    Any suggestions on how to debug it?

    Many thanks

    Bartek


    Thursday, January 9, 2020 10:09 AM

Answers

  • Hi,

    I have documented this here. One of the problems I see is that you are probably deploying this at resource group level. The diagnostic setting for forwarding activity logs from the subscription to a Log Analytics workspace is at subscription level. So you should remove the deployment of the workspace and deploy the template at subscription level.

    Thursday, January 9, 2020 11:48 AM

All replies

  • That was the case! It should be a subscription-level deployment, not resource group. Thank you! Yet the empty error message was quite confusing.

    One last question: what is the difference between the configuration above and the option in the Log Analytics Workspace under Data Sources to make the Activity Log subscription 'connected'? Once I deployed the discussed ARM template there is a diagnostic setting enabled on the Activity Log, but it is still not connected in the Log Analytics Workspace.

    thanks

    Bartek

    Thursday, January 9, 2020 3:50 PM
  • You can see the difference documented here:

    https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostic-settings-legacy

    Overall, the way that you use diagnostic settings is the new and correct way to do it, as it aligns with overall Azure Management. The previous (legacy) way was more of a workaround.

    Thursday, January 9, 2020 4:21 PM