
Azure Activity Log is one of the core log sources in the Microsoft ecosystem to ingest into a SIEM (such as Microsoft Sentinel). According to Microsoft: “It’s a subscription log that provides insights into subscription-level events that occur in Azure, including events from Azure Resource Manager operational data, service health events, write operations taken on the resources in subscription, and the status of activities performed in Azure”.

In the early days of Microsoft Sentinel, the legacy profile was the only way to ingest Azure Activity Log from the Azure subscription level into Azure Log Analytics.

There are a few scenarios, based on my experience, that might have led to using the legacy log profile in log ingestion:

- The Azure Activity Log export configuration was made at a time when there weren’t any other options available.
- Log Analytics legacy log profiles haven’t been transitioned to Azure diagnostic settings.
- An existing Log Analytics workspace was used when the Sentinel instance was deployed, and the legacy log profile was used to send logs to that workspace.
- The Activity Log export was configured directly in the Log Analytics UI, which used the Log Analytics ‘Data Sources’ API.

The purpose of this blog post is to show how to find out if a legacy log profile is used in your environment and how to address the issue if it is. I’ve seen this issue recently in a few large (100+ subscription) environments.

In the early days of Azure Log Analytics, the Azure diagnostic setting was supported by only a fraction of the resources. In those days, you needed to configure the Azure Activity log feed through the legacy log profile. Behind the scenes there was (and still is) the Log Analytics ‘Data Sources’ API. This API still works and you are able to use it to manage some parts of log exports, but it doesn’t have as granular controls as Azure diagnostic settings.

The latter (diagnostic settings) is nowadays the preferred way to send Azure Activity log exports to the necessary targets (Storage Account, Log Analytics, Event Hub). The new experience provides better functionality and consistency with resource logs.

Log Analytics integration can be managed only through the Log Analytics Data Source API. Take into account that this configuration is made in Log Analytics, not at the Azure subscription level like a diagnostic settings configuration. Storage account & Event Hub integration settings are saved to the legacy log profile but can be configured through PowerShell.
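
The two places this page says a legacy Activity Log export can live (the subscription's legacy log profile for Storage Account and Event Hub targets, and a Log Analytics data source for workspace ingestion) can be inventoried across subscriptions with a script like the one below. It is an added example, not code from the original post; it assumes an existing `Connect-AzAccount` session, read access to each subscription, and installed Az.Accounts, Az.Monitor and Az.OperationalInsights modules in a version that still exposes `Get-AzLogProfile`.

```powershell
# Added example (not from the original post): list legacy Azure Activity Log
# exports in every subscription the signed-in account can read.
# Assumption: Connect-AzAccount has already been run in this session.
$findings = foreach ($sub in Get-AzSubscription) {
    $null = Set-AzContext -SubscriptionId $sub.Id

    # 1) Legacy log profile: stores the Storage Account / Event Hub export settings.
    foreach ($lp in Get-AzLogProfile -ErrorAction SilentlyContinue) {
        $targets = @($lp.StorageAccountId, $lp.ServiceBusRuleId) | Where-Object { $_ }
        [pscustomobject]@{
            Subscription = $sub.Name
            Finding      = 'LegacyLogProfile'
            Location     = $lp.Name
            Detail       = $targets -join '; '
        }
    }

    # 2) Log Analytics 'Data Sources' API: an AzureActivityLog data source on a
    #    workspace means Activity Log ingestion was configured on the workspace
    #    itself rather than through a subscription-level diagnostic setting.
    foreach ($ws in Get-AzOperationalInsightsWorkspace) {
        $dsParams = @{
            ResourceGroupName = $ws.ResourceGroupName
            WorkspaceName     = $ws.Name
            Kind              = 'AzureActivityLog'
            ErrorAction       = 'SilentlyContinue'
        }
        foreach ($ds in Get-AzOperationalInsightsDataSource @dsParams) {
            [pscustomobject]@{
                Subscription = $sub.Name
                Finding      = 'ActivityLogDataSource'
                Location     = "$($ws.ResourceGroupName)/$($ws.Name)"
                # Serialise the properties as returned instead of assuming member names.
                Detail       = "$($ds.Name) $($ds.Properties | ConvertTo-Json -Compress -Depth 4)"
            }
        }
    }
}

# An empty result means neither legacy mechanism was found in the readable scope.
$findings | Sort-Object Subscription, Finding | Format-Table -AutoSize -Wrap
```

Subscriptions the account cannot read are silently skipped, so compare the subscription list in the output against the tenant's full inventory before treating an empty result as clean.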