How to configure Azure Bastion host to send logs and metrics to Log Analytics workspace

https://ift.tt/3lOn2M1

Hi, in a previous post, I showed you how to configure Azure Bastion diagnostic settings to send logs and metrics to a storage account. If you already have a Log Analytics workspace, however, you may prefer to point Azure Bastion at that workspace and centralize the logs and metrics of your resources. This post shows how to configure Azure Bastion diagnostic settings to send logs and metrics to a Log Analytics workspace using PowerShell and the Azure CLI.

Prerequisites

  • This tutorial assumes that you already have a Log Analytics Workspace. You can use an existing Workspace, or if you want to create a new one, check out this link.
  • This tutorial assumes that you already have an Azure Bastion host. You can use an existing Bastion host, or if you want to create a new one, check out this link.

Important: The Log Analytics workspace must be in the same region as your Azure Bastion resource.

In the following examples, I will set the retention policy to 365 days. If you do not want to apply a retention policy and prefer to retain data forever, set the retention (days) to 0.

Azure PowerShell Workaround

The simplest way to get started is to sign in interactively at the command line.

Connect-AzAccount

This cmdlet brings up a dialog box prompting you for the email address and password associated with your Azure account.
If you have more than one subscription associated with your account, you can choose the default subscription with the following commands:

Get-AzSubscription 
Select-AzSubscription -Subscription "My Subscription"

Once you set your default subscription, you’re ready to start.

Set the variables

Here, we define the characteristics of our environment and the resource’s properties.

$resourceGroupName="RG-DEMO-HUB"
$bastionName="AzBastion"
$logAnalyticsName="LAW-DEMO-HUB"

To make the following commands easier to read, I will store the resources in variables.

$bastion = Get-AzBastion -ResourceGroupName $resourceGroupName -Name $bastionName
$logAnalytics = Get-AzOperationalInsightsWorkspace -Name $logAnalyticsName `
                                                   -ResourceGroupName $resourceGroupName

Set the log and metric settings for Azure Bastion

To store the resource's event log, use the Set-AzDiagnosticSetting cmdlet with the following syntax. At the time of writing this article, BastionAuditLogs is the only log category available.

Set-AzDiagnosticSetting -ResourceId $bastion.Id `
                        -WorkspaceId $logAnalytics.ResourceId `
                        -Enabled $true `
                        -Category BastionAuditLogs `
                        -RetentionEnabled $true `
                        -RetentionInDays 365

If you also want to store the resource's metrics, use the Set-AzDiagnosticSetting cmdlet with the following syntax.

Set-AzDiagnosticSetting -ResourceId $bastion.Id `
                        -WorkspaceId $logAnalytics.ResourceId `
                        -Enabled $true `
                        -MetricCategory AllMetrics `
                        -RetentionEnabled $true `
                        -RetentionInDays 365

Verify the changes made

To verify the diagnostic settings you have just configured, use the Get-AzDiagnosticSetting cmdlet with the following syntax.

Get-AzDiagnosticSetting -ResourceId $bastion.Id | Select-Object WorkspaceId, Logs, Metrics | Format-List
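
To check the result programmatically rather than by eye, the following added example (not part of the original post) evaluates diagnostic-setting objects that expose the WorkspaceId and Logs properties selected above. The function name Test-BastionAuditLogging, the MinRetentionDays parameter and the sample objects are constructed for illustration, and treating a disabled retention policy as "no expiry" is an assumption.

```powershell
# Added example; function name, parameter and sample data are constructed.
function Test-BastionAuditLogging {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object]$Setting,
        [int]$MinRetentionDays = 365   # hypothetical policy threshold, in days
    )
    process {
        # Locate the BastionAuditLogs entry among the setting's log categories.
        $audit = $Setting.Logs | Where-Object { $_.Category -eq 'BastionAuditLogs' } |
            Select-Object -First 1
        $enabled     = [bool]($audit -and $audit.Enabled)
        $toWorkspace = -not [string]::IsNullOrWhiteSpace([string]$Setting.WorkspaceId)

        # 0 days means "retain forever" (per the article). Assumption: a disabled
        # retention policy applies no expiry either.
        $policy  = if ($audit) { $audit.RetentionPolicy } else { $null }
        $days    = if ($policy) { [int]$policy.Days } else { 0 }
        $forever = (-not $policy) -or (-not $policy.Enabled) -or ($days -eq 0)

        [pscustomobject]@{
            Name             = $Setting.Name
            AuditLogsEnabled = $enabled
            SentToWorkspace  = $toWorkspace
            Retention        = if (-not $audit) { 'n/a' } elseif ($forever) { 'Forever' } else { "$days days" }
            Compliant        = $enabled -and $toWorkspace -and ($forever -or ($days -ge $MinRetentionDays))
        }
    }
}

# Constructed sample settings (not real resources); <subscription-id> is a placeholder.
$ws = '/subscriptions/<subscription-id>/resourceGroups/RG-DEMO-HUB/providers/Microsoft.OperationalInsights/workspaces/LAW-DEMO-HUB'
function New-SampleSetting($Name, $WorkspaceId, $Enabled, $Days) {
    [pscustomobject]@{
        Name = $Name; WorkspaceId = $WorkspaceId
        Logs = @([pscustomobject]@{
            Category = 'BastionAuditLogs'; Enabled = $Enabled
            RetentionPolicy = [pscustomobject]@{ Enabled = $true; Days = $Days }
        })
    }
}
@(
    New-SampleSetting 'Bastion Diagnostic' $ws   $true  365   # compliant
    New-SampleSetting 'storage-only'       $null $true  365   # no workspace destination
    New-SampleSetting 'forever'            $ws   $true  0     # 0 = retain forever
    New-SampleSetting 'short-retention'    $ws   $true  30    # below the minimum
    New-SampleSetting 'audit-disabled'     $ws   $false 365   # category switched off
) | Test-BastionAuditLogging | Format-Table -AutoSize
```

Against a live resource, pipe the output of Get-AzDiagnosticSetting -ResourceId $bastion.Id into Test-BastionAuditLogging; this assumes the returned objects expose the WorkspaceId and Logs properties used in the Select-Object call above.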

Remove diagnostic settings

If you want to remove the diagnostic setting for the Azure Bastion resource, use the Remove-AzDiagnosticSetting cmdlet with the following syntax.

Remove-AzDiagnosticSetting -ResourceId $bastion.Id

Azure CLI Workaround

In this case, we will use Azure Cloud Shell, a browser-based shell built into Azure Portal. This allows us to use the Azure command-line tools (Azure CLI and Azure PowerShell) directly from a browser. If you want to know more about Azure Cloud Shell, check out this link.
First, we define the characteristics of our environment and store the values in variables.

resourceGroupName="RG-DEMO-HUB"
bastionName="AzBastion"
logAnalyticsName="LAW-DEMO-HUB"

To make the following commands easier to read, I will store the resource IDs in variables.

logAnalyticsid=$(az monitor log-analytics workspace show -n $logAnalyticsName -g $resourceGroupName --query id --output tsv)
bastionid=$(az network bastion show --name $bastionName --resource-group $resourceGroupName --query id --output tsv)

Set the log and metric settings for Azure Bastion

To store the event logs and metrics for the resource, use the following command.

az monitor diagnostic-settings create --workspace $logAnalyticsid --resource $bastionid --name "Bastion Diagnostic" \
 --logs '[{"category":"BastionAuditLogs","enabled":true,"retentionPolicy":{"days":"365","enabled":true}}]' \
 --metrics '[{"category": "AllMetrics","enabled": true,"retentionPolicy":{"days":"365","enabled":true}}]'

Verify the changes made

To verify the diagnostic settings you have just configured, use the following command.

az monitor diagnostic-settings show --name "Bastion Diagnostic" --resource $bastionid -o yaml

Remove diagnostic settings

If you want to remove the diagnostic setting for the Azure Bastion resource, use the following command.

az monitor diagnostic-settings delete --name "Bastion Diagnostic" --resource $bastionid

Thanks for reading my post. I hope you find it helpful.

If you want to know more about Azure Bastion, check out this link.

The post How to configure Azure Bastion host to send logs and metrics to Log Analytics workspace appeared first on Jorge Bernhardt.

via Jorge Bernhardt https://ift.tt/3fcuASf

August 8, 2021 at 09:50AM
Jorge Bernhardt