How to export Azure Alert Rules (Log Analytics)

Copper Contributor

Hi,

 

I am trying to export all rules (Enabled/Disabled) from Azure Portal using Get-AzureRMALertRule cmdlet, however, it is returning blank output.

I have more than 10 Rules configured. Some are enabled and some are disabled.

FYR:Please find attached of screenshot of PowerShell.

 

Somewhere, i read that this cmdlet pulls the data for App-Insight rules only. is this true?

Appreciate, if someone could help me to understand the issue and export the requested data.

 

Regards, Ravi

 

11 Replies

Hi

Currently different alerts have different APIs so there isn't single cmdlet to get all alerts. If you are lookin for Log Analytics alerts their API is shown here:

https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-api-alerts

Currently there is no cmdlet for those alerts so you have to use tools like armclient or create your own API calls to get them. You can also try to use one of these scripts:

https://blogs.technet.microsoft.com/manuelpuron/2017/07/14/export-all-alerts-created-in-a-oms-worksp...

http://overcast.azurewebsites.net/2016/06/exporting-oms-log-analytics-alerts-and-importing-into-anot...

I haven't tested them so I do not know if they still works.

Hi Stanislav,

 

Appreciate for your response !!!

 

FYI: I already read this article and analyzed the attached scripts.

 

Script is giving some error (that could be taken care) but the script is fetching "Saved Searches" while i am interested to collect "configuration details of Alert Rules" from Log Analytic section.

 

Let me know if you have any other pointer for the same.

 

Regards, Ravi

Hi Ravi,
Log Analytics alerts are not a single resource. Log Analytics alerts are compromised from 3 resources nested within each other. At top is a saved search, beneath saved search is a schedule and beneath schedule is an action. All these 3 resources make an alert. Saved search contains the query that is used for the alert. Schedule contains the time window and frequency for the alert. Action contains the threshold and what action should be taken. So definitely those resources you mead to export Log Analytics alerts.

Hi Stanislav,

 

Apologies if i misunderstood your information as i am not Expert in  OMS but.....

 

I do have some Alerts (in log analytics) configured for which we do not have any "saved search".

 

As far as i know, earlier, it was like.....create a search -> save it -> create a rule and use that saved search.

But now..... i do not need to save search......i could directly create a Rule.

 

Please let me know if I am missing anything or if my understanding is incorrect.

 

FYI: I tried collecting the details of all saved searches using below command and it worked as expected.

(Get-AzureRmOperationalInsightsSavedSearch -ResourceGroupName "<Resource_Group_Name>" -WorkspaceName "<Workspace_Name>").Value.Properties | where category -eq "Alert"  

 

Regards, Ravi

The UI creates saved search on its own. If I am not mistaken alerts created from Azure portal are saved under Ibiza Alerts category. The API itself hasn't changed only the UI. Here is the doc on the api:
https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-api-alerts
Via AzureRM cmdlets you can get only saved searches resources but not schedules and actions that is why these people are using scripts that query directly the Log Analytics api. As I've said you will need to get the all the resources to construct the full properties of an alerts. Remember my note that these resources are nested within each other. I am currently away from my computer so I do not have access to my env.

Hi Stanislav,

 

I read the link you have shared but that is again on around "Saved Search".

 

As mentioned earlier, i have some Alert Rules Configured but there is no "Saved Search" for them. So, i cannot go via this route.

 

I logged a case with MS Support. they said that it is not necessary that every Alert rule will have a "Saved Search". MS support is still checking their resource on how to collect Rules details using PowerShell/REST API.

 

do let me know if you have any other pointer for the same.

 

regards, Ravi

Hi Ravi,

All the Log Analytics Search based alerts have search query (saved search) under which they run. If you do not have such I see 3 possible reasons:

 

- Either there is some completely new API for Log Analytics search based alerts that I am not aware. I really doubt that this is the possibility but you never know.

- You are not actually creating Log Analytics search based alerts. May be some of the other types of alerts that have different APIs.

- You are not able to find the saved searches for some reason.

 

I can say also that MS support could be wrong if they haven't understood well the request or if they are taking general stuff. Yes the statement:  it is not necessary that every Alert rule will have a "Saved Search" is true because there are multiple alert types and every alert type has different API.

 

To see that I am not making this up below you can see the first call to the API that the Azure Portal does when it is creating Log Analytics Search based alert. As you can see the first call is to create saved search. The other two calls (not in the screenshots) are schedule inside the saved search resource and action inside the schedule resource.

ss.PNG

 

Hi Ravi,

 

I think Stanislav is pointing you in the right direction. I have used the given script to querying the Alerts API for Log Analytics. But no luck!

 

https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-api-alerts

 

I can give you a little explanation on the API but you will have to write your own script or if you are good in scripting. Otherwise wait like me to someone write this kinda script. :)

Basically in the example from the docs they use a tool (exe program) that queries the Azure Resource Manager API to get the information. You can use your armclient tool or create your own script with web requests to the API. I would suggest the first if you do not have much experience with querying REST APIs. About the Alerts API for Log Analytics. Basically you have 3 resources that needs to be created so you can have an alert:

- Saved search

- Schedule

- Action

Saved Search is the top resource. You will have to create Saved Search in order to create Schedule and Action. Schedule is sub resource for Saved Search and Action is sub resource of Schedule. So you also have to create Schedule in order to create action. The definition of those 3 resources makes an alert and the definition of those 3 you want to export so you can have the full definition of alert. Keep in mind that not every saved search has schedule and action so only saved searches that are used for alerts will have the other 2 resources. Looking at the API you will first have to get all saved searches. That way you will get the query and the name of the query. For each saved search you have to check if there is Schedule resource. If there is schedule resource you get the schedule resource for each query that has it. That way for each query you will get the schedule information which will give you the frequency and the time frame of the alert. For each saved search with schedule you will have to check also if there is action. You will get the action for those that have it. That way you will get the information of the threshold, severity, action group and name of the alert. The information for saved search, schedule and action for each one that has those is the definition for each alert.

I usually create my alerts via ARM template rather UI. That way I can always deploy the same alerts on different workspaces without needing to export them.

Here is example of creating alert with arm template I've found:

 

https://docs.microsoft.com/en-us/azure/monitoring/monitoring-solutions-resources-searches-alerts

Hey Gourav,

I would appreciate if you do not copy my replies from other forums and present them as your own words here. Here is the proof that these are my words:

https://social.msdn.microsoft.com/Forums/sqlserver/en-US/4c93a4f1-51b4-4078-8a81-33570f4bac8a/how-to...

 

This is not ethical at all. Instead you can just provide link to the thread.

@Ravi Gupta 

 

This is how i dumped my Rules.

 

$subid='mysubid'
$rsgname = 'myrsgname'
$wksname = 'myworkspacename'

 

armclient get /subscriptions/$subid/resourcegroups/$rsgname/providers/microsoft.insights/scheduledQueryRules/?api-version=2018-04-16

I'm Azure there is Home- security center-settings, you will get all rules and filter export to csv