Jan 16 2019 04:20 AM - last edited on Apr 07 2022 05:35 PM by TechCommunityAP
Hey all,
I want to be able to monitor all storage account key rotations using Log Analytics. I am not sure how to do this, as it seems I am not able to get a list of all storage accounts using a query. I can somewhat do this in PS using the following script, but how can I get this information in Log Analytics?
Code
# Cut-off two days ago, as a sortable FileDateTime string
$storageAccounts = Get-AzureRmStorageAccount
$timeStamp = Get-Date (Get-Date).AddDays(-2) -Format FileDateTime
foreach ($storageAccount in $storageAccounts) {
    # Key regeneration events logged for the account's resource group
    $regenerateKeyEvents = Get-AzureRmLog -ResourceGroupName $storageAccount.ResourceGroupName `
        | Where { $_.OperationName.Value -eq "Microsoft.Storage/storageAccounts/regenerateKey/action" } `
        | Select-Object EventTimestamp
    foreach ($regenerateKeyEvent in $regenerateKeyEvents) {
        # Flag any regeneration event older than the cut-off
        if ($timeStamp -gt ($regenerateKeyEvent.EventTimestamp | Get-Date -Format FileDateTime)) {
            Write-Host "Keys too old"
        }
    }
}
Jan 16 2019 11:11 PM
Solution
Hi,
Azure Activity Logs can be sent to Log Analytics. More info here:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/collect-activity-logs
After they are sent there, you can create a Log Analytics query that you can use to alert on the Azure Activity Logs. Basically doing the same thing you are doing with
Get-AzureRmLog -ResourceGroupName $storageAccount.ResourceGroupName `
    | Where { $_.OperationName.Value -eq "Microsoft.Storage/storageAccounts/regenerateKey/action" } `
    | Select-Object EventTimestamp
but with the Kusto query language that Log Analytics uses.
Jan 17 2019 06:32 AM
What would
Get-AzureRmLog -ResourceGroupName $storageAccount.ResourceGroupName `
    | Where { $_.OperationName.Value -eq "Microsoft.Storage/storageAccounts/regenerateKey/action" } `
    | Select-Object EventTimestamp
look like in a Kusto query?
Jan 17 2019 07:17 AM
Example would be
AzureActivity
| extend Action = parse_json(Authorization)
| where Action.action == "Microsoft.Storage/storageAccounts/regenerateKey/action" and ResourceGroup =~ "something" and ActivityStatus != "Failed"
| project EventSubmissionTimestamp
I would suggest, however, looking at the Kusto language documentation and the Azure Log Analytics alerts documentation to transform the example into a query that is suitable for the alert that you want to achieve.
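Added example, not part of the thread: one way to turn the query above into a per-account key age check that also reports accounts with no rotation event at all, which is the gap the original question raises. The `ResourceId` and `Caller` columns are assumed to be available alongside the columns used in the reply above, the two-day threshold mirrors the script in the question, and the inventory rows are constructed placeholders that would in practice be exported from `Get-AzureRmStorageAccount`.

```kusto
// Maximum acceptable key age; the script in the question uses two days.
// The query time range must cover at least this window.
let MaxKeyAge = 2d;
// Constructed placeholder inventory. The activity log only contains accounts
// that had an event, so the list of accounts to check must come from elsewhere.
let Inventory = datatable(ResourceId: string) [
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example/providers/Microsoft.Storage/storageAccounts/examplestorage1",
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example/providers/Microsoft.Storage/storageAccounts/examplestorage2"
];
// Most recent successful key regeneration per storage account, and who did it.
let Rotations = AzureActivity
    | extend Action = parse_json(Authorization)
    | where tostring(Action.action) == "Microsoft.Storage/storageAccounts/regenerateKey/action"
        and ActivityStatus != "Failed"
    | summarize LastRotation = max(EventSubmissionTimestamp),
                RotatedBy = make_set(Caller)
        by ResourceId = tolower(ResourceId);
// Left outer join keeps inventory accounts that have no rotation event.
Inventory
| extend ResourceId = tolower(ResourceId)
| join kind=leftouter Rotations on ResourceId
| extend Status = case(
    isnull(LastRotation), "no rotation in queried window",
    LastRotation < ago(MaxKeyAge), "keys too old",
    "ok")
| where Status != "ok"
| project ResourceId, LastRotation, RotatedBy, Status
```

An account reported as "no rotation in queried window" may still have been rotated before the workspace's retention period began, so treat that status as unknown rather than as proof that the keys were never rotated.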
Jan 17 2019 08:04 AM