SOLVED

Policy sets resource to non-compliand but no Events are created

%3CLINGO-SUB%20id%3D%22lingo-sub-1733286%22%20slang%3D%22en-US%22%3EPolicy%20sets%20resource%20to%20non-compliand%20but%20no%20Events%20are%20created%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1733286%22%20slang%3D%22en-US%22%3E%3CP%3EHi%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ETrying%20to%20get%20a%20grip%20on%20creating%20policies%20and%20initiatives.%20Have%20made%20a%20simple%20initiative%20with%20one%20policy%20that%20checks%20for%20log%20analytics%20agent%20installation%3A%3C%2FP%3E%3CP%3E%3CSPAN%3EThe%20Log%20Analytics%20agent%20should%20be%20installed%20on%20virtual%20machines%22%3C%2FSPAN%3E%3C%2FP%3E%3CP%3EIt%20finds%203%20test%20server%20that%20I've%20left%20without%20log%20analytics%20agent%20and%20marks%20them%20as%20non-compliant.%20Of%20course%20I%20want%20to%20monitor%20this%20so%20I%20started%20looking%20in%20the%20logs%20for%20this.%3C%2FP%3E%3CP%3ECan't%20find%20it%20anyware.%20And%20the%20events%20tab%20under%20Policy%20is%20empty%20as%20well.%26nbsp%3B%3C%2FP%3E%3CDIV%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%3CP%3EHave%20I%20missed%20something%20%3F%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1740433%22%20slang%3D%22en-US%22%3ERe%3A%20Policy%20sets%20resource%20to%20non-compliand%20but%20no%20Events%20are%20created%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1740433%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F577472%22%20target%3D%22_blank%22%3E%40PatrikHansson%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHave%20you%20looked%20at%20Azure%20Monitor%20%26gt%3B%20Activity%20Log%20and%20filtered%20for%20Event%20Category%20%3D%20Policy%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22hspinto_0-1601665789887.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F223724i2DEDDD81A9394662%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22hspinto_0-1601665789887.png%22%20alt%3D%22hspinto_0-1601665789887.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Contributor

Hi

 

Trying to get a grip on creating policies and initiatives. Have made a simple initiative with one policy that checks for log analytics agent installation:

The Log Analytics agent should be installed on virtual machines"

It finds 3 test server that I've left without log analytics agent and marks them as non-compliant. Of course I want to monitor this so I started looking in the logs for this.

Can't find it anyware. And the events tab under Policy is empty as well. 

 
 

Have I missed something ? 

2 Replies

@PatrikHansson 

 

Have you looked at Azure Monitor > Activity Log and filtered for Event Category = Policy?

 

hspinto_0-1601665789887.png

 

best response confirmed by hspinto (Microsoft)
Solution

@hspinto 

Hi

Yes, there is nothing in event log.

But I got this response from support:

As updated from the Product group, any effect related log that is related to compliance evaluation is no longer written to activity log. If it's a policy denying an operation for a PUT/PATCH request on resource, those are still logged.

 

As confirmed also by PG, we are working towards integrating with Event Grid to create policies state events for resources that become non-compliant. This will allow you to be aware a state change has occurred and trigger actions such as kick off a remediation task. This feature is set to be completed late this calendar year.

 

So I guess it is correct that there aren't anything in the activity log for me.