SOLVED

Azure Activity data collector with Azure Policy : data is not ingested


Hi,

 

I have been fighting with the new Azure Activity data connector. I deploy the policy with the wizard from the connector page, scope it to my subscription but nothing happens. My Policy shows as Compliant, the Log Analytics workspace is in the scoped subscription but nothing happens. It's not the first time that I'm stuck with this problem and I think I've been applying MS' official documentation.

Any idea what I should check ?

Regards,

P.

6 Replies

@PhilippeAugras Have you gone to the Activity log and checked the Diagnostics settings to verify that the settings were indeed pushed correctly?

@Gary Bushey, thank you for your answer. The diagnostic settings worked with the old version of the connector. The new one relies on an Azure Policy that is supposed to send the activity to Sentinel's log. Or do I also need to configure the diag settings for this new connector ? It's not mentioned in MS's docs.

Regards,

 

P.

You don't need to configure the diag settings if the policy is working correctly. My suggestion was just to check to make sure the policy did work correctly.

Sorry for my misunderstanding. The policy shows 100% Compliant, no errors. Problem - ? - is that the policy also tells me there's no resource associated. I scoped it to the Subscription I want to monitor via Azure Activity connector - as per MS doc. But do I need to add my Sentinel Log Analytics workspace as a resource to this policy ?

@PhilippeAugras I think that it makes sense that there are no resources associated, because the policy is applied to the subscription only and not specific resources.
So if you go to the subscription for which you applied the policy, then choose "Activity Logs" and then choose "Diagnostic Settings" in the top of the window, you should be able to see that the diagnostic settings from the subscription are being sent to Sentinel.



It seems like you expect all resources in the subscription to have their diagnostic settings updated (please correct me if I'm wrong). Only the chosen subscription's diagnostic settings will be set.

Bonus: if you want to have multiple subscriptions set, you need to create a management group, and assign the policy to a group containing multiple subscriptions.

best response confirmed by PhilippeAugras (Occasional Contributor)
Solution
I finally found out what the problem was. I had forgotten to enable a remediation during the policy creation. Now it works.
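
The two checks from this thread as an Azure CLI script, added here as an example and not posted by any participant: it looks for a subscription-level diagnostic setting that targets the Sentinel workspace and, if none exists, starts a remediation task for the policy assignment. It assumes a logged-in `az` session; the subscription ID, workspace name, assignment name and the remediation task name `activity-log-remediation` are caller-supplied or hypothetical.

```bash
#!/usr/bin/env bash
# Added example. Usage: ./check.sh <subscription-id> <workspace-name> <policy-assignment-name>

# Exit 0 when a subscription-level diagnostic setting references the workspace.
# Resource IDs are case-insensitive, so the match is too (-i); -F treats the
# workspace name as a literal string, not a regex.
activity_export_present() {
  az monitor diagnostic-settings subscription list \
      --subscription "$1" -o json \
    | grep -qiF -- "$2"
}

# Create a remediation task for the assignment. A deploy-type policy only
# changes already-existing scopes when such a task runs.
# "activity-log-remediation" is a hypothetical task name.
remediate_assignment() {
  az policy remediation create \
      --subscription "$1" \
      --name "activity-log-remediation" \
      --policy-assignment "$2" \
      -o none
}

# Print "present" if the export is configured, otherwise start remediation
# and print "remediation-started".
ensure_activity_export() {
  if activity_export_present "$1" "$2"; then
    echo "present"
  else
    remediate_assignment "$1" "$3" && echo "remediation-started"
  fi
}

# Run only when called with the three expected arguments.
if [ "$#" -eq 3 ]; then
  ensure_activity_export "$1" "$2" "$3"
fi
```

If the assignment is an initiative rather than a single policy, `az policy remediation create` also needs `--definition-reference-id` to pick the policy inside it.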