Azure / Enterprise-Scale

The Azure Landing Zones (Enterprise-Scale) architecture provides prescriptive guidance coupled with Azure best practices, and it follows design principles across the critical design areas for organizations to define their Azure architecture.
https://aka.ms/alz
MIT License

Deploy-Diagnostics-ACI deploys metric setting only, not logs #1523

Closed NucLabs closed 3 months ago

NucLabs commented 8 months ago

Describe the bug
The policy Deploy Diagnostic Settings for Container Instances to Log Analytics workspace (Deploy-Diagnostics-ACI) configures only metrics to be sent to Log Analytics. Logs are not configured. We found this because the built-in policy Audit diagnostic setting for selected resource types (7f89b1eb-583c-429a-8828-af049802c1d9), which is part of the compliance policy set we have assigned, audits the resource as non-compliant.

Steps to reproduce
Assign both mentioned policies to a RG and create a container instance. After remediation, Deploy Diagnostic Settings for Container Instances to Log Analytics workspace is compliant. The auditing policy is not, because the logs are not configured to be sent to Log Analytics.

Diagnostic settings for a container group are not visible in the portal, but with the help of pwsh I found out that two log categories are available: ContainerInstanceLog and ContainerEvent.

I created a version of the policy in which the log settings are deployed, satisfying the audit policy.
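The check the reporter describes, reproduced as an added example (this is not code from the ALZ repository, from the reporter, or from the policy's deployment template): enumerate the diagnostic categories a container group exposes, deploy a diagnostic setting that enables every Logs category alongside metrics rather than metrics alone, and then verify that no available log category is left disabled. It assumes Az.Accounts and Az.Monitor 3.x (the `New-AzDiagnosticSetting*Object` cmdlets and the `Log`/`Metric` properties used below come from that major version), and `$ContainerGroupId`, `$WorkspaceId` and `setByPolicy` are placeholders you supply, not values from the issue.

```powershell
#Requires -Modules Az.Accounts, Az.Monitor
# Added example, not code from the ALZ repo or the issue reporter.
# Assumes Az.Monitor 3.x cmdlet names and output shapes; older Az.Monitor
# versions use Set-AzDiagnosticSetting with different parameters.
param(
    # Resource ID of the container group (Microsoft.ContainerInstance/containerGroups) -- placeholder
    [Parameter(Mandatory)] [string] $ContainerGroupId,
    # Resource ID of the Log Analytics workspace -- placeholder
    [Parameter(Mandatory)] [string] $WorkspaceId,
    # Name of the diagnostic setting -- placeholder
    [string] $SettingName = 'setByPolicy'
)

# 1. Discover which diagnostic categories the resource type actually exposes.
#    Container group diagnostic settings are not surfaced in the portal, so this
#    is how you see that two Logs categories exist alongside the metrics category.
$categories       = Get-AzDiagnosticSettingCategory -ResourceId $ContainerGroupId
$logCategories    = @($categories | Where-Object CategoryType -eq 'Logs'    | Select-Object -ExpandProperty Name)
$metricCategories = @($categories | Where-Object CategoryType -eq 'Metrics' | Select-Object -ExpandProperty Name)
Write-Host "Logs categories:    $($logCategories -join ', ')"    # reporter found ContainerInstanceLog, ContainerEvent
Write-Host "Metrics categories: $($metricCategories -join ', ')"

# 2. Build the setting the way a complete policy should: every Logs category
#    enabled plus metrics. A metrics-only setting, which is what the issue
#    reports Deploy-Diagnostics-ACI produced, would pass only -Metric $metrics.
$logs    = foreach ($c in $logCategories)    { New-AzDiagnosticSettingLogSettingsObject    -Category $c -Enabled $true }
$metrics = foreach ($c in $metricCategories) { New-AzDiagnosticSettingMetricSettingsObject -Category $c -Enabled $true }

New-AzDiagnosticSetting -Name $SettingName -ResourceId $ContainerGroupId -WorkspaceId $WorkspaceId `
    -Log $logs -Metric $metrics | Out-Null

# 3. Verify the result the way an audit would: every available Logs category
#    must be enabled in the setting, otherwise the audit policy from the issue
#    still reports the resource as non-compliant.
$setting     = Get-AzDiagnosticSetting -ResourceId $ContainerGroupId -Name $SettingName
$enabledLogs = @($setting.Log | Where-Object Enabled | Select-Object -ExpandProperty Category)
$missing     = @($logCategories | Where-Object { $_ -notin $enabledLogs })
if ($missing.Count -gt 0) {
    Write-Warning "Diagnostic setting '$SettingName' sends no logs for: $($missing -join ', ')"
    exit 1
}
Write-Host "Diagnostic setting '$SettingName' sends metrics and all log categories to $WorkspaceId"
```

Run it against a container group after the Deploy-Diagnostics-ACI remediation has completed: step 1 is the same discovery the reporter did with pwsh, and step 3 is the check you want in a pipeline so that a metrics-only setting from a deployIfNotExists policy is caught before the audit policy flags it.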

Springstone commented 3 months ago

Closing this as we've deprecated all our diagnostic settings policies and shifted to the PG-owned initiative to do the same. Please review https://aka.ms/alz/whatsnew for details.

If you find gaps in diagnostic settings coverage, please add the missing services to this discussion: #1644, as this is where we will track this going forward.