Azure / Enterprise-Scale

The Azure Landing Zones (Enterprise-Scale) architecture provides prescriptive guidance coupled with Azure best practices, and it follows design principles across the critical design areas for organizations to define their Azure architecture.
https://aka.ms/alz
MIT License
1.69k stars, 963 forks

Support multiple log analytics workspace destinations in the Deploy-* policies #1600

Closed craigthackerx closed 4 months ago

craigthackerx commented 6 months ago

Description

Is your feature request related to a problem?

I want to be able to stream all AzureDiagnostic and all AzActivity table logs to a different log analytics workspace. As it stands, the policy definitions accept a string for destination workspace, so when diagnostic settings are deployed, it deploys a single setting to the workspace created in the other parts of the deployment.

Describe the solution you'd like

It would be helpful if, instead of a string for workspace ID, a list of strings is accepted where the ID of each log analytics workspace can be propagated into the template file. It would be helpful if a user-provided parameter could check for this also.

Additional context

It may also be helpful to add a feature to allow deployment of storage or eventhub diagnostic settings.

SteveBurkettNZ commented 6 months ago

We also come across this, where we want to fire telemetry data to an operational Log Analytics workspace and audit/security logs to a security Log Analytics workspace (for ingestion into Microsoft Sentinel). Too expensive otherwise.

matt-FFFFFF commented 6 months ago

Hi - this is a change to the policy definitions, which are not maintained in this repo.

Moving upstream.

matt-FFFFFF commented 6 months ago

Adding @springstone and /cc @jtracey93

craigthackerx commented 5 months ago

Hey folks, any further forward on this?

Springstone commented 4 months ago

@craigthackerx Sorry we haven't been super responsive, we're busy transitioning Diagnostic Settings away from ALZ. In the next policy refresh (part of which is PR #1641), we're deprecating all our custom policies and assigning by default all logging to a centrally defined workspace. For your requirements, there are additional initiatives (published on 15 May 2024) that will allow you to target other destinations (including storage, Event Hub, Log Analytics), and the nature of categories you want to capture logs for (All Logs or Audit logs only). You can create an additional assignment targeting the destination you want for the log category you want (just make sure you change the "diagnosticSettingName" for each assignment!)
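A check for the caveat in the last comment, as an added example that is not part of the thread or of the ALZ project: it flags policy assignments whose scopes overlap and that reuse one "diagnosticSettingName". The scope tree, assignment names, destinations and the `destination` key are constructed for illustration; only `diagnosticSettingName` comes from the thread.

```python
from collections import defaultdict

# Constructed sample data (hypothetical scopes and destinations).
PARENT = {  # child scope -> parent scope in a made-up management group tree
    "mg-landingzones": "mg-root",
    "mg-platform": "mg-root",
    "sub-app1": "mg-landingzones",
}
ASSIGNMENTS = [
    {"name": "diag-ops-all", "scope": "mg-root",
     "destination": "law-operations", "diagnosticSettingName": "setByPolicy-LogAnalytics"},
    {"name": "diag-sec-audit", "scope": "mg-root",
     "destination": "law-security", "diagnosticSettingName": "setByPolicy-LogAnalytics"},
    {"name": "diag-platform-eh", "scope": "mg-platform",
     "destination": "eh-siem", "diagnosticSettingName": "setByPolicy-EventHub"},
    {"name": "diag-app1-archive", "scope": "sub-app1",
     "destination": "st-archive", "diagnosticSettingName": "setbypolicy-eventhub"},
]

def ancestors(scope, parent=PARENT):
    """Return the scope itself followed by every scope above it."""
    chain = [scope]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain

def overlaps(a, b, parent=PARENT):
    """Two assignments can reach the same resource if one scope contains the other."""
    return a in ancestors(b, parent) or b in ancestors(a, parent)

def find_collisions(assignments, parent=PARENT):
    """Return sorted (name, name) pairs that share a setting name on overlapping scopes."""
    by_setting = defaultdict(list)
    for a in assignments:
        # Compared case-insensitively so near-identical names are treated as one.
        by_setting[a["diagnosticSettingName"].casefold()].append(a)
    collisions = []
    for group in by_setting.values():
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                if overlaps(a["scope"], b["scope"], parent):
                    collisions.append(tuple(sorted((a["name"], b["name"]))))
    return sorted(collisions)

if __name__ == "__main__":
    for first, second in find_collisions(ASSIGNMENTS):
        print(f"{first} and {second} reuse one diagnosticSettingName on overlapping scopes")
```
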