Azure / azure-monitor-baseline-alerts

Azure Monitor Baseline Alerts
MIT License

[Question/Feedback]: Error Remediating Alerts of Type, "Log search alert rule" in Azure Gov Cloud #376

Open NathanHodges05 opened 1 week ago

NathanHodges05 commented 1 week ago

Check for previous/existing GitHub issues

Description

I keep running into errors when trying to remediate alerts that are Log Search Alert Rules in Azure Gov Cloud. These are Microsoft.Insights/scheduledQueryRules. An example is Deploy-VM-HeartBeat-Alert.json. The query is found on line 445. Another example is Deploy-LAWorkspace-DailyCapLimitReached-Alert.json and that query is on line 364.

The raw error I get when remediating is:

  "message": "{\r\n  \"error\": {\r\n    \"message\": \"The request had some invalid properties\",\r\n    \"code\": \"BadArgumentError\",\r\n    \"correlationId\": \"<correlationId>\",\r\n    \"innererror\": {\r\n      \"code\": \"QueryValidationError\",\r\n      \"message\": \"ADX reference is of incorrect format: \"\r\n    }\r\n  }\r\n}"
}

] }

I get the same error when creating this alert manually in the portal and using that query.

This was NOT an issue when deploying to Azure commercial cloud. Those remediated perfectly fine, and the query runs when testing in the portal as shown below.

Is there a known query that will work in Azure Gov Cloud for these 11 virtual machine policies and the Daily Cap Limit alert policy?

// Used in VM Policy Set Definition
loadTextContent('../../../services/Compute/virtualMachines/Deploy-VM-DataDiskReadLatency-Alert.json')
loadTextContent('../../../services/Compute/virtualMachines/Deploy-VM-DataDiskSpace-Alert.json')
loadTextContent('../../../services/Compute/virtualMachines/Deploy-VM-DataDiskWriteLatency-Alert.json')
loadTextContent('../../../services/Compute/virtualMachines/Deploy-VM-HeartBeat-Alert.json')
loadTextContent('../../../services/Compute/virtualMachines/Deploy-VM-NetworkIn-Alert.json')
loadTextContent('../../../services/Compute/virtualMachines/Deploy-VM-NetworkOut-Alert.json')
loadTextContent('../../../services/Compute/virtualMachines/Deploy-VM-OSDiskReadLatency-Alert.json')
loadTextContent('../../../services/Compute/virtualMachines/Deploy-VM-OSDiskSpace-Alert.json')
loadTextContent('../../../services/Compute/virtualMachines/Deploy-VM-OSDiskWriteLatency-Alert.json')
loadTextContent('../../../services/Compute/virtualMachines/Deploy-VM-PercentCPU-Alert.json')
loadTextContent('../../../services/Compute/virtualMachines/Deploy-VM-PercentMemory-Alert.json')
// Used in Management policy definitions only
loadTextContent('../../../services/OperationalInsights/workspaces/Deploy-LAWorkspace-DailyCapLimitReached-Alert.json')

Thank you for your assistance.

Brunoga-MS commented 1 week ago

Hello @NathanHodges05, thanks for your feedback. AMBA-ALZ is not officially supported on the AzureGov environment. Unfortunately, there's no alternative to run the queries you are referring to and use the same feature of looking into Azure Graph Explorer. I suspect a different alignment between Azure Public Cloud and Azure Gov for the feature documented at Query data in Azure Resource Graph by using arg() (Preview), which is still in preview. Could you please ensure that VMInsights has been correctly configured and clarify if you are using a normal workspace or anything different?

Thanks, Bruno
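
An added example, not part of the thread or the project's code: since the reply above points at the arg() preview feature, this lists which Microsoft.Insights/scheduledQueryRules resources in a policy definition have a query that calls arg(), so the alerts that depend on it can be identified before remediation. The sample policy, its rule names and its queries are constructed for illustration and are not the repository's files.

```python
import json
import re

RULE_TYPE = "microsoft.insights/scheduledqueryrules"
# arg("<literal>") call in KQL; \b keeps arg_max(...) from matching.
ARG_CALL = re.compile(r'\barg\s*\(\s*(["\'])(.*?)\1\s*\)')

# Constructed sample shaped like a deployIfNotExists policy; not a repository file.
SAMPLE_POLICY = r'''
{
  "properties": {"policyRule": {"then": {"details": {"deployment": {"properties": {"template": {
    "resources": [
      {"type": "Microsoft.Insights/scheduledQueryRules",
       "name": "constructed-heartbeat-rule",
       "properties": {"criteria": {"allOf": [
         {"query": "arg(\"\").Resources | where type == \"microsoft.compute/virtualmachines\" | project _ResourceId = tolower(id) | join (Heartbeat | summarize arg_max(TimeGenerated, *) by _ResourceId) on _ResourceId"}
       ]}}},
      {"type": "Microsoft.Insights/scheduledQueryRules",
       "name": "constructed-plain-rule",
       "properties": {"criteria": {"allOf": [
         {"query": "Heartbeat | summarize count() by Computer"}
       ]}}}
    ]}}}}}}}
}
'''

def walk(node):
    """Yield every dict nested anywhere inside a parsed JSON document."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from walk(value)
    elif isinstance(node, list):
        for item in node:
            yield from walk(item)

def find_arg_rules(policy_text):
    """Return [(rule name, [arg() literals])] for log search rules whose query calls arg()."""
    hits = []
    for res in walk(json.loads(policy_text)):
        if str(res.get("type", "")).lower() != RULE_TYPE:
            continue
        literals = [m.group(2)
                    for d in walk(res)
                    for q in [d.get("query")] if isinstance(q, str)
                    for m in ARG_CALL.finditer(q)]
        if literals:
            hits.append((res.get("name"), literals))
    return hits

if __name__ == "__main__":
    for name, literals in find_arg_rules(SAMPLE_POLICY):
        print(f"{name}: query calls arg() with {literals!r}")
```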