Open bigj51 opened 3 years ago
For anyone wanting to know how to do this:
Prereq:
Steps:
Add an encrypted automation variable to the CA automation account named "eh_conn":
New-AzAutomationVariable -Encrypted $True -AutomationAccountName <your value> -Name "eh_conn" -ResourceGroupName <your value> -Value "{'EventHubNamespace' : '<your value>', 'EventHubName' : '<your value>', 'EventHubSendKeyName' : '<your value>','EventHubSendKey' : '<your value>'}"
Edit [org-name]\CA-Runbook\RunbookScanAgent.ps1 (defaults to desktop)
Find the comment "# Main ScanAgent code" (currently around line 709, ver 4.14)
In the "try" block add this code:
Write-Output("SA: Setting up event hub endpoint...")
$eh_conn = Get-AutomationVariable -Name "eh_conn"
$eh_conn = $eh_conn | convertfrom-json
Set-AzSKEventHubSettings -EventHubNamespace $eh_conn.EventHubNamespace -EventHubName $eh_conn.EventHubName -EventHubSendKeyName $eh_conn.EventHubSendKeyName -EventHubSendKey $eh_conn.EventHubSendKey #-Source "CA"
Write-Output("SA: DONE Setting up event hub endpoint")
Push the config to the storage account with Update-AzSKOrganizationPolicy
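Added example, not part of the original post or of AzSK's own code: one way to validate the "eh_conn" variable before it reaches Set-AzSKEventHubSettings, so a malformed or placeholder value fails the job without writing the send key to the job output. The helper name ConvertTo-EventHubSplat and the sample values are assumptions made for illustration.

```powershell
# Added example: validate the "eh_conn" JSON before passing it to Set-AzSKEventHubSettings.
# ConvertTo-EventHubSplat is a hypothetical helper name, not part of AzSK.
function ConvertTo-EventHubSplat {
    param([Parameter(Mandatory)][string]$Json)

    $required = 'EventHubNamespace', 'EventHubName', 'EventHubSendKeyName', 'EventHubSendKey'
    try {
        $conn = $Json | ConvertFrom-Json -ErrorAction Stop
    }
    catch {
        # Do not echo $Json or the exception text: either may contain the send key.
        throw "eh_conn is not valid JSON"
    }

    $splat = @{}
    foreach ($name in $required) {
        $value = [string]$conn.$name
        # Reject missing fields and the unfilled template placeholder.
        if ([string]::IsNullOrWhiteSpace($value) -or $value -eq '<your value>') {
            throw "eh_conn is missing a usable value for '$name'"
        }
        $splat[$name] = $value
    }
    return $splat
}

# Constructed sample input in the same shape as the variable created in the first step.
$sample = "{'EventHubNamespace' : 'example-ns', 'EventHubName' : 'example-hub', 'EventHubSendKeyName' : 'send-only', 'EventHubSendKey' : 'PLACEHOLDER-KEY'}"
$settings = ConvertTo-EventHubSplat -Json $sample

# Log field names only, never the key value.
Write-Output ("SA: event hub settings parsed: " + (($settings.Keys | Sort-Object) -join ', '))

# In the runbook, the parsed settings would be passed by splatting:
#   $settings = ConvertTo-EventHubSplat -Json (Get-AutomationVariable -Name "eh_conn")
#   Set-AzSKEventHubSettings @settings
```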
Please let us know if you still have any issues here, or if we are good to close this issue, as I can see you have already shared a solution that I believe worked for you.
Thanks, Ritika
Enable Eventhub output for Central CAs
Description
Currently Eventhub is only supported for ad-hoc and SDL scans. It would be nice to have this feature for central mode CAs as well, to be able to action in real time.
I'm currently running 100 CAs in central mode to scan 900+ subscriptions with over 1 million+ resources. While I can run jobs against the LAW to perform actions, it would be nice to fit this into a real time automation system.
Steps to reproduce
N/A
Expected behavior
Central mode CAs write events to an Eventhub
Actual behavior
Not supported in CAs