:
【Azure Policy】使用deployIfNotExists 把 Azure Activity logs 导出保存在Storage Account
2024年09月04日 18:36
问题描述
使用Azure Policy,对订阅下的全部Activity Log配置Diagnostic Setting,要求:
- 在Subscription或Management Group级别,针对未启用Activity Log功能的订阅,启用Activity Log功能;
- 对已经启用了Activity log功能的订阅,使用该Policy纠正并统一其参数配置;
- 所收集到的Azure Activity Log存储在特定的Storage Account,保留周期为6个月;
- Activity logs将收集一下log:
-
- Administrative
- Security
- Alert
- Recommendation
- ResourceHealth
问题解答
针对需求,一条一条的匹配
1. 在Subscription或Management Group级别,针对未启用Activity Log功能的订阅,启用Activity Log功能
因为需要Policy Scan的资源为 Subscription,所以第一步是需要扫描所有的订阅资源。然后在检查订阅下的Microsoft.Insights/diagnosticSettings配置。
"policyRule": { "if": { "field": "type", "equals": "Microsoft.Resources/subscriptions" },
2. 对已经启用了Activity log功能的订阅,使用该Policy纠正并统一其参数配置
3. 所收集到的Azure Activity Log存储在特定的Storage Account,保留周期为6个月
第三点中:需要特定的Storage Account,所以把它作为Policy参数进行设置,然后判断storageAccountId 值是否一样。6个月的保留周期设置因为新的UI上没有这个设定值,所以需要创建Storage Account中去设置,不在Policy中实现。
第二点中:要求使用同一个Storage Acocunt,所以这里并不是判断是否配置了Storage Account,而是必须要使用ID相等。
{ "field": "Microsoft.Insights/diagnosticSettings/storageAccountId", "equals": "[parameters('storageAccount')]" },
4. Activity logs将收集一下log: a). Administrative b). Security c). Alert d). Recommendation e). ResourceHealth
因为DiagnosticSettings 在ARM资源中是数组对象,所以使用logs[*] , 并且通过count where equals 运算符。
当Policy的条件满足后,接下来就是需要考虑DeployIfNotExists的配置了
- ExistenceScope : 允许的值为 Subscription 和 ResourceGroup, 但是默认值为Resource Group。所以此处必须修改为Subscription
- ExistenceCondition :如果任何匹配的相关资源评估结果为 true,该效果就会得到满足并且不会触发部署。
- DeploymentScope:允许的值为 Subscription 和 ResourceGroup, 默认值是 ResourceGroup。因为修改的资源为订阅的诊断配置。所以需要设置该值,并且也必须在Deployment中指定location属性。否则会遇见the location is missing 报错。
完整的Policy
1 { 2 "mode": "All", 3 "policyRule": { 4 "if": { 5 "field": "type", 6 "equals": "Microsoft.Resources/subscriptions" 7 }, 8 "then": { 9 "effect": "[parameters('effect')]", 10 "details": { 11 "type": "Microsoft.Insights/diagnosticSettings", 12 "ExistenceScope": "Subscription", 13 "existenceCondition": { 14 "allOf": [ 15 { 16 "field": "Microsoft.Insights/diagnosticSettings/storageAccountId", 17 "equals": "[parameters('storageAccount')]" 18 }, 19 { 20 "count": { 21 "field": "Microsoft.Insights/diagnosticSettings/logs[*]", 22 "where": { 23 "allOf": [ 24 { 25 "anyof": [ 26 { 27 "field": "Microsoft.Insights/diagnosticSettings/logs[*].category", 28 "equals": "Administrative" 29 }, 30 { 31 "field": "Microsoft.Insights/diagnosticSettings/logs[*].category", 32 "equals": "Security" 33 }, 34 { 35 "field": "Microsoft.Insights/diagnosticSettings/logs[*].category", 36 "equals": "Alert" 37 }, 38 { 39 "field": "Microsoft.Insights/diagnosticSettings/logs[*].category", 40 "equals": "Recommendation" 41 }, 42 { 43 "field": "Microsoft.Insights/diagnosticSettings/logs[*].category", 44 "equals": "ResourceHealth" 45 } 46 ] 47 }, 48 { 49 "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", 50 "equals": "true" 51 } 52 ] 53 } 54 }, 55 "equals": 5 56 } 57 ] 58 }, 59 "deploymentScope": "subscription", 60 "deployment": { 61 "location": "chinaeast2", 62 "properties": { 63 "mode": "incremental", 64 "template": { 65 "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", 66 "contentVersion": "1.0.0.0", 67 "parameters": { 68 "storageAccount": { 69 "type": "string" 70 }, 71 "logsEnabled": { 72 "type": "string" 73 }, 74 "profileName": { 75 "type": "string" 76 } 77 }, 78 "variables": {}, 79 "resources": [ 80 { 81 "type": "Microsoft.Insights/diagnosticSettings", 82 "apiVersion": "2017-05-01-preview", 83 "name": "[parameters('profileName')]", 84 "location": "global", 85 "dependsOn": [], 86 "properties": { 87 "storageAccountId": "[parameters('storageAccount')]", 88 "logs": [ 89 { 90 "category": "Administrative", 91 "enabled": "[parameters('logsEnabled')]" 92 }, 93 { 94 "category": "Security", 95 "enabled": "[parameters('logsEnabled')]" 96 }, 97 { 98 "category": "Alert", 99 "enabled": "[parameters('logsEnabled')]" 100 }, 101 { 102 "category": "Recommendation", 103 "enabled": "[parameters('logsEnabled')]" 104 }, 105 { 106 "category": "ResourceHealth", 107 "enabled": "[parameters('logsEnabled')]" 108 } 109 ] 110 } 111 } 112 ], 113 "outputs": {} 114 }, 115 "parameters": { 116 "storageAccount": { 117 "value": "[parameters('storageAccount')]" 118 }, 119 "logsEnabled": { 120 "value": "[parameters('logsEnabled')]" 121 }, 122 "profileName": { 123 "value": "[parameters('profileName')]" 124 } 125 } 126 } 127 }, 128 "roleDefinitionIds": [ 129 "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", 130 "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab" 131 ] 132 } 133 } 134 }, 135 "parameters": { 136 "effect": { 137 "type": "String", 138 "metadata": { 139 "displayName": "Effect", 140 "description": "Enable or disable the execution of the policy" 141 }, 142 "allowedValues": [ 143 "DeployIfNotExists", 144 "Disabled" 145 ], 146 "defaultValue": "DeployIfNotExists" 147 }, 148 "profileName": { 149 "type": "String", 150 "metadata": { 151 "displayName": "Profile name", 152 "description": "The diagnostic settings profile name" 153 }, 154 "defaultValue": "setbypolicy_storageaccount" 155 }, 156 "storageAccount": { 157 "type": "String", 158 "metadata": { 159 "displayName": "Storage Account Name", 160 "description": "Select storage account from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", 161 "strongType": "Microsoft.Storage/storageAccounts", 162 "assignPermissions": true 163 }, 164 "defaultValue": "/subscriptions/<subscription id>/resourcegroups/<resource group name>/providers/microsoft.storage/storageaccounts/<storage account name>" 165 }, 166 "logsEnabled": { 167 "type": "String", 168 "metadata": { 169 "displayName": "Enable logs", 170 "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" 171 }, 172 "allowedValues": [ 173 "True", 174 "False" 175 ], 176 "defaultValue": "True" 177 } 178 } 179 }
可能遇见的错误
1: location 错误
|
"deploymentScope": "subscription", "deployment": { "location": "chinaeast2", "properties": { |
|
Code LocationNotAvailableForDeployment Message The provided location 'global' is not available for deployment. List of available regions is 'chinaeast2,chinaeast,chinanorth3,chinanorth,chinanorth2'. |
|
Note: If the location is missing or the value is incorrect, you will encounter the LocationNotAvailableForDeployment error, the Error Message will be "The provided location 'global' is not available for deployment. List of available regions is 'chinaeast2, chinaeast, chinanorth3, chinanorth, chinanorth2'." |
2:设置: logs[*].enabled条件错误
{ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", "equals": "true" }
结果:
3: 设置:logs[*].category 条件错误
{ "field": "Microsoft.Insights/diagnosticSettings/logs[*].category", "equals": "Administrative" }
结果:
参考资料
- Azure Policy 模式:count 运算符 : https://docs.azure.cn/zh-cn/governance/policy/samples/pattern-count-operator
- 了解 [*] 别名 : https://docs.azure.cn/zh-cn/governance/policy/concepts/definition-structure#understanding-the--alias
- DeployIfNotExists 评估 :https://docs.azure.cn/zh-cn/governance/policy/concepts/effects#deployifnotexists-evaluation
From:https://www.cnblogs.com/lulight/p/18397233
本文地址: http://shuzixingkong.net/article/1736
前言 今天大姚给大家分享一个开源、免费(MIT License)、跨平台的.NET UI框架:Avalonia UI。 Avalonia是一个成熟稳定的平台,用于构建桌面、嵌入式、移动的和Web应用程序。一个代码库,无限可能!!! 项目介绍 Avalonia是一个强大的框架,使开发人员能够使用.NE
项目上遇到使用WebSocket超时问题,具体情况是这样的,OTA升级过程中,解压zip文件会有解压进度事件,将解压进度通过进程通信传给另一进程,通信提示超时异常 小伙伴堂园发现大文件使用Zip解压,解压进度事件间隔竟然是1ms,简直超大频率啊 但是,解压事件超频也不应该通信异常啊,于是我通过1ms
什么是docker环境 Docker环境是指在计算机中安装和配置了Docker引擎的运行环境。Docker是一种容器化平台,它提供了一种轻量级的虚拟化技术,能够将应用程序及其依赖项打包成一个独立的容器,以实现快速部署、可移植性和易于管理的优势。(Docker环境提供了一种方便、可移植和隔离的方式来管
最近发现服务器上某个web站点老是CPU很高,该站点部署在IIS上,我IIS上有多个站点,每个站点一个进程池,每个进程池取名都是根据站点来取的,所以很容易看出哪个站点吃掉的CPU,该站点已运行十几年,是基于.net 4.8 framework 编写的web站点(十几年的老项目重构的话就不用提,新项目
上一章我们成功部署了bcache,这一章我们将Ceph与Bcache结合来使用,使用Bcache来为ceph的数据盘提速。 1 ceph 架构 一个标准的ceph集群可能是如下的架构,SSD/NVME 存储元数据,而SATA盘存储数据。这样的架构下,物理介质的SATA盘读写速率上限决定了存储集群Ce
这是24年1月份写的了,调用代码大概率有变动,仅供参考。 1 什么是OpenAI的TTS模型 OpenAI的TTS模型是一种文本到语音(Text-to-Speech)模型,它可以将给定的文本转换为自然语音音频。TTS代表Text-to-Speech,是一种人工智能技术,它使计算机能够模拟自然语言的声
C#用户控件之仪表盘 如何让温度、湿度、压力等有量程的监控值如仪表盘(DashBoard)一样显示? 思路(GDI绘图): 定义属性:(仪表盘的半径、颜色、间隙;刻度圆的半径、颜色、字体;指针的颜色、占比;文本的字体、占比;) 绘制图形:(半圆、刻度、指针、中心、文本) 定义属性(将以上属性挨个敲完
代码整洁之道 简介: 本书是编程大师“Bob 大叔”40余年编程生涯的心得体会的总结,讲解要成为真正专业的程序员需要具备什么样的态度,需要遵循什么样的原则,需要采取什么样的行动。作者以自己以及身边的同事走过的弯路、犯过的错误为例,意在为后来者引路,助其职业生涯迈上更高台阶。 本书适合所有程序员阅读,
