PowerShell function that looks for Azure resources and services that send data to Log Analytics workspaces. Use this to assess the usage of Azure Log Analytics workspaces across a tenant.
#Requires -Modules @{ ModuleName = 'Az.Accounts'; ModuleVersion = '2.5.1' }
#Requires -Modules @{ ModuleName = 'Az.Resources'; ModuleVersion = '4.2.0' }
#Requires -Modules @{ ModuleName = 'Az.Compute'; ModuleVersion = '4.15.0' }
#Requires -Modules @{ ModuleName = 'Az.OperationalInsights'; ModuleVersion = '2.3.0' }
#Requires -Modules @{ ModuleName = 'Az.Aks'; ModuleVersion = '2.2.0' }
# Get-AzDiagnosticSetting is provided by Az.Monitor
#Requires -Modules Az.Monitor
<#
    .SYNOPSIS
        Returns an array of Azure Log Analytics workspaces and the resources
        that send data to them.

    .DESCRIPTION
        This function loops through all the Azure subscriptions that the
        current Az session has access to and identifies all the Log
        Analytics workspace resources. For each workspace it then looks
        at the diagnostic settings or other resources (VMs etc) that are
        configured to send data to them.

        It will currently include:
        - Diagnostic Settings extension resources that are set to a Log Analytics workspace
        - AKS clusters that are enabled with Container Insights Addon
        - Virtual Machines with the Microsoft Monitoring Agent extension enabled

    .PARAMETER SubscriptionName
        The name of the subscription to limit the search to.
#>
[CmdletBinding()]
param
(
    [Parameter()]
    [System.String]
    $SubscriptionName
)

$subscriptions = Get-AzSubscription @PSBoundParameters
$workspaceSources = @()

foreach ($subscription in $subscriptions)
{
    Write-Verbose -Message ('Selecting Azure Subscription {0}.' -f $subscription.Name)
    $null = $subscription | Select-AzSubscription

    # Add resources with Diagnostic Settings using Log Analytics Workspace
    $subscriptionResources = Get-AzResource

    foreach ($subscriptionResource in $subscriptionResources)
    {
        $diagnosticSettings = Get-AzDiagnosticSetting `
            -ResourceId $subscriptionResource.ResourceId `
            -WarningAction SilentlyContinue `
            -ErrorAction SilentlyContinue | Where-Object -FilterScript {
                $null -ne $_.Id -and $null -ne $_.WorkspaceId
            }

        foreach ($diagnosticSetting in $diagnosticSettings)
        {
            $workspaceId = $diagnosticSetting.WorkspaceId
            $workspaceSources += [PSCustomObject] @{
                Type = 'Microsoft.Insights/diagnosticSettings'
                Description = 'Resource Diagnostic Settings'
                ResourceId = $subscriptionResource.Id
                ResourceName = $subscriptionResource.Name
                SubscriptionName = $subscription.Name
                SubscriptionId = $subscription.Id
                DiagnosticSettingsName = $diagnosticSetting.Name
                WorkspaceName = ($workspaceId -Split '/')[($workspaceId -Split '/').Count -1]
                WorkspaceId = $workspaceId
                Metrics = $diagnosticSetting.Metrics
                Logs = $diagnosticSetting.Logs
            }
        }
    }

    # Add AKS clusters using Log Analytics Workspace
    $aksClusterContainerInsights = Get-AzAksCluster

    foreach ($aksClusterContainerInsight in $aksClusterContainerInsights)
    {
        # Skip clusters that do not have the Container Insights (omsAgent)
        # addon configured; indexing into a missing Config would throw.
        $omsAgentProfile = $aksClusterContainerInsight.AddonProfiles.omsAgent

        if ($null -eq $omsAgentProfile -or $null -eq $omsAgentProfile.Config)
        {
            continue
        }

        $workspaceId = $omsAgentProfile.Config['logAnalyticsWorkspaceResourceID']
        $workspaceSources += [PSCustomObject] @{
            Type = 'Microsoft.ContainerService/ManagedClusters'
            Description = 'Container Insights'
            ResourceId = $aksClusterContainerInsight.Id
            ResourceName = $aksClusterContainerInsight.Name
            SubscriptionName = $subscription.Name
            SubscriptionId = $subscription.Id
            WorkspaceName = ($workspaceId -Split '/')[($workspaceId -Split '/').Count -1]
            WorkspaceId = $workspaceId
        }
    }

    # Add Virtual Machines using Log Analytics Workspace
    $logAnalyticsWorkspaces = Get-AzOperationalInsightsWorkspace
    $virtualMachines = Get-AzVm

    foreach ($virtualMachine in $virtualMachines)
    {
        # Suppress the error raised when the extension is not installed so
        # that the $null check below handles that case.
        $vmMonitoringExtension = Get-AzVMExtension `
            -ResourceGroupName $virtualMachine.ResourceGroupName `
            -VMName $virtualMachine.Name `
            -Name 'MicrosoftMonitoringAgent' `
            -ErrorAction SilentlyContinue

        if ($null -eq $vmMonitoringExtension)
        {
            Write-Warning -Message ('Guest OS in virtual machine {0} is not monitored by Log Analytics.' -f $virtualMachine.Name)
        }
        else
        {
            # The extension stores the workspace GUID (CustomerId), not the
            # resource ID, so map it back to a workspace object. Only
            # workspaces in the current subscription are matched here.
            $extensionSettings = $vmMonitoringExtension.PublicSettings | ConvertFrom-Json
            $customerId = $extensionSettings.workspaceId
            $workspace = $logAnalyticsWorkspaces |
                Where-Object -FilterScript { $_.CustomerId -eq $customerId } |
                Select-Object -First 1

            $workspaceSources += [PSCustomObject] @{
                Type = 'Microsoft.EnterpriseCloud.Monitoring'
                Description = 'Virtual Machine MicrosoftMonitoringAgent'
                ResourceId = $virtualMachine.Id
                ResourceName = $virtualMachine.Name
                SubscriptionName = $subscription.Name
                SubscriptionId = $subscription.Id
                WorkspaceName = $workspace.Name
                WorkspaceId = $workspace.ResourceId
            }
        }
    }
}

return $workspaceSources