Set up Log Analytics workspace
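# Prerequisite module for the group creation below.
# -Scope CurrentUser installs into the user profile, so an elevated session is
# not required (the default AllUsers scope writes under Program Files).
Install-Module AzureAD -Scope CurrentUser

# NOTE(review): New-AzureADGroup needs an authenticated AzureAD session; run
# Connect-AzureAD first if one is not already established in this session.
# Creates a security group (not mail-enabled) intended to hold the principals
# that will be granted Log Analytics Reader. The role assignment itself is not
# part of this snippet — the group still has to be assigned on the workspace.
$groupParams = @{
    DisplayName     = "Log Analytics Reader Group"
    Description     = "Log Analytics Reader Group"
    MailEnabled     = $false
    SecurityEnabled = $true
    MailNickName    = "LogAnalyticsReaderGroup"
}
$logReaderGroup = New-AzureADGroup @groupParams
# Emit the new group object (ObjectId is what a later role assignment needs).
$logReaderGroup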
# Deployment inputs for the management resource group. These are session
# globals consumed by the statements that follow; adjust them per environment.
$ORGANIZATION_NAME = "Az Days"
$LOCATION          = "Central US"
$LOCATION_ABBR     = "cenus"
# Target subscription. Not a secret, but environment-specific — override per tenant.
$SUBSCRIPTION_ID   = "7005478c-99cb-4b5d-a56c-d60abc23d6af"
$ENVIRONMENT       = "Prod"
$COSTCENTER        = "Corporate"
$OWNER             = "bruce@azdays.com"

# Date-only ISO stamp recorded in the "Created Date" tag.
$today = (Get-Date).ToString("yyyy-MM-dd")

# Tag set applied to the resource group. The deployment template on this page
# reads several of these back through resourceGroup().tags[...], so the key
# names ("Cost Center", "Location", "Environment", "Owner", "Created Date",
# "Tier") must stay exactly as written here.
$tags = @{
    "Cost Center"  = $COSTCENTER
    "Location"     = $LOCATION
    "Environment"  = $ENVIRONMENT
    "Project"      = $ORGANIZATION_NAME
    "Owner"        = $OWNER
    "Created Date" = $today
    "Tier"         = "Management"
}

# Resource-name-safe organization: whitespace removed, lower-cased.
$OrganizationName = ($ORGANIZATION_NAME -replace '\s', '').ToLower()
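# Select the target subscription.
# The original tested $SubscriptionId, which is a *different* variable from the
# $SUBSCRIPTION_ID configured above (underscore), so the configured value was
# silently ignored and whatever subscription the current context pointed at was
# used instead. Fall back to the current context only when nothing is configured.
if ([string]::IsNullOrWhiteSpace($SUBSCRIPTION_ID)) {
    $azContext = Get-AzContext
    if (-not $azContext) {
        throw "No subscription configured and no Az context available; run Connect-AzAccount first."
    }
    $SUBSCRIPTION_ID = $azContext.Subscription.Id
}
# Named context for this organization; -Force overwrites an existing context
# of the same name rather than prompting.
Set-AzContext -Name ($OrganizationName + "Context") -SubscriptionId $SUBSCRIPTION_ID -Force

#############
# Create shared resource group for management organization
#############
# Naming convention: rg-<region abbr>-<org>-<environment>-management
$resourceGroupName = "rg-$LOCATION_ABBR-$OrganizationName-$ENVIRONMENT-management"

# The original passed $Location_lc, which is never defined in this snippet (it
# belongs to the script further down), so -Location was empty. Use the
# configured region; New-AzResourceGroup accepts the display name form.
New-AzResourceGroup `
    -Name $resourceGroupName `
    -Location $LOCATION `
    -Tag $tags

# Echo the resulting group (id, location, tags) for the operator.
Get-AzResourceGroup -Name $resourceGroupName
Write-Host "Created or updated: " $resourceGroupName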
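#Requires -Version 7.0
#Requires -Modules PowerShellGet, Az, Az.Storage, Az.Resources
<#
.SYNOPSIS
Add-LogAnalytics creates (or updates) a shared management resource group and deploys a Log
Analytics workspace plus a diagnostics storage account into it, using loganalytics-deploy.json
from the same directory as this script.
.DESCRIPTION
Builds the resource group name as rg-<LocationAbbr>-<organization>-<Environment>-management,
creates the group with the standard tag set, runs a resource-group deployment of
loganalytics-deploy.json, and returns the workspace resource ID taken from the deployment's
"resourceID" output. Only that ID is written to the output stream; progress goes to the host.

Security note: the companion template also emits the workspace primary shared key as the
"workspaceKey" deployment output. Deployment outputs are kept in the resource group's
deployment history and are readable by anyone with Reader on the group, so either remove
that output from the template or treat the deployment history as sensitive.
.PARAMETER SubscriptionID
Optional. The Azure Subscription ID, such as "9f241d6e-16e2-4b2b-a485-cc546f04799b".
When omitted, the subscription of the current Az context is used.
.PARAMETER OrganizationName
Mandatory. Name of the organization. Whitespace is stripped and the value lower-cased when
it is used in resource names; the original value is kept for the Project tag.
.PARAMETER CostCenter
Optional. Cost center for this resource. Used for tags. Default is "Administration".
.PARAMETER Environment
Optional. Environment segment of the resource group name and the Environment tag. Default 'mgmt'.
.PARAMETER Location
Optional. Azure region (display name) for the resource group. Default "West US 2".
.PARAMETER LocationAbbr
Optional. Short region code used in the resource group name. Default 'wus2'.
.PARAMETER Owner
Optional. Value of the Owner tag. Defaults to the current user name.
.OUTPUTS
System.String. The resource ID of the Log Analytics workspace, or $null if the deployment failed.
.NOTES
Version: 1.0.2
Author: Bruce Kyle
Creation Date: 6/5/2020
Purpose/Change: Create the resource group in-script, look the deployment up by its own name,
keep the output stream limited to the returned resource ID, report the real failure reason.
Requires:
- Connection to Azure (Connect-AzAccount)
- loganalytics-deploy.json next to this script
Check before running: the copy of the template on this page declares the workspace name
variable as 'oms-workspace-name' but its workspaceName/workspaceId/workspaceKey outputs
reference variables('omsWorkspaceName'); the deployment fails at output evaluation until
those agree.
Copyright 2020 Stretegic Datatech LLC
License: MIT https://opensource.org/licenses/MIT
.EXAMPLE
$ORGANIZATION_NAME = "AzDays"
$LOCATION = "Central US"
$workspaceResourceId = .\Add-LogAnalytics.ps1 -SubscriptionID 9f241d6e-16e2-4b2b-a485-cc546f04799b `
    -OrganizationName $ORGANIZATION_NAME -Location $LOCATION -LocationAbbr 'cus'
#>
[CmdletBinding()]
#--------[Params]---------------
Param(
    [Parameter(Mandatory=$false)] [string] $SubscriptionID,
    [Parameter(Mandatory)] [string] $OrganizationName,
    [Parameter(Mandatory=$false)] [string] $CostCenter = "Administration",
    [Parameter(Mandatory=$false)] [string] $Environment='mgmt',
    [Parameter(Mandatory=$false)] [string] $Location="West US 2",
    [Parameter(Mandatory=$false)] [string] $LocationAbbr='wus2',
    [Parameter(Mandatory=$false)] [string] $Owner = $env:UserName
)
Set-StrictMode -Version Latest
$ErrorActionPreference = "Stop"

$loganalyticsResourceID = $null
try
{
    # Subscription: the explicit parameter wins; otherwise use the current Az context.
    # A [string] parameter defaults to "" (not $null), hence the whitespace test.
    if ([string]::IsNullOrWhiteSpace($SubscriptionID)) {
        $azContext = Get-AzContext
        if (-not $azContext) {
            throw "No -SubscriptionID given and no Az context available; run Connect-AzAccount first."
        }
        $SubscriptionID = $azContext.Subscription.Id
    }
    # Assign to $null: the context object must not leak onto the output stream.
    $null = Set-AzContext -Name ($OrganizationName + "Context") -SubscriptionId $SubscriptionID -Force

    # Name-safe organization (no whitespace, lower case), same rule as the setup snippet.
    $orgName = ($OrganizationName -replace '\s', '').ToLower()

    #############
    # Create the shared resource group.
    # The original referenced $ResourceGroupName without ever defining it, so it
    # only worked when a caller had set that variable in the session. Build it here.
    #############
    $ResourceGroupName = "rg-$LocationAbbr-$orgName-$Environment-management"

    # Tag keys must match what the template reads back via resourceGroup().tags[...].
    $tags = @{
        "Cost Center"  = $CostCenter
        "Location"     = $Location
        "Environment"  = $Environment
        "Project"      = $OrganizationName
        "Owner"        = $Owner
        "Created Date" = (Get-Date).ToString("yyyy-MM-dd")
        "Tier"         = "Management"
    }
    # -Force: update an existing group without a confirmation prompt.
    $null = New-AzResourceGroup -Name $ResourceGroupName -Location $Location -Tag $tags -Force
    Write-Host "Created or updated resource group: $ResourceGroupName"

    #############
    # Deploy log analytics with storage account
    #############
    # Drop the leading "rg-" to form the deployment name.
    $deploymentName = $ResourceGroupName.Substring(3) + "-management-deployment"
    Write-Host "Deployment name: $deploymentName"

    # Resolve the template next to this script rather than relative to the
    # caller's working directory, as the help text promises.
    $templateFile = Join-Path $PSScriptRoot 'loganalytics-deploy.json'
    if (-not (Test-Path -LiteralPath $templateFile)) {
        throw "Template not found: $templateFile"
    }

    # accepting the defaults for the other items
    $paramObject = @{
        'organization' = $OrganizationName
    }
    $parameters = @{
        'Name'                    = $deploymentName
        'ResourceGroupName'       = $ResourceGroupName
        'TemplateFile'            = $templateFile
        'TemplateParameterObject' = $paramObject
        'Verbose'                 = $true
    }
    # Keep the deployment result object off the output stream.
    $null = New-AzResourceGroupDeployment @parameters

    # Look the deployment up by its own name. The original queried
    # -Name $ResourceGroupName, which is not a deployment and never matches.
    $deployment = Get-AzResourceGroupDeployment -ResourceGroupName $ResourceGroupName -Name $deploymentName
    $loganalyticsResourceID = $deployment.Outputs.resourceID.value
}
catch
{
    # Report the real failure reason (the original printed only "failed"),
    # while keeping the contract of returning $null instead of throwing.
    $loganalyticsResourceID = $null
    Write-Warning "Log Analytics creation failed: $($_.Exception.Message)"
}
finally
{
    # Host stream, not output stream, so the return value stays a single string.
    Write-Host "Completed Log analytics creation: $loganalyticsResourceID"
}
return $loganalyticsResourceID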
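# Route Key Vault diagnostics into the Log Analytics workspace.
# Both values are placeholders: the workspace ID is what Add-LogAnalytics.ps1
# returns; the vault ID is the full ARM resource ID of the Key Vault.
$LOG_ANALYTICS_RESOURCE_ID = "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/oi-default-east-us/providers/microsoft.operationalinsights/workspaces/myworkspace"
$KEY_VAULT_RESOURCE_ID = "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myresourcegroup/providers/Microsoft.KeyVault/vaults/mykeyvault"

# Fail fast with a clear message if the placeholders were left in place,
# instead of an opaque error from the Azure call.
foreach ($id in @($LOG_ANALYTICS_RESOURCE_ID, $KEY_VAULT_RESOURCE_ID)) {
    if ($id -like '*xxxxxxxx-xxxx-xxxx*') {
        throw "Replace the placeholder resource ID before running: $id"
    }
}

# AuditEvent is Key Vault's data-plane audit log category (the record of who
# accessed which secret/key/certificate); AllMetrics adds platform metrics.
# -WorkspaceId takes the workspace *resource ID*, not the customer/workspace GUID.
Set-AzDiagnosticSetting -Name KeyVault-Diagnostics -ResourceId $KEY_VAULT_RESOURCE_ID `
    -Category AuditEvent -MetricCategory AllMetrics -Enabled $true `
    -WorkspaceId $LOG_ANALYTICS_RESOURCE_ID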
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"organization": {
"type": "string",
"metadata": {
"description": "Organization name. For example: AzDays"
}
},
"service-tier": {
"type": "string",
"defaultValue": "PerNode",
"allowedValues": [
"Free",
"Standalone",
"PerNode",
"PerGB2018"
],
"metadata": {
"description": "Service Tier: PerGB2018 (current pay-as-you-go tier) or one of the legacy tiers Free, Standalone, PerNode. Must be one of the allowedValues above."
}
},
"data-retention": {
"type": "int",
"defaultValue": 365,
"minValue": 0,
"maxValue": 365,
"metadata": {
"description": "Number of days data will be retained for."
}
},
"location": {
"type": "string",
"defaultValue": "West US 2",
"allowedValues": [
"australiacentral",
"australiaeast",
"australiasoutheast",
"brazilsouth",
"canadacentral",
"centralindia",
"centralus",
"eastasia",
"eastus",
"eastus2",
"francecentral",
"japaneast",
"koreacentral",
"northcentralus",
"northeurope",
"southafricanorth",
"southcentralus",
"southeastasia",
"uksouth",
"ukwest",
"westcentralus",
"westeurope",
"westus",
"westus2"
],
"metadata": {
"description": "Region used when establishing the workspace."
}
},
"tags": {
"type": "object",
"defaultValue": {
"Cost Center": "[resourceGroup().tags['Cost Center']]",
"Location": "[resourceGroup().tags['Location']]",
"Environment": "[resourceGroup().tags['Environment']]",
"Owner": "[resourceGroup().tags['Owner']]",
"Organization": "[parameters('organization')]",
"Created Date": "[resourceGroup().tags['Created Date']]",
"Tier": "[resourceGroup().tags['Tier']]"
}
},
},
"variables": {
"deployment-prefix": "[concat('workload-', parameters('organization'))]",
"uniqueString": "[uniqueString(subscription().id, concat(variables('deployment-prefix'), '-log'))]",
"diagnostic-storageAccount-prefix": "[concat(, 'diag', replace(variables('deployment-prefix'), '-', ''))]",
"diagnostic-storageAccount-name": "[toLower(substring(replace(concat(variables('diagnostic-storageAccount-prefix'), variables('uniqueString'), variables('uniqueString')), '-', ''), 0, 23) )]",
"oms-workspace-name": "[concat('log-', variables('deployment-prefix'))]"
},
"resources": [
{
"comments": "----DIAGNOSTICS STORAGE ACCOUNT-----",
"type": "Microsoft.Storage/storageAccounts",
"name": "[variables('diagnostic-storageAccount-name')]",
"apiVersion": "2019-06-01",
"location": "[resourceGroup().location]",
"kind": "StorageV2",
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"tags": "[parameters('tags')]",
"properties": {
"supportsHttpsTrafficOnly": true,
"networkAcls": {
"bypass": "AzureServices",
"defaultAction": "Deny"
}
}
},
{
"type": "Microsoft.Storage/storageAccounts/providers/locks",
"apiVersion": "2016-09-01",
"name": "[concat(variables('diagnostic-storageAccount-name'), '/Microsoft.Authorization/storageDoNotDelete')]",
"dependsOn": [
"[concat('Microsoft.Storage/storageAccounts/', variables('diagnostic-storageAccount-name'))]"
],
"comments": "Resource lock on diagnostic storage account",
"properties": {
"level": "CannotDelete"
}
},
{
"apiVersion": "2015-11-01-preview",
"location": "[parameters('location')]",
"name": "[variables('oms-workspace-name')]",
"properties": {
"sku": {
"Name": "[parameters('service-tier')]"
},
"retention": "[parameters('data-retention')]"
},
"tags": {},
"type": "Microsoft.OperationalInsights/workspaces"
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/locks",
"apiVersion": "2016-09-01",
"name": "[concat(variables('oms-workspace-name'), '/Microsoft.Authorization/logAnalyticsDoNotDelete')]",
"dependsOn": [
"[variables('oms-workspace-name')]"
],
"comments": "Resource lock on Log Analytics",
"properties": {
"level": "CannotDelete"
}
}
],
"outputs": {
"resourceID": {
"type": "string",
"value": "[resourceId('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]"
},
"workspaceName":{
"type": "string",
"value": "[variables('omsWorkspaceName')]"
},
"workspaceId":{
"type": "string",
"value": "[reference(resourceId('Microsoft.OperationalInsights/workspaces/', variables('omsWorkspaceName')), '2017-04-26-preview').customerId]"
},
"workspaceKey":{
"type": "string",
"value": "[listKeys(resourceId('Microsoft.OperationalInsights/workspaces/', variables('omsWorkspaceName')), '2017-04-26-preview').primarySharedKey]"
}
}
}
// Count of rows in the Logs table whose Level column is exactly "Critical".
// NOTE(review): == is a case-sensitive string comparison in KQL; use =~ if the
// source writes "critical"/"CRITICAL". "Logs" is not one of the standard
// Log Analytics tables — presumably a custom table here; confirm against the workspace.
Logs
| where Level == "Critical"
| count
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspaceName": {
"type": "string",
"metadata": {
"description": "Workspace name"
}
},
"sku": {
"type": "string",
"allowedValues": [
"PerGB2018",
"Free",
"Standalone",
"PerNode",
"Standard",
"Premium"
],
"defaultValue": "pergb2018",
"metadata": {
"description": "Pricing tier: pergb2018 or legacy tiers (Free, Standalone, PerNode, Standard or Premium) which are not available to all customers."
}
},
"dataRetention": {
"type": "int",
"defaultValue": 30,
"minValue": 7,
"maxValue": 730,
"metadata": {
"description": "Number of days of retention. Workspaces in the legacy Free pricing tier can only have 7 days."
}
},
"immediatePurgeDataOn30Days": {
"type": "bool",
"defaultValue": "[bool('false')]",
"metadata": {
"description": "If set to true, changing retention to 30 days will immediately delete older data. Use this with extreme caution. This only applies when retention is being set to 30 days."
}
},
"location": {
"type": "string",
"allowedValues": [
"australiacentral",
"australiaeast",
"australiasoutheast",
"brazilsouth",
"canadacentral",
"centralindia",
"centralus",
"eastasia",
"eastus",
"eastus2",
"francecentral",
"japaneast",
"koreacentral",
"northcentralus",
"northeurope",
"southafricanorth",
"southcentralus",
"southeastasia",
"uksouth",
"ukwest",
"westcentralus",
"westeurope",
"westus",
"westus2"
],
"metadata": {
"description": "Specifies the location in which to create the workspace."
}
},
"applicationDiagnosticsStorageAccountName": {
"type": "string",
"metadata": {
"description": "Name of the storage account with Azure diagnostics output"
}
},
"applicationDiagnosticsStorageAccountResourceGroup": {
"type": "string",
"metadata": {
"description": "The resource group name containing the storage account with Azure diagnostics output"
}
},
"customLogName": {
"type": "string",
"metadata": {
"description": "The custom log name"
}
}
},
"variables": {
"Updates": {
"Name": "[Concat('Updates', '(', parameters('workspaceName'), ')')]",
"GalleryName": "Updates"
},
"AntiMalware": {
"Name": "[concat('AntiMalware', '(', parameters('workspaceName'), ')')]",
"GalleryName": "AntiMalware"
},
"SQLAssessment": {
"Name": "[Concat('SQLAssessment', '(', parameters('workspaceName'), ')')]",
"GalleryName": "SQLAssessment"
},
"diagnosticsStorageAccount": "[resourceId(parameters('applicationDiagnosticsStorageAccountResourceGroup'), 'Microsoft.Storage/storageAccounts', parameters('applicationDiagnosticsStorageAccountName'))]"
},
"resources": [
{
"apiVersion": "2017-03-15-preview",
"type": "Microsoft.OperationalInsights/workspaces",
"name": "[parameters('workspaceName')]",
"location": "[parameters('location')]",
"properties": {
"retentionInDays": "[parameters('dataRetention')]",
"features": {
"immediatePurgeDataOn30Days": "[parameters('immediatePurgeDataOn30Days')]"
},
"sku": {
"name": "[parameters('sku')]"
}
},
"resources": [
{
"apiVersion": "2015-03-20",
"name": "VMSS Queries2",
"type": "savedSearches",
"dependsOn": [
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
],
"properties": {
"eTag": "*",
"category": "VMSS",
"displayName": "VMSS Instance Count",
"query": "Event | where Source == \"ServiceFabricNodeBootstrapAgent\" | summarize AggregatedValue = count() by Computer",
"version": 1
}
},
{
"apiVersion": "2017-04-26-preview",
"name": "Cross workspace function",
"type": "savedSearches",
"dependsOn": [
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
],
"properties": {
"etag": "*",
"displayName": "failedLogOnEvents",
"category": "Security",
"FunctionAlias": "failedlogonsecurityevents",
"query": "
union withsource=SourceWorkspace
workspace('workspace1').SecurityEvent,
workspace('workspace2').SecurityEvent,
workspace('workspace3').SecurityEvent,
| where EventID == 4625"
}
},
{
"apiVersion": "2015-11-01-preview",
"type": "datasources",
"name": "sampleWindowsEvent1",
"dependsOn": [
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
],
"kind": "WindowsEvent",
"properties": {
"eventLogName": "Application",
"eventTypes": [
{
"eventType": "Error"
},
{
"eventType": "Warning"
}
]
}
},
{
"apiVersion": "2015-11-01-preview",
"type": "datasources",
"name": "sampleWindowsPerfCounter1",
"dependsOn": [
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
],
"kind": "WindowsPerformanceCounter",
"properties": {
"objectName": "Memory",
"instanceName": "*",
"intervalSeconds": 10,
"counterName": "Available MBytes"
}
},
{
"apiVersion": "2015-11-01-preview",
"type": "datasources",
"name": "sampleIISLog1",
"dependsOn": [
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
],
"kind": "IISLogs",
"properties": {
"state": "OnPremiseEnabled"
}
},
{
"apiVersion": "2015-11-01-preview",
"type": "datasources",
"name": "sampleSyslog1",
"dependsOn": [
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
],
"kind": "LinuxSyslog",
"properties": {
"syslogName": "kern",
"syslogSeverities": [
{
"severity": "emerg"
},
{
"severity": "alert"
},
{
"severity": "crit"
},
{
"severity": "err"
},
{
"severity": "warning"
}
]
}
},
{
"apiVersion": "2015-11-01-preview",
"type": "datasources",
"name": "sampleSyslogCollection1",
"dependsOn": [
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
],
"kind": "LinuxSyslogCollection",
"properties": {
"state": "Enabled"
}
},
{
"apiVersion": "2015-11-01-preview",
"type": "datasources",
"name": "sampleLinuxPerf1",
"dependsOn": [
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
],
"kind": "LinuxPerformanceObject",
"properties": {
"performanceCounters": [
{
"counterName": "% Used Inodes"
},
{
"counterName": "Free Megabytes"
},
{
"counterName": "% Used Space"
},
{
"counterName": "Disk Transfers/sec"
},
{
"counterName": "Disk Reads/sec"
},
{
"counterName": "Disk Writes/sec"
}
],
"objectName": "Logical Disk",
"instanceName": "*",
"intervalSeconds": 10
}
},
{
"apiVersion": "2015-11-01-preview",
"type": "dataSources",
"name": "[concat(parameters('workspaceName'), parameters('customLogName'))]",
"dependsOn": [
"[concat('Microsoft.OperationalInsights/workspaces/', '/', parameters('workspaceName'))]"
],
"kind": "CustomLog",
"properties": {
"customLogName": "[parameters('customLogName')]",
"description": "Custom text log collected from the Windows log path configured below; TimeGenerated is extracted from the leading yyyy-MM-dd HH:mm:ss timestamp of each record.",
"extractions": [
{
"extractionName": "TimeGenerated",
"extractionProperties": {
"dateTimeExtraction": {
"regex": [
{
"matchIndex": 0,
"numberdGroup": null,
"pattern": "((\\d{2})|(\\d{4}))-([0-1]\\d)-(([0-3]\\d)|(\\d))\\s((\\d)|([0-1]\\d)|(2[0-4])):[0-5][0-9]:[0-5][0-9]"
}
]
}
},
"extractionType": "DateTime"
}
],
"inputs": [
{
"location": {
"fileSystemLocations": {
"linuxFileTypeLogPaths": null,
"windowsFileTypeLogPaths": [
"[concat('c:\\Windows\\Logs\\',parameters('customLogName'))]"
]
}
},
"recordDelimiter": {
"regexDelimiter": {
"matchIndex": 0,
"numberdGroup": null,
"pattern": "(^.*((\\d{2})|(\\d{4}))-([0-1]\\d)-(([0-3]\\d)|(\\d))\\s((\\d)|([0-1]\\d)|(2[0-4])):[0-5][0-9]:[0-5][0-9].*$)"
}
}
}
]
}
},
{
"apiVersion": "2015-11-01-preview",
"type": "datasources",
"name": "sampleLinuxPerfCollection1",
"dependsOn": [
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
],
"kind": "LinuxPerformanceCollection",
"properties": {
"state": "Enabled"
}
},
{
"apiVersion": "2015-03-20",
"name": "[concat(parameters('applicationDiagnosticsStorageAccountName'),parameters('workspaceName'))]",
"type": "storageinsightconfigs",
"dependsOn": [
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
],
"properties": {
"containers": [
"wad-iis-logfiles"
],
"tables": [
"WADWindowsEventLogsTable"
],
"storageAccount": {
"id": "[variables('diagnosticsStorageAccount')]",
"key": "[listKeys(variables('diagnosticsStorageAccount'),'2015-06-15').key1]"
}
}
},
{
"apiVersion": "2015-11-01-preview",
"location": "[parameters('location')]",
"name": "[variables('Updates').Name]",
"type": "Microsoft.OperationsManagement/solutions",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.OperationsManagement/solutions/', variables('Updates').Name)]",
"dependsOn": [
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
],
"properties": {
"workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
},
"plan": {
"name": "[variables('Updates').Name]",
"publisher": "Microsoft",
"product": "[Concat('OMSGallery/', variables('Updates').GalleryName)]",
"promotionCode": ""
}
},
{
"apiVersion": "2015-11-01-preview",
"location": "[parameters('location')]",
"name": "[variables('AntiMalware').Name]",
"type": "Microsoft.OperationsManagement/solutions",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.OperationsManagement/solutions/', variables('AntiMalware').Name)]",
"dependsOn": [
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
],
"properties": {
"workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
},
"plan": {
"name": "[variables('AntiMalware').Name]",
"publisher": "Microsoft",
"product": "[Concat('OMSGallery/', variables('AntiMalware').GalleryName)]",
"promotionCode": ""
}
},
{
"apiVersion": "2015-11-01-preview",
"location": "[parameters('location')]",
"name": "[variables('SQLAssessment').Name]",
"type": "Microsoft.OperationsManagement/solutions",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.OperationsManagement/solutions/', variables('SQLAssessment').Name)]",
"dependsOn": [
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
],
"properties": {
"workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
},
"plan": {
"name": "[variables('SQLAssessment').Name]",
"publisher": "Microsoft",
"product": "[Concat('OMSGallery/', variables('SQLAssessment').GalleryName)]",
"promotionCode": ""
}
}
]
}
],
"outputs": {
"workspaceName": {
"type": "string",
"value": "[parameters('workspaceName')]"
},
"provisioningState": {
"type": "string",
"value": "[reference(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceName')), '2015-11-01-preview').provisioningState]"
},
"source": {
"type": "string",
"value": "[reference(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceName')), '2015-11-01-preview').source]"
},
"customerId": {
"type": "string",
"value": "[reference(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceName')), '2015-11-01-preview').customerId]"
},
"sku": {
"type": "string",
"value": "[reference(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceName')), '2015-11-01-preview').sku.name]"
},
"retentionInDays": {
"type": "int",
"value": "[reference(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceName')), '2015-11-01-preview').retentionInDays]"
},
"immediatePurgeDataOn30Days": {
"type": "bool",
"value": "[reference(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceName')), '2015-11-01-preview').features.immediatePurgeDataOn30Days]"
},
"portalUrl": {
"type": "string",
"value": "[reference(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceName')), '2015-11-01-preview').portalUrl]"
}
}
}