Effective monitoring of resources is critical in a well-managed cloud deployment. Within Azure, diagnostic settings allow you to send performance metrics or logs to a destination such as a Log Analytics workspace, Azure storage account, Event Hub, or an Azure Monitor partner integration.
Configuring diagnostics has always required manually specifying exactly which log types you wish to capture. Azure resources often have many types of diagnostic logs, and it can be difficult for organisations to know what they need. For example, when you are configuring Azure Virtual Desktop logs, you have the following log categories:
Whereas with a Key Vault, you have these options.
Importantly, the monitoring capability of Azure is always changing. Microsoft introduces new log types all the time, such as the recently added NonInteractiveUserSignInLogs, ServicePrincipalSignInLogs, and ManagedIdentitySignInLogs for Azure AD. Staying up to date means you must manually update your diagnostic settings to include these new logs.
A better approach than specifying individual logs and updating your diagnostic settings every time a new log type appears is to use Category Groups instead.
The working concept of category groups is similar to dynamic user or device groups in Azure AD, where users and devices are added or removed automatically. With category groups, the membership of each group is maintained by Microsoft, so you don’t have to keep track of every individual log category yourself.
Currently, there are two category groups available:
- All Logs – Every resource log offered by the resource
- Audit – All resource logs that record customer interactions with data or the settings of the service
Using category groups, it becomes simple to do something like send Audit Logs to a Log Analytics Workspace, and All Logs to a storage account.
We can configure diagnostic settings using Azure Portal, PowerShell, Azure CLI, Bicep or ARM templates. In this post, we will be using Azure Portal and Bicep. As of writing, not all resources have category groups available, so make sure to reference the documentation for your specific service.
When configuring the Azure Key Vault diagnostic setting using the Azure portal, you will see the following category groups available.
To configure the same setting using Bicep, we can first get the template format reference from here. If we look at the LogSettings object, we have a categoryGroup property available.
If we want to enable all logs, we set the categoryGroup value to 'allLogs' in the logs section of our Bicep template, as shown in the screenshot below.
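As an added example (not a template from the original post), the following Bicep file puts the earlier idea into practice: the Key Vault's Audit category group goes to a Log Analytics workspace, where it can be queried and alerted on, while the All Logs category group goes to a storage account for cheaper long-term retention. The parameter names, the two diagnostic setting names and the `existing` Key Vault reference are assumptions for the illustration; `categoryGroup`, `audit` and `allLogs` are the values the post describes.

```bicep
// Added example: Key Vault diagnostic settings using category groups.
// Parameter names and setting names are assumptions for this illustration.
param keyVaultName string
param logAnalyticsWorkspaceId string   // resource ID of an existing Log Analytics workspace
param storageAccountId string          // resource ID of an existing storage account

// Reference the Key Vault that already exists in the target resource group.
resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
  name: keyVaultName
}

// Setting 1: the 'audit' category group to Log Analytics.
// Audit logs record who touched secrets, keys and certificates, so they are the
// ones you want searchable and alertable in a SIEM-style workspace.
resource auditToWorkspace 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'kv-audit-to-law'
  scope: keyVault
  properties: {
    workspaceId: logAnalyticsWorkspaceId
    logs: [
      {
        categoryGroup: 'audit'   // Microsoft maintains which categories belong here
        enabled: true
      }
    ]
  }
}

// Setting 2: the 'allLogs' category group (plus metrics) to a storage account.
// Any log category Microsoft adds to the resource later is picked up automatically,
// without editing this template.
resource allLogsToStorage 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'kv-alllogs-to-storage'
  scope: keyVault
  properties: {
    storageAccountId: storageAccountId
    logs: [
      {
        categoryGroup: 'allLogs'
        enabled: true
      }
    ]
    metrics: [
      {
        category: 'AllMetrics'
        enabled: true
      }
    ]
  }
}
```

Deploy it with `az deployment group create --resource-group <rg> --template-file keyvault-diagnostics.bicep --parameters keyVaultName=<vault> logAnalyticsWorkspaceId=<id> storageAccountId=<id>`. Two separate diagnosticSettings resources are used because each setting can send a given log category to only one destination of each type; Azure allows up to five diagnostic settings per resource, so keep that limit in mind when splitting destinations this way.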