|
1 | 1 | ---
|
2 | 2 | title: Archive Azure Diagnostic Logs
|
3 | 3 | description: Learn how to archive your Azure Diagnostic Logs for long-term retention in a storage account.
|
4 |
| -author: johnkemnetz |
| 4 | +author: nkiest |
5 | 5 | services: azure-monitor
|
6 | 6 | ms.service: azure-monitor
|
7 | 7 | ms.topic: conceptual
|
8 | 8 | ms.date: 07/18/2018
|
9 |
| -ms.author: johnkem |
| 9 | +ms.author: nikiest |
10 | 10 | ms.subservice: logs
|
11 | 11 | ---
|
12 | 12 | # Archive Azure Diagnostic Logs
|
13 | 13 |
|
14 | 14 | In this article, we show how you can use the Azure portal, PowerShell Cmdlets, CLI, or REST API to archive your [Azure diagnostic logs](diagnostic-logs-overview.md) in a storage account. This option is useful if you would like to retain your diagnostic logs with an optional retention policy for audit, static analysis, or backup. The storage account does not have to be in the same subscription as the resource emitting logs as long as the user who configures the setting has appropriate RBAC access to both subscriptions.
|
15 | 15 |
|
16 |
| -> [!WARNING] |
17 |
| -> The format of the log data in the storage account will change to JSON Lines on Nov. 1st, 2018. [See this article for a description of the impact and how to update your tooling to handle the new format.](./../../azure-monitor/platform/diagnostic-logs-append-blobs.md) |
18 |
| -> |
19 |
| -> |
20 |
| -
|
21 | 16 | ## Prerequisites
|
22 | 17 |
|
23 | 18 | Before you begin, you need to [create a storage account](../../storage/common/storage-quickstart-create-account.md) to which you can archive your diagnostic logs. We highly recommend that you do not use an existing storage account that has other, non-monitoring data stored in it so that you can better control access to monitoring data. However, if you are also archiving your Activity log and diagnostic metrics to a storage account, it may make sense to use that storage account for your diagnostic logs as well to keep all monitoring data in a central location.
|
24 | 19 |
|
25 |
| -> [!NOTE] |
26 |
| -> You cannot currently archive data to a storage account that behind a secured virtual network. |
27 |
| -
|
28 | 20 | ## Diagnostic settings
|
29 | 21 |
|
30 |
| -To archive your diagnostic logs using any of the methods below, you set a **diagnostic setting** for a particular resource. A diagnostic setting for a resource defines the categories of logs and metric data sent to a destination (storage account, Event Hubs namespace, or Log Analytics workspace). It also defines the retention policy (number of days to retain) for events of each log category and metric data stored in a storage account. If a retention policy is set to zero, events for that log category are stored indefinitely (that is to say, forever). A retention policy can otherwise be any number of days between 1 and 2147483647. [You can read more about diagnostic settings here](../../azure-monitor/platform/diagnostic-logs-overview.md#diagnostic-settings). Retention policies are applied per-day, so at the end of a day (UTC), logs from the day that is now beyond the retention policy will be deleted. For example, if you had a retention policy of one day, at the beginning of the day today the logs from the day before yesterday would be deleted. The delete process begins at midnight UTC, but note that it can take up to 24 hours for the logs to be deleted from your storage account. |
| 22 | +To archive your diagnostic logs using any of the methods below, you set a **diagnostic setting** for a particular resource. A diagnostic setting for a resource defines the categories of logs and metric data sent to a destination (storage account, Event Hubs namespace, or Log Analytics workspace). It also defines the retention policy (number of days to retain) for events of each log category and metric data stored in a storage account. If a retention policy is set to zero, events for that log category are stored indefinitely (that is to say, forever). A retention policy can otherwise be any number of days between 1 and 365. [You can read more about diagnostic settings here](../../azure-monitor/platform/diagnostic-logs-overview.md#diagnostic-settings). Retention policies are applied per-day, so at the end of a day (UTC), logs from the day that is now beyond the retention policy will be deleted. For example, if you had a retention policy of one day, at the beginning of the day today the logs from the day before yesterday would be deleted. The delete process begins at midnight UTC, but note that it can take up to 24 hours for the logs to be deleted from your storage account. |
31 | 23 |
|
32 | 24 | > [!NOTE]
|
33 | 25 | > Sending multi-dimensional metrics via diagnostic settings is not currently supported. Metrics with dimensions are exported as flattened single dimensional metrics, aggregated across dimension values.
|
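Review bot: The `[!NOTE]` removed under Prerequisites ("You cannot currently archive data to a storage account that behind a secured virtual network") is dropped with no replacement text, so a reader who has restricted the storage account to a virtual network can no longer tell from this page whether archiving will work. If the limitation has been lifted, say so in the Prerequisites paragraph along with any requirement that applies; if it has not, keep the note and fix "that behind" to "that is behind". Two smaller points in the front matter: `ms.date` still reads 07/18/2018 although the body changes, and the new values `author: nkiest` and `ms.author: nikiest` differ by one letter, so confirm both are intended.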
@@ -65,14 +57,14 @@ After a few moments, the new setting appears in your list of settings for this r
|
65 | 57 | [!INCLUDE [updated-for-az](../../../includes/updated-for-az.md)]
|
66 | 58 |
|
67 | 59 | ```
|
68 |
| -Set-AzDiagnosticSetting -ResourceId /subscriptions/s1id1234-5679-0123-4567-890123456789/resourceGroups/testresourcegroup/providers/Microsoft.Network/networkSecurityGroups/testnsg -StorageAccountId /subscriptions/s1id1234-5679-0123-4567-890123456789/resourceGroups/myrg1/providers/Microsoft.Storage/storageAccounts/my_storage -Categories networksecuritygroupevent,networksecuritygrouprulecounter -Enabled $true -RetentionEnabled $true -RetentionInDays 90 |
| 60 | +Set-AzDiagnosticSetting -ResourceId /subscriptions/s1id1234-5679-0123-4567-890123456789/resourceGroups/testresourcegroup/providers/Microsoft.Network/networkSecurityGroups/testnsg -StorageAccountId /subscriptions/s1id1234-5679-0123-4567-890123456789/resourceGroups/myrg1/providers/Microsoft.Storage/storageAccounts/my_storage -Category networksecuritygroupevent,networksecuritygrouprulecounter -Enabled $true -RetentionEnabled $true -RetentionInDays 90 |
69 | 61 | ```
|
70 | 62 |
|
71 | 63 | | Property | Required | Description |
|
72 | 64 | | --- | --- | --- |
|
73 | 65 | | ResourceId |Yes |Resource ID of the resource on which you want to set a diagnostic setting. |
|
74 | 66 | | StorageAccountId |No |Resource ID of the Storage Account to which Diagnostic Logs should be saved. |
|
75 |
| -| Categories |No |Comma-separated list of log categories to enable. | |
| 67 | +| Category |No |Comma-separated list of log categories to enable. | |
76 | 68 | | Enabled |Yes |Boolean indicating whether diagnostics are enabled or disabled on this resource. |
|
77 | 69 | | RetentionEnabled |No |Boolean indicating if a retention policy are enabled on this resource. |
|
78 | 70 | | RetentionInDays |No |Number of days for which events should be retained between 1 and 2147483647. A value of zero stores the logs indefinitely. |
|
|
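Review bot: The `RetentionInDays` row at the end of the table is left unchanged and still reads "between 1 and 2147483647", which now contradicts the Diagnostic settings paragraph that this commit changes to "between 1 and 365". Update the row to the same range so the cmdlet table and the prose agree on what retention values are accepted. While touching the table, "if a retention policy are enabled" in the `RetentionEnabled` row should read "is enabled", and the `Category` row, marked as not required, could state what is enabled when the parameter is omitted.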