| 1 | +--- |
| 2 | +title: Configure Vault Diagnostics settings at scale |
| 3 | +description: Configure Log Analytics Diagnostics settings for all vaults in a given scope using Azure Policy |
| 4 | +ms.topic: conceptual |
| 5 | +ms.date: 02/14/2020 |
| 6 | +--- |
| 7 | +# Configure Vault Diagnostics settings at scale |
| 8 | + |
| 9 | +The reporting solution provided by Azure Backup leverages Log Analytics (LA). For the data of any given vault to be sent to LA, a [diagnostics setting](https://aka.ms/AzureBackupDiagnosticsDocs) needs to be created for that vault. |
| 10 | + |
| 11 | +Often, adding a diagnostics setting manually per vault can be a cumbersome task. In addition, any new vault created also needs to have diagnostics settings enabled in order to be able to view reports for this vault. |
| 12 | + |
| 13 | +To simplify the creation of diagnostics settings at scale (with LA as the destination), Azure Backup provides a built-in [Azure Policy](https://docs.microsoft.com/azure/governance/policy/). This policy adds an LA diagnostics setting to all vaults in a given subscription or resource group. The following sections provide instructions on how to use this policy. |
| 14 | + |
| 15 | +## Supported Scenarios |
| 16 | + |
| 17 | +* The policy can be applied at one time to all Recovery Services vaults in a particular subscription (or to a resource group within the subscription). The user assigning the policy needs to have 'Owner' access to the subscription to which the policy is assigned. |
| 18 | + |
| 19 | +* The LA Workspace as specified by the user (to which diagnostics data will be sent to) can be in a different subscription from the vaults to which the policy is assigned. The user needs to have 'Reader', 'Contributor' or 'Owner' access to the subscription in which the specified LA Workspace exists. |
| 20 | + |
| 21 | +* Management Group scope is currently unsupported. |
| 22 | + |
| 23 | +* The built-in policy is currently not available in national clouds. |
| 24 | + |
| 25 | +## Assigning the built-in policy to a scope |
| 26 | + |
| 27 | +To assign the policy for vaults in the required scope, follow the steps below: |
| 28 | + |
| 29 | +1. Sign in to the Azure portal and navigate to the **Policy** Dashboard. |
| 30 | +2. Select **Definitions** in the left menu to get a list of all built-in policies across Azure Resources. |
| 31 | +3. Filter the list for **Category=Monitoring**. Locate the policy named **[Preview]: Deploy Diagnostic Settings for Recovery Services Vault to Log Analytics workspace for resource specific categories**. |
| 32 | + |
| 33 | + |
| 34 | + |
| 35 | +4. Click on the name of the policy. You will be redirected to the detailed definition for this policy. |
| 36 | + |
| 37 | + |
| 38 | + |
| 39 | +5. Click on the **Assign** button at the top of the blade. This redirects you to the **Assign Policy** blade. |
| 40 | + |
| 41 | +6. Under **Basics**, click on the three dots next to the **Scope** field. This opens up a right context blade where you can select the subscription for the policy to be applied on. You can also optionally select a resource group, so that the policy is applied only for vaults in a particular resource group. |
| 42 | + |
| 43 | + |
| 44 | + |
| 45 | +7. Under **Parameters**, enter the following information: |
| 46 | +* **Profile Name** - The name that will be assigned to the diagnostics settings created by the policy. |
| 47 | +* **Log Analytics Workspace** - The Log Analytics Workspace to which the diagnostics setting should be associated. Diagnostics data of all vaults in the scope of the Policy assignment will be pushed to the specified LA Workspace. |
| 48 | + |
| 49 | +* **Exclusion Tag Name (optional) and Exclusion Tag Value (optional)** - You can choose to exclude vaults containing a certain tag name and value from the policy assignment. For example, if you do **not** want a diagnostics setting to be added to those vaults which have a tag 'isTest' set to the value 'yes', you must enter 'isTest' in the **Exclusion Tag Name** field and 'yes' in the **Exclusion Tag Value** field. If any (or both) of these two fields are left empty, the policy will be applied to all relevant vaults irrespective of the tags they contain. |
| 50 | + |
| 51 | + |
| 52 | + |
| 53 | +8. **Create a remediation task** - Once the policy is assigned to a scope, any new vaults created in that scope automatically get LA diagnostics settings configured (within 30 minutes from the time of creation of the vault). To add a diagnostics setting to existing vaults in the scope, you can trigger a remediation task at policy assignment time. To trigger a remediation task, select the checkbox **Create a Remediation task**. |
| 54 | + |
| 55 | + |
| 56 | + |
| 57 | +9. Navigate to the **Review+Create** tab and click **Create**. |
| 58 | + |
| 59 | +## Under what conditions will the remediation task apply to a vault? |
| 60 | + |
| 61 | +The remediation task is applied to vaults that are non-compliant according to the definition of the policy. A vault is non-compliant if it satisfies either of the following conditions: |
| 62 | + |
| 63 | +* No diagnostics setting is present for the vault. |
| 64 | +* Diagnostic settings are present for the vault but neither of the settings has **all of** the Resource specific events enabled with LA as destination, and **Resource specific** selected in the toggle. |
| 65 | + |
| 66 | +So even if a user has a vault with the AzureBackupReport event enabled in AzureDiagnostics mode (which is supported by Backup Reports), the remediation task will still apply to this vault, since the Resource specific mode is the recommended way of creating diagnostics settings, [going forward](https://aka.ms/AzureBackupDiagnosticsDocs#legacy-event). |
| 67 | + |
| 68 | +Further, if a user has a vault with only a subset of the six Resource specific events enabled, the remediation task will apply for this vault, since Backup Reports will work as expected only if all of the six Resource specific events are enabled. |
| 69 | + |
| 70 | +> [!NOTE] |
| 71 | +> |
| 72 | +> If a vault has an existing diagnostics setting with a **subset of Resource specific** categories enabled, configured to send data to a particular LA Workspace, say 'Workspace X', then the remediation task will fail (for that vault alone) if the destination LA Workspace provided in the Policy assignment is the **same** 'Workspace X'. |
| 73 | +> |
| 74 | +>This is because, if the events enabled by two different diagnostics settings on the same resource **overlap** in some form, then the settings cannot have the same LA Workspace as the destination. You will have to manually resolve this failure, by navigating to the relevant vault and configuring a diagnostics setting with a different LA Workspace as the destination. |
| 75 | +> |
| 76 | +> Note that the remediation task will **not** fail if the existing diagnostics setting as only AzureBackupReport enabled with Workspace X as the destination, since in this case, there will be no overlap between the events enabled by the existing setting and the events enabled by the setting created by the remediation task. |
| 77 | +
| 78 | +## Next Steps |
| 79 | +- [Learn how to use Backup Reports](https://aka.ms/AzureBackupReportDocs) |
| 80 | +- [Learn more about Azure Policy](https://docs.microsoft.com/azure/governance/policy/) |
| 81 | +- [Use Azure Policy to auto-enable backup for all VMs in a give scope](https://docs.microsoft.com/azure/backup/backup-azure-auto-enable-backup) |
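Review bot: several wording defects in this new page should be fixed before merge. In the last "Next Steps" item, "in a give scope" should read "in a given scope". In the final NOTE paragraph, "the existing diagnostics setting as only AzureBackupReport enabled" should read "has only AzureBackupReport enabled"; as written the sentence is hard to parse. In the second "Supported Scenarios" bullet, "to which diagnostics data will be sent to" doubles the preposition; drop the trailing "to". In the second non-compliance bullet, "neither of the settings has all of the Resource specific events enabled" assumes exactly two settings; "none of the settings has all of the Resource specific events enabled" covers any number. The remediation section refers to "the six Resource specific events" without naming them; either list the six categories or link to the diagnostics doc already cited so a reader can verify that an existing setting is complete. Finally, the empty runs after steps 3, 4, 6, 7 and 8 look like places where screenshots were intended; either add the image references or remove the blank lines.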