To capture logs and metrics of most resources, you must add diagnostic settings. Click on the desired Azure service name for instructions on adding diagnostic settings.

• Azure Active Directory (AD)
• Azure Kubernetes Services (AKS)
• Azure App Services
• Azure Cognitive Services
• Azure Functions
• Azure SQL Database
• Azure SQL Managed Instances
• Azure Storage Account
• Azure Virtual Machines
• Create diagnostic settings at scale

Active Directory (AD)

1. Log into the Azure portal.
2. Search for the Active Directory in the search field.

3. Go to Monitoring and Diagnostic settings. Select Diagnostic setting.

4. Select the following options:

• Diagnostic setting name - Observe
• AuditLogs
• SignInLogs
• NonInteractiveUserSignInLogs
• ServicePrincipalSignInLogs
• ManagedIdentitySignInLogs
• ProvisioningLogs
• Stream to an event hub

5. Select the event hub created by the Observe collection function.
6. Click Save.

Azure Kubernetes Services (AKS)

1. Log into the Azure portal.
2. In the Azure search field, enter Kubernetes Services.

3. Choose the service you want to monitor.
4. From the menu, select Diagnostic Settings.

5. Click Add diagnostic setting.

6. Create a name for your setting. Select all of the metrics listed, then click Stream to an Event hub. Be sure to select the Event hub namespace and Event hub name with your Observe customer ID.

7. Click Save.

Azure App Services

1. Log into the Azure portal.
2. Search for the App Services in the search field and select the App Services.

3. Select the App Service you want to monitor.

4. Search for Diagnostic settings and select it.

5. Select Add diagnostic setting.

6. Select the following options:

• Diagnostic setting name - Observe
• HTTP logs
• App Service Console Logs
• App Service Application Logs
• Access Audit Logs
• IPSecurity Audit logs
• App Service Platform logs
• All Metrics
• Stream to an event hub

7. Select the event hub created by the Observe collection function.
8. Click Save.

If you have Application Insights enabled and want to get detailed info for your App Service:

1. Search for Application Insights and select it.

2. Click View Application Insights data.
3. Search for Diagnostic settings and select it.

4. Select Add diagnostic setting.
5. Select the following options:

• Diagnostic setting name - Observe
• All logs
• All Metrics
• Stream to an event hub

6. Select the event hub created by the Observe collection function.
7. Click Save.

Azure Cognitive Services

1. Log into the Azure portal.
2. Search for the Cognitive Services in the search field and select it.

3. Select the Cognitive Service Type you want to monitor.

4. Select the Cognitive Service you want to monitor.

5. Search for Diagnostic settings and select it.

6. Select Add diagnostic setting.

7. Select the following options:

• Diagnostic setting name - Observe
• All Logs
• All Metrics
• Stream to an event hub

8. Select the event hub created by the Observe collection function.
9. Click Save.

Azure Functions

1. Log into the Azure portal.
2. Search for the Function App in the search field and select the Function App.

3. Select the Function App you want to monitor.

4. Search for Diagnostic settings and select it.

5. Select Add diagnostic setting.

6. Select the following options:

• Diagnostic setting name - Observe
• Function Application Logs
• All Metrics
• Stream to an event hub

7. Select the event hub created by the Observe collection function.
8. Click Save.

Azure SQL Database

1. Log into the Azure portal.
2. In the Azure search field, enter SQL Database.
3. Select your database.

4. From the left menu, choose Diagnostic Settings and click Add diagnostic setting.

5. Choose all Logs, Audit Logs, and all Metrics. Send to the event hub with your customer ID.

6. Create a name for Diagnostic Setting and click Save.

Azure SQL Managed Instances

1. Log into the Azure portal.
2. In the Azure search field, enter SQL Managed Instances.
3. Select your SQL Managed Instance.

4. From the left menu, choose Diagnostic Settings and click Add diagnostic setting.

5. Select all Logs, Audit logs, and all Metrics. Send to event hub with your customer-id.

6. Create a name for the diagnostic setting and click Save.

Azure Storage Account

1. Log into the Azure portal.
2. Search for the Storage Accounts in the search field.

3. Go to the Monitoring section and select Diagnostic setting. This enables logs and metrics at the Storage Account level.

4. Select Add Diagnostics Settings.

5. Select Metrics -> Transaction and select the event hub created by the Observe collection function.
6. Click Save.
7. Go to the Monitoring and Diagnostic settings. Select Diagnostic setting. Select blob under the Storage Account.

8. Select Add Diagnostics Settings.
9. Select Metrics -> Transaction. Select Logs -> Categories -> StorageRead, StorageWrite, StorageDelete.
10. Select the event hub created by the Observe collection function.
11. Click Save.

Azure virtual machine

Currently, the Azure app collects this data using the timer_resources_func and timer_vm_metrics_func functions within the Observe Function app deployed. It does not require any diagnostic settings.

Create diagnostic settings at scale

Create Azure policies

If you want to create Diagnostic Settings for all resources of a resource type, you can configure an Azure Policy. Create custom policy definitions for each type of resource to monitor. Microsoft provides documentation on how to accomplish this.

Once you create the policies in your Azure account, Observe recommends creating a policy initiative, assigning the relevant policies, assigning that policy to a Management Group, and then adding your subscriptions to that management group.

Create a management group

1. Log into the Azure portal.
2. In the Azure search field, enter Management Groups.
3. Click Create.
4. Give the policy an ID such as observeDiagnosticSettings.
5. Set the policy display name such as Observe Diagnostic Settings.

6. Click Submit.

Populate the management group

Once you create the management group, you need to move any other management groups or subscriptions to apply under the Observe Diagnostic Settings management group. Use the following steps:

1. Log into the Azure portal.
2. In the Azure search field, enter Management Groups.
3. Click on the three dots on the right of the management group or subscription.
4. Click Move.
5. Select the Observe Diagnostic Settings management group as the destination.
6. Click Save.

Create an initiative

An initiative consists of a collection of one or more policies that allow for simpler policy management. To create an initiative, use the following steps:

1. Log into the Azure portal.
2. In the Azure search field, enter Policy.
3. Select Definitions from the left menu of the page.
4. Click Initiative Definition at the top of the page.
5. Choose the management group created in the previous step for Initiative location.
6. Set the name of the initiative to Send to Observe.
7. Set the category to Monitoring after selecting on Use existing.

8. Click Next.
9. Select all of the policies for the diagnostic settings for the resource types to monitor.
10. Click Initiative Parameters at the top of the page.
11. Click Create initiative parameter to create a new initiative parameter.
12. Create an initiative parameter called azureRegions. Set the type to array, and add a strong type of location. Add a default value, and then click Save.

13. Create an initiative parameter called eventHubName. Set the type to string, and give it a strong type of Generic - Microsoft.EventHub/Namespaces/EventHubs.
14. Select yes for Assign Permissions, and then click Save.

15. Create an initiative parameter called eventHubRuleId.
16. Set the type to string, and add a strong type of Generic - Microsoft.EventHub/Namespaces/AuthorizationRules.
17. Select Yes for Assign Permissions, and then click Save.

18. Create an initiative parameter called metricsEnabled.
19. Set the type to string, and then set the allowed value to ["True", "False"].
20. Set the default value to True and then click Save.

21. Create an initiative parameter called logsEnabled. Set the type to string, and set the allowed value to ["True", "False"].
22. Set the default value to True and then click Save.

23. Create an initiative parameter named profileName.
24. Set the type to string, and then set the default value to SendToObserve.
25. Click Save.

26. Navigate to the Policy Parameters section.
27. Clear the Only show parameters that need input or review checkbox.
28. Set every Value Type to Use Initiative Parameter and select the corresponding initiative parameter.

29. Click Review and then Create.

Assigning the Initiative

Assign the initiative to each region you want to monitor using the following steps:

1. Log into the Azure portal.
2. In the Azure search field, enter Policy.
3. Select Assignments.
4. Click Assign Initiative.
5. Choose the management group created in the previous step as the Scope.
6. Select the Send to Observe initiative created in the previous section.
7. Name the assignment Send to Observe - <location>.

8. Click Parameters.
9. Clear the Only show parameters that need input or review checkbox.
10. Select the region to deploy for the azureRegions parameter.
11. Select the eventhub name from the region.

12. Select the Eventhub authorization rule for the Eventhub.

13. Review the parameters.

14. Click Review + create and then Create.

Once you create the assignment, any new resources of the resource type automatically receive the diagnostic settings to send to Observe created a short period after you create the resource.

Remediation

To remediate non-compliant resources from the Azure portal, perform the following steps:

1. Log into the Azure portal.
2. In the Azure search field, enter Policy.
3. Click Remediation.
4. Find the policy for the resource type you want to remediate and click the 3 dots.
5. Click Remediate.
6. Click Remediate again on the Remediation page.

This creates the diagnostic settings for all of those resources sent to Observe.