1

Is there a way to configure Azure Activity logs to be forwarded to a Log Analytics instance using PowerShell? Essentially the same that can be performed using the Portal as outlined on this page: https://learn.microsoft.com/en-us/azure/azure-monitor/platform/collect-activity-logs#configuration

Felix Bodmer

1 Answer

1

You may use the PowerShell cmdlet New-AzureRmOperationalInsightsAzureActivityLogDataSource.

Illustration:

New-AzureRmOperationalInsightsAzureActivityLogDataSource -ResourceGroupName <LogAnalyticsOMSWorkspaceResourceGroupName> -WorkspaceName <LogAnalyticsOMSWorkspaceName> -Name <NameOfThisOperationalInsightsAzureActivityLogDataSource> -SubscriptionId <SubscriptionId>

For more information, refer to https://learn.microsoft.com/en-us/powershell/module/azurerm.operationalinsights/New-AzureRmOperationalInsightsAzureActivityLogDataSource?view=azurermps-6.13.0

Hope this helps!!

KrishnaG
  • Yes it does, thanks so much! Do you happen to know how I can connect the AAD logs? – Felix Bodmer Jan 07 '19 at 11:21
  • Check if the below Microsoft documentation links help to accomplish the ask regarding AAD logs. https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-integrate-activity-logs-with-log-analytics and https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-analyze-activity-logs-log-analytics – KrishnaG Jan 31 '19 at 11:05
  • Sorry, was wondering how to connect AAD logs to Log Analytics using PowerShell - not the portal. – Felix Bodmer Feb 01 '19 at 07:49
  • What value do I need to provide for the -Name parameter? The Microsoft documentation on this cmdlet is horrendous. – jschmitter Mar 23 '19 at 21:21
  • You may provide any string value for -Name parameter. It's mentioned in the same article i.e., https://learn.microsoft.com/en-us/powershell/module/azurerm.operationalinsights/New-AzureRmOperationalInsightsAzureActivityLogDataSource?view=azurermps-6.13.0 – KrishnaG Mar 24 '19 at 11:30
  • And the reason for that -Name parameter is, if you want to get and check already created Operational Insights Data Source(s), then you may use the cmdlet 'Get-AzureRmOperationalInsightsDataSource' as shown below and check whether an Operational Insights Data Source with a particular name already exists or not. "Get-AzureRmOperationalInsightsDataSource -ResourceGroupName <LogAnalyticsOMSWorkspaceResourceGroupName> -WorkspaceName <LogAnalyticsOMSWorkspaceName> -Kind AzureActivityLog" I hope now it's clear and it helps!! Cheers!! – KrishnaG Mar 24 '19 at 11:30
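
An added example, not part of the answer or comments above and not Microsoft's code: it combines the two cmdlets named on this page so that the Activity Log of each listed subscription is connected to the workspace once, and re-running the script does not create duplicates. It assumes an existing AzureRM session (Connect-AzureRmAccount) in the workspace's subscription; the function names and the `ActivityLog-<SubscriptionId>` naming convention are hypothetical, and the angle-bracket values are placeholders to replace.

```powershell
# Added example: idempotently connect Activity Logs to a Log Analytics workspace.
# Placeholder values below must be replaced before running.
$ResourceGroupName = '<LogAnalyticsOMSWorkspaceResourceGroupName>'
$WorkspaceName     = '<LogAnalyticsOMSWorkspaceName>'
$SubscriptionIds   = @('<SubscriptionId>')   # one or more subscriptions to collect from

function Get-ActivityLogDataSourceName {
    param([Parameter(Mandatory)][string]$SubscriptionId)
    # Hypothetical convention: -Name accepts any string, so derive it from the
    # subscription id to make the later existence check deterministic.
    'ActivityLog-' + $SubscriptionId.ToLower()
}

function Connect-ActivityLogToWorkspace {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$WorkspaceName,
        [Parameter(Mandatory)][string[]]$SubscriptionIds
    )

    # Names of the Activity Log data sources already defined on the workspace.
    $existing = @(Get-AzureRmOperationalInsightsDataSource `
            -ResourceGroupName $ResourceGroupName `
            -WorkspaceName $WorkspaceName `
            -Kind AzureActivityLog |
        Select-Object -ExpandProperty Name)

    foreach ($id in $SubscriptionIds) {
        $name = Get-ActivityLogDataSourceName -SubscriptionId $id
        if ($existing -contains $name) {
            Write-Output "Already connected: $id ($name)"
            continue
        }
        # -WhatIf on this function previews the change without creating anything.
        if ($PSCmdlet.ShouldProcess($WorkspaceName, "Connect Activity Log of $id")) {
            New-AzureRmOperationalInsightsAzureActivityLogDataSource `
                -ResourceGroupName $ResourceGroupName `
                -WorkspaceName $WorkspaceName `
                -Name $name `
                -SubscriptionId $id
        }
    }
}

Connect-ActivityLogToWorkspace -ResourceGroupName $ResourceGroupName `
    -WorkspaceName $WorkspaceName -SubscriptionIds $SubscriptionIds
```

The existence check matches on name only, so a data source created in the Portal under a different name for the same subscription is not detected by it.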