I'm using the script below to create a storage account, Key Vault and ADF. I would also like to enable diagnostic logging on both the storage account and the Key Vault. The script runs fine and creates the resources; however, it does not enable the diagnostic logs for the Key Vault and storage account. I would appreciate it if you can help.
$subscription="Azure subscription 1"
$rgName = "Test"
$location = "eastus"
$storageaccountName = "tempaccountlogs"
$adfName = "tempdpadf"
$department = "Testtemp"
$kvname = "kvnamAkbt"
$sa = New-AzStorageAccount -ResourceGroupName $rgName -AccountName $storageaccountName -Location $location -SkuName Standard_LRS -Kind BlobStorage -AccessTier Hot -Tag @{department=$department}
$DataFactory = Set-AzDataFactoryV2 -Name $adfName -ResourceGroupName $rgName -Location $location -Tag @{chargecode=$chargeCode;department=$department;environment=$environment;project=$project}
$kv = New-AzKeyVault -VaultName $kvname -ResourceGroupName $rgName -Location $location
set-AzDiagnosticSetting -ResourceId $kv.ResourceId -StorageAccountId $sa.Id -Enabled $true -Categories AuditEvent
set-AzDiagnosticSetting -ResourceId $kv.ResourceId -StorageAccountId $sa.Id -RetentionEnabled $true -RetentionInDays 90
The problem with your script is that it gives the error:
A parameter cannot be found that matches parameter name 'Categories'.
You are using the "Categories" parameter instead of "Category". If you check this documentation, the correct parameter is -Category; use it as shown below:
set-AzDiagnosticSetting -ResourceId $kv.ResourceId -StorageAccountId $sa.Id -Enabled $true -Category AuditEvent
set-AzDiagnosticSetting -ResourceId $kv.ResourceId -StorageAccountId $sa.Id -RetentionEnabled $true -RetentionInDays 90
To enable logging for the storage account, please look at this documentation.
$diagname = "storage logs"
$ErrorActionPreference = "SilentlyContinue"
Import-Module -Name Az
Import-Csv "$home\azuresubscription.csv" |`
ForEach-Object{
    #CentralLogAnalytics
    $workspaceid = "your central logging resource id - exact object"
    Select-AzSubscription -Subscription $_.Name
    $storageAccounts = Get-AzStorageAccount | Select-Object Id
    foreach ($stor in $storageAccounts)
    {
        Set-AzDiagnosticSetting -Name $diagname -ResourceId $stor.Id -WorkspaceId $workspaceid -Enabled $true
        $blobid = -join($stor.id,"/blobServices/default")
        $fileid = -join($stor.id, "/fileServices/default")
        $queueid = -join($stor.id, "/queueServices/default")
        $tableid = -join($stor.id, "/tableServices/default")
        $resourcetypeid = @($blobid, $fileid, $queueid, $tableid)
        foreach ($item in $resourcetypeid)
        {
            Set-AzDiagnosticSetting -Name $diagname -ResourceId $item -WorkspaceId $workspaceid -Enabled $true
        }
    }
}
Prerequisite: The script expects a list of Azure subscriptions in a CSV file. Putting them in a CSV is best for easy testing in NonProd subscriptions. An object of the subscriptions can also be provided here.
Functionality: This will enable the metrics for blob, queue, file, and table, and at the parent level as well.
You should include the -WorkspaceId parameter in the command. See reference here.
My example which runs successfully:
set-AzDiagnosticSetting -ResourceId $kv.ResourceId -StorageAccountId $sa.Id -Enabled $true -Category AuditEvent -WorkspaceId {resource id of the Log Analytics workspace}
For how to create a Log Analytics workspace, please refer to Create workspace.
Update:
For how to enable diagnostic logs for ADF, please refer to this sample:
$ws = Get-AzOperationalInsightsWorkspace -Name "testLAW" -ResourceGroupName "test"
$DataFactory = Set-AzDataFactoryV2 -ResourceGroupName "test" -Name "testADF" -Location "WestUS"
set-AzDiagnosticSetting -ResourceId $DataFactory.DataFactoryId -Enabled $true -WorkspaceId $ws.ResourceId
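The question's script created every resource and still left logging off, so it helps to check the result rather than trust the run. The following is an added example, not part of the original posts: it lists which of the resource IDs used above (vault, storage account and its four sub-services) still lack a diagnostic setting, a sink, or a required log category. The function names, the shape of the setting objects (ResourceId, StorageAccountId, WorkspaceId, Logs) and the sample data are assumptions constructed for illustration.

```powershell
# Added example, not from the original posts. Sample IDs and settings are constructed.
# Assumption: each setting object exposes StorageAccountId, WorkspaceId and a Logs list
# (Category, Enabled), with the ResourceId it was read from attached by the caller.

function Get-DiagnosticTarget {
    param([string]$StorageAccountId, [string]$KeyVaultId)
    # Same sub-resource IDs the storage script above builds with -join
    $services = 'blobServices', 'fileServices', 'queueServices', 'tableServices'
    @($KeyVaultId, $StorageAccountId) +
        @($services | ForEach-Object { "$StorageAccountId/$_/default" })
}

function Get-DiagnosticGap {
    param([string[]]$TargetId, [object[]]$Setting, [hashtable]$RequiredCategory = @{})
    foreach ($id in $TargetId) {
        $found   = @($Setting | Where-Object { $_.ResourceId -eq $id })
        $hasSink = @($found | Where-Object { $_.StorageAccountId -or $_.WorkspaceId }).Count -gt 0
        $enabled = @($found | ForEach-Object { $_.Logs } |
                     Where-Object { $_.Enabled } | ForEach-Object { $_.Category })
        # Categories that must be on for this resource but are not
        $missing = @($RequiredCategory[$id] | Where-Object { $_ -and $enabled -notcontains $_ })
        if ($found.Count -eq 0 -or -not $hasSink -or $missing.Count -gt 0) {
            [pscustomobject]@{
                ResourceId      = $id
                HasSetting      = $found.Count -gt 0
                HasSink         = $hasSink
                MissingCategory = $missing -join ','
            }
        }
    }
}

# Constructed IDs (placeholder subscription GUID; resource names taken from the posts above)
$base = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/Test/providers'
$saId = "$base/Microsoft.Storage/storageAccounts/tempaccountlogs"
$kvId = "$base/Microsoft.KeyVault/vaults/kvnamAkbt"
$wsId = "$base/Microsoft.OperationalInsights/workspaces/testLAW"

# Constructed state: vault has a sink but AuditEvent is off; only the blob service is configured
$settings = @(
    [pscustomobject]@{ ResourceId = $kvId; StorageAccountId = $saId; WorkspaceId = $null
                       Logs = @([pscustomobject]@{ Category = 'AuditEvent'; Enabled = $false }) }
    [pscustomobject]@{ ResourceId = "$saId/blobServices/default"; StorageAccountId = $null
                       WorkspaceId = $wsId; Logs = @() }
)

Get-DiagnosticGap -TargetId (Get-DiagnosticTarget $saId $kvId) -Setting $settings `
    -RequiredCategory @{ $kvId = 'AuditEvent' } | Format-Table -AutoSize
```

Against a live subscription, the `$settings` list would be built from `Get-AzDiagnosticSetting -ResourceId $id` for each target, with the queried ID attached to each returned object.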