Ensure that Azure Monitor Activity Logs for your subscription are exported to an appropriate data store using diagnostic settings. Diagnostic settings improve on the legacy Log Profile method for exporting Activity Logs by providing better functionality and consistency with resource logs. The Azure activity log captures all management activities performed on a subscription. By default, the Azure Portal only retains activity logs for 90 days. To make sure that all activity events recorded for your subscription are retained for a longer duration, configure a diagnostic setting to export and archive the activity log to an Azure storage account or stream it to an Event Hub.
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
Diagnostic settings control how and where an Azure activity log is exported. A well-configured diagnostic setting exports your activity logs and retains them for a longer period, so that the activity recorded within your Azure subscription can be analyzed properly and used for security and compliance auditing.
Audit
To determine if an appropriate diagnostic setting is configured for each Microsoft Azure subscription, perform the following operations:
Remediation / Resolution
To create and configure diagnostic settings (the new log profiles) for your Microsoft Azure subscriptions in order to archive your activity logs to a storage account, send them to a Log Analytics workspace, or stream them to an Azure Event Hub, perform the following operations:
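As an added example (not part of the Conformity page or tool), the audit logic above applied to the JSON that `az monitor diagnostic-settings subscription list -o json` returns: a subscription passes only when at least one setting has an export destination and enables every required category. The property names and the four required categories are assumptions; confirm them against your own CLI output and retention policy.

```python
import json

# Activity-log categories a subscription diagnostic setting should export.
# Assumed minimum (the CIS Azure Foundations set); extend to suit your policy.
REQUIRED_CATEGORIES = {"Administrative", "Security", "Alert", "Policy"}

# Properties that identify an export destination in the CLI's JSON output
# (assumed field names; check them against your own `subscription list` output).
DESTINATION_FIELDS = ("storageAccountId", "workspaceId", "eventHubAuthorizationRuleId")


def evaluate_settings(cli_json: str) -> dict:
    """Audit the JSON from `az monitor diagnostic-settings subscription list`.

    Compliant when at least one setting has a destination and enables every
    required category. Per-setting findings explain partial settings
    (missing categories, no destination) so remediation is targeted.
    """
    data = json.loads(cli_json)
    settings = data.get("value", []) if isinstance(data, dict) else data
    findings, compliant = [], False
    for s in settings:
        destinations = [f for f in DESTINATION_FIELDS if s.get(f)]
        enabled = {e["category"] for e in s.get("logs", []) if e.get("enabled")}
        missing = sorted(REQUIRED_CATEGORIES - enabled)
        ok = bool(destinations) and not missing
        compliant = compliant or ok
        findings.append({"name": s.get("name"), "destinations": destinations,
                         "missing_categories": missing, "ok": ok})
    return {"compliant": compliant, "findings": findings}


# Constructed sample, not real CLI output: one storage-account setting that
# omits the Security category and one Event Hub setting that covers everything.
SAMPLE = json.dumps({"value": [
    {"name": "archive-to-storage",
     "storageAccountId": "/subscriptions/<sub-id>/.../storageAccounts/<account>",
     "workspaceId": None, "eventHubAuthorizationRuleId": None,
     "logs": [{"category": c, "enabled": c != "Security"}
              for c in ["Administrative", "Security", "Alert", "Policy"]]},
    {"name": "stream-to-eventhub",
     "storageAccountId": None, "workspaceId": None,
     "eventHubAuthorizationRuleId": "/subscriptions/<sub-id>/.../authorizationRules/<rule>",
     "logs": [{"category": c, "enabled": True}
              for c in ["Administrative", "Security", "ServiceHealth", "Alert",
                        "Recommendation", "Policy", "Autoscale", "ResourceHealth"]]},
]})

if __name__ == "__main__":
    print(json.dumps(evaluate_settings(SAMPLE), indent=2))
```

Pipe the real CLI output into `evaluate_settings` for each subscription returned by `az account list`; a subscription with an empty `value` array has no diagnostic setting at all and is reported as non-compliant.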
References
- Azure Official Documentation
- Overview of Azure platform logs
- Diagnostic settings in Azure Monitor
- Legacy collection methods
- Managing legacy log profiles
- Azure Command Line Interface (CLI) Documentation
- az account list
- az monitor diagnostic-settings subscription list
- az monitor diagnostic-settings subscription create