Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Enable Guest-Level Diagnostics for Virtual Machines

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: VirtualMachines-018

Ensure that Guest-Level Diagnostics feature is enabled for your Azure virtual machines (VMs) in order to gather diagnostic data useful to create notification alerts and get vital information about the state of your VM applications using advanced metrics.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security
Reliability
Performance
efficiency

Microsoft Azure Monitoring service collects host-level metrics such as CPU usage, disk and network usage for all virtual machines without any additional software. For more insight into the state of your virtual machines, you can collect guest-level metrics, logs and other diagnostic data using the Guest-Level Diagnostics feature. Once you enable this monitoring feature, a diagnostics agent is installed on the selected virtual machine and a set of extended metrics are added to collect usage data every minute. The data collected can be used to find usage trends and anomalies, set custom alerts for CPU and memory disk utilization limits, as well as providing information that you can use to control your Azure costs by sizing the virtual machine according to its usage.

Audit

To determine if your Azure virtual machines (VMs) are configured to use Guest-Level Diagnostics, perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Virtual machine to list the virtual machines launched within the selected subscription.

05 Click on the name of the virtual machine (VM) that you want to examine.

06 In the navigation panel, under Monitoring, select Diagnostic settings to access the Guest-Level Diagnostics feature configuration and metrics, implemented for the selected VM. If there are no configuration details listed and no metrics, instead the Enable guest-level monitoring button is displayed, the Guest-Level Diagnostics feature is not enabled for the selected Microsoft Azure virtual machine.

07 Repeat step no. 5 and 6 for each Azure virtual machine available in the selected subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run vm list command (Windows/macOS/Linux) using custom query filters to list the ID of each virtual machine (VM) deployed in the current Azure subscription: 

az vm list
    --query '[*].id'

02 The command output should return the requested Azure virtual machine ID(s): 

[
"/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-internal-app-vm",
"/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-warehouse-app-vm"
]

03 Run vm show command (Windows/macOS/Linux) using the ID of the Azure virtual machine that you want to examine as identifier parameter, to describe the Guest-Level Diagnostics feature configuration and metrics set for the selected VM: 

az vm show
    --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-internal-app-vm"
    --query '{"GuestLevelDiagnosticsConfig": resources[*].settings.ladCfg.diagnosticMonitorConfiguration}'

04 The command output should return the requested feature configuration information: 

{
  "GuestLevelDiagnosticsConfig": []
}

If the command output returns [] as the value for the "GuestLevelDiagnosticsConfig" attribute, as shown in the example above, the requested configuration details and usage metrics are missing, therefore the Guest-Level Diagnostics feature is not enabled for the selected Microsoft Azure virtual machine.

05 Repeat step no. 3 and 4 for every Azure virtual machine available in the current subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To enable OS guest-level monitoring for your Microsoft Azure virtual machines, perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Virtual machine to show the virtual machines available in the selected subscription.

05 Click on the name of the virtual machine (VM) that you want to reconfigure (see Audit section part I to identify the right resource).

06 In the navigation panel, under Monitoring, select Diagnostic settings to access the Guest-Level Diagnostics feature page.

07 On the Diagnostic settings page, perform the following commands:

  1. Select the Overview tab available under the dashboard top menu.
  2. Choose the name of the storage account where the diagnostic data will be sent from Pick a storage account dropdown list.
  3. Click Enable guest-level monitoring button to enable the Guest-Level Diagnostics feature for the selected Azure virtual machine. It can take up to 10 minutes for the feature to become active. During this time a status message, i.e. "Updating diagnostic settings...", will be displayed on the settings page. Once Guest-Level Diagnostics is enabled, click Save to save the default configuration set for the feature by the Azure Monitoring service.

08 Repeat steps no. 5 – 8 to enable Guest-Level Diagnostics feature for other Azure virtual machines provisioned in the selected subscription.

09 Repeat steps no. 3 – 9 for each subscription created in your Microsoft Azure cloud account.

Using Azure Portal

01 Run storage account list command (Windows/macOS/Linux) using custom query filters to describe the identifier for each storage account available in the current Azure subscription: 

az storage account list
    --query '[*].name'

02 The command output should return the requested identifiers/names. The storage account resource names will be used later to enable Guest-Level Diagnostics for your virtual machines: 

[
  "abcd1234abcd1234abcd1234",
  "abcdabcdabcd123412341234"
]

03 Run vm diagnostics get-default-config command (Windows/macOS/Linux) using the ID of the virtual machine that you want to reconfigure (see Audit section part II to identify the right resource) and the name of the storage account that will hold the diagnostic data (returned at the previous step) as identifier parameters, to obtain the default diagnostic configuration settings that the Azure Monitoring service provides for the selected VM and save them to a variable named "$default_config" (the command does not return an output): 

default_config=$(az vm diagnostics get-default-config \
    | sed "s#__DIAGNOSTIC_STORAGE_ACCOUNT__#abcd1234abcd1234abcd1234#g" \
    | sed "s#__VM_OR_VMSS_RESOURCE_ID__#/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-internal-app-vm#g")

04 Run vm diagnostics set command (Windows/macOS/Linux) using the ID of the virtual machine that you want to reconfigure as identifier parameter and the variable created at the previous step as value for the --settings parameter, i.e. "$default_config", to enable Guest-Level Diagnostics feature for the selected Azure virtual machine (the command does not produce an output): 

az vm diagnostics set
    --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-internal-app-vm"
    --settings "$default_config"

05 Repeat step no. 3 and 4 to enable Guest-Level Diagnostics feature for other Azure virtual machines available in the current subscription.

06 Repeat steps no. 1 – 5 for each subscription created within your Microsoft Azure cloud account.

References

Publication date Nov 28, 2019

Related VirtualMachines rules

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

Confirmity Cloud Platform

No thanks, back to article

You are auditing:

Enable Guest-Level Diagnostics for Virtual Machines

Risk Level: Medium