Ensure that a Log Profile exists

Enable log profile for exporting activity logs.

Risk Level: Low
Cloud Entity: Log Profile
CloudGuard Rule ID: D9.AZU.LOG.07
Covered by Spectral: No
Category: Global

GSL LOGIC

List<LogProfile> should have items

REMEDIATION

From Portal

  1. Go to Activity log
  2. Click on Export
  3. Configure the Diagnostic settings
  4. Click on Save

From TF
Set the 'name', 'categories' and 'locations' arguments under 'azurerm_monitor_log_profile' as below:

resource "azurerm_monitor_log_profile" "example" {
	# ... (other arguments)
	name       = "default"
	categories = ["Action", "Delete", "Write"]
	locations  = ["LIST_OF_REGIONS"] # replace with the list of region names
	# ... (other arguments)
}

From Command Line
Run

az monitor log-profiles create --categories CATEGORY --days NUMBEROFDAYS --enabled true --location LOCATION --locations LIST_OF_REGIONS --name MYLOGPROFILE --storage-account-id STORAGEACCOUNTID
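
To verify the result after remediation, the rule's check can be run against the JSON returned by 'az monitor log-profiles list'. The following is an added example, not CloudGuard's or Microsoft's code: the field names are assumed to match the CLI's JSON output, the sample data is constructed, and the category, output and retention checks go beyond the GSL rule itself.

```python
import json

# Categories named in the remediation section of this page.
REQUIRED_CATEGORIES = {"Write", "Delete", "Action"}
DEFAULT_RETENTION_DAYS = 90  # default activity log retention stated on this page


def audit_log_profiles(profiles):
    """Return a list of findings; an empty list means the check passes."""
    if not profiles:
        # Mirrors the GSL rule: List<LogProfile> should have items.
        return ["no log profile exists in the subscription"]
    findings = []
    for p in profiles:
        name = p.get("name", "<unnamed>")
        missing = REQUIRED_CATEGORIES - set(p.get("categories") or [])
        if missing:
            findings.append(f"{name}: missing categories {sorted(missing)}")
        # A profile needs at least one output: storage account or event hub.
        if not (p.get("storageAccountId") or p.get("serviceBusRuleId")):
            findings.append(f"{name}: no storage account or event hub output")
        ret = p.get("retentionPolicy") or {}
        days = ret.get("days", 0)
        # Assumption: a disabled policy or days == 0 keeps events indefinitely.
        if ret.get("enabled") and 0 < days <= DEFAULT_RETENTION_DAYS:
            findings.append(
                f"{name}: retention is {days} days, not longer than "
                f"{DEFAULT_RETENTION_DAYS}")
    return findings


# Constructed sample in the assumed shape of `az monitor log-profiles list`.
SAMPLE_JSON = """[
  {"name": "default", "categories": ["Write", "Delete"],
   "locations": ["global", "westeurope"],
   "retentionPolicy": {"enabled": true, "days": 30},
   "storageAccountId": null, "serviceBusRuleId": null}
]"""

if __name__ == "__main__":
    for label, data in (("empty subscription", "[]"), ("sample", SAMPLE_JSON)):
        findings = audit_log_profiles(json.loads(data))
        print(label, "->", "PASS" if not findings else findings)
```

In practice, feed the function the parsed output of 'az monitor log-profiles list --output json' instead of the constructed sample.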

References

  1. https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log?tabs=powershell#work-with-legacy-settings
  2. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_log_profile#name
  3. https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log?tabs=cli
  4. https://learn.microsoft.com/en-us/cli/azure/monitor/log-profiles?view=azure-cli-latest#az-monitor-log-profiles-create

Log Profile

The Azure activity log captures control/management activities performed on a subscription. By default, the Azure Portal retains activity logs only for 90 days. The Log Profile defines the type of events that are stored or streamed and the outputs (storage account and/or event hub). The Log Profile, if configured properly, can ensure that all activity logs are retained for longer dur

Compliance Frameworks

  • Azure CloudGuard Best Practices
  • Azure ITSG-33