🪲 Bug Report - Deploy Diagnostic Settings for Firewall to Log Analytics workspace #985

Closed
neok-g opened this issue Jun 7, 2022 · 5 comments · Fixed by #992
Labels
bug Something isn't working engineering engineering work enhancement New feature or request policy Status: Fixed

Comments

neok-g commented Jun 7, 2022

Describe the bug

I noticed that the following Enterprise Scale policy definition remains non-compliant after a remediation task has run:

Deploy Diagnostic Settings for Firewall to Log Analytics workspace

To Reproduce

Steps to reproduce the behaviour:

  1. Deploy the Enterprise Scale policy definitions/initiatives
  2. Create a policy assignment for the policy initiative 'Deploy Diagnostic Settings to Azure Services'
  3. Create an Azure firewall
  4. After a while the Azure firewall instance appears in policy compliance overview as non-compliant
  5. Create a remediation task for the policy Deploy Diagnostic Settings for Firewall to Log Analytics workspace.
  6. A diagnostic setting is created but the Azure firewall remains non-compliant

Expected behaviour

Diagnostic Setting should be created for Azure firewall and Azure firewall should be compliant

Screenshots 📷

If applicable, add screenshots to help explain your problem. Please feel free to blur/cover any sensitive information.

image

Correlation ID

A correlation ID really helps us investigate your issue further. Please provide one if possible. Details on how to find a correlation ID can be found here: Correlation ID and support

Additional context

Anything else we should know to help us troubleshoot this bug?

@neok-g neok-g added the bug Something isn't working label Jun 7, 2022
@ghost ghost added the Needs: Triage 🔍 Needs triaging by the team label Jun 7, 2022
@jtracey93 jtracey93 transferred this issue from Azure/ALZ-Bicep Jun 7, 2022
@neok-g
Author

neok-g commented Jun 16, 2022

Any update on this one?

@jtracey93
Collaborator

Hey @neok-g,

I will try and repro this today and then look at what fix is needed

@jtracey93
Collaborator

Have deployed both AzFw Premium and Standard and have seen the following missing log categories causing this non-compliance
image

We will investigate and update the policy definition

@neok-g
Author

neok-g commented Jun 17, 2022

I can confirm the first 3 log categories are set on my side as well.
The policy uses existenceCondition:

      "existenceCondition": {
        "allOf": [
          {
            "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
            "equals": "true"
          },
          {
            "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
            "equals": "true"
          },
          {
            "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
            "equals": "[parameters('logAnalytics')]"
          }
        ]
      },

For my understanding: if one of the log categories is disabled (false), then the overall Microsoft.Insights/diagnosticSettings/logs.enabled will be false and so the policy remains non-compliant? Is that how it works?

@jtracey93
Collaborator

Correct, there are also a number of other categories to be added to the definition that I have fixed and will merge later today on PR #992
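
Added example, not part of the thread or the project's policy code: a simplified Python model of the existenceCondition quoted above, showing why a single disabled log category keeps the firewall non-compliant after remediation. The sample setting, its category names and the workspace ID are constructed, and the evaluator approximates the behaviour confirmed in the thread rather than reproducing Azure Policy's engine.

```python
import copy

# Constructed workspace ID standing in for [parameters('logAnalytics')].
WORKSPACE_ID = (
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example"
    "/providers/Microsoft.OperationalInsights/workspaces/law-example"
)
# Constructed diagnostic setting: three categories enabled, one left disabled.
# The category names are illustrative and are not read from the issue's screenshot.
SAMPLE_SETTING = {
    "properties": {
        "workspaceId": WORKSPACE_ID,
        "logs": [
            {"category": "AzureFirewallApplicationRule", "enabled": True},
            {"category": "AzureFirewallNetworkRule", "enabled": True},
            {"category": "AzureFirewallDnsProxy", "enabled": True},
            {"category": "AZFWNetworkRule", "enabled": False},
        ],
        "metrics": [{"category": "AllMetrics", "enabled": True}],
    }
}

def evaluate_existence_condition(setting, log_analytics_id):
    """Model the three allOf clauses: every log and metric entry must be enabled."""
    props = setting.get("properties", {})
    disabled_logs = [e.get("category") for e in props.get("logs", [])
                     if e.get("enabled") is not True]
    disabled_metrics = [e.get("category") for e in props.get("metrics", [])
                        if e.get("enabled") is not True]
    clauses = {
        "logs.enabled": not disabled_logs,
        "metrics.enabled": not disabled_metrics,
        # Assumption: resource IDs are compared case-insensitively.
        "workspaceId": str(props.get("workspaceId", "")).lower() == log_analytics_id.lower(),
    }
    return {
        "compliant": all(clauses.values()),
        "failed_clauses": [name for name, ok in clauses.items() if not ok],
        "disabled_log_categories": disabled_logs,
    }

def enable_all_logs(setting):
    """Return a copy of the setting with every log category enabled."""
    fixed = copy.deepcopy(setting)
    for entry in fixed["properties"]["logs"]:
        entry["enabled"] = True
    return fixed

if __name__ == "__main__":
    print(evaluate_existence_condition(SAMPLE_SETTING, WORKSPACE_ID))
    print(evaluate_existence_condition(enable_all_logs(SAMPLE_SETTING), WORKSPACE_ID))
```

The `disabled_log_categories` list is the part to compare against a deployed setting: any category the remediation template does not enable shows up there and fails the `logs.enabled` clause.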

@ghost ghost added the Status: Fixed label Jun 17, 2022
@ghost ghost locked as resolved and limited conversation to collaborators Jul 17, 2022