如何通过 Azure 策略审核诊断设置中的日志记录类别?
How to audit logging categories in Diagnostic settings via Azure policy?
我有一项政策,当不存在针对特定 Azure 服务的具有特定配置的诊断设置时进行审核。这将应用于多个服务(事件中心、Key Vault、Postgres 单一服务器),以确保预定义的日志记录配置到位。
我面临的问题是审计在每个诊断设置中选择了特定的日志记录类别。以 Postgres 为例,它具有以下日志记录类别:
- PostgreSQL 日志
- QueryStoreRuntimeStatistics
- QueryStoreWaitStatistics
并说我只想强制在我的 DS 中选择“PostgreSQLLogs”。使用策略别名“Microsoft.Insights/diagnosticSettings/logs[*].enabled”这意味着配置如下:[true, false, false]。因此,这是我应该在我的策略中设置的值,以审计它的合规性。但是无论我在策略中尝试哪个值,Azure 都不会接受或者不满足我的 objective.
以下是我的保单规则代码:
"policyRule": {
"if": {
"equals": "Microsoft.DBforPostgreSQL/servers",
"field": "type"
},
"then": {
"details": {
"type": "Microsoft.Insights/diagnosticSettings",
"existenceCondition": {
"allOf": [
{
"field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
"equals": "[ true, false, false ]"
},
{
"field": "Microsoft.Insights/diagnosticSettings/logs[*].category",
"equals": "['PostgreSQLLogs']"
},
{
"field": "Microsoft.Insights/diagnosticSettings/workspaceId",
"matchInsensitively": "[parameters('my_logAnalytics')]"
}
]
}
},
"effect": "AuditIfNotExists"
}
在门户中保存时生成此错误:
readyState: 4
responseText: {"error":{"code":"InvalidPolicyParameters","message":"A function or parameter in policy 'e8b95433-42c5-4ed4-8a0c-1e7ad5ac2572' could not be validated. If using template functions, try following the tips in: https://aka.ms/policy-avoiding-template-failures. The inner exception 'Unable to parse language expression ' true, false, false ': expected token 'LeftParenthesis' and actual 'Comma'.'."}}
status: 400
statusText: error
引用数组的元素会引发同样的错误:
{
"field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
"equals": "[ 'true','false','false' ]"
},
当我尝试这样的事情时,它会被接受:
{
"field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
"equals": "[ 'true' ]"
},
但这不是我要找的,因为它将我的资源标记为不符合以下消息(请参阅 screenshot):
Reason for non-compliance: Current value must be equal to the target value
Field: Microsoft.Insights/diagnosticSettings/logs[*].enabled
Path: properties.logs[*].enabled
Current value: [true,false,false]
Target value: "true"
如果我没理解错的话,你想检查logs数组的每个值,当.category是PostgresSQLLogs时,测试.enabled是否是true .
您确实需要在此处使用 count -“这会评估条件表达式的每个 [*] 别名数组成员并对真实结果求和”。您可以在条件中使用复杂的表达式:
"existenceCondition": {
"allOf": [
{
"count": {
"field": "Microsoft.Insights/diagnosticSettings/logs[*]",
"where": {
"allOf": [
{
"field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
"equals": "True"
},
{
"field": "Microsoft.Insights/diagnosticSettings/logs[*].category",
"equals": "PostgresSQLLogs"
}
]
}
},
"greater": 0
},
{
"field": "Microsoft.Insights/diagnosticSettings/workspaceId",
"matchInsensitively": "[parameters('my_logAnalytics')]"
}
]
}
对于其他类别值,您需要在外部 "allOf" 内使用类似的计数块。
我有一项政策,当不存在针对特定 Azure 服务的具有特定配置的诊断设置时进行审核。这将应用于多个服务(事件中心、Key Vault、Postgres 单一服务器),以确保预定义的日志记录配置到位。
我面临的问题是审计在每个诊断设置中选择了特定的日志记录类别。以 Postgres 为例,它具有以下日志记录类别:
- PostgreSQL 日志
- QueryStoreRuntimeStatistics
- QueryStoreWaitStatistics
并说我只想强制在我的 DS 中选择“PostgreSQLLogs”。使用策略别名“Microsoft.Insights/diagnosticSettings/logs[*].enabled”这意味着配置如下:[true, false, false]。因此,这是我应该在我的策略中设置的值,以审计它的合规性。但是无论我在策略中尝试哪个值,Azure 都不会接受或者不满足我的 objective.
以下是我的保单规则代码:
"policyRule": {
"if": {
"equals": "Microsoft.DBforPostgreSQL/servers",
"field": "type"
},
"then": {
"details": {
"type": "Microsoft.Insights/diagnosticSettings",
"existenceCondition": {
"allOf": [
{
"field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
"equals": "[ true, false, false ]"
},
{
"field": "Microsoft.Insights/diagnosticSettings/logs[*].category",
"equals": "['PostgreSQLLogs']"
},
{
"field": "Microsoft.Insights/diagnosticSettings/workspaceId",
"matchInsensitively": "[parameters('my_logAnalytics')]"
}
]
}
},
"effect": "AuditIfNotExists"
}
在门户中保存时生成此错误:
readyState: 4 responseText: {"error":{"code":"InvalidPolicyParameters","message":"A function or parameter in policy 'e8b95433-42c5-4ed4-8a0c-1e7ad5ac2572' could not be validated. If using template functions, try following the tips in: https://aka.ms/policy-avoiding-template-failures. The inner exception 'Unable to parse language expression ' true, false, false ': expected token 'LeftParenthesis' and actual 'Comma'.'."}} status: 400 statusText: error
引用数组的元素会引发同样的错误:
{
"field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
"equals": "[ 'true','false','false' ]"
},
当我尝试这样的事情时,它会被接受:
{
"field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
"equals": "[ 'true' ]"
},
但这不是我要找的,因为它将我的资源标记为不符合以下消息(请参阅 screenshot):
Reason for non-compliance: Current value must be equal to the target value
Field: Microsoft.Insights/diagnosticSettings/logs[*].enabled
Path: properties.logs[*].enabled
Current value: [true,false,false]
Target value: "true"
如果我没理解错的话,你想检查logs数组的每个值,当.category是PostgresSQLLogs时,测试.enabled是否是true .
您确实需要在此处使用 count -“这会评估条件表达式的每个 [*] 别名数组成员并对真实结果求和”。您可以在条件中使用复杂的表达式:
"existenceCondition": {
"allOf": [
{
"count": {
"field": "Microsoft.Insights/diagnosticSettings/logs[*]",
"where": {
"allOf": [
{
"field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
"equals": "True"
},
{
"field": "Microsoft.Insights/diagnosticSettings/logs[*].category",
"equals": "PostgresSQLLogs"
}
]
}
},
"greater": 0
},
{
"field": "Microsoft.Insights/diagnosticSettings/workspaceId",
"matchInsensitively": "[parameters('my_logAnalytics')]"
}
]
}
对于其他类别值,您需要在外部 "allOf" 内使用类似的计数块。