Setup Azure Monitor logs#
When analyzing Azure resources, you may want to capture the results of each analysis run. Azure Monitor provides a central storage location for log data through Log Analytics workspaces. Centrally storing PSRule results enables the following scenarios:
- Auditing and reporting — Report on analysis pass or failures.
- Use Azure Monitor workbooks or custom queries to perform analysis and display results.
- Perform security analysis within Microsoft Azure Sentinel, a scalable, cloud-native SIEM. Alternatively, export log data from Log Analytics for ingestion into a third-party SIEM.
- Send notifications using alerts — Trigger alerts to send notifications.
- Integration with other workflows — Configure alerts and action groups to trigger integration.
Abstract
This topic covers setting up PSRule to log rule results into a Log Analytics workspace.
Logging into a Log Analytics workspace#
Logging of PSRule results into a workspace is done using the PSRule for Azure Monitor module. PSRule for Azure Monitor extends the PSRule pipeline to import results into the specified workspace.
Once configured, PSRule will log results into the PSRule_CL custom log table of the chosen workspace.
Info
Integration between PSRule and Azure Monitor is done by means of a convention. Conventions extend the pipeline to be able to upload results after rules have run.
Setting environment variables#
PSRule for Azure Monitor requires a Log Analytics workspace to import results into. To configure this workspace, the following environment variables must be set:
- PSRULE_CONFIGURATION_MONITOR_WORKSPACE_ID: The unique ID (GUID) for the workspace to import results.
- PSRULE_CONFIGURATION_MONITOR_WORKSPACE_KEY: Either the primary or secondary key of the workspace.
How to set these environment variables is covered in the next section for GitHub Actions and Azure Pipelines.
Tip
Both the workspace ID and keys can be found under the Agents management settings of the workspace.
Configuring your pipeline#
The convention that imports PSRule analysis results is not executed by default.
To enable, reference the Monitor.LogAnalytics.Import convention in your analysis pipeline.
With GitHub Actions#
Import analysis results into Azure Monitor with GitHub Actions by:
- Using the PSRule.Monitor module.
- Referencing the Monitor.LogAnalytics.Import convention.
- Configuring secrets for MONITOR_WORKSPACE_ID and MONITOR_WORKSPACE_KEY.
Install the latest stable module versions.
- name: Analyze Azure template files
  uses: microsoft/ps-rule@v2.9.0
  with:
    modules: PSRule.Rules.Azure,PSRule.Monitor
    conventions: Monitor.LogAnalytics.Import
  env:
    # Define environment variables using GitHub encrypted secrets
    PSRULE_CONFIGURATION_MONITOR_WORKSPACE_ID: ${{ secrets.MONITOR_WORKSPACE_ID }}
    PSRULE_CONFIGURATION_MONITOR_WORKSPACE_KEY: ${{ secrets.MONITOR_WORKSPACE_KEY }}
Install the latest stable or pre-release module versions.
- name: Analyze Azure template files
  uses: microsoft/ps-rule@v2.9.0
  with:
    modules: PSRule.Rules.Azure,PSRule.Monitor
    conventions: Monitor.LogAnalytics.Import
    prerelease: true
  env:
    # Define environment variables using GitHub encrypted secrets
    PSRULE_CONFIGURATION_MONITOR_WORKSPACE_ID: ${{ secrets.MONITOR_WORKSPACE_ID }}
    PSRULE_CONFIGURATION_MONITOR_WORKSPACE_KEY: ${{ secrets.MONITOR_WORKSPACE_KEY }}
Important
Environment variables can be configured in the workflow or from a secret.
To keep MONITOR_WORKSPACE_KEY secure, use an encrypted secret.
With Azure Pipelines#
Import analysis results into Azure Monitor with Azure Pipelines by:
- Installing the PSRule extension, then using the ps-rule-assert task in pipeline steps.
- Using the PSRule.Monitor module.
- Referencing the Monitor.LogAnalytics.Import convention.
- Configuring variables for MONITORWORKSPACEID and MONITORWORKSPACEKEY.
Install the latest stable module versions.
- task: ps-rule-assert@2
  displayName: Analyze Azure template files
  inputs:
    modules: PSRule.Rules.Azure,PSRule.Monitor
    conventions: Monitor.LogAnalytics.Import
  env:
    # Define environment variables within Azure Pipelines
    PSRULE_CONFIGURATION_MONITOR_WORKSPACE_ID: $(MONITORWORKSPACEID)
    PSRULE_CONFIGURATION_MONITOR_WORKSPACE_KEY: $(MONITORWORKSPACEKEY)
Install the latest stable or pre-release module versions.
- task: ps-rule-install@2
  displayName: Install PSRule for Azure (pre-release)
  inputs:
    module: PSRule.Rules.Azure
    prerelease: true
- task: ps-rule-install@2
  displayName: Install PSRule for Azure Monitor (pre-release)
  inputs:
    module: PSRule.Monitor
    prerelease: true
- task: ps-rule-assert@2
  displayName: Analyze Azure template files
  inputs:
    modules: PSRule.Rules.Azure,PSRule.Monitor
    conventions: Monitor.LogAnalytics.Import
  env:
    # Define environment variables within Azure Pipelines
    PSRULE_CONFIGURATION_MONITOR_WORKSPACE_ID: $(MONITORWORKSPACEID)
    PSRULE_CONFIGURATION_MONITOR_WORKSPACE_KEY: $(MONITORWORKSPACEKEY)
Important
Variables can be configured in YAML, on the pipeline, or referenced from a defined variable group.
To keep MONITORWORKSPACEKEY secure, use a variable group linked to an Azure Key Vault.
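The guidance in the two Important notes (GitHub Actions and Azure Pipelines) can be checked automatically in review or CI. The following is an added example, not part of PSRule or its documentation: it scans pipeline YAML text and returns the line numbers where PSRULE_CONFIGURATION_MONITOR_WORKSPACE_KEY is assigned anything other than a GitHub Actions `secrets` reference or an Azure Pipelines variable macro. The function name and the sample YAML are constructed for illustration, and the key shown is a placeholder.

```python
import re

KEY_VAR = "PSRULE_CONFIGURATION_MONITOR_WORKSPACE_KEY"

# Accepted forms: ${{ secrets.NAME }} (GitHub Actions) or $(NAME) (Azure Pipelines).
SAFE_VALUE = re.compile(
    r"^(\$\{\{\s*secrets\.[A-Za-z_][A-Za-z0-9_]*\s*\}\}|\$\([A-Za-z_][A-Za-z0-9_.]*\))$"
)
# Also matches commented-out assignments: a key left in a comment is still exposed.
ASSIGNMENT = re.compile(
    r"^\s*(?:#\s*)?(?:-\s*)?" + re.escape(KEY_VAR) + r"\s*:\s*(.*)$"
)


def find_inline_workspace_keys(yaml_text):
    """Return line numbers where the workspace key is not a secret/variable reference.

    Only line numbers are returned so the key itself never reaches CI logs.
    """
    flagged = []
    for number, line in enumerate(yaml_text.splitlines(), start=1):
        match = ASSIGNMENT.match(line)
        if not match:
            continue
        # Drop a trailing YAML comment and surrounding quotes before checking.
        value = re.sub(r"\s+#.*$", "", match.group(1)).strip().strip("'\"")
        if value and not SAFE_VALUE.match(value):
            flagged.append(number)
    return flagged


# Constructed samples; the base64 string is a placeholder, not a real workspace key.
SAMPLE_GITHUB_OK = """\
env:
  PSRULE_CONFIGURATION_MONITOR_WORKSPACE_ID: ${{ secrets.MONITOR_WORKSPACE_ID }}
  PSRULE_CONFIGURATION_MONITOR_WORKSPACE_KEY: ${{ secrets.MONITOR_WORKSPACE_KEY }}
"""
SAMPLE_AZURE_OK = """\
env:
  PSRULE_CONFIGURATION_MONITOR_WORKSPACE_KEY: $(MONITORWORKSPACEKEY)
"""
SAMPLE_BAD = """\
env:
  PSRULE_CONFIGURATION_MONITOR_WORKSPACE_KEY: bm90LWEtcmVhbC1rZXk=
  # PSRULE_CONFIGURATION_MONITOR_WORKSPACE_KEY: "bm90LWEtcmVhbC1rZXk="
  PSRULE_CONFIGURATION_MONITOR_WORKSPACE_KEY: ${{ vars.MONITOR_WORKSPACE_KEY }}
"""
```

A `$(NAME)` macro only shows that the value is not inline; whether the variable behind it is marked secret or backed by Key Vault still has to be confirmed in the pipeline settings.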
Samples#
Continue reading for some sample resources you can try once the Azure Monitor integration is set up.
Log Analytics Queries#
Results with annotations#
// Show extended info
PSRule_CL
| where TimeGenerated > ago(30d)
| extend Pillar = tostring(parse_json(Annotations_s).pillar)
| extend Link = tostring(parse_json(Annotations_s).["online version"])
Summarize results by run#
// Group by run
PSRule_CL
| where TimeGenerated > ago(30d)
| summarize Pass=countif(Outcome_s == "Pass"), Fail=countif(Outcome_s == "Fail") by RunId_s
Querying The Data#
Once the results have been published to the Log Analytics workspace, they can be queried by executing queries against the PSRule_CL table (under Custom Logs). For more information on how to write Log Analytics queries, review the Log Analytics tutorial.
Workbook#
A sample Azure Monitor Workbook is available in the PSRule for Azure GitHub repository. This workbook can be imported directly into Azure Monitor and used as a foundation to build from. Review the Workbook creation tutorial for instructions on how to work with the sample Workbook.