azureazure-rm-templateazure-log-analyticsactivity-monitor

How to connect Azure Activity Monitor to Log Analytics Workspace via ARM template


How do I connect Azure Activity Logs to a Log Analytics workspace using an ARM template? I can connect it via the portal:

enter image description here

Or using powershell.

But I've searched far and wide and can't find documentation on how to do this with an ARM template (or whether it's currently possible).

I've also tried creating the connection and viewing the resource structure in the azure resource explorer (and by fetching the resource in powershell), but there's no difference in the json before and after making the connection

UPDATE:

I tried an arm template deployment based on this documentation, which I applied like this:

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {},
    "resources": [
        {
            "name": "my-loganalytics-workspace-name/AzureActivityLog",
            "type": "Microsoft.OperationalInsights/workspaces/dataSources",
            "apiVersion": "2015-11-01-preview",
            "tags": {},
            "properties": {},
            "kind": "AzureActivityLog"
        }
    ]
}

But it the deployment doesn't complete (has been running for 30 minutes) and has a vague error:

{
    "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxxxxxxx/resourceGroups/my-resource-group/providers/Microsoft.Resources/deployments/template/operations/A886A53AFF9B2E6C",
    "operationId": "A886A53AFF9B2E6C",
    "properties": {
        "provisioningOperation": "Create",
        "provisioningState": "Running",
        "timestamp": "2019-03-25T13:54:32.2320046Z",
        "duration": "PT21M58.8224235S",
        "trackingId": "47915902-f795-482a-a408-de408cd78a30",
        "serviceRequestId": "8c153090-c33d-4819-b9c4-8226df6a861e",
        "statusCode": "InternalServerError",
        "statusMessage": {
            "Message": "An error has occurred."
        },
        "targetResource": {
            "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxxxxxxx/resourceGroups/my-resource-group/providers/Microsoft.OperationalInsights/workspaces/my-log-analytics-workspace/dataSources/AzureActivityLog",
            "resourceType": "Microsoft.OperationalInsights/workspaces/dataSources",
            "resourceName": "my-log-analytics-workspace/AzureActivityLog"
        }
    }
}

Solution

  • I found a working example template here.

    So my original template needed a different name (must include the subscriptionId) and a linkedResourceId in the properties:

    {
        "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {},
        "resources": [
            {
                "name": "[concat('my-loganalytics-workspace-name', '/', subscription().subscriptionId)]",
                "type": "Microsoft.OperationalInsights/workspaces/dataSources",
                "apiVersion": "2015-11-01-preview",
                "tags": {},
                "properties": {
                    "linkedResourceId": "[concat(subscription().Id, '/providers/microsoft.insights/eventTypes/management')]"
                },
                "kind": "AzureActivityLog"
            }
        ]
    }