I am trying to create a custom activity log alert rule, but no matter which method I try, it either results in the errors below or the ARM template does not create the conditions specified even though it deploys successfully, and I cannot figure out what I need to do:
PowerShell code:
$RG = "Lab"
$location = 'Global'
$alertName = "Test Storage Account Administrative Operations"
# A resource-scoped alert needs the full ARM resource id, including the resourceGroups segment
$scope = "/subscriptions/[subID]/resourceGroups/$RG/providers/Microsoft.Storage/storageAccounts/staccountname"
$condition1 = New-AzActivityLogAlertCondition -Field 'Category' -Equal 'Administrative'
$condition2 = New-AzActivityLogAlertCondition -Field 'operationName' -Equal 'Microsoft.Storage/storageAccounts/blobServices/containers/write'
$dict = New-Object "System.Collections.Generic.Dictionary``2[System.String,System.String]"
$dict.Add('key1', 'Value1')
# Action group resource id (the variable was never assigned in the original script)
$actionGroupId = "/subscriptions/[subID]/resourceGroups/FLab/providers/microsoft.insights/actionGroups/actiongroup2"
$actionGrp1 = New-AzActionGroup -ActionGroupId $actionGroupId -WebhookProperty $dict
Set-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $RG -Scope $scope -Action $actionGrp1 -Condition $condition1, $condition2
PowerShell Error:
WARNING: 10:16:40 - *** The namespace for all the model classes will change from Microsoft.Azure.Management.Monitor.Management.Models to Microsoft.Azure.Management.Monitor.Models in future releases.
WARNING: 10:16:40 - *** The namespace for output classes will be uniform for all classes in future releases to make it independent of modifications in the model classes.
Set-AzActivityLogAlert:
Line |
12 | set-AzActivityLogAlert -Location $location -Name $alertname -Resource …
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Exception type: ErrorResponseException, Message: Microsoft.Azure.Management.Monitor.Models.ErrorResponseException: Operation returned an invalid status code 'BadRequest'
at Microsoft.Azure.Management.Monitor.ActivityLogAlertsOperations.CreateOrUpdateWithHttpMessagesAsync(String resourceGroupName, String activityLogAlertName, ActivityLogAlertResource activityLogAlert, Dictionary`2 customHeaders, CancellationToken cancellationToken)
at Microsoft.Azure.Management.Monitor.ActivityLogAlertsOperationsExtensions.CreateOrUpdateAsync(IActivityLogAlertsOperations operations, String resourceGroupName, String activityLogAlertName, ActivityLogAlertResource activityLogAlert, CancellationToken cancellationToken)
at Microsoft.Azure.Management.Monitor.ActivityLogAlertsOperationsExtensions.CreateOrUpdate(IActivityLogAlertsOperations operations, String resourceGroupName, String activityLogAlertName, ActivityLogAlertResource activityLogAlert)
at Microsoft.Azure.Commands.Insights.ActivityLogAlert.SetAzureRmActivityLogAlertCommand.ProcessRecordInternal()
at Microsoft.Azure.Commands.Insights.MonitorCmdletBase.ExecuteCmdlet(), Code: Null, Status code:Null, Reason phrase: Null
ARM template code:
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "activityLogAlertName": {
      "defaultValue": "Test1",
      "type": "String",
      "metadata": {
        "description": "Unique name (within the Resource Group) for the Activity log alert."
      }
    },
    "activityLogAlertEnabled": {
      "defaultValue": true,
      "type": "Bool",
      "metadata": {
        "description": "Indicates whether or not the alert is enabled."
      }
    },
    "actionGroupResourceId": {
      "defaultValue": "/subscriptions/[subID]/resourceGroups/FLab/providers/microsoft.insights/actionGroups/actiongroup2",
      "type": "String",
      "metadata": {
        "description": "Resource Id for the Action group."
      }
    },
    "condition1": {
      "defaultValue": "Administrative",
      "type": "String",
      "metadata": {
        "description": "condition value"
      }
    },
    "condition2": {
      "defaultValue": "Microsoft.Storage/storageAccounts/blobServices/containers/write",
      "type": "String",
      "metadata": {
        "description": "condition value"
      }
    },
    "condition3": {
      "defaultValue": "Microsoft.Storage/storageAccounts/blobServices/containers",
      "type": "String",
      "metadata": {
        "description": "condition value"
      }
    },
    "condition4": {
      "defaultValue": "Succeeded",
      "type": "String",
      "metadata": {
        "description": "condition value"
      }
    },
    "condition5": {
      "defaultValue": "Created",
      "type": "String",
      "metadata": {
        "description": "condition value"
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Insights/activityLogAlerts",
      "apiVersion": "2017-04-01",
      "name": "[parameters('activityLogAlertName')]",
      "location": "Global",
      "properties": {
        "enabled": "[parameters('activityLogAlertEnabled')]",
        "scopes": [
          "[subscription().id]"
        ],
        "condition": {
          "allOf": [
            {
              "field": "Category",
              "equals": "[parameters('condition1')]"
            },
            {
              "field": "operationName",
              "equals": "[parameters('condition2')]"
            },
            {
              "field": "resourceType",
              "equals": "[parameters('condition3')]"
            },
            {
              "field": "Status",
              "equals": "[parameters('condition4')]"
            },
            {
              "field": "subStatus",
              "equals": "[parameters('condition5')]"
            }
          ]
        },
        "actions": {
          "actionGroups": [
            {
              "actionGroupId": "[parameters('actionGroupResourceId')]"
            }
          ]
        }
      }
    }
  ]
}
Automation account runbook:
$RG = "Lab"
$location = 'Global'
$alertName = "Test Storage Account Administrative Operations"
# A resource-scoped alert needs the full ARM resource id, including the resourceGroups segment
$scope = "/subscriptions/[subID]/resourceGroups/$RG/providers/Microsoft.Storage/storageAccounts/staccountname"
$condition1 = New-AzActivityLogAlertCondition -Field 'Category' -Equal 'Administrative'
$condition2 = New-AzActivityLogAlertCondition -Field 'operationName' -Equal 'Microsoft.Storage/storageAccounts/blobServices/containers/write'
$dict = New-Object "System.Collections.Generic.Dictionary``2[System.String,System.String]"
$dict.Add('key1', 'Value1')
# Action group resource id (the variable was never assigned in the original runbook)
$actionGroupId = "/subscriptions/[subID]/resourceGroups/FLab/providers/microsoft.insights/actionGroups/actiongroup2"
$actionGrp1 = New-AzActionGroup -ActionGroupId $actionGroupId -WebhookProperty $dict
Set-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $RG -Scope $scope -Action $actionGrp1 -Condition $condition1, $condition2
Automation Account error:
10:27:45 AM - *** The namespace for all the model classes will change from
Microsoft.Azure.Management.Monitor.Management.Models to Microsoft.Azure.Management.Monitor.Models in future releases.
10:27:45 AM - *** The namespace for output classes will be uniform for all classes in future releases to make it
independent of modifications in the model classes.
set-AzActivityLogAlert : Exception type: MissingMethodException, Message: System.MissingMethodException: Method not
found: 'System.String
Microsoft.WindowsAzure.Commands.Utilities.Common.GeneralUtilities.GetLog(System.Net.Http.HttpRequestMessage)'.
at Microsoft.Azure.Commands.ResourceManager.Common.ServiceClientTracingInterceptor.SendRequest(String invocationId,
HttpRequestMessage request)
at Microsoft.Rest.ServiceClientTracing.SendRequest(String invocationId, HttpRequestMessage request)
at
Microsoft.Azure.Management.Monitor.ActivityLogAlertsOperations.<CreateOrUpdateWithHttpMessagesAsync>d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Azure.Management.Monitor.ActivityLogAlertsOperationsExtensions.<CreateOrUpdateAsync>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at
Microsoft.Azure.Management.Monitor.ActivityLogAlertsOperationsExtensions.CreateOrUpdate(IActivityLogAlertsOperations
operations, String resourceGroupName, String activityLogAlertName, ActivityLogAlertResource activityLogAlert)
at Microsoft.Azure.Commands.Insights.ActivityLogAlert.SetAzureRmActivityLogAlertCommand.ProcessRecordInternal()
at Microsoft.Azure.Commands.Insights.MonitorCmdletBase.ExecuteCmdlet(), Code: Null, Status code:Null, Reason phrase:
Null
At line:24 char:1
+ set-AzActivityLogAlert -Location $location -Name $alertname -Resource ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Set-AzActivityLogAlert], PSInvalidOperationException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.Insights.ActivityLogAlert.SetAzureRmActivityLogAlertCommand
References:
Set-AzActivityLogAlert method - https://docs.microsoft.com/en-us/powershell/module/az.monitor/set-azactivitylogalert?view=azps-5.4.0
ARM template method -
Any help on this would be great!
OK, I managed to figure out how to create this rule; the only option that works is a JSON template deployment. My example is below:
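As an added example (not the poster's own template deployment), the following PowerShell deploys the ARM template from the question with New-AzResourceGroupDeployment and then reads the rule back with Get-AzActivityLogAlert to confirm that all five conditions actually exist, since a 'Succeeded' deployment on its own does not prove that. It assumes the template above has been saved to the hypothetical path in $templatePath, and the subscription id is a placeholder.

```powershell
# Added example: deploy the activity log alert template, then verify its conditions.
$subId         = '00000000-0000-0000-0000-000000000000'   # placeholder, replace with your subscription id
$rg            = 'Lab'
$alertName     = 'Test Storage Account Administrative Operations'
$templatePath  = '.\activity-log-alert.json'              # hypothetical path to the template from the question
$actionGroupId = "/subscriptions/$subId/resourceGroups/FLab/providers/microsoft.insights/actionGroups/actiongroup2"

# Catch a malformed action group id locally instead of getting an opaque BadRequest from ARM.
if ($actionGroupId -notmatch '^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/microsoft\.insights/actionGroups/[^/]+$') {
    throw "Action group id is not a well-formed resource id: $actionGroupId"
}

# Deploy the template, overriding the two parameters that differ per environment.
$deployment = New-AzResourceGroupDeployment -ResourceGroupName $rg -TemplateFile $templatePath `
    -TemplateParameterObject @{
        activityLogAlertName  = $alertName
        actionGroupResourceId = $actionGroupId
    } -Mode Incremental

if ($deployment.ProvisioningState -ne 'Succeeded') {
    throw "Deployment ended in state '$($deployment.ProvisioningState)'"
}

# The five conditions the template is supposed to create (same values as its parameter defaults).
$expected = @{
    Category      = 'Administrative'
    operationName = 'Microsoft.Storage/storageAccounts/blobServices/containers/write'
    resourceType  = 'Microsoft.Storage/storageAccounts/blobServices/containers'
    Status        = 'Succeeded'
    subStatus     = 'Created'
}

# Read the rule back and compare field by field; hashtable keys are case-insensitive in PowerShell.
$alert  = Get-AzActivityLogAlert -ResourceGroupName $rg -Name $alertName
$actual = @{}
foreach ($leaf in $alert.Condition.AllOf) {
    # 'Equals' is read through PSObject to avoid any clash with the .NET Equals() method.
    $actual[$leaf.Field] = $leaf.PSObject.Properties['Equals'].Value
}
$missing = $expected.Keys | Where-Object { $actual[$_] -ne $expected[$_] }
if ($missing) {
    Write-Warning ("Conditions missing or different on the deployed rule: " + ($missing -join ', '))
} else {
    Write-Output "All $($expected.Count) conditions present on '$alertName'; scopes: $($alert.Scopes -join ', ')"
}
```

If the template's scopes stay at [subscription().id], the rule fires for matching container writes anywhere in the subscription; narrow the scopes array to the storage account's resource id when only that account should be monitored.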