Azure Diagnostic Settings “category Group” argument is not available

resource "azurerm_logic_app_workflow" "workflow" {
  name                = "test-secops-workflow"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
}

resource "azurerm_monitor_diagnostic_setting" "logicapp" {
  name               = "Logs to Central Storage account"
  target_resource_id = azurerm_logic_app_workflow.workflow.id
  storage_account_id = azurerm_storage_account.storagesecops.id

  log {
    category = "allLogs"
    enabled  = true

    retention_policy {
      enabled = true
    }
  }

}

The above code fails; diagnostic settings do not support category groups. Below is the error:

insights.DiagnosticSettingsClient#CreateOrUpdate: Failure responding to request: StatusCode=400 – Original Error: autorest/azure: Service returned an error. Status=400 Code=“BadRequest” Message="Category ‘allLogs’ is not supported.


@hcrhall Could you please help me out here?

It looks like you are using the wrong category for the azurerm_logic_app_workflow resource. You can determine which categories are supported by using the azurerm_monitor_diagnostic_categories data source.

Hope this helps.

@hcrhall, I have attached a screenshot of the allowed log categories and metrics. In my case I want to enable the log category group “allLogs”, and while we have an argument for “categories”, I cannot find an argument for “category groups” in the Terraform resource.
Hope I am clear.

Screenshot 2022-07-05 215130

Reading the docs, it appears that choosing the WorkflowRuntime is the same as choosing allLogs.

My understanding is that allLogs is a shortcut for selecting each of the available categories. Since there is only one category available, you can simply change the configuration to the following:

resource "azurerm_monitor_diagnostic_setting" "logicapp" {
  name               = "Logs to Central Storage account"
  target_resource_id = azurerm_logic_app_workflow.workflow.id
  storage_account_id = azurerm_storage_account.storagesecops.id

  log {
    category = "WorkflowRuntime"
    enabled  = true

    retention_policy {
      enabled = true
    }
  }
}

Thank you so much, it helped me to understand how to achieve it. I will be calling all the categories which are under that category group instead of directly calling the group!

@hcrhall, in the case of Key Vault, it has 2 categories:
AuditEvent and AzurePolicyEvaluationDetails Key vault

If my goal is to capture all the logs (allLogs), should I include both the categories in my code?

If that is the case, for each resource type (example: keyvault, nsg, vNet, etc.) I will have to create one “azurerm_monitor_diagnostic_setting” with different categories.

Please correct me if I am wrong.

Thank you.
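
An added example, not part of any post in this thread: one way to get the effect of "allLogs" across several resource types without hard-coding category names is to feed the azurerm_monitor_diagnostic_categories data source mentioned above into a dynamic log block. It assumes a provider version like the thread's, where the resource takes log blocks and the data source exports a logs attribute; the local map and the Key Vault and NSG resource names are hypothetical.

```hcl
# Hypothetical map of resources to monitor. The Key Vault and NSG resources
# are assumed to be defined elsewhere in the configuration.
locals {
  monitored_resources = {
    logicapp = azurerm_logic_app_workflow.workflow.id
    keyvault = azurerm_key_vault.kv.id               # assumed resource
    nsg      = azurerm_network_security_group.nsg.id # assumed resource
  }
}

# Ask Azure which log categories each resource supports.
data "azurerm_monitor_diagnostic_categories" "all" {
  for_each    = local.monitored_resources
  resource_id = each.value
}

# One diagnostic setting per resource, all sending to the same storage account.
resource "azurerm_monitor_diagnostic_setting" "all" {
  for_each           = local.monitored_resources
  name               = "logs-to-central-storage-${each.key}"
  target_resource_id = each.value
  storage_account_id = azurerm_storage_account.storagesecops.id

  # One log block per supported category, e.g. WorkflowRuntime for the
  # Logic App, AuditEvent and AzurePolicyEvaluationDetails for Key Vault.
  dynamic "log" {
    for_each = data.azurerm_monitor_diagnostic_categories.all[each.key].logs

    content {
      category = log.value
      enabled  = true

      retention_policy {
        enabled = true
      }
    }
  }
}
```

Because the category list is read from Azure at plan time, a log category that a resource type gains later is picked up on the next plan instead of being silently left out of the audit trail.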