Forwarding Azure Backup and Recovery Events

Last updated on 17 February, 2023

LogicMonitor gathers data from Log Analytics workspaces in your Azure account. To support monitoring of Backup Protected Items or Recovery Protected Items services, you must forward diagnostic events from your Azure Recovery Services vault to a Log Analytics workspace. To do so:

  1. Determine the target Log Analytics workspace
  2. Forward backup events to Log Analytics
  3. Forward site recovery events to Log Analytics

Determine the Target Log Analytics Workspace

In Azure, the Log Analytics workspace retains the forwarded diagnostic event data and makes it available for LogicMonitor to query. 

Note: You must determine the Log Analytics workspace to which backup and site recovery events will be forwarded.

Log Analytics Workspace Architecture

Log Analytics workspace architecture is customer-dependent. If you already have a Log Analytics workspace implementation, you can leverage the existing architecture. If you don’t, you can create a Log Analytics workspace to retain all events. LogicMonitor does not require a specific architecture; however:

  • There must be at least one Log Analytics workspace in your Azure account.
  • The vault must forward its backup and site recovery events to at least one Log Analytics workspace (new or existing).

For more information, see Design a Log Analytics workspace architecture.

Forward Backup Events to Log Analytics

Use an Azure policy to forward backup events. This ensures that diagnostic settings are applied consistently across all Recovery Services vaults, without having to configure event forwarding for each vault. Microsoft offers a built-in Azure policy for forwarding backup events to Log Analytics. For more information, see Configure Vault Diagnostics settings at scale.

Forward Site Recovery Events to Log Analytics

To forward site recovery events to Log Analytics:

  1. Add a Site Recovery policy to the Azure account.
  2. Assign the Site Recovery policy.

Add a Site Recovery Policy to the Azure Account

  1. Sign in to the Azure portal and navigate to the Policy dashboard.
  2. Select Definitions.
  3. Click [+ Policy Definition].
  4. Enter the following:
    • Definition location— Click the Launch Scope Selector (three dots) next to this field and select a subscription.
    • Name— Use the value Deploy Diagnostic Settings for Recovery Services Vault to Log Analytics workspace for AzureSiteRecovery categories.
    • Category— Select Use Existing and then select Backup from the drop-down list.
    • Policy Rule— Copy and paste the contents of AzureSiteRecoveryPolicy.json:
{
  "mode": "Indexed",
  "policyRule": {
    "if": {
      "allof": [
        {
          "field": "type",
          "equals": "Microsoft.RecoveryServices/vaults"
        },
        {
          "not": {
            "field": "[concat('tags[',parameters('tagName'), ']')]",
            "equals": "[parameters('tagValue')]"
          }
        }
      ]
    },
    "then": {
      "effect": "deployIfNotExists",
      "details": {
        "type": "Microsoft.Insights/diagnosticSettings",
        "existenceCondition": {
          "allof": [
            {
              "count": {
                "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
                "where": {
                  "allof": [
                    {
                      "field": "Microsoft.Insights/diagnosticSettings/logs[*].Category",
                      "in": [
                        "AzureSiteRecoveryJobs",
                        "AzureSiteRecoveryEvents",
                        "AzureSiteRecoveryReplicatedItems",
                        "AzureSiteRecoveryReplicationStats",
                        "AzureSiteRecoveryRecoveryPoints",
                        "AzureSiteRecoveryReplicationDataUploadRate",
                        "AzureSiteRecoveryProtectedDiskDataChurn"
                      ]
                    },
                    {
                      "field": "Microsoft.Insights/diagnosticSettings/logs[*].Enabled",
                      "equals": "True"
                    }
                  ]
                }
              },
              "Equals": 7
            },
            {
              "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
              "notEquals": ""
            },
            {
              "field": "Microsoft.Insights/diagnosticSettings/logAnalyticsDestinationType",
              "equals": "AzureDiagnostics"
            }
          ]
        },
        "roleDefinitionIds": [
          "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
          "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
        ],
        "deployment": {
          "properties": {
            "mode": "incremental",
            "template": {
              "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
              "contentVersion": "1.0.0.0",
              "parameters": {
                "vaultName": {
                  "type": "string"
                },
                "logAnalytics": {
                  "type": "string"
                },
                "profileName": {
                  "type": "string"
                }
              },
              "variables": {},
              "resources": [
                {
                  "type": "Microsoft.RecoveryServices/vaults/providers/diagnosticSettings",
                  "apiVersion": "2017-05-01-preview",
                  "name": "[concat(parameters('vaultName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                  "dependsOn": [],
                  "properties": {
                    "workspaceId": "[parameters('logAnalytics')]",
                    "logAnalyticsDestinationType": "AzureDiagnostics",
                    "metrics": [],
                    "logs": [
                      {
                        "category": "AzureSiteRecoveryJobs",
                        "enabled": "true"
                      },
                      {
                        "category": "AzureSiteRecoveryEvents",
                        "enabled": "true"
                      },
                      {
                        "category": "AzureSiteRecoveryReplicatedItems",
                        "enabled": "true"
                      },
                      {
                        "category": "AzureSiteRecoveryReplicationStats",
                        "enabled": "true"
                      },
                      {
                        "category": "AzureSiteRecoveryRecoveryPoints",
                        "enabled": "true"
                      },
                      {
                        "category": "AzureSiteRecoveryReplicationDataUploadRate",
                        "enabled": "true"
                      },
                      {
                        "category": "AzureSiteRecoveryProtectedDiskDataChurn",
                        "enabled": "true"
                      }
                    ]
                  }
                }
              ],
              "outputs": {
                "policy": {
                  "type": "string",
                  "value": "[concat(parameters('logAnalytics'), 'configured for AzureDiagnostics logs for ', ': ', parameters('vaultName'), '/', 'Microsoft.Insights/', parameters('profileName'))]"
                }
              }
            },
            "parameters": {
              "logAnalytics": {
                "value": "[parameters('logAnalytics')]"
              },
              "vaultName": {
                "value": "[field('name')]"
              },
              "profileName": {
                "value": "[parameters('profileName')]"
              }
            }
          }
        }
      }
    }
  },
  "parameters": {
    "profileName": {
      "type": "String",
      "metadata": {
        "displayName": "Profile name",
        "description": "The diagnostic settings profile name"
      },
      "defaultValue": "setbypolicy_logAnalyticsAzureSiteRecovery"
    },
    "logAnalytics": {
      "type": "String",
      "metadata": {
        "displayName": "Log Analytics workspace",
        "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
        "strongType": "omsWorkspace",
        "assignPermissions": true
      }
    },
    "tagName": {
      "type": "String",
      "metadata": {
        "displayName": "Exclusion Tag Name",
        "description": "Name of the tag to use for excluding vaults from this policy. This should be used along with the Exclusion Tag Value parameter."
      },
      "defaultValue": ""
    },
    "tagValue": {
      "type": "String",
      "metadata": {
        "displayName": "Exclusion Tag Value",
        "description": "Value of the tag to use for excluding vaults from this policy. This should be used along with the Exclusion Tag Name parameter."
      },
      "defaultValue": ""
    }
  }
}

Assign the Site Recovery Policy

  1. Sign in to the Azure portal and navigate to the Backup center dashboard.
  2. Go to Policy and compliance > Azure policies for backup for a list of all built-in policies across Azure resources.
  3. Locate and select the policy named Deploy Diagnostic Settings for Recovery Services Vault to Log Analytics workspace for AzureSiteRecovery categories. The policy definition page appears.
  4. Click Assign. The Assign policy page appears.
  5. Select the Basics tab.
  6. In the Scope field, click the Launch Scope Selector (three dots). The Scope panel appears. Select the subscription for the policy. Optionally, you can select a resource group so that the policy is applied only to vaults in a particular resource group.
  7. Select the Parameters tab.
  8. Disable Only show parameters that need input or review and then enter the following information:
    • Profile Name— The name that will be assigned to the diagnostics settings created by the policy.
    • Log Analytics Workspace— The workspace to which the diagnostics setting will be associated. Diagnostics data of all vaults in the scope of the policy assignment will be pushed to the specified Log Analytics Workspace.
    • Exclusion Tag Name and Exclusion Tag Value (optional)— You can choose to exclude vaults containing a certain tag name and value from the policy assignment. Example: If you do not want a diagnostics setting to be added to those vaults that have a tag isTest set to the value yes, you must enter isTest in the Exclusion Tag Name field and yes in the Exclusion Tag Value field. If either (or both) of these two fields is left empty, the policy will be applied to all relevant vaults regardless of the tags they contain.
    • Create a remediation task— Once the policy is assigned to a scope, Log Analytics diagnostic settings are automatically configured for any new vaults created in that scope (within 30 minutes). To add a diagnostics setting to existing vaults in the scope, you can trigger a remediation task at policy assignment time. To trigger a remediation task, select Create a remediation task.
  9. Select the Review+Create tab and click Create.
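
The following is an added example, not LogicMonitor's or Microsoft's code: a Python model of the policy rule's exclusion-tag test and existenceCondition, run over constructed vault records to show which vaults an assignment would skip, accept, or remediate. The function names, the record shape, and the case-insensitive comparisons are assumptions; the exclusion behaviour follows the description in step 8 rather than the Azure Policy engine itself.

```python
# Added example: offline model of the policy rule above. All vault records are constructed.
SR_CATEGORIES = frozenset({
    "AzureSiteRecoveryJobs", "AzureSiteRecoveryEvents",
    "AzureSiteRecoveryReplicatedItems", "AzureSiteRecoveryReplicationStats",
    "AzureSiteRecoveryRecoveryPoints", "AzureSiteRecoveryReplicationDataUploadRate",
    "AzureSiteRecoveryProtectedDiskDataChurn",
})

def is_excluded(tags, tag_name, tag_value):
    # Per the page: if either exclusion field is empty, no vault is excluded.
    if not tag_name or not tag_value:
        return False
    # Assumption: tag name and value are compared case-insensitively.
    folded = {k.lower(): str(v).lower() for k, v in (tags or {}).items()}
    return folded.get(tag_name.lower()) == tag_value.lower()

def setting_satisfies(setting):
    # existenceCondition: 7 matching enabled categories, a workspace, AzureDiagnostics mode.
    # "enabled" may arrive as a JSON boolean or as the string "true".
    matching = sum(1 for log in setting.get("logs", [])
                   if log.get("category") in SR_CATEGORIES
                   and str(log.get("enabled")).lower() == "true")
    dest = str(setting.get("logAnalyticsDestinationType") or "").lower()
    return (matching == len(SR_CATEGORIES)
            and bool(setting.get("workspaceId"))
            and dest == "azurediagnostics")

def evaluate(vault, tag_name="", tag_value=""):
    """Return 'excluded', 'compliant' or 'remediate' for one vault record."""
    if is_excluded(vault.get("tags"), tag_name, tag_value):
        return "excluded"
    # deployIfNotExists is satisfied if any one diagnostic setting matches.
    if any(setting_satisfies(s) for s in vault.get("diagnosticSettings", [])):
        return "compliant"
    return "remediate"

def _setting(dest="AzureDiagnostics", disabled=()):
    # Constructed diagnostic setting; the workspace ID is a placeholder.
    return {"workspaceId": "/subscriptions/<sub-id>/.../workspaces/<workspace>",
            "logAnalyticsDestinationType": dest,
            "logs": [{"category": c, "enabled": c not in disabled}
                     for c in sorted(SR_CATEGORIES)]}

VAULTS = [  # constructed sample inventory
    {"name": "vault-prod-01", "tags": {}, "diagnosticSettings": [_setting()]},
    {"name": "vault-prod-02", "tags": {},
     "diagnosticSettings": [_setting(disabled={"AzureSiteRecoveryEvents"})]},
    {"name": "vault-prod-03", "tags": {}, "diagnosticSettings": [_setting(dest="Dedicated")]},
    {"name": "vault-test-01", "tags": {"isTest": "yes"}, "diagnosticSettings": []},
]

def report(tag_name="", tag_value=""):
    return {v["name"]: evaluate(v, tag_name, tag_value) for v in VAULTS}
```

Vaults reported as excluded forward no site recovery events, so review the exclusion tag alongside the assignment.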