steampipe plugin install azure

Table: azure_monitor_log_profile - Query Azure Monitor Log Profiles using SQL

Azure Monitor Log Profile is a configuration in Azure Monitor that specifies how activity logs are collected and retained. These profiles are essential for managing and controlling the export of Azure activity logs, which include logs related to resource usage, service health, and operations within an Azure subscription. By setting up a Log Profile, administrators can define where these logs are stored and how long they are retained, and can ensure that they have access to historical data for compliance, auditing, and troubleshooting purposes.

Table Usage Guide

The azure_monitor_log_profile table provides insights into how Azure activity logs (resource usage, service health, and operations within an Azure subscription) are exported and retained. Use it to see where each profile sends these logs, how long they are retained, and whether historical data is available for compliance, auditing, and troubleshooting purposes.

Examples

Basic info

This query is useful for managing and understanding Azure Monitor Log Profiles. It selects key attributes of each log profile, which are crucial for monitoring and auditing purposes in Azure environments.

PostgreSQL and SQLite (same query):

select
  id,
  name,
  storage_account_id,
  service_bus_rule_id,
  locations,
  retention_policy
from
  azure_monitor_log_profile;

List events with event-level critical

This example helps identify critical events in your Azure activity log. By doing so, it allows you to promptly respond to potential issues or security threats.

PostgreSQL and SQLite (same query):

-- Activity Log events are exposed by the azure_monitor_activity_log_event table;
-- azure_monitor_log_profile has no event_name, operation_name, level or caller columns,
-- so the original query against it would fail.
select
  event_name,
  id,
  operation_name,
  event_timestamp,
  level,
  caller
from
  azure_monitor_activity_log_event
where
  level = 'EventLevelCritical';

Get retention policy details of log profiles

The query helps in efficiently tracking and managing log retention settings, ensuring that data retention complies with organizational policies and regulatory requirements.

PostgreSQL:

select
  id,
  name,
  retention_policy -> 'Enabled' as retention_policy_enabled,
  retention_policy -> 'Days' as retention_policy_days
from
  azure_monitor_log_profile;

SQLite:

select
  id,
  name,
  json_extract(retention_policy, '$.Enabled') as retention_policy_enabled,
  json_extract(retention_policy, '$.Days') as retention_policy_days
from
  azure_monitor_log_profile;

Get the location for which Activity Log events should be stored

Retrieve the specific locations associated with each log profile to understand where log data is being accumulated.

PostgreSQL:

select
  p.name,
  p.id,
  p.storage_account_id,
  l as location
from
  azure_monitor_log_profile as p,
  jsonb_array_elements_text(p.locations) as l;

SQLite:

select
  p.name,
  p.id,
  p.storage_account_id,
  json_each.value as location
from
  azure_monitor_log_profile as p,
  json_each(p.locations);

Get storage account details associated with the log profile

This query is highly beneficial for organizations using Azure services, as it helps in assessing the configuration and security aspects of the storage solutions linked with log profiles. By retrieving data such as the storage account's name, type, access tier, and various security and feature enablements like HTTPS traffic only, blob change feed, container soft delete, and encryption key sources, administrators

PostgreSQL:

select
  l.name,
  l.type,
  s.access_tier,
  s.kind,
  s.blob_change_feed_enabled,
  s.blob_container_soft_delete_enabled,
  s.enable_https_traffic_only,
  s.encryption_key_source
from
  azure_monitor_log_profile as l,
  azure_storage_account as s
where
  l.storage_account_id = s.id;

SQLite:

select
  l.name,
  l.type,
  s.access_tier,
  s.kind,
  s.blob_change_feed_enabled,
  s.blob_container_soft_delete_enabled,
  s.enable_https_traffic_only,
  s.encryption_key_source
from
  azure_monitor_log_profile as l
  join azure_storage_account as s on l.storage_account_id = s.id;
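As an added example that is not part of the Steampipe docs, the PostgreSQL query below combines the checks the examples above perform one at a time into a single finding per log profile: no export destination configured, retention enabled but shorter than 365 days, the 'global' location not captured, or the linked storage account not enforcing HTTPS-only traffic. The 365-day minimum is an assumed organisational policy value, and the azure_storage_account columns are the ones used in the previous example.

```sql
-- Added example (not from the Steampipe docs): one compliance check over the
-- columns this page documents. PostgreSQL syntax, Steampipe's default engine.
-- The 365-day minimum is an assumed policy value, not an Azure default.
with profiles as (
  select
    p.name,
    p.subscription_id,
    p.storage_account_id,
    p.service_bus_rule_id,
    (p.retention_policy ->> 'Enabled')::boolean as retention_enabled,
    -- In a log profile, retention disabled or Days = 0 both mean "keep indefinitely".
    (p.retention_policy ->> 'Days')::int as retention_days,
    -- jsonb ? text: true when the locations array contains the 'global' string.
    p.locations ? 'global' as covers_global,
    s.enable_https_traffic_only
  from
    azure_monitor_log_profile as p
    left join azure_storage_account as s on p.storage_account_id = s.id
)
select
  name,
  subscription_id,
  retention_days,
  case
    when storage_account_id is null and service_bus_rule_id is null
      then 'no export destination configured'
    when coalesce(retention_enabled, false) and retention_days between 1 and 364
      then 'retention shorter than 365 days'
    when not coalesce(covers_global, false)
      then 'global location not captured'
    when enable_https_traffic_only = false
      then 'storage account does not enforce HTTPS-only traffic'
    else 'ok'
  end as finding
from
  profiles
order by
  finding, name;
```

Some SQL clients treat a bare `?` as a bind-parameter placeholder; if yours does, write the jsonb containment test as `p.locations @> '["global"]'::jsonb` instead.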

Schema for azure_monitor_log_profile

Name                 Type   Operators                    Description
_ctx                 jsonb                               Steampipe context in JSON form.
akas                 text                                Array of globally unique identifier strings (also known as) for the resource.
categories           jsonb                               The categories of the logs. These categories are created as is convenient to the user.
cloud_environment    text                                The Azure Cloud Environment.
id                   text                                Azure resource Id.
location             text                                The resource location.
locations            jsonb                               List of regions for which Activity Log events should be stored or streamed. It is a comma separated list of valid ARM locations including the 'global' location.
name                 text   =                            Azure resource name.
retention_policy     jsonb                               The retention policy for the events in the log.
service_bus_rule_id  text                                The service bus rule ID of the service bus namespace in which you would like to have Event Hubs created for streaming the Activity Log.
sp_connection_name   text   =, !=, ~~, ~~*, !~~, !~~*    Steampipe connection name.
sp_ctx               jsonb                               Steampipe context in JSON form.
storage_account_id   text                                The resource id of the storage account to which you would like to send the Activity Log.
subscription_id      text   =, !=, ~~, ~~*, !~~, !~~*    The Azure Subscription ID in which the resource is located.
tags                 jsonb                               A map of tags for the resource.
title                text                                Title of the resource.
type                 text                                Azure resource type.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- azure

You can pass the configuration to the command with the --config argument:

steampipe_export_azure --config '<your_config>' azure_monitor_log_profile