forked from CmdaPanda/AzBluMon
-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathAzBluMon.azcli
317 lines (294 loc) · 18.8 KB
/
AzBluMon.azcli
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
#!/bin/bash
# Author: Justin Kikani
# Initial Release: 5/18/2022
# Last Modified: 3/15/2023
# Version: 1.2.8
# Release Notes: This script has been modified to be re-runnable, in that it will
# detect if this script has been run before. If so, it will simply modify settings
# rather than create resources.
# Purpose: To simplify the creation of the event hubs integration for blumira within Azure,
# this is meant to turn on the diagnostic settings for Azure resources located within the
# same resource group as the created namespace name, due to the way licensing works within Azure
# this script does not encompass metrics enablement or the ability to turn on Azure Active Directory
# or Defender integrations, this is in the same vein as poshim for automated windows logging
# Standardized Blumira Resource Group name
bluRG="blu-eventhub-rg"
# Statically set to reduce friction but this value can be changed to suit your preferences or needs
myEventHubName="blueventhub"
echo 'Please Note: This configuration is currently valid for US only deployments.'
# Have user login to their tenant, uncomment below line if running from local Azure CLI instance
#az login
# Get Subscription ID from user
echo 'What is your Subscription ID? This can be found at https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade copy and paste the link in a new browser tab.'
read mySubscriptionID
# Set the Subscription that you'll be working with by ID, more reliable than name
az account set \
--name $mySubscriptionID
#Register Microsoft.Insights resource provider, won't hurt to re-run if it already is registered
az provider register --namespace 'microsoft.insights'
# Get resource groups
myResourceGroups=($(az group list --query "[].name" -o tsv))
# Now that the check has been stored, test with if else
if [ $(az group exists -n $bluRG) = true ]; then
echo "This appears to be a secondary run, validating and enabling logging configurations without changing resource groups or resources."
# Get the location ID from the namespace(s) and then get the namespaces
locations=$(az resource list -g $bluRG --query "[].location" -o tsv | awk -F '\t' '{print $1}' | sort -u)
myLocations=($(echo $locations | tr " " "\n"))
nameSpaceList=$(az eventhubs namespace list -g $bluRG --query "[].name" -o tsv | awk -F '\t' '{print $1}' | sort -u)
myNameSpaces=($(echo $nameSpaceList | tr " " "\n"))
# Loop through the locations to apply settings
for myLocation in "${myLocations[@]}"; do
for nameSpace in "${myNameSpaces[@]}"; do
myNameSpaceLoc=${nameSpace##*-}
if [[ $myLocation == $myNameSpaceLoc ]]; then
echo "Updating resource at $myLocation"
myRuleID=$(az eventhubs namespace authorization-rule show --name "RootManageSharedAccessKey" -g $bluRG --namespace-name $nameSpace --query "id" -o tsv)
# Loop through each Resource Group in the subscription
for resourceGroup in "${myResourceGroups[@]}"; do
# Set diagnostic settings for all resources in the resource group to the previously created event hub
# Start with creating array of resource IDs to iterate through
resourceIDs=($(az resource list -g $resourceGroup --location $myLocation --query "[].id" -o tsv))
for resourceID in "${resourceIDs[@]}"; do
# Check if any resources are storage accounts
resourceType=$(az resource show -g $resourceGroup --id $resourceID --query "type" -o tsv)
# If there are any storage accounts set diagnostic settings for each default resource type underneath blob, files, table, queue
case $resourceType in
Microsoft.Storage/storageAccounts)
storageResourceIDs=( $resourceID"/blobServices/default" $resourceID"/tableServices/default" $resourceID"/queueServices/default" $resourceID"/fileServices/default" )
# For each storage service default resource ID build the log json template on the fly and apply it to the diagnostic setting
for storageResourceID in "${storageResourceIDs[@]}"; do
logString="["
# For each resource ID we need to create another array to iterate through to create the log settings for each log category
storageLogCategories=($(az monitor diagnostic-settings categories list --resource $storageResourceID --query "value[?categoryType == 'Logs'].[name]" -o tsv))
# Loop through each category to build json
for storageLogCategory in "${storageLogCategories[@]}"; do
logString+='{"category":'
logString+='"'"$storageLogCategory"'",'
logString+='"enabled": true, "retentionPolicy": {"enabled": false, "days": 0 }},'
done
# Remove last ',' from the json and replace with closing ']'
modifiedLogString=$logstring
modifiedLogString=${logString::-1}
modifiedLogString+="]"
echo $modifiedLogString > temp.json
# Create the diagnostic setting for each resource ID with compiled json
az monitor diagnostic-settings create \
--name BlumiraDiagSetting \
--resource $storageResourceID \
--event-hub "$myEventHubName-$myLocation" \
--event-hub-rule $myRuleID \
--logs @./temp.json \
--output none
done
;;
microsoft.devtestlab/schedules)
;;
Microsoft.ContainerInstance/containerGroups)
;;
Microsoft.Compute/snapshots)
;;
Microsoft.Compute/virtualMachines*)
;;
Microsoft.Compute/disks)
;;
Microsoft.Network/networkInterfaces)
;;
Microsoft.Network/networkWatchers)
;;
Microsoft.Compute/images)
;;
"")
;;
*)
logString="["
# For each resource ID we need to create another array to iterate through to create the log settings on the fly for each log category
logCategories=($(az monitor diagnostic-settings categories list --resource $resourceID --query "value[?categoryType == 'Logs'].[name]" -o tsv))
# Loop through each category to build json
for logCategory in "${logCategories[@]}"; do
logString+='{"category":'
logString+='"'"$logCategory"'",'
logString+='"enabled": true, "retentionPolicy": {"enabled": false, "days": 0 }},'
done
modifiedLogString=$logstring
modifiedLogString=${logString::-1}
modifiedLogString+="]"
# Skip this resource nothing exists
if [[ $modifiedLogString != "]" ]]; then
echo $modifiedLogString > temp.json
# Create the diagnostic setting for each resource ID with compiled json
az monitor diagnostic-settings create \
--name BlumiraDiagSetting \
--resource $resourceID \
--event-hub "$myEventHubName-$myLocation" \
--event-hub-rule $myRuleID \
--logs @./temp.json \
--output none
fi
;;
esac
done
done
fi
done
done
echo "Operations have completed. Your resources' diagnostic settings have been updated."
else
# Get the location id from the subscription
locations=$(az resource list --query "[].location" -o tsv | awk -F '\t' '{print $1}' | sort -u)
myLocations=($(echo $locations | tr " " "\n"))
# Get the Namespace name from the user
echo "What would you like to name your Event Hub Namespace? Please note this must be unique."
read myEventHubNamespace
# Let the user know what's going on at this stage
echo "Subscription $mySubscriptionID set. Creating Blumira resource group."
# Create the new standardized resource group, place in same location as given above
az group create --location ${myLocations[0]} --name $bluRG
echo "Creating Event Hub Namespace for each Region"
# Create the Azure Event Hub Namespace
for myLocation in "${myLocations[@]}"; do
# Create the Azure Event Hub Namespace
az eventhubs namespace create \
--name "$myEventHubNamespace-$myLocation" \
--resource-group $bluRG \
--location $myLocation \
--sku Basic \
--capacity 1 \
--enable-auto-inflate false
# Give time for Azure to enumerate event hub namespace
echo "Waiting 60s for Namespace creation..."
sleep 60s
echo "Creating Event Hub and Authorization Rule under the Namespace..."
# Create the Azure Event Hub
az eventhubs eventhub create \
--name "$myEventHubName-$myLocation" \
--namespace-name "$myEventHubNamespace-$myLocation" \
--resource-group $bluRG \
--partition-count 2 \
--message-retention 1 \
--output none
echo "Waiting 60s for Event Hub Creation"
sleep 60s
# Set SAS Auth and Rules for Event Hub Listener, this is what the sensor uses
az eventhubs eventhub authorization-rule create \
--name "LogsToBlumira" \
--eventhub-name "$myEventHubName-$myLocation" \
--namespace-name "$myEventHubNamespace-$myLocation" \
--resource-group $bluRG \
--rights Listen \
--output none
# Get and store the authorization ID for the rootManagedShareKey rule for continued setup of resources
myRuleID=$(az eventhubs namespace authorization-rule show --name "RootManageSharedAccessKey" --resource-group $bluRG --namespace-name "$myEventHubNamespace-$myLocation" --query "id" -o tsv)
echo 'Building diagnostic settings templates and assigning them in monitor errors are to be expected for unsupported resources in current region.'
# Loop through each Resource Group in the subscription
for resourceGroup in "${myResourceGroups[@]}"; do
# Set diagnostic settings for all resources in the resource group to the previously created event hub
# Start with creating array of resource IDs to iterate through
resourceIDs=($(az resource list -g $resourceGroup --location $myLocation --query "[].id" -o tsv))
for resourceID in "${resourceIDs[@]}"; do
# Check if any resources are storage accounts
resourceType=$(az resource show -g $resourceGroup --id $resourceID --query "type" -o tsv)
# If there are any storage accounts set diagnostic settings for each default resource type underneath blob, files, table, queue
case $resourceType in
Microsoft.Storage/storageAccounts)
storageResourceIDs=( $resourceID"/blobServices/default" $resourceID"/tableServices/default" $resourceID"/queueServices/default" $resourceID"/fileServices/default" )
# For each storage service default resource ID build the log json template on the fly and apply it to the diagnostic setting
for storageResourceID in "${storageResourceIDs[@]}"; do
logString="["
# For each resource ID we need to create another array to iterate through to create the log settings for each log category
storageLogCategories=($(az monitor diagnostic-settings categories list --resource $storageResourceID --query "value[?categoryType == 'Logs'].[name]" -o tsv))
# Loop through each category to build json
for storageLogCategory in "${storageLogCategories[@]}"; do
logString+='{"category":'
logString+='"'"$storageLogCategory"'",'
logString+='"enabled": true, "retentionPolicy": {"enabled": false, "days": 0 }},'
done
# Remove last ',' from the json and replace with closing ']'
modifiedLogString=$logstring
modifiedLogString=${logString::-1}
modifiedLogString+="]"
echo $modifiedLogString > temp.json
# Create the diagnostic setting for each resource ID with compiled json
az monitor diagnostic-settings create \
--name BlumiraDiagSetting \
--resource $storageResourceID \
--event-hub "$myEventHubName-$myLocation" \
--event-hub-rule $myRuleID \
--logs @./temp.json \
--output none
done
;;
microsoft.devtestlab/schedules)
;;
Microsoft.ContainerInstance/containerGroups)
;;
Microsoft.Compute/snapshots)
;;
Microsoft.Compute/virtualMachines*)
;;
Microsoft.Compute/disks)
;;
Microsoft.Network/networkInterfaces)
;;
Microsoft.Network/networkWatchers)
;;
Microsoft.Compute/images)
;;
"")
;;
*)
logString="["
# For each resource ID we need to create another array to iterate through to create the log settings on the fly for each log category
logCategories=($(az monitor diagnostic-settings categories list --resource $resourceID --query "value[?categoryType == 'Logs'].[name]" -o tsv))
# Loop through each category to build json
for logCategory in "${logCategories[@]}"; do
logString+='{"category":'
logString+='"'"$logCategory"'",'
logString+='"enabled": true, "retentionPolicy": {"enabled": false, "days": 0 }},'
done
modifiedLogString=$logstring
modifiedLogString=${logString::-1}
modifiedLogString+="]"
# Skip this resource nothing exists
if [[ $modifiedLogString != "]" ]]; then
echo $modifiedLogString > temp.json
# Create the diagnostic setting for each resource ID with compiled json
az monitor diagnostic-settings create \
--name BlumiraDiagSetting \
--resource $resourceID \
--event-hub "$myEventHubName-$myLocation" \
--event-hub-rule $myRuleID \
--logs @./temp.json \
--output none
fi
;;
esac
done
done
done
#Re-get the authrule for starting namespace
myRuleID=$(az eventhubs namespace authorization-rule show --name "RootManageSharedAccessKey" --resource-group $bluRG --namespace-name "$myEventHubNamespace-${myLocations[0]}" --query "id" -o tsv)
# Create diagnostic settings for Azure Subscription that was specified by the user
az monitor diagnostic-settings subscription create \
--name BlumiraDiagSetting \
--location ${myLocations[0]} \
--event-hub-name "$myEventHubName-${myLocations[0]}" \
--event-hub-auth-rule $myRuleID \
--logs '[{"category": "Security","enabled": true},{"category": "Administrative","enabled": true},{"category": "ServiceHealth","enabled": true},{"category": "Alert","enabled": true},{"category": "Recommendation","enabled": true},{"category": "Policy","enabled": true},{"category": "Autoscale","enabled": true},{"category": "ResourceHealth","enabled": true}]' \
--output none
# Output primary connection string for end-user to copy and use within Blumira
echo '******************************************************************'
echo '******************************************************************'
echo 'You will need the Primary Connection String and the Event Hub name to copy and paste in the sensor module within Blumira.'
for myLocation in "${myLocations[@]}"; do
echo 'Primary Connection String'
az eventhubs eventhub authorization-rule keys list \
--resource-group $bluRG \
--eventhub-name "$myEventHubName-$myLocation" \
--namespace-name "$myEventHubNamespace-$myLocation" \
--name "LogsToBlumira" --query "primaryConnectionString" -o tsv
# Output event hub name for end-user to copy and use within Blumira
echo 'Event Hub Name'
echo "$myEventHubName-$myLocation"
echo '******************************************************************'
done
fi