Azure SQL - Logs and metrics
Right click - deploy.
Copy a file to the server.
Lift and shift your on-premises server to the cloud.
What do these practices usually have in common?
Yes: a lack of production readiness in the cloud, and in particular no service logging or metrics collection.
Something this important is usually either overlooked, not done at all, or overcomplicated by using 3rd party tools that are “cloud-ready”: all you need to do is install this agent on all your machines so it can forward data to this other server, which then forwards all the data to yet another server. Wow!
Azure makes log and metrics collection super easy on most services, with an almost turnkey solution to forward logs and metrics to an Azure Storage Account, Event Hub or Log Analytics.
All three targets are suitable sources for any cloud-based SIEM to ingest data from, should you decide to use a 3rd party tool.
Azure SQL diagnostics
Continuing on from my last technical article on deploying and configuring Azure SQL, this article will focus on configuring the diagnostic settings on an Azure SQL database.
After successful deployment of an Azure SQL database you will find the diagnostics tab showing the following content.
With a bit of digging I found out that the diagnostics setting is a nested resource of type providers/diagnosticSettings on the Microsoft.Sql/servers/databases resource, and not just there, but on every other resource that supports diagnostic logs and metrics.
So, in the end, to configure my Azure SQL databases to forward all of the above logs and metrics to a storage account I had to add the following snippet to each database resource.
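An added example, not the snippet from the original post, of how that nested resource looks in an ARM template for an Azure SQL database that forwards its log categories and metrics to a storage account. The parameter names (serverName, databaseName, logStorageAccountName), the setting name, the SKU and the 90-day retention are assumptions; ARM templates accept // comments, so they are used here.

```json
{
  "type": "Microsoft.Sql/servers/databases",
  "apiVersion": "2019-06-01-preview",
  "name": "[concat(parameters('serverName'), '/', parameters('databaseName'))]",
  "location": "[resourceGroup().location]",
  "sku": { "name": "S0", "tier": "Standard" },
  "resources": [
    {
      // Added example, not the original post's snippet. The diagnostic setting is a child
      // of the database, so its type is the relative 'providers/diagnosticSettings' and its
      // name is prefixed with the Microsoft.Insights provider namespace.
      "type": "providers/diagnosticSettings",
      "apiVersion": "2017-05-01-preview",
      "name": "Microsoft.Insights/forward-to-storage",
      "dependsOn": [
        "[resourceId('Microsoft.Sql/servers/databases', parameters('serverName'), parameters('databaseName'))]"
      ],
      "properties": {
        // Assumed parameter: the storage account that receives the logs and metrics.
        "storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('logStorageAccountName'))]",
        // Azure SQL Database log categories; verify the list against your API version
        // (e.g. 'az monitor diagnostic-settings categories list'). 90 days is an assumption.
        "logs": [
          { "category": "SQLInsights", "enabled": true, "retentionPolicy": { "enabled": true, "days": 90 } },
          { "category": "AutomaticTuning", "enabled": true, "retentionPolicy": { "enabled": true, "days": 90 } },
          { "category": "QueryStoreRuntimeStatistics", "enabled": true, "retentionPolicy": { "enabled": true, "days": 90 } },
          { "category": "QueryStoreWaitStatistics", "enabled": true, "retentionPolicy": { "enabled": true, "days": 90 } },
          { "category": "Errors", "enabled": true, "retentionPolicy": { "enabled": true, "days": 90 } },
          { "category": "DatabaseWaitStatistics", "enabled": true, "retentionPolicy": { "enabled": true, "days": 90 } },
          { "category": "Timeouts", "enabled": true, "retentionPolicy": { "enabled": true, "days": 90 } },
          { "category": "Blocks", "enabled": true, "retentionPolicy": { "enabled": true, "days": 90 } },
          { "category": "Deadlocks", "enabled": true, "retentionPolicy": { "enabled": true, "days": 90 } },
          { "category": "SQLSecurityAuditEvents", "enabled": true, "retentionPolicy": { "enabled": true, "days": 90 } }
        ],
        // Metric categories for the database.
        "metrics": [
          { "category": "Basic", "enabled": true, "retentionPolicy": { "enabled": true, "days": 90 } },
          { "category": "InstanceAndAppAdvanced", "enabled": true, "retentionPolicy": { "enabled": true, "days": 90 } },
          { "category": "WorkloadManagement", "enabled": true, "retentionPolicy": { "enabled": true, "days": 90 } }
        ]
      }
    }
  ]
}
```

The retentionPolicy only has an effect for the storage account target; to forward to Event Hub or Log Analytics instead, replace storageAccountId with eventHubAuthorizationRuleId plus eventHubName, or with workspaceId.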
Now ingesting that data into a SIEM becomes super easy.