I have a requirement to monitor all automatic Windows services from Azure VMs using Azure Monitor. The best solution is to enable 'Change Tracking' from the VM's blade, which allows us to query the Windows service change data from the Log Analytics workspace and create alert rules accordingly.
However, I have around 500+ VMs, and enabling 'Change Tracking' for this many VMs manually is very tedious. I tried searching for an automation solution (either with PowerShell or Terraform) on the internet, but unfortunately, I couldn't find any. Is there a way to automate this process to enable Change Tracking for this many VMs?
asked Feb 4 at 21:01 by Ron

2 Answers
You can use PowerShell to automate this. First of all, check whether you have installed the 'Az.Automation' module or not.
Run the command below to install it if it is not installed.
```powershell
Install-Module -Name Az.Automation -Force -AllowClobber
```
Ensure you have the proper permission at the Azure subscription level: Owner or Contributor.
```powershell
# Login to Azure
Connect-AzAccount

# Define variables
$subscriptionId    = "<Your Subscription ID>"
$resourceGroup     = "<Your Automation Account's Resource Group>"
$automationAccount = "<Your Automation Account Name>"

# Set the context to the subscription
Set-AzContext -SubscriptionId $subscriptionId

# Get all VMs in the subscription
$allVMs = Get-AzVM

# Loop through each VM and enable Change Tracking
foreach ($vm in $allVMs) {
    $vmId = $vm.Id
    Write-Host "Enabling Change Tracking for VM: $($vm.Name)"

    # Enable Change Tracking
    Enable-AzAutomationChangeTracking -ResourceGroupName $resourceGroup `
        -AutomationAccountName $automationAccount `
        -MachineId $vmId
}

Write-Host "Change Tracking enabled for all VMs."
```
If you have any challenges in filling out the PS script, comment below.
Updated [Using Custom Template]
Try using the custom template for DCR (data collection rule)
```json
{
  "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "dataCollectionRuleName": {
      "type": "string",
      "metadata": {
        "description": "Specifies the name of the data collection rule to create."
      },
      "defaultValue": "Microsoft-CT-DCR"
    },
    "workspaceResourceId": {
      "type": "string",
      "metadata": {
        "description": "Specifies the Azure resource ID of the Log Analytics workspace to use to store change tracking data."
      }
    }
  },
  "variables": {
    "subscriptionId": "[substring(parameters('workspaceResourceId'), 15, sub(indexOf(parameters('workspaceResourceId'), '/resourceGroups/'), 15))]",
    "resourceGroupName": "[substring(parameters('workspaceResourceId'), add(indexOf(parameters('workspaceResourceId'), '/resourceGroups/'), 16), sub(sub(indexOf(parameters('workspaceResourceId'), '/providers/'), indexOf(parameters('workspaceResourceId'), '/resourceGroups/')),16))]",
    "workspaceName": "[substring(parameters('workspaceResourceId'), add(lastIndexOf(parameters('workspaceResourceId'), '/'), 1), sub(length(parameters('workspaceResourceId')), add(lastIndexOf(parameters('workspaceResourceId'), '/'), 1)))]"
  },
  "resources": [
    {
      "type": "microsoft.resources/deployments",
      "name": "get-workspace-region",
      "apiVersion": "2020-08-01",
      "properties": {
        "mode": "Incremental",
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "resources": [],
          "outputs": {
            "workspaceLocation": {
              "type": "string",
              "value": "[reference(parameters('workspaceResourceId'), '2020-08-01', 'Full').location]"
            }
          }
        }
      }
    },
    {
      "type": "microsoft.resources/deployments",
      "name": "CtDcr-Deployment",
      "apiVersion": "2020-08-01",
      "properties": {
        "mode": "Incremental",
        "parameters": {
          "workspaceRegion": {
            "value": "[reference('get-workspace-region').outputs.workspaceLocation.value]"
          }
        },
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "parameters": {
            "workspaceRegion": {
              "type": "string"
            }
          },
          "resources": [
            {
              "type": "Microsoft.Insights/dataCollectionRules",
              "apiVersion": "2021-04-01",
              "name": "[parameters('dataCollectionRuleName')]",
              "location": "[[parameters('workspaceRegion')]",
              "properties": {
                "description": "Data collection rule for CT.",
                "dataSources": {
                  "extensions": [
                    {
                      "streams": [
                        "Microsoft-ConfigurationChange",
                        "Microsoft-ConfigurationChangeV2",
                        "Microsoft-ConfigurationData"
                      ],
                      "extensionName": "ChangeTracking-Windows",
                      "extensionSettings": {
                        "enableFiles": true,
                        "enableSoftware": true,
                        "enableRegistry": true,
                        "enableServices": true,
                        "enableInventory": true,
                        "registrySettings": {
                          "registryCollectionFrequency": 3000,
                          "registryInfo": [
                            {
                              "name": "Registry_1",
                              "groupTag": "Recommended",
                              "enabled": false,
                              "recurse": true,
                              "description": "",
                              "keyName": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\Scripts\\Startup",
                              "valueName": ""
                            },
                            {
                              "name": "Registry_2",
                              "groupTag": "Recommended",
                              "enabled": false,
                              "recurse": true,
                              "description": "",
                              "keyName": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\Scripts\\Shutdown",
                              "valueName": ""
                            },
                            {
                              "name": "Registry_3",
                              "groupTag": "Recommended",
                              "enabled": false,
                              "recurse": true,
                              "description": "",
                              "keyName": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run",
                              "valueName": ""
                            },
                            {
                              "name": "Registry_4",
                              "groupTag": "Recommended",
                              "enabled": false,
                              "recurse": true,
                              "description": "",
                              "keyName": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components",
                              "valueName": ""
                            },
                            {
                              "name": "Registry_5",
                              "groupTag": "Recommended",
                              "enabled": false,
                              "recurse": true,
                              "description": "",
                              "keyName": "HKEY_LOCAL_MACHINE\\Software\\Classes\\Directory\\ShellEx\\ContextMenuHandlers",
                              "valueName": ""
                            },
                            {
                              "name": "Registry_6",
                              "groupTag": "Recommended",
                              "enabled": false,
                              "recurse": true,
                              "description": "",
                              "keyName": "HKEY_LOCAL_MACHINE\\Software\\Classes\\Directory\\Background\\ShellEx\\ContextMenuHandlers",
                              "valueName": ""
                            },
                            {
                              "name": "Registry_7",
                              "groupTag": "Recommended",
                              "enabled": false,
                              "recurse": true,
                              "description": "",
                              "keyName": "HKEY_LOCAL_MACHINE\\Software\\Classes\\Directory\\Shellex\\CopyHookHandlers",
                              "valueName": ""
                            },
                            {
                              "name": "Registry_8",
                              "groupTag": "Recommended",
                              "enabled": false,
                              "recurse": true,
                              "description": "",
                              "keyName": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellIconOverlayIdentifiers",
                              "valueName": ""
                            },
                            {
                              "name": "Registry_9",
                              "groupTag": "Recommended",
                              "enabled": false,
                              "recurse": true,
                              "description": "",
                              "keyName": "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellIconOverlayIdentifiers",
                              "valueName": ""
                            },
                            {
                              "name": "Registry_10",
                              "groupTag": "Recommended",
                              "enabled": false,
                              "recurse": true,
                              "description": "",
                              "keyName": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects",
                              "valueName": ""
                            },
                            {
                              "name": "Registry_11",
                              "groupTag": "Recommended",
                              "enabled": false,
                              "recurse": true,
                              "description": "",
                              "keyName": "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects",
                              "valueName": ""
                            },
                            {
                              "name": "Registry_12",
                              "groupTag": "Recommended",
                              "enabled": false,
                              "recurse": true,
                              "description": "",
                              "keyName": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Extensions",
                              "valueName": ""
                            },
                            {
                              "name": "Registry_13",
                              "groupTag": "Recommended",
                              "enabled": false,
                              "recurse": true,
                              "description": "",
                              "keyName": "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Internet Explorer\\Extensions",
                              "valueName": ""
                            },
                            {
                              "name": "Registry_14",
                              "groupTag": "Recommended",
                              "enabled": false,
                              "recurse": true,
                              "description": "",
                              "keyName": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32",
                              "valueName": ""
                            },
                            {
                              "name": "Registry_15",
                              "groupTag": "Recommended",
                              "enabled": false,
                              "recurse": true,
                              "description": "",
                              "keyName": "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32",
                              "valueName": ""
                            },
                            {
                              "name": "Registry_16",
                              "groupTag": "Recommended",
                              "enabled": false,
                              "recurse": true,
                              "description": "",
                              "keyName": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\KnownDlls",
                              "valueName": ""
                            },
                            {
                              "name": "Registry_17",
                              "groupTag": "Recommended",
                              "enabled": false,
                              "recurse": true,
                              "description": "",
                              "keyName": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify",
                              "valueName": ""
                            }
                          ]
                        },
                        "fileSettings": {
                          "fileCollectionFrequency": 2700
                        },
                        "softwareSettings": {
                          "softwareCollectionFrequency": 1800
                        },
                        "inventorySettings": {
                          "inventoryCollectionFrequency": 36000
                        },
                        "servicesSettings": {
                          "serviceCollectionFrequency": 1800
                        }
                      },
                      "name": "CTDataSource-Windows"
                    },
                    {
                      "streams": [
                        "Microsoft-ConfigurationChange",
                        "Microsoft-ConfigurationChangeV2",
                        "Microsoft-ConfigurationData"
                      ],
                      "extensionName": "ChangeTracking-Linux",
                      "extensionSettings": {
                        "enableFiles": true,
                        "enableSoftware": true,
                        "enableRegistry": false,
                        "enableServices": true,
                        "enableInventory": true,
                        "fileSettings": {
                          "fileCollectionFrequency": 900,
                          "fileInfo": [
                            {
                              "name": "ChangeTrackingLinuxPath_default",
                              "enabled": true,
                              "destinationPath": "/etc/.*.conf",
                              "useSudo": true,
                              "recurse": true,
                              "maxContentsReturnable": 5000000,
                              "pathType": "File",
                              "type": "File",
                              "links": "Follow",
                              "maxOutputSize": 500000,
                              "groupTag": "Recommended"
                            }
                          ]
                        },
                        "softwareSettings": {
                          "softwareCollectionFrequency": 300
                        },
                        "inventorySettings": {
                          "inventoryCollectionFrequency": 36000
                        },
                        "servicesSettings": {
                          "serviceCollectionFrequency": 300
                        }
                      },
                      "name": "CTDataSource-Linux"
                    }
                  ]
                },
                "destinations": {
                  "logAnalytics": [
                    {
                      "workspaceResourceId": "[parameters('workspaceResourceId')]",
                      "name": "Microsoft-CT-Dest"
                    }
                  ]
                },
                "dataFlows": [
                  {
                    "streams": [
                      "Microsoft-ConfigurationChange",
                      "Microsoft-ConfigurationChangeV2",
                      "Microsoft-ConfigurationData"
                    ],
                    "destinations": [
                      "Microsoft-CT-Dest"
                    ]
                  }
                ]
              }
            },
            {
              "type": "Microsoft.OperationsManagement/solutions",
              "name": "[Concat('ChangeTracking', '(', variables('workspaceName'), ')')]",
              "location": "[[parameters('workspaceRegion')]",
              "apiVersion": "2015-11-01-preview",
              "id": "[Concat('/subscriptions/', variables('subscriptionId'), '/resourceGroups/', variables('resourceGroupName'), '/providers/Microsoft.OperationsManagement/solutions/ChangeTracking', '(', variables('workspaceName'), ')')]",
              "properties": {
                "workspaceResourceId": "[parameters('workspaceResourceId')]"
              },
              "plan": {
                "name": "[Concat('ChangeTracking', '(', variables('workspaceName'), ')')]",
                "product": "OMSGallery/ChangeTracking",
                "promotionCode": "",
                "publisher": "Microsoft"
              }
            }
          ]
        }
      }
    }
  ]
}
```
After creating the Data Collection Rule (DCR) using the Azure Monitoring Agent's change tracking schema, ensure that you don't add any Data Sources to this rule. This can cause Change Tracking and Inventory to fail. You must only add new Resources in this section.
For more information, see "Create data collection rule DCR".
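
An added example, not part of the answer above: one way to do the "only add new Resources" step for many VMs is to install the `ChangeTracking-Windows` extension on each Windows VM and associate the VM with the deployed DCR, recording failures so that unmonitored VMs stay visible. It assumes an authenticated Az session with the subscription context set, the Azure Monitor Agent already present on the VMs, and the extension publisher name shown; the DCR resource ID, association name and handler version are placeholders to fill in.

```powershell
# Added example. Values in <...> are placeholders; "assumption" marks values not taken from the page.
$dcrId     = '<Resource ID of the Microsoft-CT-DCR rule deployed by the template>'
$assocName = 'ct-dcr-association'                          # hypothetical association name
$publisher = 'Microsoft.Azure.ChangeTrackingAndInventory'  # assumption: extension publisher
$ctVersion = '<ChangeTracking-Windows handler version>'    # placeholder; list with Get-AzVMExtensionImage
$apiVer    = '2022-06-01'                                  # Microsoft.Insights REST API version

# Only Windows VMs: the goal on this page is Windows service monitoring.
$windowsVMs = @(Get-AzVM | Where-Object { $_.StorageProfile.OsDisk.OsType -eq 'Windows' })

$failed = @(foreach ($vm in $windowsVMs) {
    try {
        # 1. Install the Change Tracking extension; its type matches "extensionName" in the DCR.
        Set-AzVMExtension -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name `
            -Location $vm.Location -Name 'ChangeTracking-Windows' `
            -Publisher $publisher -ExtensionType 'ChangeTracking-Windows' `
            -TypeHandlerVersion $ctVersion -EnableAutomaticUpgrade $true `
            -ErrorAction Stop | Out-Null

        # 2. Associate the VM with the DCR. This adds a resource to the rule, not a
        #    data source, and the PUT can be repeated safely on a re-run.
        $path = "$($vm.Id)/providers/Microsoft.Insights/dataCollectionRuleAssociations/" +
                "${assocName}?api-version=$apiVer"
        $body = @{ properties = @{ dataCollectionRuleId = $dcrId } } | ConvertTo-Json
        $resp = Invoke-AzRestMethod -Method PUT -Path $path -Payload $body

        # Invoke-AzRestMethod does not throw on HTTP errors, so check the status explicitly.
        if ($resp.StatusCode -notin 200, 201) {
            throw "DCR association returned HTTP $($resp.StatusCode)"
        }
    }
    catch {
        # Record the VM and continue instead of aborting the whole run.
        [pscustomobject]@{
            VM            = $vm.Name
            ResourceGroup = $vm.ResourceGroupName
            Error         = $_.Exception.Message
        }
    }
})

Write-Host "Processed $($windowsVMs.Count) Windows VMs, $($failed.Count) failed."
$failed | Format-Table -AutoSize
```

Any VM listed in `$failed` is not sending service change data to the workspace, so alert rules built on that data will not cover it until the run succeeds for that VM.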
You can use an Azure policy, or go to the Azure VMs browse experience (select your VMs, up to 100 in one go) and click on Services --> Change tracking or Inventory. If all VMs are in the same region, then it is easy; otherwise you can keep enabling region by region from the VM browse experience.