Introduction
One of the platforms our platform team manages is Azure DevOps. The number of users and teams on the platform keeps growing, and with this growth we need more tooling to maintain control and security without it costing additional time.
One of those tasks is monitoring the audit logs. Unfortunately, the audit log user interface within Azure DevOps is not user-friendly. The only filter available is a time range, but when you actually want to use the logs you need to filter by team project, organization, or even by user. Another important capability that is missing is alerting.
Improving monitoring
To improve the monitoring of these logs, we set up a stream to a Log Analytics workspace in Azure. However, even though we followed the Microsoft Learn page "Create audit streaming", this did not work out of the box, and we received the error message "Forbidden".
This meant that the Log Analytics workspace returned an HTTP 403, even though we had set it up as publicly available. After some research, we found out that the workspace feature "disableLocalAuth" was set to true, which blocks ingestion that authenticates with the workspace's shared keys (the agent keys), and that is exactly what the audit stream uses.
After setting it to false, configuring the stream worked! An example of the Bicep code we use to deploy the Log Analytics workspace:
```bicep
// Parameters the module below references (names assumed for this example)
param resourceName string
param location string = resourceGroup().location
param tags object = {}

module logWorkspaceAdo 'br/public:avm/res/operational-insights/workspace:0.11.0' = {
  name: 'logWorkspaceAdo' // deployment name
  params: {
    name: 'log-${resourceName}-001'
    location: location
    // The audit stream connects over the public ingestion endpoint
    publicNetworkAccessForIngestion: 'Enabled'
    publicNetworkAccessForQuery: 'Enabled'
    // true rejects shared-key (agent key) ingestion, which the stream uses -> HTTP 403
    features: { disableLocalAuth: false }
    tags: tags
  }
}
```
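A pre-flight check for the two settings discussed above, as an added example that is not part of the original post and not code from Azure or the AVM module. It takes the properties of a Microsoft.OperationalInsights/workspaces resource (the `properties` object of an ARM template; the Azure CLI `show` output is assumed to use the same keys at top level), reports which settings would make the audit stream fail with 403 and which ones remain a security exposure, and runs it over two constructed workspace definitions: one that reproduces the Forbidden error and one matching the working configuration.

```python
"""Pre-flight check for a Log Analytics workspace that should receive the
Azure DevOps audit stream.

Added example, not code from the original post. It inspects the `properties`
object of a Microsoft.OperationalInsights/workspaces resource and reports
which settings would make the stream fail with 403 and which ones are a
residual security exposure. The two sample workspaces are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str  # "blocking": the stream is rejected; "risk": works but weakens security
    setting: str   # property path inside the workspace resource
    message: str


def check_workspace_for_ado_stream(properties: dict) -> list[Finding]:
    """Return findings for a workspace's properties object.

    The stream authenticates with the workspace shared key and connects
    over the public ingestion endpoint, so both must be available.
    """
    findings: list[Finding] = []
    ingestion = properties.get("publicNetworkAccessForIngestion", "Enabled")
    features = properties.get("features") or {}
    local_auth_disabled = bool(features.get("disableLocalAuth", False))

    if ingestion != "Enabled":
        findings.append(Finding(
            "blocking", "publicNetworkAccessForIngestion",
            f"is {ingestion!r}: the public ingestion endpoint the audit stream "
            "connects to refuses data; set it to 'Enabled'",
        ))
    else:
        findings.append(Finding(
            "risk", "publicNetworkAccessForIngestion",
            "is 'Enabled': the ingestion endpoint accepts data from any network "
            "that presents a valid key",
        ))

    if local_auth_disabled:
        findings.append(Finding(
            "blocking", "features.disableLocalAuth",
            "is true: ingestion with the workspace shared (agent) key is rejected, "
            "which the audit stream reports as HTTP 403 Forbidden; set it to false",
        ))
    else:
        findings.append(Finding(
            "risk", "features.disableLocalAuth",
            "is false: anyone holding the shared key can write to the workspace; "
            "treat the key as a secret and rotate it if it leaks",
        ))
    return findings


def stream_will_be_accepted(properties: dict) -> bool:
    """True when no finding would stop the Azure DevOps stream from connecting."""
    return not any(f.severity == "blocking"
                   for f in check_workspace_for_ado_stream(properties))


def blocking_settings(properties: dict) -> list[str]:
    """Property paths that must change before the stream can be configured."""
    return [f.setting for f in check_workspace_for_ado_stream(properties)
            if f.severity == "blocking"]


# Constructed samples: the first reproduces the 403 from the post, the second
# is the configuration the Bicep module in the post deploys.
WORKSPACE_403 = {
    "publicNetworkAccessForIngestion": "Enabled",
    "publicNetworkAccessForQuery": "Enabled",
    "features": {"disableLocalAuth": True},
}
WORKSPACE_WORKING = {
    "publicNetworkAccessForIngestion": "Enabled",
    "publicNetworkAccessForQuery": "Enabled",
    "features": {"disableLocalAuth": False},
}

if __name__ == "__main__":
    for label, props in (("403 reproduction", WORKSPACE_403),
                         ("working", WORKSPACE_WORKING)):
        print(f"{label}: stream accepted = {stream_will_be_accepted(props)}")
        for f in check_workspace_for_ado_stream(props):
            print(f"  [{f.severity}] {f.setting} {f.message}")
```

The working configuration produces no blocking findings but still carries the two "risk" findings, which is exactly the pair of concerns raised in the security section below: the public endpoint and the shared key. Running the check as a pipeline step before touching the Azure DevOps streaming page saves a round trip through the Forbidden error.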
With the data in the workspace, we can easily build workbooks and alerts on it, or create a report in Power BI.
I hope this helps you set up the stream if you had the same problem as me.
Improving security
Even though this works, I still have some questions around security. The issues I have are:
- Public network access
- Using a key to connect
With all other connections, we go through our own private network, and where possible we do the authentication with federated credentials and managed identities. If we really need to allow public network access, we use service tags for the Microsoft service, but I did not see this possibility in the Log Analytics workspace.
If you know how to improve security for this setup, please let me know.