Enable resource-specific diagnostic logging for resources that support it

[Greg-Court]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Is your feature request related to a problem?

Currently the policy "Enable category group resource logging for supported resources to Log Analytics" enables the allLogs diagnostic settings category for some resources to be sent to the LAW AzureDiagnostics table. This is the legacy option.

The newer, more user-friendly method is to to send Azure resource logs to multiple resource-specific tables for each category of the resource.

Describe the solution you'd like

For resources that support it, use Azure Policy to automatically configure the diagnostics settings to send logs to the newer Microsoft-recommended resource-specific tables.

Additional context

Using this new mode, multiple individual tables are provisioned in the selected workspace for each category selected in the diagnostic setting.

Microsoft recommends this method going forward because:

• Simplified means to work with the data in log queries.
• Provides improved discoverability of schemas and their structure.
• Improves performance across ingestion latency and query times.
• Provides the ability to grant Azure role-based access control rights on a specific table.
• All Azure services will eventually migrate to the resource-specific mode!

[matt-FFFFFF]

Hi this is a policy issue and so I'm routing it upstream