az monitor data-collection rule

Note

This reference is part of the monitor-control-service extension for the Azure CLI (version 2.61.0 or higher). The extension will automatically install the first time you run an az monitor data-collection rule command. Learn more about extensions.

Manage data collection rule for monitor control service.

Commands

| Name | Description | Type | Status |
|---|---|---|---|
| az monitor data-collection rule association | Manage data collection rule association for monitor control service. | Extension | GA |
| az monitor data-collection rule association create | Create an association. | Extension | GA |
| az monitor data-collection rule association delete | Delete an association. | Extension | GA |
| az monitor data-collection rule association list | List associations for the specified data collection rule, data collection endpoint, or resource. | Extension | GA |
| az monitor data-collection rule association list-by-resource | List associations for the specified resource. | Extension | GA |
| az monitor data-collection rule association show | Get the specified association. | Extension | GA |
| az monitor data-collection rule association update | Update an association. | Extension | GA |
| az monitor data-collection rule create | Create a data collection rule. | Extension | GA |
| az monitor data-collection rule data-flow | Manage data flows. | Extension | GA |
| az monitor data-collection rule data-flow add | Add a data flow. | Extension | GA |
| az monitor data-collection rule data-flow list | List data flows. | Extension | GA |
| az monitor data-collection rule delete | Delete a data collection rule. | Extension | GA |
| az monitor data-collection rule list | List all data collection rules in the specified resource group, or all data collection rules in the specified subscription. | Extension | GA |
| az monitor data-collection rule log-analytics | Manage Log Analytics destinations. | Extension | GA |
| az monitor data-collection rule log-analytics add | Add Log Analytics destinations of a data collection rule. | Extension | GA |
| az monitor data-collection rule log-analytics delete | Delete a Log Analytics destination of a data collection rule. | Extension | GA |
| az monitor data-collection rule log-analytics list | List Log Analytics destinations of a data collection rule. | Extension | GA |
| az monitor data-collection rule log-analytics show | Show a Log Analytics destination of a data collection rule. | Extension | GA |
| az monitor data-collection rule log-analytics update | Update a Log Analytics destination of a data collection rule. | Extension | GA |
| az monitor data-collection rule performance-counter | Manage Log performance counter data source. | Extension | GA |
| az monitor data-collection rule performance-counter add | Add a Log performance counter data source. | Extension | GA |
| az monitor data-collection rule performance-counter delete | Delete a Log performance counter data source. | Extension | GA |
| az monitor data-collection rule performance-counter list | List Log performance counter data sources. | Extension | GA |
| az monitor data-collection rule performance-counter show | Show a Log performance counter data source. | Extension | GA |
| az monitor data-collection rule performance-counter update | Update a Log performance counter data source. | Extension | GA |
| az monitor data-collection rule show | Return the specified data collection rule. | Extension | GA |
| az monitor data-collection rule syslog | Manage Syslog data source. | Extension | GA |
| az monitor data-collection rule syslog add | Add a Syslog data source. | Extension | GA |
| az monitor data-collection rule syslog delete | Delete a Syslog data source. | Extension | GA |
| az monitor data-collection rule syslog list | List Syslog data sources. | Extension | GA |
| az monitor data-collection rule syslog show | Show a Syslog data source. | Extension | GA |
| az monitor data-collection rule syslog update | Update a Syslog data source. | Extension | GA |
| az monitor data-collection rule update | Update a data collection rule. | Extension | GA |
| az monitor data-collection rule windows-event-log | Manage Windows Event Log data source. | Extension | GA |
| az monitor data-collection rule windows-event-log add | Add a Windows Event Log data source. | Extension | GA |
| az monitor data-collection rule windows-event-log delete | Delete a Windows Event Log data source. | Extension | GA |
| az monitor data-collection rule windows-event-log list | List Windows Event Log data sources. | Extension | GA |
| az monitor data-collection rule windows-event-log show | Show a Windows Event Log data source. | Extension | GA |
| az monitor data-collection rule windows-event-log update | Update a Windows Event Log data source. | Extension | GA |

az monitor data-collection rule create

Create a data collection rule.

az monitor data-collection rule create --data-collection-rule-name
                                       --resource-group
                                       [--agent-settings]
                                       [--data-collection-endpoint-id]
                                       [--data-flows]
                                       [--data-sources]
                                       [--description]
                                       [--destinations]
                                       [--identity]
                                       [--kind]
                                       [--location]
                                       [--references]
                                       [--rule-file]
                                       [--stream-declarations]
                                       [--tags]

Examples

Create data collection rule

az monitor data-collection rule create --resource-group "myResourceGroup" --location "eastus" --name "myCollectionRule" --rule-file "C:\samples\dcrEx1.json"

Required Parameters

--data-collection-rule-name --name --rule-name -n

The name of the data collection rule. The name is case insensitive.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--agent-settings

Agent settings used to modify agent behavior on a given host. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

--data-collection-endpoint-id --endpoint-id

The resource ID of the data collection endpoint that is to be associated.

--data-flows

The specification of data flows. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

--data-sources

The specification of data sources. This property is optional and can be omitted if the rule is meant to be used via direct calls to the provisioned endpoint. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

--description

Description of the association.

--destinations

The specification of destinations. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

--identity

Managed service identity of the resource. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

--kind

The kind of the resource. Allowed values: Linux, Windows.

--location -l

The geo-location where the resource lives.

--references

Defines all the references that may be used in other sections of the DCR. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

--rule-file

The JSON file for rule parameters. If provided, the corresponding parameters will be overwritten by the values from the rule file.

Usage: --rule-file sample.json

The rule JSON file should contain the rule parameters organized in JSON format, like below:

{
  "properties": {
    "destinations": {
      "azureMonitorMetrics": {
        "name": "azureMonitorMetrics-default"
      }
    },
    "dataFlows": [
      {
        "streams": [ "Microsoft-InsightsMetrics" ],
        "destinations": [ "azureMonitorMetrics-default" ]
      }
    ]
  }
}

--stream-declarations

Declaration of custom streams used in this rule. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

--tags

Resource tags. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az monitor data-collection rule delete

Delete a data collection rule.

az monitor data-collection rule delete [--data-collection-rule-name]
                                       [--delete-associations {0, 1, f, false, n, no, t, true, y, yes}]
                                       [--ids]
                                       [--resource-group]
                                       [--subscription]
                                       [--yes]

Examples

Delete data collection rule

az monitor data-collection rule delete --name "myCollectionRule" --resource-group "myResourceGroup"

Optional Parameters

--data-collection-rule-name --name --rule-name -n

The name of the data collection rule. The name is case insensitive.

--delete-associations

If set to 'true' then all associations of this data collection rule will also be deleted.

Accepted values: 0, 1, f, false, n, no, t, true, y, yes
Default value: False

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--yes -y

Do not prompt for confirmation.

Default value: False

az monitor data-collection rule list

List all data collection rules in the specified resource group, or all data collection rules in the specified subscription.

az monitor data-collection rule list [--max-items]
                                     [--next-token]
                                     [--resource-group]

Examples

List data collection rules by resource group

az monitor data-collection rule list --resource-group "myResourceGroup"

List data collection rules by subscription

az monitor data-collection rule list

Optional Parameters

--max-items

Total number of items to return in the command's output. If the total number of items available is more than the value specified, a token is provided in the command's output. To resume pagination, provide the token value in --next-token argument of a subsequent command.

--next-token

Token to specify where to start paginating. This is the token value from a previously truncated response.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.


az monitor data-collection rule show

Return the specified data collection rule.

az monitor data-collection rule show [--data-collection-rule-name]
                                     [--ids]
                                     [--resource-group]
                                     [--subscription]

Examples

Get data collection rule

az monitor data-collection rule show --name "myCollectionRule" --resource-group "myResourceGroup"

Optional Parameters

--data-collection-rule-name --name --rule-name -n

The name of the data collection rule. The name is case insensitive.

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.


az monitor data-collection rule update

Update a data collection rule.

az monitor data-collection rule update [--add]
                                       [--agent-settings]
                                       [--data-collection-endpoint-id]
                                       [--data-collection-rule-name]
                                       [--data-flows]
                                       [--data-flows-raw]
                                       [--data-sources]
                                       [--description]
                                       [--destinations]
                                       [--extensions]
                                       [--force-string {0, 1, f, false, n, no, t, true, y, yes}]
                                       [--identity]
                                       [--ids]
                                       [--kind]
                                       [--log-analytics]
                                       [--monitor-metrics]
                                       [--performance-counters]
                                       [--references]
                                       [--remove]
                                       [--resource-group]
                                       [--set]
                                       [--stream-declarations]
                                       [--subscription]
                                       [--syslog]
                                       [--tags]
                                       [--windows-event-logs]

Examples

Update data collection rule

az monitor data-collection rule update --resource-group "myResourceGroup" --name "myCollectionRule" --data-flows destinations="centralWorkspace" streams="Microsoft-Perf" streams="Microsoft-Syslog" streams="Microsoft-WindowsEvent" --log-analytics name="centralWorkspace" resource-id="/subscriptions/703362b3-f278-4e4b-9179-c76eaf41ffc2/resourceGroups/myResourceGroup/providers/Microsoft.OperationalInsights/workspaces/centralTeamWorkspace" --performance-counters name="appTeamExtraCounters" counter-specifiers="\Process(_Total)\Thread Count" sampling-frequency=30 streams="Microsoft-Perf" --syslog name="cronSyslog" facility-names="cron" log-levels="Debug" log-levels="Critical" log-levels="Emergency" streams="Microsoft-Syslog" --windows-event-logs name="cloudSecurityTeamEvents" streams="Microsoft-WindowsEvent" x-path-queries="Security!"

Optional Parameters

--add

Add an object to a list of objects by specifying a path and key value pairs. Example: --add property.listProperty <key=value, string or JSON string>.

--agent-settings

Agent settings used to modify agent behavior on a given host. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

--data-collection-endpoint-id --endpoint-id

The resource ID of the data collection endpoint that is to be associated.

--data-collection-rule-name --name --rule-name -n

The name of the data collection rule. The name is case insensitive.

--data-flows --data-flows-remain

The specification of data flows.

Usage: --data-flows streams=XX1 streams=XX2 destinations=XX1 destinations=XX2

streams: Required. List of streams for this data flow.
destinations: Required. List of destinations for this data flow.

Multiple actions can be specified by using more than one --data-flows argument. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

--data-flows-raw

The specification of data flows. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

--data-sources

The specification of data sources. This property is optional and can be omitted if the rule is meant to be used via direct calls to the provisioned endpoint. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

--description

Description of the association.

--destinations

The specification of destinations. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

--extensions

The list of Azure VM extension data source configurations. Expected value: json-string/@json-file.

--force-string

When using 'set' or 'add', preserve string literals instead of attempting to convert to JSON.

Accepted values: 0, 1, f, false, n, no, t, true, y, yes

--identity

Managed service identity of the resource. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

--kind

The kind of the resource. Allowed values: Linux, Windows.

--log-analytics

List of Log Analytics destinations.

Usage: --log-analytics resource-id=XX name=XX

resource-id: Required. The resource ID of the Log Analytics workspace.
name: Required. A friendly name for the destination. This name should be unique across all destinations (regardless of type) within the data collection rule.

Multiple actions can be specified by using more than one --log-analytics argument. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

--monitor-metrics

Azure Monitor Metrics destination.

Usage: --monitor-metrics name=XX

name: Required. A friendly name for the destination. This name should be unique across all destinations (regardless of type) within the data collection rule.

Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

--performance-counters

The list of performance counter data source configurations.

Usage: --performance-counters streams=XX1 streams=XX2 sampling-frequency=XX counter-specifiers=XX1 counter-specifiers=XX2 name=XX

streams: Required. List of streams that this data source will be sent to. A stream indicates what schema will be used for this data and usually what table in Log Analytics the data will be sent to.
sampling-frequency: Required. The number of seconds between consecutive counter measurements (samples).
counter-specifiers: Required. A list of specifier names of the performance counters you want to collect. Use a wildcard (*) to collect a counter for all instances. To get a list of performance counters on Windows, run the command 'typeperf'.
name: Required. A friendly name for the data source. This name should be unique across all data sources (regardless of type) within the data collection rule.

Multiple actions can be specified by using more than one --performance-counters argument. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

--references

Defines all the references that may be used in other sections of the DCR. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

--remove

Remove a property or an element from a list. Example: --remove property.list <indexToRemove> OR --remove propertyToRemove.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--set

Update an object by specifying a property path and value to set. Example: --set property1.property2=<value>.

--stream-declarations

Declaration of custom streams used in this rule. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--syslog

The list of Syslog data source configurations.

Usage: --syslog streams=XX1 streams=XX2 facility-names=XX1 facility-names=XX2 log-levels=XX1 log-levels=XX2 name=XX

streams: Required. List of streams that this data source will be sent to. A stream indicates what schema will be used for this data and usually what table in Log Analytics the data will be sent to.
facility-names: Required. The list of facility names.
log-levels: The log levels to collect.
name: Required. A friendly name for the data source. This name should be unique across all data sources (regardless of type) within the data collection rule.

Multiple actions can be specified by using more than one --syslog argument. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

--tags

Resource tags. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

--windows-event-logs

The list of Windows Event Log data source configurations.

Usage: --windows-event-logs streams=XX1 streams=XX2 x-path-queries=XX1 x-path-queries=XX2 name=XX

streams: Required. List of streams that this data source will be sent to. A stream indicates what schema will be used for this data and usually what table in Log Analytics the data will be sent to.
x-path-queries: Required. A list of Windows Event Log queries in XPATH format.
name: Required. A friendly name for the data source. This name should be unique across all data sources (regardless of type) within the data collection rule.

Multiple actions can be specified by using more than one --windows-event-logs argument. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
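
The naming rules above (destination and data source names unique regardless of type, data flows referring to destinations by name) can be checked on a --rule-file document before it is passed to create or update, so that a typo does not leave security logs unrouted. This is an added example, not part of the Azure CLI or the original page; lint_rule, the sample rule, the "dataSources" and per-type JSON keys, and the unrouted-stream heuristic are assumptions that go beyond the page's sample file.

```python
import json

# Constructed sample rule file (not from the page) with three deliberate mistakes.
SAMPLE_RULE = json.loads("""
{"properties": {
  "dataSources": {
    "syslog": [{"name": "cronSyslog", "streams": ["Microsoft-Syslog"],
                "facilityNames": ["cron"], "logLevels": ["Critical"]}],
    "windowsEventLogs": [{"name": "cloudSecurityTeamEvents",
                          "streams": ["Microsoft-WindowsEvent"],
                          "xPathQueries": ["Security!"]}]},
  "destinations": {
    "logAnalytics": [{"name": "centralWorkspace",
                      "workspaceResourceId": "<workspace-resource-id>"}],
    "azureMonitorMetrics": {"name": "centralWorkspace"}},
  "dataFlows": [
    {"streams": ["Microsoft-Syslog"], "destinations": ["centralWorkspace"]},
    {"streams": ["Microsoft-Perf"], "destinations": ["centralWorkspce"]}]
}}
""")


def _entries(section):
    """Yield (type_key, entry) for each object in a destinations/dataSources section.

    A type key may hold one object (azureMonitorMetrics) or a list of objects.
    """
    for type_key, value in (section or {}).items():
        for entry in value if isinstance(value, list) else [value]:
            if isinstance(entry, dict):
                yield type_key, entry


def _duplicates(names):
    seen, dups = set(), set()
    for name in names:
        (dups if name in seen else seen).add(name)
    return sorted(dups)


def lint_rule(rule):
    """Return a sorted list of findings for a parsed --rule-file document."""
    props = rule.get("properties", {})
    findings = []

    # Names must be unique across all destinations / data sources, regardless of type.
    dest_names = [e["name"] for _, e in _entries(props.get("destinations")) if "name" in e]
    findings += [f"duplicate destination name: {n}" for n in _duplicates(dest_names)]
    src_names = [e["name"] for _, e in _entries(props.get("dataSources")) if "name" in e]
    findings += [f"duplicate data source name: {n}" for n in _duplicates(src_names)]

    # Every destination named by a data flow must be declared under destinations.
    routed = set()
    for i, flow in enumerate(props.get("dataFlows", [])):
        routed.update(flow.get("streams", []))
        for dest in flow.get("destinations", []):
            if dest not in dest_names:
                findings.append(f"dataFlows[{i}] references undeclared destination: {dest}")

    # Heuristic (assumption): a data source stream no data flow routes is collected for nothing.
    for type_key, src in _entries(props.get("dataSources")):
        for stream in src.get("streams", []):
            if stream not in routed:
                findings.append(
                    f"{type_key}/{src.get('name')} stream not routed by any data flow: {stream}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in lint_rule(SAMPLE_RULE):
        print(finding)
```
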
