你当前正在访问 Microsoft Azure Global Edition 技术文档网站。 如果需要访问由世纪互联运营的 Microsoft Azure 中国技术文档网站,请访问 https://docs.azure.cn。
Data Collection Rules - Create
Creates or updates a data collection rule.
PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Insights/dataCollectionRules/{dataCollectionRuleName}?api-version=2023-03-11
URI Parameters
Name | In | Required | Type | Description |
---|---|---|---|---|
data
|
path | True |
string |
The name of the data collection rule. The name is case insensitive. |
resource
|
path | True |
string |
The name of the resource group. The name is case insensitive. |
subscription
|
path | True |
string |
The ID of the target subscription. |
api-version
|
query | True |
string |
The API version to use for this operation. |
Request Body
Name | Required | Type | Description |
---|---|---|---|
location | True |
string |
The geo-location where the resource lives. |
identity |
Managed service identity of the resource. |
||
kind |
The kind of the resource. |
||
properties.agentSettings |
Agent settings used to modify agent behavior on a given host |
||
properties.dataCollectionEndpointId |
string |
The resource ID of the data collection endpoint that this rule can be used with. |
|
properties.dataFlows |
Data |
The specification of data flows. |
|
properties.dataSources |
The specification of data sources. This property is optional and can be omitted if the rule is meant to be used via direct calls to the provisioned endpoint. |
||
properties.description |
string |
Description of the data collection rule. |
|
properties.destinations |
The specification of destinations. |
||
properties.references |
Defines all the references that may be used in other sections of the DCR |
||
properties.streamDeclarations |
<string,
Stream |
Declaration of custom streams used in this rule. |
|
tags |
object |
Resource tags. |
Responses
Name | Type | Description |
---|---|---|
200 OK |
Data collection rule was successfully updated |
|
201 Created |
Data collection rule was successfully created |
|
Other Status Codes |
Error |
Security
azure_auth
Azure Active Directory OAuth2 Flow
Type:
oauth2
Flow:
implicit
Authorization URL:
https://login.microsoftonline.com/common/oauth2/authorize
Scopes
Name | Description |
---|---|
user_impersonation | impersonate your user account |
Examples
Create or update an agent settings configuration
Sample request
PUT https://management.azure.com/subscriptions/703362b3-f278-4e4b-9179-c76eaf41ffc2/resourceGroups/myResourceGroup/providers/Microsoft.Insights/dataCollectionRules/myCollectionRule?api-version=2023-03-11
{
"location": "eastus",
"kind": "AgentSettings",
"properties": {
"description": "An agent settings configuration",
"agentSettings": {
"logs": [
{
"name": "MaxDiskQuotaInMB",
"value": "5000"
},
{
"name": "UseTimeReceivedForForwardedEvents",
"value": "1"
}
]
}
}
}
Sample response
{
"id": "/subscriptions/703362b3-f278-4e4b-9179-c76eaf41ffc2/resourceGroups/myResourceGroup/providers/Microsoft.Insights/dataCollectionRules/myCollectionRule",
"name": "myCollectionRule",
"type": "Microsoft.Insights/dataCollectionRules",
"location": "eastus",
"kind": "AgentSettings",
"properties": {
"description": "An agent settings configuration",
"immutableId": "dcr-76ce901eee3a400b9945b1e263a70000",
"agentSettings": {
"logs": [
{
"name": "MaxDiskQuotaInMB",
"value": "5000"
},
{
"name": "UseTimeReceivedForForwardedEvents",
"value": "1"
}
]
},
"provisioningState": "Succeeded"
},
"systemData": {
"createdBy": "user1",
"createdByType": "User",
"createdAt": "2024-03-26T05:41:40.7885407Z",
"lastModifiedBy": "user1",
"lastModifiedByType": "User",
"lastModifiedAt": "2024-03-26T05:41:40.7885407Z"
},
"etag": "070057da-0000-0000-0000-5ba70d6c0000"
}
{
"id": "/subscriptions/703362b3-f278-4e4b-9179-c76eaf41ffc2/resourceGroups/myResourceGroup/providers/Microsoft.Insights/dataCollectionRules/myCollectionRule",
"name": "myCollectionRule",
"type": "Microsoft.Insights/dataCollectionRules",
"location": "eastus",
"kind": "AgentSettings",
"properties": {
"description": "An agent settings configuration",
"immutableId": "dcr-76ce901eee3a400b9945b1e263a70000",
"agentSettings": {
"logs": [
{
"name": "MaxDiskQuotaInMB",
"value": "5000"
},
{
"name": "UseTimeReceivedForForwardedEvents",
"value": "1"
}
]
},
"provisioningState": "Succeeded"
},
"systemData": {
"createdBy": "user1",
"createdByType": "User",
"createdAt": "2024-03-26T05:41:40.7885407Z",
"lastModifiedBy": "user1",
"lastModifiedByType": "User",
"lastModifiedAt": "2024-03-26T05:41:40.7885407Z"
},
"etag": "070057da-0000-0000-0000-5ba70d6c0000"
}
Create or update data collection rule
Sample request
PUT https://management.azure.com/subscriptions/703362b3-f278-4e4b-9179-c76eaf41ffc2/resourceGroups/myResourceGroup/providers/Microsoft.Insights/dataCollectionRules/myCollectionRule?api-version=2023-03-11
{
"location": "eastus",
"properties": {
"dataSources": {
"performanceCounters": [
{
"name": "cloudTeamCoreCounters",
"streams": [
"Microsoft-Perf"
],
"samplingFrequencyInSeconds": 15,
"counterSpecifiers": [
"\\Processor(_Total)\\% Processor Time",
"\\Memory\\Committed Bytes",
"\\LogicalDisk(_Total)\\Free Megabytes",
"\\PhysicalDisk(_Total)\\Avg. Disk Queue Length"
]
},
{
"name": "appTeamExtraCounters",
"streams": [
"Microsoft-Perf"
],
"samplingFrequencyInSeconds": 30,
"counterSpecifiers": [
"\\Process(_Total)\\Thread Count"
]
}
],
"windowsEventLogs": [
{
"name": "cloudSecurityTeamEvents",
"streams": [
"Microsoft-WindowsEvent"
],
"xPathQueries": [
"Security!"
]
},
{
"name": "appTeam1AppEvents",
"streams": [
"Microsoft-WindowsEvent"
],
"xPathQueries": [
"System![System[(Level = 1 or Level = 2 or Level = 3)]]",
"Application!*[System[(Level = 1 or Level = 2 or Level = 3)]]"
]
}
],
"syslog": [
{
"name": "cronSyslog",
"streams": [
"Microsoft-Syslog"
],
"facilityNames": [
"cron"
],
"logLevels": [
"Debug",
"Critical",
"Emergency"
]
},
{
"name": "syslogBase",
"streams": [
"Microsoft-Syslog"
],
"facilityNames": [
"syslog"
],
"logLevels": [
"Alert",
"Critical",
"Emergency"
]
}
]
},
"destinations": {
"logAnalytics": [
{
"workspaceResourceId": "/subscriptions/703362b3-f278-4e4b-9179-c76eaf41ffc2/resourceGroups/myResourceGroup/providers/Microsoft.OperationalInsights/workspaces/centralTeamWorkspace",
"name": "centralWorkspace"
}
]
},
"dataFlows": [
{
"streams": [
"Microsoft-Perf",
"Microsoft-Syslog",
"Microsoft-WindowsEvent"
],
"destinations": [
"centralWorkspace"
]
}
]
}
}
Sample response
{
"id": "/subscriptions/703362b3-f278-4e4b-9179-c76eaf41ffc2/resourceGroups/myResourceGroup/providers/Microsoft.Insights/dataCollectionRules/myCollectionRule",
"name": "myCollectionRule",
"type": "Microsoft.Insights/dataCollectionRules",
"location": "eastus",
"tags": {
"tag1": "A",
"tag2": "B"
},
"properties": {
"immutableId": "dcr-b74e0d383fc9415abaa584ec41adece3",
"dataSources": {
"performanceCounters": [
{
"name": "cloudTeamCoreCounters",
"streams": [
"Microsoft-Perf"
],
"samplingFrequencyInSeconds": 15,
"counterSpecifiers": [
"\\Processor(_Total)\\% Processor Time",
"\\Memory\\Committed Bytes",
"\\LogicalDisk(_Total)\\Free Megabytes",
"\\PhysicalDisk(_Total)\\Avg. Disk Queue Length"
]
},
{
"name": "appTeamExtraCounters",
"streams": [
"Microsoft-Perf"
],
"samplingFrequencyInSeconds": 30,
"counterSpecifiers": [
"\\Process(_Total)\\Thread Count"
]
}
],
"windowsEventLogs": [
{
"name": "cloudSecurityTeamEvents",
"streams": [
"Microsoft-WindowsEvent"
],
"xPathQueries": [
"Security!"
]
},
{
"name": "appTeam1AppEvents",
"streams": [
"Microsoft-WindowsEvent"
],
"xPathQueries": [
"System![System[(Level = 1 or Level = 2 or Level = 3)]]",
"Application!*[System[(Level = 1 or Level = 2 or Level = 3)]]"
]
}
],
"syslog": [
{
"name": "cronSyslog",
"streams": [
"Microsoft-Syslog"
],
"facilityNames": [
"cron"
],
"logLevels": [
"Debug",
"Critical",
"Emergency"
]
},
{
"name": "syslogBase",
"streams": [
"Microsoft-Syslog"
],
"facilityNames": [
"syslog"
],
"logLevels": [
"Alert",
"Critical",
"Emergency"
]
}
]
},
"destinations": {
"logAnalytics": [
{
"workspaceResourceId": "/subscriptions/703362b3-f278-4e4b-9179-c76eaf41ffc2/resourceGroups/myResourceGroup/providers/Microsoft.OperationalInsights/workspaces/centralTeamWorkspace",
"workspaceId": "9ba8bc53-bd36-4156-8667-e983e7ae0e4f",
"name": "centralWorkspace"
}
]
},
"dataFlows": [
{
"streams": [
"Microsoft-Perf",
"Microsoft-Syslog",
"Microsoft-WindowsEvent"
],
"destinations": [
"centralWorkspace"
]
}
]
},
"systemData": {
"createdBy": "user1",
"createdByType": "User",
"createdAt": "2021-04-01T12:34:56.1234567Z",
"lastModifiedBy": "user2",
"lastModifiedByType": "User",
"lastModifiedAt": "2021-04-02T12:34:56.1234567Z"
},
"etag": "070057da-0000-0000-0000-5ba70d6c0000"
}
{
"id": "/subscriptions/703362b3-f278-4e4b-9179-c76eaf41ffc2/resourceGroups/myResourceGroup/providers/Microsoft.Insights/dataCollectionRules/myCollectionRule",
"name": "myCollectionRule",
"type": "Microsoft.Insights/dataCollectionRules",
"location": "eastus",
"tags": {
"tag1": "A",
"tag2": "B"
},
"properties": {
"immutableId": "dcr-b74e0d383fc9415abaa584ec41adece3",
"dataSources": {
"performanceCounters": [
{
"name": "cloudTeamCoreCounters",
"streams": [
"Microsoft-Perf"
],
"samplingFrequencyInSeconds": 15,
"counterSpecifiers": [
"\\Processor(_Total)\\% Processor Time",
"\\Memory\\Committed Bytes",
"\\LogicalDisk(_Total)\\Free Megabytes",
"\\PhysicalDisk(_Total)\\Avg. Disk Queue Length"
]
},
{
"name": "appTeamExtraCounters",
"streams": [
"Microsoft-Perf"
],
"samplingFrequencyInSeconds": 30,
"counterSpecifiers": [
"\\Process(_Total)\\Thread Count"
]
}
],
"windowsEventLogs": [
{
"name": "cloudSecurityTeamEvents",
"streams": [
"Microsoft-WindowsEvent"
],
"xPathQueries": [
"Security!"
]
},
{
"name": "appTeam1AppEvents",
"streams": [
"Microsoft-WindowsEvent"
],
"xPathQueries": [
"System![System[(Level = 1 or Level = 2 or Level = 3)]]",
"Application!*[System[(Level = 1 or Level = 2 or Level = 3)]]"
]
}
],
"syslog": [
{
"name": "cronSyslog",
"streams": [
"Microsoft-Syslog"
],
"facilityNames": [
"cron"
],
"logLevels": [
"Debug",
"Critical",
"Emergency"
]
},
{
"name": "syslogBase",
"streams": [
"Microsoft-Syslog"
],
"facilityNames": [
"syslog"
],
"logLevels": [
"Alert",
"Critical",
"Emergency"
]
}
]
},
"destinations": {
"logAnalytics": [
{
"workspaceResourceId": "/subscriptions/703362b3-f278-4e4b-9179-c76eaf41ffc2/resourceGroups/myResourceGroup/providers/Microsoft.OperationalInsights/workspaces/centralTeamWorkspace",
"workspaceId": "9ba8bc53-bd36-4156-8667-e983e7ae0e4f",
"name": "centralWorkspace"
}
]
},
"dataFlows": [
{
"streams": [
"Microsoft-Perf",
"Microsoft-Syslog",
"Microsoft-WindowsEvent"
],
"destinations": [
"centralWorkspace"
]
}
]
},
"systemData": {
"createdBy": "user1",
"createdByType": "User",
"createdAt": "2021-04-01T12:34:56.1234567Z",
"lastModifiedBy": "user2",
"lastModifiedByType": "User",
"lastModifiedAt": "2021-04-02T12:34:56.1234567Z"
},
"etag": "070057da-0000-0000-0000-5ba70d6c0000"
}
Create or update data collection rule with embedded ingestion endpoints
Sample request
PUT https://management.azure.com/subscriptions/703362b3-f278-4e4b-9179-c76eaf41ffc2/resourceGroups/myResourceGroup/providers/Microsoft.Insights/dataCollectionRules/myCollectionRule?api-version=2023-03-11
{
"location": "eastus",
"kind": " Direct",
"properties": {
"description": "A Direct Ingestion Rule with builtin ingestion fqdns",
"streamDeclarations": {
"Custom-LOGS1_CL": {
"columns": [
{
"name": "Time",
"type": "datetime"
},
{
"name": "Computer",
"type": "string"
},
{
"name": "AdditionalContext",
"type": "string"
},
{
"name": "CounterName",
"type": "string"
},
{
"name": "CounterValue",
"type": "real"
}
]
}
},
"destinations": {
"logAnalytics": [
{
"workspaceResourceId": "/subscriptions/703362b3-f278-4e4b-9179-c76eaf41ffc2/resourceGroups/myResourceGroup/providers/Microsoft.OperationalInsights/workspaces/centralTeamWorkspace",
"name": "centralWorkspace"
}
]
},
"dataFlows": [
{
"streams": [
"Custom-LOGS1_CL"
],
"destinations": [
"myworkspace"
],
"transformKql": "source | extend jsonContext = parse_json(AdditionalContext) | project TimeGenerated = Time, Computer, AdditionalContext = jsonContext, CounterName=tostring(jsonContext.CounterName), CounterValue=toreal(jsonContext.CounterValue)",
"outputStream": "Custom-LOGS1_CL"
}
]
}
}
Sample response
{
"id": "/subscriptions/703362b3-f278-4e4b-9179-c76eaf41ffc2/resourceGroups/myResourceGroup/providers/Microsoft.Insights/dataCollectionRules/myCollectionRule",
"name": "myCollectionRule",
"type": "Microsoft.Insights/dataCollectionRules",
"location": "eastus",
"kind": "Direct",
"properties": {
"description": "A Direct Ingestion Rule with builtin ingestion fqdns",
"immutableId": "dcr-d2a09c11a66243009af059a655750000",
"endpoints": {
"logsIngestion": "https://mycollectionrule-8ykm-eastus2euap.logs.z1.canary.ingest.monitor.azure.com",
"metricsIngestion": "https://mycollectionrule-jcvc-eastus2euap.metrics.z1.canary.ingest.monitor.azure.com"
},
"streamDeclarations": {
"Custom-LOGS1_CL": {
"columns": [
{
"name": "Time",
"type": "datetime"
},
{
"name": "Computer",
"type": "string"
},
{
"name": "AdditionalContext",
"type": "string"
},
{
"name": "CounterName",
"type": "string"
},
{
"name": "CounterValue",
"type": "real"
}
]
}
},
"destinations": {
"logAnalytics": [
{
"workspaceResourceId": "/subscriptions/703362b3-f278-4e4b-9179-c76eaf41ffc2/resourceGroups/myResourceGroup/providers/Microsoft.OperationalInsights/workspaces/centralTeamWorkspace",
"name": "centralWorkspace"
}
]
},
"dataFlows": [
{
"streams": [
"Custom-LOGS1_CL"
],
"destinations": [
"myworkspace"
],
"transformKql": "source | extend jsonContext = parse_json(AdditionalContext) | project TimeGenerated = Time, Computer, AdditionalContext = jsonContext, CounterName=tostring(jsonContext.CounterName), CounterValue=toreal(jsonContext.CounterValue)",
"outputStream": "Custom-LOGS1_CL"
}
],
"provisioningState": "Succeeded"
},
"systemData": {
"createdBy": "user1",
"createdByType": "User",
"createdAt": "2024-01-30T17:50:40.5383301Z",
"lastModifiedBy": "user1",
"lastModifiedByType": "User",
"lastModifiedAt": "2024-01-30T17:50:40.5383301Z"
},
"etag": "070057da-0000-0000-0000-5ba70d6c0000"
}
{
"id": "/subscriptions/703362b3-f278-4e4b-9179-c76eaf41ffc2/resourceGroups/myResourceGroup/providers/Microsoft.Insights/dataCollectionRules/myCollectionRule",
"name": "myCollectionRule",
"type": "Microsoft.Insights/dataCollectionRules",
"location": "eastus",
"kind": "Direct",
"properties": {
"description": "A Direct Ingestion Rule with builtin ingestion fqdns",
"immutableId": "dcr-d2a09c11a66243009af059a655750000",
"endpoints": {
"logsIngestion": "https://mycollectionrule-8ykm-eastus2euap.logs.z1.canary.ingest.monitor.azure.com",
"metricsIngestion": "https://mycollectionrule-jcvc-eastus2euap.metrics.z1.canary.ingest.monitor.azure.com"
},
"streamDeclarations": {
"Custom-LOGS1_CL": {
"columns": [
{
"name": "Time",
"type": "datetime"
},
{
"name": "Computer",
"type": "string"
},
{
"name": "AdditionalContext",
"type": "string"
},
{
"name": "CounterName",
"type": "string"
},
{
"name": "CounterValue",
"type": "real"
}
]
}
},
"destinations": {
"logAnalytics": [
{
"workspaceResourceId": "/subscriptions/703362b3-f278-4e4b-9179-c76eaf41ffc2/resourceGroups/myResourceGroup/providers/Microsoft.OperationalInsights/workspaces/centralTeamWorkspace",
"name": "centralWorkspace"
}
]
},
"dataFlows": [
{
"streams": [
"Custom-LOGS1_CL"
],
"destinations": [
"myworkspace"
],
"transformKql": "source | extend jsonContext = parse_json(AdditionalContext) | project TimeGenerated = Time, Computer, AdditionalContext = jsonContext, CounterName=tostring(jsonContext.CounterName), CounterValue=toreal(jsonContext.CounterValue)",
"outputStream": "Custom-LOGS1_CL"
}
],
"provisioningState": "Succeeded"
},
"systemData": {
"createdBy": "user1",
"createdByType": "User",
"createdAt": "2024-01-30T17:50:40.5383301Z",
"lastModifiedBy": "user1",
"lastModifiedByType": "User",
"lastModifiedAt": "2024-01-30T17:50:40.5383301Z"
},
"etag": "070057da-0000-0000-0000-5ba70d6c0000"
}
Create or update data collection rule with enrichment
Sample request
PUT https://management.azure.com/subscriptions/703362b3-f278-4e4b-9179-c76eaf41ffc2/resourceGroups/myResourceGroup/providers/Microsoft.Insights/dataCollectionRules/myCollectionRule?api-version=2023-03-11
{
"location": "eastus",
"properties": {
"description": "A rule showcasing ingestion time enrichment",
"dataCollectionEndpointId": "/subscriptions/703362b3-f278-4e4b-9179-c76eaf41ffc2/resourceGroups/myResourceGroup/providers/Microsoft.Insights/dataCollectionEndpoints/myDataCollectionEndpoint",
"references": {
"enrichmentData": {
"storageBlobs": [
{
"resourceId": "/subscriptions/703362b3-f278-4e4b-9179-c76eaf41ffc2/resourcegroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/myenrichmentstorage",
"blobUrl": "https://myenrichmentstorage.blob.core.windows.net/enrichment",
"lookupType": "String",
"name": "mytextdatastore"
}
]
}
},
"streamDeclarations": {
"Custom-TabularDataABC": {
"columns": [
{
"name": "TimeGenerated",
"type": "datetime"
},
{
"name": "Message",
"type": "string"
},
{
"name": "AdditionalContext",
"type": "string"
}
]
}
},
"dataSources": {
"logFiles": [
{
"streams": [
"Custom-TabularDataABC"
],
"filePatterns": [
"C:\\JavaLogs\\*\\*.log"
],
"format": "text",
"settings": {
"text": {
"recordStartTimestampFormat": "ISO 8601"
}
},
"name": "myTabularLogDataSource"
}
]
},
"destinations": {
"logAnalytics": [
{
"workspaceResourceId": "/subscriptions/703362b3-f278-4e4b-9179-c76eaf41ffc2/resourceGroups/myResourceGroup/providers/Microsoft.OperationalInsights/workspaces/centralTeamWorkspace",
"name": "centralWorkspace"
}
]
},
"dataFlows": [
{
"streams": [
"Custom-TabularDataABC"
],
"destinations": [
"centralWorkspace"
],
"transformKql": "source | extend LookupData = lookup_string_am('mytextdatastore', Message) | project TimeGenerated, Message, AdditionalContext = LookupData.Message",
"outputStream": "Custom-LOGS1_CL"
}
]
}
}
Sample response
{
"id": "/subscriptions/703362b3-f278-4e4b-9179-c76eaf41ffc2/resourceGroups/myResourceGroup/providers/Microsoft.Insights/dataCollectionRules/myCollectionRule",
"name": "myCollectionRule",
"type": "Microsoft.Insights/dataCollectionRules",
"location": "eastus",
"properties": {
"description": "A rule showcasing ingestion time enrichment",
"immutableId": "dcr-ad96300ff0734d08a6a7195eb2be0000",
"dataCollectionEndpointId": "/subscriptions/703362b3-f278-4e4b-9179-c76eaf41ffc2/resourceGroups/myResourceGroup/providers/Microsoft.Insights/dataCollectionEndpoints/myDataCollectionEndpoint",
"references": {
"enrichmentData": {
"storageBlobs": [
{
"resourceId": "/subscriptions/703362b3-f278-4e4b-9179-c76eaf41ffc2/resourcegroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/myenrichmentstorage",
"blobUrl": "https://myenrichmentstorage.blob.core.windows.net/enrichment",
"lookupType": "String",
"name": "mytextdatastore"
}
]
}
},
"streamDeclarations": {
"Custom-TabularDataABC": {
"columns": [
{
"name": "TimeGenerated",
"type": "datetime"
},
{
"name": "Message",
"type": "string"
},
{
"name": "AdditionalContext",
"type": "string"
}
]
}
},
"dataSources": {
"logFiles": [
{
"streams": [
"Custom-TabularDataABC"
],
"filePatterns": [
"C:\\JavaLogs\\*\\*.log"
],
"format": "text",
"settings": {
"text": {
"recordStartTimestampFormat": "ISO 8601"
}
},
"name": "myTabularLogDataSource"
}
]
},
"destinations": {
"logAnalytics": [
{
"workspaceResourceId": "/subscriptions/703362b3-f278-4e4b-9179-c76eaf41ffc2/resourceGroups/myResourceGroup/providers/Microsoft.OperationalInsights/workspaces/centralTeamWorkspace",
"workspaceId": "9ba8bc53-bd36-4156-8667-e983e7ae0e4f",
"name": "centralWorkspace"
}
]
},
"dataFlows": [
{
"streams": [
"Custom-TabularDataABC"
],
"destinations": [
"centralWorkspace"
],
"transformKql": "source | extend LookupData = lookup_string_am('mytextdatastore', Message) | project TimeGenerated, Message, AdditionalContext = LookupData.Message",
"outputStream": "Custom-LOGS1_CL"
}
],
"provisioningState": "Succeeded"
},
"systemData": {
"createdBy": "user1",
"createdByType": "User",
"createdAt": "2024-01-30T17:50:40.5383301Z",
"lastModifiedBy": "user1",
"lastModifiedByType": "User",
"lastModifiedAt": "2024-01-30T17:50:40.5383301Z"
},
"etag": "070057da-0000-0000-0000-5ba70d6c0000"
}
{
"id": "/subscriptions/703362b3-f278-4e4b-9179-c76eaf41ffc2/resourceGroups/myResourceGroup/providers/Microsoft.Insights/dataCollectionRules/myCollectionRule",
"name": "myCollectionRule",
"type": "Microsoft.Insights/dataCollectionRules",
"location": "eastus",
"properties": {
"description": "A rule showcasing ingestion time enrichment",
"immutableId": "dcr-ad96300ff0734d08a6a7195eb2be0000",
"dataCollectionEndpointId": "/subscriptions/703362b3-f278-4e4b-9179-c76eaf41ffc2/resourceGroups/myResourceGroup/providers/Microsoft.Insights/dataCollectionEndpoints/myDataCollectionEndpoint",
"references": {
"enrichmentData": {
"storageBlobs": [
{
"resourceId": "/subscriptions/703362b3-f278-4e4b-9179-c76eaf41ffc2/resourcegroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/myenrichmentstorage",
"blobUrl": "https://myenrichmentstorage.blob.core.windows.net/enrichment",
"lookupType": "String",
"name": "mytextdatastore"
}
]
}
},
"streamDeclarations": {
"Custom-TabularDataABC": {
"columns": [
{
"name": "TimeGenerated",
"type": "datetime"
},
{
"name": "Message",
"type": "string"
},
{
"name": "AdditionalContext",
"type": "string"
}
]
}
},
"dataSources": {
"logFiles": [
{
"streams": [
"Custom-TabularDataABC"
],
"filePatterns": [
"C:\\JavaLogs\\*\\*.log"
],
"format": "text",
"settings": {
"text": {
"recordStartTimestampFormat": "ISO 8601"
}
},
"name": "myTabularLogDataSource"
}
]
},
"destinations": {
"logAnalytics": [
{
"workspaceResourceId": "/subscriptions/703362b3-f278-4e4b-9179-c76eaf41ffc2/resourceGroups/myResourceGroup/providers/Microsoft.OperationalInsights/workspaces/centralTeamWorkspace",
"workspaceId": "9ba8bc53-bd36-4156-8667-e983e7ae0e4f",
"name": "centralWorkspace"
}
]
},
"dataFlows": [
{
"streams": [
"Custom-TabularDataABC"
],
"destinations": [
"centralWorkspace"
],
"transformKql": "source | extend LookupData = lookup_string_am('mytextdatastore', Message) | project TimeGenerated, Message, AdditionalContext = LookupData.Message",
"outputStream": "Custom-LOGS1_CL"
}
],
"provisioningState": "Succeeded"
},
"systemData": {
"createdBy": "user1",
"createdByType": "User",
"createdAt": "2024-01-30T17:50:40.5383301Z",
"lastModifiedBy": "user1",
"lastModifiedByType": "User",
"lastModifiedAt": "2024-01-30T17:50:40.5383301Z"
},
"etag": "070057da-0000-0000-0000-5ba70d6c0000"
}
Definitions
Name | Description |
---|---|
Adx |
Azure Data Explorer (Adx) destination. |
Agent |
A setting used to control an agent behavior on a host machine |
Agent |
Agent settings used to modify agent behavior on a given host |
Azure |
Azure Monitor Metrics destination. |
Column |
Definition of custom data column. |
created |
The type of identity that created the resource. |
Data |
Definition of ARM tracked top level resource. |
Data |
Definition of which streams are sent to which destinations. |
Data |
Specifications of pull based data sources |
Data |
The specification of data sources. This property is optional and can be omitted if the rule is meant to be used via direct calls to the provisioned endpoint. |
Destinations |
The specification of destinations. |
Endpoints |
Defines the ingestion endpoints to send data to via this rule. |
Enrichment |
All the enrichment data sources referenced in data flows |
Error |
The resource management error additional info. |
Error |
The error detail. |
Error |
Error response |
Event |
Definition of Event Hub configuration. |
Event |
|
Event |
|
Extension |
Definition of which data will be collected from a separate VM extension that integrates with the Azure Monitor Agent. Collected from either Windows and Linux machines, depending on which extension is defined. |
Identity |
Managed service identity of the resource. |
Iis |
Enables IIS logs to be collected by this data collection rule. |
Known |
The name of the setting. Must be part of the list of supported settings |
Known |
The type of the column data. |
Known |
The resource provisioning state. |
Known |
The kind of the resource. |
Known |
List of streams for this data flow. |
Known |
List of streams that this data source will be sent to. A stream indicates what schema will be used for this data and usually what table in Log Analytics the data will be sent to. |
Known |
The data format of the log files |
Known |
One of the supported timestamp formats |
Known |
List of streams that this data source will be sent to. A stream indicates what schema will be used for this data and usually what table in Log Analytics the data will be sent to. |
Known |
List of streams that this data source will be sent to. |
Known |
The type of lookup to perform on the blob |
Known |
The list of facility names. |
Known |
The log levels to collect. |
Known |
List of streams that this data source will be sent to. A stream indicates what schema will be used for this data and usually what table in Log Analytics the data will be sent to. |
Known |
List of streams that this data source will be sent to. A stream indicates what schema will be used for this data and usually what table in Log Analytics the data will be sent to. |
Known |
Firewall logs profile filter |
Log |
Log Analytics destination. |
Log |
Definition of which custom log files will be collected by this data collection rule |
Managed |
Type of managed service identity (where both SystemAssigned and UserAssigned types are allowed). |
Metadata |
Metadata about the resource |
Microsoft |
Microsoft Fabric destination (non-Azure). |
Monitoring |
Monitoring account destination. |
Perf |
Definition of which performance counters will be collected and how they will be collected by this data collection rule. Collected from both Windows and Linux machines where the counter is present. |
Platform |
Definition of platform telemetry data source configuration |
Prometheus |
Definition of Prometheus metrics forwarding configuration. |
References |
Defines all the references that may be used in other sections of the DCR |
Settings |
The log files specific settings. |
Storage |
|
Storage |
|
Storage |
|
Stream |
Declaration of a custom stream. |
Syslog |
Definition of which syslog data will be collected and how it will be collected. Only collected from Linux machines. |
System |
Metadata pertaining to creation and last modification of the resource. |
Text |
Text settings |
User |
User assigned identity properties |
Windows |
Definition of which Windows Event Log events will be collected and how they will be collected. Only collected from Windows machines. |
Windows |
Enables Firewall logs to be collected by this data collection rule. |
AdxDestination
Azure Data Explorer (Adx) destination.
Name | Type | Description |
---|---|---|
databaseName |
string |
The name of the database to which data will be ingested. |
ingestionUri |
string |
The ingestion uri of the Adx resource. |
name |
string |
A friendly name for the destination. This name should be unique across all destinations (regardless of type) within the data collection rule. |
resourceId |
string |
The ARM resource id of the Adx resource. |
AgentSetting
A setting used to control an agent behavior on a host machine
Name | Type | Description |
---|---|---|
name |
The name of the setting. Must be part of the list of supported settings |
|
value |
string |
The value of the setting |
AgentSettings
Agent settings used to modify agent behavior on a given host
Name | Type | Description |
---|---|---|
logs |
All the settings that are applicable to the logs agent (AMA) |
AzureMonitorMetrics
Azure Monitor Metrics destination.
Name | Type | Description |
---|---|---|
name |
string |
A friendly name for the destination. This name should be unique across all destinations (regardless of type) within the data collection rule. |
ColumnDefinition
Definition of custom data column.
Name | Type | Description |
---|---|---|
name |
string |
The name of the column. |
type |
The type of the column data. |
createdByType
The type of identity that created the resource.
Name | Type | Description |
---|---|---|
Application |
string |
|
Key |
string |
|
ManagedIdentity |
string |
|
User |
string |
DataCollectionRuleResource
Definition of ARM tracked top level resource.
Name | Type | Description |
---|---|---|
etag |
string |
Resource entity tag (ETag). |
id |
string |
Fully qualified ID of the resource. |
identity |
Managed service identity of the resource. |
|
kind |
The kind of the resource. |
|
location |
string |
The geo-location where the resource lives. |
name |
string |
The name of the resource. |
properties.agentSettings |
Agent settings used to modify agent behavior on a given host |
|
properties.dataCollectionEndpointId |
string |
The resource ID of the data collection endpoint that this rule can be used with. |
properties.dataFlows |
Data |
The specification of data flows. |
properties.dataSources |
The specification of data sources. This property is optional and can be omitted if the rule is meant to be used via direct calls to the provisioned endpoint. |
|
properties.description |
string |
Description of the data collection rule. |
properties.destinations |
The specification of destinations. |
|
properties.endpoints |
Defines the ingestion endpoints to send data to via this rule. |
|
properties.immutableId |
string |
The immutable ID of this data collection rule. This property is READ-ONLY. |
properties.metadata |
Metadata about the resource |
|
properties.provisioningState |
The resource provisioning state. |
|
properties.references |
Defines all the references that may be used in other sections of the DCR |
|
properties.streamDeclarations |
<string,
Stream |
Declaration of custom streams used in this rule. |
systemData |
Metadata pertaining to creation and last modification of the resource. |
|
tags |
object |
Resource tags. |
type |
string |
The type of the resource. |
DataFlow
Definition of which streams are sent to which destinations.
Name | Type | Description |
---|---|---|
builtInTransform |
string |
The builtIn transform to transform stream data |
captureOverflow |
boolean |
Flag to enable overflow column in LA destinations |
destinations |
string[] |
List of destinations for this data flow. |
outputStream |
string |
The output stream of the transform. Only required if the transform changes data to a different stream. |
streams |
List of streams for this data flow. |
|
transformKql |
string |
The KQL query to transform stream data. |
DataImports
Specifications of pull based data sources
Name | Type | Description |
---|---|---|
eventHub |
Definition of Event Hub configuration. |
DataSources
The specification of data sources. This property is optional and can be omitted if the rule is meant to be used via direct calls to the provisioned endpoint.
Name | Type | Description |
---|---|---|
dataImports |
Specifications of pull based data sources |
|
extensions |
The list of Azure VM extension data source configurations. |
|
iisLogs |
The list of IIS logs source configurations. |
|
logFiles |
The list of Log files source configurations. |
|
performanceCounters |
The list of performance counter data source configurations. |
|
platformTelemetry |
The list of platform telemetry configurations |
|
prometheusForwarder |
The list of Prometheus forwarder data source configurations. |
|
syslog |
The list of Syslog data source configurations. |
|
windowsEventLogs |
The list of Windows Event Log data source configurations. |
|
windowsFirewallLogs |
The list of Windows Firewall logs source configurations. |
Destinations
The specification of destinations.
Name | Type | Description |
---|---|---|
azureDataExplorer |
List of Azure Data Explorer destinations. |
|
azureMonitorMetrics |
Azure Monitor Metrics destination. |
|
eventHubs |
List of Event Hubs destinations. |
|
eventHubsDirect |
List of Event Hubs Direct destinations. |
|
logAnalytics |
List of Log Analytics destinations. |
|
microsoftFabric |
List of Microsoft Fabric destinations. |
|
monitoringAccounts |
List of monitoring account destinations. |
|
storageAccounts |
List of storage accounts destinations. |
|
storageBlobsDirect |
List of Storage Blob Direct destinations. To be used only for sending data directly to store from the agent. |
|
storageTablesDirect |
List of Storage Table Direct destinations. |
Endpoints
Defines the ingestion endpoints to send data to via this rule.
Name | Type | Description |
---|---|---|
logsIngestion |
string |
The ingestion endpoint for logs |
metricsIngestion |
string |
The ingestion endpoint for metrics |
EnrichmentData
All the enrichment data sources referenced in data flows
Name | Type | Description |
---|---|---|
storageBlobs |
All the storage blobs used as enrichment data sources |
ErrorAdditionalInfo
The resource management error additional info.
Name | Type | Description |
---|---|---|
info |
object |
The additional info. |
type |
string |
The additional info type. |
ErrorDetail
The error detail.
Name | Type | Description |
---|---|---|
additionalInfo |
The error additional info. |
|
code |
string |
The error code. |
details |
The error details. |
|
message |
string |
The error message. |
target |
string |
The error target. |
ErrorResponseCommonV2
Error response
Name | Type | Description |
---|---|---|
error |
The error object. |
EventHub
Definition of Event Hub configuration.
Name | Type | Description |
---|---|---|
consumerGroup |
string |
Event Hub consumer group name |
name |
string |
A friendly name for the data source. This name should be unique across all data sources (regardless of type) within the data collection rule. |
stream |
string |
The stream to collect from EventHub |
EventHubDestination
Name | Type | Description |
---|---|---|
eventHubResourceId |
string |
The resource ID of the event hub. |
name |
string |
A friendly name for the destination. This name should be unique across all destinations (regardless of type) within the data collection rule. |
EventHubDirectDestination
Name | Type | Description |
---|---|---|
eventHubResourceId |
string |
The resource ID of the event hub. |
name |
string |
A friendly name for the destination. This name should be unique across all destinations (regardless of type) within the data collection rule. |
ExtensionDataSource
Definition of which data will be collected from a separate VM extension that integrates with the Azure Monitor Agent. Collected from either Windows and Linux machines, depending on which extension is defined.
Name | Type | Description |
---|---|---|
extensionName |
string |
The name of the VM extension. |
extensionSettings |
object |
The extension settings. The format is specific for particular extension. |
inputDataSources |
string[] |
The list of data sources this extension needs data from. |
name |
string |
A friendly name for the data source. This name should be unique across all data sources (regardless of type) within the data collection rule. |
streams |
List of streams that this data source will be sent to. A stream indicates what schema will be used for this data and usually what table in Log Analytics the data will be sent to. |
Identity
Managed service identity of the resource.
Name | Type | Description |
---|---|---|
principalId |
string |
The service principal ID of the system assigned identity. This property will only be provided for a system assigned identity. |
tenantId |
string |
The tenant ID of the system assigned identity. This property will only be provided for a system assigned identity. |
type |
Type of managed service identity (where both SystemAssigned and UserAssigned types are allowed). |
|
userAssignedIdentities |
<string,
User |
User-Assigned Identities |
IisLogsDataSource
Enables IIS logs to be collected by this data collection rule.
Name | Type | Description |
---|---|---|
logDirectories |
string[] |
Absolute paths file location |
name |
string |
A friendly name for the data source. This name should be unique across all data sources (regardless of type) within the data collection rule. |
streams |
string[] |
IIS streams |
transformKql |
string |
The KQL query to transform the data source. |
KnownAgentSettingName
The name of the setting. Must be part of the list of supported settings
Name | Type | Description |
---|---|---|
MaxDiskQuotaInMB |
string |
|
UseTimeReceivedForForwardedEvents |
string |
KnownColumnDefinitionType
The type of the column data.
Name | Type | Description |
---|---|---|
boolean |
string |
|
datetime |
string |
|
dynamic |
string |
|
int |
string |
|
long |
string |
|
real |
string |
|
string |
string |
KnownDataCollectionRuleProvisioningState
The resource provisioning state.
Name | Type | Description |
---|---|---|
Canceled |
string |
|
Creating |
string |
|
Deleting |
string |
|
Failed |
string |
|
Succeeded |
string |
|
Updating |
string |
KnownDataCollectionRuleResourceKind
The kind of the resource.
Name | Type | Description |
---|---|---|
Linux |
string |
|
Windows |
string |
KnownDataFlowStreams
List of streams for this data flow.
Name | Type | Description |
---|---|---|
Microsoft-Event |
string |
|
Microsoft-InsightsMetrics |
string |
|
Microsoft-Perf |
string |
|
Microsoft-Syslog |
string |
|
Microsoft-WindowsEvent |
string |
KnownExtensionDataSourceStreams
List of streams that this data source will be sent to. A stream indicates what schema will be used for this data and usually what table in Log Analytics the data will be sent to.
Name | Type | Description |
---|---|---|
Microsoft-Event |
string |
|
Microsoft-InsightsMetrics |
string |
|
Microsoft-Perf |
string |
|
Microsoft-Syslog |
string |
|
Microsoft-WindowsEvent |
string |
KnownLogFilesDataSourceFormat
The data format of the log files
Name | Type | Description |
---|---|---|
json |
string |
|
text |
string |
KnownLogFileTextSettingsRecordStartTimestampFormat
One of the supported timestamp formats
Name | Type | Description |
---|---|---|
ISO 8601 |
string |
|
M/D/YYYY HH:MM:SS AM/PM |
string |
|
MMM d hh:mm:ss |
string |
|
Mon DD, YYYY HH:MM:SS |
string |
|
YYYY-MM-DD HH:MM:SS |
string |
|
dd/MMM/yyyy:HH:mm:ss zzz |
string |
|
ddMMyy HH:mm:ss |
string |
|
yyMMdd HH:mm:ss |
string |
|
yyyy-MM-ddTHH:mm:ssK |
string |
KnownPerfCounterDataSourceStreams
List of streams that this data source will be sent to. A stream indicates what schema will be used for this data and usually what table in Log Analytics the data will be sent to.
Name | Type | Description |
---|---|---|
Microsoft-InsightsMetrics |
string |
|
Microsoft-Perf |
string |
KnownPrometheusForwarderDataSourceStreams
List of streams that this data source will be sent to.
Name | Type | Description |
---|---|---|
Microsoft-PrometheusMetrics |
string |
KnownStorageBlobLookupType
The type of lookup to perform on the blob
Name | Type | Description |
---|---|---|
Cidr |
string |
|
String |
string |
KnownSyslogDataSourceFacilityNames
The list of facility names.
Name | Type | Description |
---|---|---|
* |
string |
|
alert |
string |
|
audit |
string |
|
auth |
string |
|
authpriv |
string |
|
clock |
string |
|
cron |
string |
|
daemon |
string |
|
ftp |
string |
|
kern |
string |
|
local0 |
string |
|
local1 |
string |
|
local2 |
string |
|
local3 |
string |
|
local4 |
string |
|
local5 |
string |
|
local6 |
string |
|
local7 |
string |
|
lpr |
string |
|
string |
||
mark |
string |
|
news |
string |
|
nopri |
string |
|
ntp |
string |
|
syslog |
string |
|
user |
string |
|
uucp |
string |
KnownSyslogDataSourceLogLevels
The log levels to collect.
Name | Type | Description |
---|---|---|
* |
string |
|
Alert |
string |
|
Critical |
string |
|
Debug |
string |
|
Emergency |
string |
|
Error |
string |
|
Info |
string |
|
Notice |
string |
|
Warning |
string |
KnownSyslogDataSourceStreams
List of streams that this data source will be sent to. A stream indicates what schema will be used for this data and usually what table in Log Analytics the data will be sent to.
Name | Type | Description |
---|---|---|
Microsoft-Syslog |
string |
KnownWindowsEventLogDataSourceStreams
List of streams that this data source will be sent to. A stream indicates what schema will be used for this data and usually what table in Log Analytics the data will be sent to.
Name | Type | Description |
---|---|---|
Microsoft-Event |
string |
|
Microsoft-WindowsEvent |
string |
KnownWindowsFirewallLogsDataSourceProfileFilter
Firewall logs profile filter
Name | Type | Description |
---|---|---|
Domain |
string |
|
Private |
string |
|
Public |
string |
LogAnalyticsDestination
Log Analytics destination.
Name | Type | Description |
---|---|---|
name |
string |
A friendly name for the destination. This name should be unique across all destinations (regardless of type) within the data collection rule. |
workspaceId |
string |
The Customer ID of the Log Analytics workspace. |
workspaceResourceId |
string |
The resource ID of the Log Analytics workspace. |
LogFilesDataSource
Definition of which custom log files will be collected by this data collection rule
Name | Type | Description |
---|---|---|
filePatterns |
string[] |
File Patterns where the log files are located |
format |
The data format of the log files |
|
name |
string |
A friendly name for the data source. This name should be unique across all data sources (regardless of type) within the data collection rule. |
settings |
The log files specific settings. |
|
streams |
string[] |
List of streams that this data source will be sent to. A stream indicates what schema will be used for this data source |
transformKql |
string |
The KQL query to transform the data source. |
ManagedServiceIdentityType
Type of managed service identity (where both SystemAssigned and UserAssigned types are allowed).
Name | Type | Description |
---|---|---|
None |
string |
|
SystemAssigned |
string |
|
SystemAssigned,UserAssigned |
string |
|
UserAssigned |
string |
Metadata
Metadata about the resource
Name | Type | Description |
---|---|---|
provisionedBy |
string |
Azure offering managing this resource on-behalf-of customer. |
provisionedByImmutableId |
string |
Immutable Id of azure offering managing this resource on-behalf-of customer. |
provisionedByResourceId |
string |
Resource Id of azure offering managing this resource on-behalf-of customer. |
MicrosoftFabricDestination
Microsoft Fabric destination (non-Azure).
Name | Type | Description |
---|---|---|
artifactId |
string |
The artifact id of the Microsoft Fabric resource. |
databaseName |
string |
The name of the database to which data will be ingested. |
ingestionUri |
string |
The ingestion uri of the Microsoft Fabric resource. |
name |
string |
A friendly name for the destination. This name should be unique across all destinations (regardless of type) within the data collection rule. |
tenantId |
string |
The tenant id of the Microsoft Fabric resource. |
MonitoringAccountDestination
Monitoring account destination.
Name | Type | Description |
---|---|---|
accountId |
string |
The immutable ID of the account. |
accountResourceId |
string |
The resource ID of the monitoring account. |
name |
string |
A friendly name for the destination. This name should be unique across all destinations (regardless of type) within the data collection rule. |
PerfCounterDataSource
Definition of which performance counters will be collected and how they will be collected by this data collection rule. Collected from both Windows and Linux machines where the counter is present.
Name | Type | Description |
---|---|---|
counterSpecifiers |
string[] |
A list of specifier names of the performance counters you want to collect. Use a wildcard (*) to collect a counter for all instances. To get a list of performance counters on Windows, run the command 'typeperf'. |
name |
string |
A friendly name for the data source. This name should be unique across all data sources (regardless of type) within the data collection rule. |
samplingFrequencyInSeconds |
integer |
The number of seconds between consecutive counter measurements (samples). |
streams |
List of streams that this data source will be sent to. A stream indicates what schema will be used for this data and usually what table in Log Analytics the data will be sent to. |
|
transformKql |
string |
The KQL query to transform the data source. |
PlatformTelemetryDataSource
Definition of platform telemetry data source configuration
Name | Type | Description |
---|---|---|
name |
string |
A friendly name for the data source. This name should be unique across all data sources (regardless of type) within the data collection rule. |
streams |
string[] |
List of platform telemetry streams to collect |
PrometheusForwarderDataSource
Definition of Prometheus metrics forwarding configuration.
Name | Type | Description |
---|---|---|
labelIncludeFilter |
object |
The list of label inclusion filters in the form of label "name-value" pairs. Currently only one label is supported: 'microsoft_metrics_include_label'. Label values are matched case-insensitively. |
name |
string |
A friendly name for the data source. This name should be unique across all data sources (regardless of type) within the data collection rule. |
streams |
List of streams that this data source will be sent to. |
References
Defines all the references that may be used in other sections of the DCR
Name | Type | Description |
---|---|---|
enrichmentData |
All the enrichment data sources referenced in data flows |
Settings
The log files specific settings.
Name | Type | Description |
---|---|---|
text |
Text settings |
StorageBlob
Name | Type | Description |
---|---|---|
blobUrl |
string |
Url of the storage blob |
lookupType |
The type of lookup to perform on the blob |
|
name |
string |
The name of the enrichment data source used as an alias when referencing this data source in data flows |
resourceId |
string |
Resource Id of the storage account that hosts the blob |
StorageBlobDestination
Name | Type | Description |
---|---|---|
containerName |
string |
The container name of the Storage Blob. |
name |
string |
A friendly name for the destination. This name should be unique across all destinations (regardless of type) within the data collection rule. |
storageAccountResourceId |
string |
The resource ID of the storage account. |
StorageTableDestination
Name | Type | Description |
---|---|---|
name |
string |
A friendly name for the destination. This name should be unique across all destinations (regardless of type) within the data collection rule. |
storageAccountResourceId |
string |
The resource ID of the storage account. |
tableName |
string |
The name of the Storage Table. |
StreamDeclaration
Declaration of a custom stream.
Name | Type | Description |
---|---|---|
columns |
List of columns used by data in this stream. |
SyslogDataSource
Definition of which syslog data will be collected and how it will be collected. Only collected from Linux machines.
Name | Type | Description |
---|---|---|
facilityNames |
The list of facility names. |
|
logLevels |
The log levels to collect. |
|
name |
string |
A friendly name for the data source. This name should be unique across all data sources (regardless of type) within the data collection rule. |
streams |
List of streams that this data source will be sent to. A stream indicates what schema will be used for this data and usually what table in Log Analytics the data will be sent to. |
|
transformKql |
string |
The KQL query to transform the data source. |
SystemData
Metadata pertaining to creation and last modification of the resource.
Name | Type | Description |
---|---|---|
createdAt |
string |
The timestamp of resource creation (UTC). |
createdBy |
string |
The identity that created the resource. |
createdByType |
The type of identity that created the resource. |
|
lastModifiedAt |
string |
The timestamp of resource last modification (UTC) |
lastModifiedBy |
string |
The identity that last modified the resource. |
lastModifiedByType |
The type of identity that last modified the resource. |
Text
Text settings
Name | Type | Description |
---|---|---|
recordStartTimestampFormat |
One of the supported timestamp formats |
UserAssignedIdentity
User assigned identity properties
Name | Type | Description |
---|---|---|
clientId |
string |
The client ID of the assigned identity. |
principalId |
string |
The principal ID of the assigned identity. |
WindowsEventLogDataSource
Definition of which Windows Event Log events will be collected and how they will be collected. Only collected from Windows machines.
Name | Type | Description |
---|---|---|
name |
string |
A friendly name for the data source. This name should be unique across all data sources (regardless of type) within the data collection rule. |
streams |
List of streams that this data source will be sent to. A stream indicates what schema will be used for this data and usually what table in Log Analytics the data will be sent to. |
|
transformKql |
string |
The KQL query to transform the data source. |
xPathQueries |
string[] |
A list of Windows Event Log queries in XPATH format. |
WindowsFirewallLogsDataSource
Enables Firewall logs to be collected by this data collection rule.
Name | Type | Description |
---|---|---|
name |
string |
A friendly name for the data source. This name should be unique across all data sources (regardless of type) within the data collection rule. |
profileFilter |
Firewall logs profile filter |
|
streams |
string[] |
Firewall logs streams |