Microsoft.Insights dataCollectionRules 2021-04-01
Bicep resource definition
The dataCollectionRules resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Insights/dataCollectionRules resource, add the following Bicep to your template.
resource symbolicname 'Microsoft.Insights/dataCollectionRules@2021-04-01' = {
  name: 'string'
  location: 'string'
  tags: {
    tagName1: 'tagValue1'
    tagName2: 'tagValue2'
  }
  kind: 'string'
  properties: {
    dataFlows: [
      {
        destinations: [
          'string'
        ]
        streams: [
          'string'
        ]
      }
    ]
    dataSources: {
      extensions: [
        {
          extensionName: 'string'
          extensionSettings: any()
          inputDataSources: [
            'string'
          ]
          name: 'string'
          streams: [
            'string'
          ]
        }
      ]
      performanceCounters: [
        {
          counterSpecifiers: [
            'string'
          ]
          name: 'string'
          samplingFrequencyInSeconds: int
          streams: [
            'string'
          ]
        }
      ]
      syslog: [
        {
          facilityNames: [
            'string'
          ]
          logLevels: [
            'string'
          ]
          name: 'string'
          streams: [
            'Microsoft-Syslog'
          ]
        }
      ]
      windowsEventLogs: [
        {
          name: 'string'
          streams: [
            'string'
          ]
          xPathQueries: [
            'string'
          ]
        }
      ]
    }
    description: 'string'
    destinations: {
      azureMonitorMetrics: {
        name: 'string'
      }
      logAnalytics: [
        {
          name: 'string'
          workspaceResourceId: 'string'
        }
      ]
    }
  }
}
Property values
dataCollectionRules
Name | Description | Value |
---|---|---|
name | The resource name | string (required) |
location | The geo-location where the resource lives. | string (required) |
tags | Resource tags. | Dictionary of tag names and values. See Tags in templates |
kind | The kind of the resource. | 'Linux' 'Windows' |
properties | Resource properties. | DataCollectionRuleResourceProperties |
DataCollectionRuleResourceProperties
Name | Description | Value |
---|---|---|
dataFlows | The specification of data flows. | DataFlow[] |
dataSources | The specification of data sources. This property is optional and can be omitted if the rule is meant to be used via direct calls to the provisioned endpoint. | DataCollectionRuleDataSources |
description | Description of the data collection rule. | string |
destinations | The specification of destinations. | DataCollectionRuleDestinations |
DataFlow
Name | Description | Value |
---|---|---|
destinations | List of destinations for this data flow. | string[] |
streams | List of streams for this data flow. | String array containing any of: 'Microsoft-Event' 'Microsoft-InsightsMetrics' 'Microsoft-Perf' 'Microsoft-Syslog' 'Microsoft-WindowsEvent' |
DataCollectionRuleDataSources
Name | Description | Value |
---|---|---|
extensions | The list of Azure VM extension data source configurations. | ExtensionDataSource[] |
performanceCounters | The list of performance counter data source configurations. | PerfCounterDataSource[] |
syslog | The list of Syslog data source configurations. | SyslogDataSource[] |
windowsEventLogs | The list of Windows Event Log data source configurations. | WindowsEventLogDataSource[] |
ExtensionDataSource
Name | Description | Value |
---|---|---|
extensionName | The name of the VM extension. | string (required) |
extensionSettings | The extension settings. The format is specific to the particular extension. | For Bicep, you can use the any() function. |
inputDataSources | The list of data sources this extension needs data from. | string[] |
name | A friendly name for the data source. This name should be unique across all data sources (regardless of type) within the data collection rule. | string |
streams | List of streams that this data source will be sent to. A stream indicates what schema will be used for this data and usually what table in Log Analytics the data will be sent to. | String array containing any of: 'Microsoft-Event' 'Microsoft-InsightsMetrics' 'Microsoft-Perf' 'Microsoft-Syslog' 'Microsoft-WindowsEvent' |
PerfCounterDataSource
Name | Description | Value |
---|---|---|
counterSpecifiers | A list of specifier names of the performance counters you want to collect. Use a wildcard (*) to collect a counter for all instances. To get a list of performance counters on Windows, run the command 'typeperf'. | string[] |
name | A friendly name for the data source. This name should be unique across all data sources (regardless of type) within the data collection rule. | string |
samplingFrequencyInSeconds | The number of seconds between consecutive counter measurements (samples). | int |
streams | List of streams that this data source will be sent to. A stream indicates what schema will be used for this data and usually what table in Log Analytics the data will be sent to. | String array containing any of: 'Microsoft-InsightsMetrics' 'Microsoft-Perf' |
SyslogDataSource
Name | Description | Value |
---|---|---|
facilityNames | The list of facility names. | String array containing any of: '*' 'alert' 'audit' 'auth' 'authpriv' 'clock' 'cron' 'daemon' 'ftp' 'kern' 'local0' 'local1' 'local2' 'local3' 'local4' 'local5' 'local6' 'local7' 'lpr' 'mail' 'mark' 'news' 'nopri' 'ntp' 'syslog' 'user' 'uucp' |
logLevels | The log levels to collect. | String array containing any of: '*' 'Alert' 'Critical' 'Debug' 'Emergency' 'Error' 'Info' 'Notice' 'Warning' |
name | A friendly name for the data source. This name should be unique across all data sources (regardless of type) within the data collection rule. | string |
streams | List of streams that this data source will be sent to. A stream indicates what schema will be used for this data and usually what table in Log Analytics the data will be sent to. | String array containing any of: 'Microsoft-Syslog' |
WindowsEventLogDataSource
Name | Description | Value |
---|---|---|
name | A friendly name for the data source. This name should be unique across all data sources (regardless of type) within the data collection rule. | string |
streams | List of streams that this data source will be sent to. A stream indicates what schema will be used for this data and usually what table in Log Analytics the data will be sent to. | String array containing any of: 'Microsoft-Event' 'Microsoft-WindowsEvent' |
xPathQueries | A list of Windows Event Log queries in XPATH format. | string[] |
DataCollectionRuleDestinations
Name | Description | Value |
---|---|---|
azureMonitorMetrics | Azure Monitor Metrics destination. | DestinationsSpecAzureMonitorMetrics |
logAnalytics | List of Log Analytics destinations. | LogAnalyticsDestination[] |
DestinationsSpecAzureMonitorMetrics
Name | Description | Value |
---|---|---|
name | A friendly name for the destination. This name should be unique across all destinations (regardless of type) within the data collection rule. | string |
LogAnalyticsDestination
Name | Description | Value |
---|---|---|
name | A friendly name for the destination. This name should be unique across all destinations (regardless of type) within the data collection rule. | string |
workspaceResourceId | The resource ID of the Log Analytics workspace. | string |
Quickstart templates
The following quickstart templates deploy this resource type.
Template | Description |
---|---|
Deploy Darktrace Autoscaling vSensors | This template allows you to deploy an automatically autoscaling deployment of Darktrace vSensors |
Data Collection Rule for Syslog | This template creates a data collection rule defining the data source (Syslog) and the destination workspace. |
ARM template resource definition
The dataCollectionRules resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Insights/dataCollectionRules resource, add the following JSON to your template.
{
  "type": "Microsoft.Insights/dataCollectionRules",
  "apiVersion": "2021-04-01",
  "name": "string",
  "location": "string",
  "tags": {
    "tagName1": "tagValue1",
    "tagName2": "tagValue2"
  },
  "kind": "string",
  "properties": {
    "dataFlows": [
      {
        "destinations": [ "string" ],
        "streams": [ "string" ]
      }
    ],
    "dataSources": {
      "extensions": [
        {
          "extensionName": "string",
          "extensionSettings": {},
          "inputDataSources": [ "string" ],
          "name": "string",
          "streams": [ "string" ]
        }
      ],
      "performanceCounters": [
        {
          "counterSpecifiers": [ "string" ],
          "name": "string",
          "samplingFrequencyInSeconds": "int",
          "streams": [ "string" ]
        }
      ],
      "syslog": [
        {
          "facilityNames": [ "string" ],
          "logLevels": [ "string" ],
          "name": "string",
          "streams": [ "Microsoft-Syslog" ]
        }
      ],
      "windowsEventLogs": [
        {
          "name": "string",
          "streams": [ "string" ],
          "xPathQueries": [ "string" ]
        }
      ]
    },
    "description": "string",
    "destinations": {
      "azureMonitorMetrics": {
        "name": "string"
      },
      "logAnalytics": [
        {
          "name": "string",
          "workspaceResourceId": "string"
        }
      ]
    }
  }
}
Property values
dataCollectionRules
Name | Description | Value |
---|---|---|
type | The resource type | 'Microsoft.Insights/dataCollectionRules' |
apiVersion | The resource api version | '2021-04-01' |
name | The resource name | string (required) |
location | The geo-location where the resource lives. | string (required) |
tags | Resource tags. | Dictionary of tag names and values. See Tags in templates |
kind | The kind of the resource. | 'Linux' 'Windows' |
properties | Resource properties. | DataCollectionRuleResourceProperties |
DataCollectionRuleResourceProperties
Name | Description | Value |
---|---|---|
dataFlows | The specification of data flows. | DataFlow[] |
dataSources | The specification of data sources. This property is optional and can be omitted if the rule is meant to be used via direct calls to the provisioned endpoint. | DataCollectionRuleDataSources |
description | Description of the data collection rule. | string |
destinations | The specification of destinations. | DataCollectionRuleDestinations |
DataFlow
Name | Description | Value |
---|---|---|
destinations | List of destinations for this data flow. | string[] |
streams | List of streams for this data flow. | String array containing any of: 'Microsoft-Event' 'Microsoft-InsightsMetrics' 'Microsoft-Perf' 'Microsoft-Syslog' 'Microsoft-WindowsEvent' |
DataCollectionRuleDataSources
Name | Description | Value |
---|---|---|
extensions | The list of Azure VM extension data source configurations. | ExtensionDataSource[] |
performanceCounters | The list of performance counter data source configurations. | PerfCounterDataSource[] |
syslog | The list of Syslog data source configurations. | SyslogDataSource[] |
windowsEventLogs | The list of Windows Event Log data source configurations. | WindowsEventLogDataSource[] |
ExtensionDataSource
Name | Description | Value |
---|---|---|
extensionName | The name of the VM extension. | string (required) |
extensionSettings | The extension settings. The format is specific to the particular extension. | |
inputDataSources | The list of data sources this extension needs data from. | string[] |
name | A friendly name for the data source. This name should be unique across all data sources (regardless of type) within the data collection rule. | string |
streams | List of streams that this data source will be sent to. A stream indicates what schema will be used for this data and usually what table in Log Analytics the data will be sent to. | String array containing any of: 'Microsoft-Event' 'Microsoft-InsightsMetrics' 'Microsoft-Perf' 'Microsoft-Syslog' 'Microsoft-WindowsEvent' |
PerfCounterDataSource
Name | Description | Value |
---|---|---|
counterSpecifiers | A list of specifier names of the performance counters you want to collect. Use a wildcard (*) to collect a counter for all instances. To get a list of performance counters on Windows, run the command 'typeperf'. | string[] |
name | A friendly name for the data source. This name should be unique across all data sources (regardless of type) within the data collection rule. | string |
samplingFrequencyInSeconds | The number of seconds between consecutive counter measurements (samples). | int |
streams | List of streams that this data source will be sent to. A stream indicates what schema will be used for this data and usually what table in Log Analytics the data will be sent to. | String array containing any of: 'Microsoft-InsightsMetrics' 'Microsoft-Perf' |
SyslogDataSource
Name | Description | Value |
---|---|---|
facilityNames | The list of facility names. | String array containing any of: '*' 'alert' 'audit' 'auth' 'authpriv' 'clock' 'cron' 'daemon' 'ftp' 'kern' 'local0' 'local1' 'local2' 'local3' 'local4' 'local5' 'local6' 'local7' 'lpr' 'mail' 'mark' 'news' 'nopri' 'ntp' 'syslog' 'user' 'uucp' |
logLevels | The log levels to collect. | String array containing any of: '*' 'Alert' 'Critical' 'Debug' 'Emergency' 'Error' 'Info' 'Notice' 'Warning' |
name | A friendly name for the data source. This name should be unique across all data sources (regardless of type) within the data collection rule. | string |
streams | List of streams that this data source will be sent to. A stream indicates what schema will be used for this data and usually what table in Log Analytics the data will be sent to. | String array containing any of: 'Microsoft-Syslog' |
WindowsEventLogDataSource
Name | Description | Value |
---|---|---|
name | A friendly name for the data source. This name should be unique across all data sources (regardless of type) within the data collection rule. | string |
streams | List of streams that this data source will be sent to. A stream indicates what schema will be used for this data and usually what table in Log Analytics the data will be sent to. | String array containing any of: 'Microsoft-Event' 'Microsoft-WindowsEvent' |
xPathQueries | A list of Windows Event Log queries in XPATH format. | string[] |
DataCollectionRuleDestinations
Name | Description | Value |
---|---|---|
azureMonitorMetrics | Azure Monitor Metrics destination. | DestinationsSpecAzureMonitorMetrics |
logAnalytics | List of Log Analytics destinations. | LogAnalyticsDestination[] |
DestinationsSpecAzureMonitorMetrics
Name | Description | Value |
---|---|---|
name | A friendly name for the destination. This name should be unique across all destinations (regardless of type) within the data collection rule. | string |
LogAnalyticsDestination
Name | Description | Value |
---|---|---|
name | A friendly name for the destination. This name should be unique across all destinations (regardless of type) within the data collection rule. | string |
workspaceResourceId | The resource ID of the Log Analytics workspace. | string |
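A small linter for the ARM JSON form of this resource, added here as an example and not part of the original reference: it checks a rule against the per-source stream values, the log levels and the name-uniqueness requirement in the tables above, so a mismatch in a log-collection rule is caught in review rather than after deployment. The sample resource, its names and the placeholder workspace ID are constructed, and the check that a data flow destination matches a declared destination name is an assumption about how the two fields relate.

```python
import json

# Allowed values, copied from the property tables on this page.
ALL_STREAMS = {"Microsoft-Event", "Microsoft-InsightsMetrics", "Microsoft-Perf",
               "Microsoft-Syslog", "Microsoft-WindowsEvent"}
SOURCE_STREAMS = {
    "extensions": ALL_STREAMS,
    "performanceCounters": {"Microsoft-InsightsMetrics", "Microsoft-Perf"},
    "syslog": {"Microsoft-Syslog"},
    "windowsEventLogs": {"Microsoft-Event", "Microsoft-WindowsEvent"},
}
LOG_LEVELS = {"*", "Alert", "Critical", "Debug", "Emergency", "Error",
              "Info", "Notice", "Warning"}

def lint_dcr(resource):
    """Return findings (strings) for one dataCollectionRules resource dict."""
    findings = []
    props = resource.get("properties", {})
    seen = set()  # data source names must be unique across all source types
    for section, allowed in SOURCE_STREAMS.items():
        for src in props.get("dataSources", {}).get(section, []):
            name = src.get("name")
            where = f"dataSources.{section}[{name!r}]"
            if name in seen:
                findings.append(f"{where}: duplicate data source name")
            seen.add(name)
            streams = src.get("streams", [])
            if not isinstance(streams, list):
                findings.append(f"{where}: streams must be an array")
                streams = [streams]
            for s in sorted(set(streams) - allowed):
                findings.append(f"{where}: stream {s!r} not allowed here")
            for lvl in sorted(set(src.get("logLevels", [])) - LOG_LEVELS):
                findings.append(f"{where}: unknown logLevel {lvl!r}")
    dests = props.get("destinations", {})
    names = [d.get("name") for d in dests.get("logAnalytics", [])]
    if "azureMonitorMetrics" in dests:
        names.append(dests["azureMonitorMetrics"].get("name"))
    # Assumption: a dataFlows destination is the friendly name of a declared destination.
    for i, flow in enumerate(props.get("dataFlows", [])):
        for s in sorted(set(flow.get("streams", [])) - ALL_STREAMS):
            findings.append(f"dataFlows[{i}]: unknown stream {s!r}")
        for d in flow.get("destinations", []):
            if d not in names:
                findings.append(f"dataFlows[{i}]: destination {d!r} is not declared")
    return findings

# Constructed sample with four deliberate mistakes (not from a real deployment).
SAMPLE = json.loads("""
{"type": "Microsoft.Insights/dataCollectionRules", "apiVersion": "2021-04-01",
 "name": "dcr-linux-auth", "location": "westeurope", "kind": "Linux",
 "properties": {
   "dataSources": {"syslog": [
     {"name": "authLogs", "facilityNames": ["auth", "authpriv"],
      "logLevels": ["error", "Critical"], "streams": "Microsoft-Syslog"},
     {"name": "authLogs", "facilityNames": ["cron"], "logLevels": ["*"],
      "streams": ["Microsoft-Syslog"]}]},
   "destinations": {"logAnalytics": [
     {"name": "la-security", "workspaceResourceId": "<placeholder>"}]},
   "dataFlows": [{"streams": ["Microsoft-Syslog"], "destinations": ["la-secops"]}]}}
""")

if __name__ == "__main__":
    print("\n".join(lint_dcr(SAMPLE)))
```

The log-level comparison is case-sensitive because the table lists the values capitalised.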
Quickstart templates
The following quickstart templates deploy this resource type.
Template | Description |
---|---|
Deploy Darktrace Autoscaling vSensors | This template allows you to deploy an automatically autoscaling deployment of Darktrace vSensors |
Data Collection Rule for Syslog | This template creates a data collection rule defining the data source (Syslog) and the destination workspace. |
Terraform (AzAPI provider) resource definition
The dataCollectionRules resource type can be deployed with operations that target:
- Resource groups
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Insights/dataCollectionRules resource, add the following Terraform to your template.
resource "azapi_resource" "symbolicname" {
  type = "Microsoft.Insights/dataCollectionRules@2021-04-01"
  name = "string"
  location = "string"
  parent_id = "string"
  tags = {
    tagName1 = "tagValue1"
    tagName2 = "tagValue2"
  }
  body = jsonencode({
    properties = {
      dataFlows = [
        {
          destinations = [
            "string"
          ]
          streams = [
            "string"
          ]
        }
      ]
      dataSources = {
        extensions = [
          {
            extensionName = "string"
            inputDataSources = [
              "string"
            ]
            name = "string"
            streams = [
              "string"
            ]
          }
        ]
        performanceCounters = [
          {
            counterSpecifiers = [
              "string"
            ]
            name = "string"
            samplingFrequencyInSeconds = int
            streams = [
              "string"
            ]
          }
        ]
        syslog = [
          {
            facilityNames = [
              "string"
            ]
            logLevels = [
              "string"
            ]
            name = "string"
            streams = [
              "Microsoft-Syslog"
            ]
          }
        ]
        windowsEventLogs = [
          {
            name = "string"
            streams = [
              "string"
            ]
            xPathQueries = [
              "string"
            ]
          }
        ]
      }
      description = "string"
      destinations = {
        azureMonitorMetrics = {
          name = "string"
        }
        logAnalytics = [
          {
            name = "string"
            workspaceResourceId = "string"
          }
        ]
      }
    }
    kind = "string"
  })
}
Property values
dataCollectionRules
Name | Description | Value |
---|---|---|
type | The resource type | "Microsoft.Insights/dataCollectionRules@2021-04-01" |
name | The resource name | string (required) |
location | The geo-location where the resource lives. | string (required) |
parent_id | To deploy to a resource group, use the ID of that resource group. | string (required) |
tags | Resource tags. | Dictionary of tag names and values. |
kind | The kind of the resource. | "Linux" "Windows" |
properties | Resource properties. | DataCollectionRuleResourceProperties |
DataCollectionRuleResourceProperties
Name | Description | Value |
---|---|---|
dataFlows | The specification of data flows. | DataFlow[] |
dataSources | The specification of data sources. This property is optional and can be omitted if the rule is meant to be used via direct calls to the provisioned endpoint. | DataCollectionRuleDataSources |
description | Description of the data collection rule. | string |
destinations | The specification of destinations. | DataCollectionRuleDestinations |
DataFlow
Name | Description | Value |
---|---|---|
destinations | List of destinations for this data flow. | string[] |
streams | List of streams for this data flow. | String array containing any of: "Microsoft-Event" "Microsoft-InsightsMetrics" "Microsoft-Perf" "Microsoft-Syslog" "Microsoft-WindowsEvent" |
DataCollectionRuleDataSources
Name | Description | Value |
---|---|---|
extensions | The list of Azure VM extension data source configurations. | ExtensionDataSource[] |
performanceCounters | The list of performance counter data source configurations. | PerfCounterDataSource[] |
syslog | The list of Syslog data source configurations. | SyslogDataSource[] |
windowsEventLogs | The list of Windows Event Log data source configurations. | WindowsEventLogDataSource[] |
ExtensionDataSource
Name | Description | Value |
---|---|---|
extensionName | The name of the VM extension. | string (required) |
extensionSettings | The extension settings. The format is specific to the particular extension. | |
inputDataSources | The list of data sources this extension needs data from. | string[] |
name | A friendly name for the data source. This name should be unique across all data sources (regardless of type) within the data collection rule. | string |
streams | List of streams that this data source will be sent to. A stream indicates what schema will be used for this data and usually what table in Log Analytics the data will be sent to. | String array containing any of: "Microsoft-Event" "Microsoft-InsightsMetrics" "Microsoft-Perf" "Microsoft-Syslog" "Microsoft-WindowsEvent" |
PerfCounterDataSource
Name | Description | Value |
---|---|---|
counterSpecifiers | A list of specifier names of the performance counters you want to collect. Use a wildcard (*) to collect a counter for all instances. To get a list of performance counters on Windows, run the command 'typeperf'. | string[] |
name | A friendly name for the data source. This name should be unique across all data sources (regardless of type) within the data collection rule. | string |
samplingFrequencyInSeconds | The number of seconds between consecutive counter measurements (samples). | int |
streams | List of streams that this data source will be sent to. A stream indicates what schema will be used for this data and usually what table in Log Analytics the data will be sent to. | String array containing any of: "Microsoft-InsightsMetrics" "Microsoft-Perf" |
SyslogDataSource
Name | Description | Value |
---|---|---|
facilityNames | The list of facility names. | String array containing any of: "*" "alert" "audit" "auth" "authpriv" "clock" "cron" "daemon" "ftp" "kern" "local0" "local1" "local2" "local3" "local4" "local5" "local6" "local7" "lpr" "mail" "mark" "news" "nopri" "ntp" "syslog" "user" "uucp" |
logLevels | The log levels to collect. | String array containing any of: "*" "Alert" "Critical" "Debug" "Emergency" "Error" "Info" "Notice" "Warning" |
name | A friendly name for the data source. This name should be unique across all data sources (regardless of type) within the data collection rule. | string |
streams | List of streams that this data source will be sent to. A stream indicates what schema will be used for this data and usually what table in Log Analytics the data will be sent to. | String array containing any of: "Microsoft-Syslog" |
WindowsEventLogDataSource
Name | Description | Value |
---|---|---|
name | A friendly name for the data source. This name should be unique across all data sources (regardless of type) within the data collection rule. | string |
streams | List of streams that this data source will be sent to. A stream indicates what schema will be used for this data and usually what table in Log Analytics the data will be sent to. | String array containing any of: "Microsoft-Event" "Microsoft-WindowsEvent" |
xPathQueries | A list of Windows Event Log queries in XPATH format. | string[] |
DataCollectionRuleDestinations
Name | Description | Value |
---|---|---|
azureMonitorMetrics | Azure Monitor Metrics destination. | DestinationsSpecAzureMonitorMetrics |
logAnalytics | List of Log Analytics destinations. | LogAnalyticsDestination[] |
DestinationsSpecAzureMonitorMetrics
Name | Description | Value |
---|---|---|
name | A friendly name for the destination. This name should be unique across all destinations (regardless of type) within the data collection rule. | string |
LogAnalyticsDestination
Name | Description | Value |
---|---|---|
name | A friendly name for the destination. This name should be unique across all destinations (regardless of type) within the data collection rule. | string |
workspaceResourceId | The resource ID of the Log Analytics workspace. | string |