

az monitor data-collection rule windows-event-log

Note

This reference is part of the monitor-control-service extension for the Azure CLI (version 2.61.0 or higher). The extension will automatically install the first time you run an az monitor data-collection rule windows-event-log command. Learn more about extensions.

Manage Windows Event Log data source.

Commands

Name                                                       Description                              Type       Status
az monitor data-collection rule windows-event-log add      Add a Windows Event Log data source.     Extension  GA
az monitor data-collection rule windows-event-log delete   Delete a Windows Event Log data source.  Extension  GA
az monitor data-collection rule windows-event-log list     List Windows Event Log data sources.     Extension  GA
az monitor data-collection rule windows-event-log show     Show a Windows Event Log data source.    Extension  GA
az monitor data-collection rule windows-event-log update   Update a Windows Event Log data source.  Extension  GA

az monitor data-collection rule windows-event-log add

Add a Windows Event Log data source.

az monitor data-collection rule windows-event-log add --data-collection-rule-name
                                                      --name
                                                      --resource-group
                                                      [--streams]
                                                      [--transform-kql]
                                                      [--x-path-queries]

Examples

Add a Windows Event Log data source

az monitor data-collection rule windows-event-log add --rule-name myCollectionRule --resource-group myResourceGroup --name appTeam1AppEvents --streams Microsoft-WindowsEvent --x-path-queries "Application!*[System[(Level = 1 or Level = 2 or Level = 3)]]" "System!*[System[(Level = 1 or Level = 2 or Level = 3)]]"

Required Parameters

--data-collection-rule-name --rule-name

The name of the data collection rule. The name is case insensitive.

--name -n

A friendly name for the data source. This name should be unique across all data sources (regardless of type) within the data collection rule.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--streams

List of streams that this data source will be sent to. A stream indicates what schema will be used for this data and usually what table in Log Analytics the data will be sent to (the example above uses Microsoft-WindowsEvent). Supports shorthand syntax, json-file and yaml-file input. Try "??" to show more.

--transform-kql

The KQL transformation applied to this data source's events before they are sent to the destination; the incoming data is referenced as the table named source (for example, source | where ...). Use it to drop or reshape events you do not want to ingest.

--x-path-queries

A list of Windows Event Log queries in XPath format, each written as Channel!XPath (for example Application!*[System[(Level = 1)]]); only events matching a query are collected. Supports shorthand syntax, json-file and yaml-file input. Try "??" to show more.
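The reference shows the query strings but not how to build or check them. The script below is an added example, not part of the Azure CLI reference: it generates Channel!XPath strings for the add example's Application/System levels and for a filtered Security channel, rejects a query that would collect a whole channel, and renders the list as a JSON array. The same list format is what `update --x-path-queries` takes, where it replaces the data source's current list. Channel names and event IDs are standard Windows values; the rule and data source names in the comment are placeholders.

```shell
#!/bin/sh
# Added example, not part of the Azure CLI reference page: build and sanity-check
# the XPath query list for a Windows Event Log data source before passing it to
#   az monitor data-collection rule windows-event-log add|update --x-path-queries
# Channel names and event IDs are standard Windows ones; the rule and data source
# names in the comment at the bottom are placeholders.
set -eu

# "Application!*[System[(Level = 1 or Level = 2 or Level = 3)]]" from a channel
# and one or more levels (1 = Critical, 2 = Error, 3 = Warning).
xpath_levels() {
  channel=$1; shift
  clause=""
  for lvl in "$@"; do
    clause="${clause}${clause:+ or }Level = ${lvl}"
  done
  printf '%s!*[System[(%s)]]' "$channel" "$clause"
}

# "Security!*[System[(EventID=4624 or EventID=4625)]]" from a channel and one or
# more event IDs: collect the security events you need, not the whole channel.
xpath_event_ids() {
  channel=$1; shift
  clause=""
  for id in "$@"; do
    clause="${clause}${clause:+ or }EventID=${id}"
  done
  printf '%s!*[System[(%s)]]' "$channel" "$clause"
}

# Returns 0 for "Channel!<xpath>" with a real filter; 1 when the channel prefix
# is missing or the query is "Channel!*", which collects every event in the
# channel and is the usual cause of unexpected ingestion volume.
check_xpath() {
  case "$1" in
    *'!'*) ;;
    *) echo "no 'Channel!' prefix: $1" >&2; return 1 ;;
  esac
  case "$1" in
    *'!*') echo "collects the entire channel: $1" >&2; return 1 ;;
  esac
  return 0
}

# Render the queries as a JSON array (the help text lists json-file as an
# accepted input form for --x-path-queries); each argument is one query.
to_json_array() {
  out="["; sep=""
  for q in "$@"; do
    esc=$(printf '%s' "$q" | sed 's/\\/\\\\/g; s/"/\\"/g')
    out="${out}${sep}\"${esc}\""
    sep=","
  done
  printf '%s]' "$out"
}

# The list used below: the page's Application/System example plus a filtered
# Security channel (logon success/failure, process creation, audit log cleared).
Q_APP=$(xpath_levels Application 1 2 3)
Q_SYS=$(xpath_levels System 1 2 3)
Q_SEC=$(xpath_event_ids Security 4624 4625 4688 1102)

# Validate every query (set -e aborts on the first bad one), then print the
# JSON array.
main() {
  for q in "$Q_APP" "$Q_SYS" "$Q_SEC"; do
    check_xpath "$q"
  done
  to_json_array "$Q_APP" "$Q_SYS" "$Q_SEC"
  echo
  # With the CLI, pass the same strings as separate arguments, exactly as the
  # reference example does:
  #   az monitor data-collection rule windows-event-log add \
  #     --rule-name myCollectionRule --resource-group myResourceGroup \
  #     --name secTeamWinEvents --streams Microsoft-WindowsEvent \
  #     --x-path-queries "$Q_APP" "$Q_SYS" "$Q_SEC"
}

main "$@"
```

Keep the Security channel filtered to the event IDs you actually alert on; a bare Security!* is accepted by the service but collects every audit event on the host, which is why check_xpath rejects it.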

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az monitor data-collection rule windows-event-log delete

Delete a Windows Event Log data source.

az monitor data-collection rule windows-event-log delete --data-collection-rule-name
                                                         --name
                                                         --resource-group

Examples

Delete a Windows Event Log data source

az monitor data-collection rule windows-event-log delete --rule-name myCollectionRule --resource-group myResourceGroup --name appTeam1AppEvents

Required Parameters

--data-collection-rule-name --rule-name

The name of the data collection rule. The name is case insensitive.

--name -n

A friendly name for the data source. This name should be unique across all data sources (regardless of type) within the data collection rule.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az monitor data-collection rule windows-event-log list

List Windows Event Log data sources.

az monitor data-collection rule windows-event-log list --data-collection-rule-name
                                                       --resource-group

Examples

List Windows Event Log data sources

az monitor data-collection rule windows-event-log list --rule-name myCollectionRule --resource-group myResourceGroup

Required Parameters

--data-collection-rule-name --rule-name

The name of the data collection rule. The name is case insensitive.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az monitor data-collection rule windows-event-log show

Show a Windows Event Log data source.

az monitor data-collection rule windows-event-log show --data-collection-rule-name
                                                       --name
                                                       --resource-group

Examples

Show a Windows Event Log data source

az monitor data-collection rule windows-event-log show --rule-name myCollectionRule --resource-group myResourceGroup --name appTeam1AppEvents

Required Parameters

--data-collection-rule-name --rule-name

The name of the data collection rule. The name is case insensitive.

--name -n

A friendly name for the data source. This name should be unique across all data sources (regardless of type) within the data collection rule.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az monitor data-collection rule windows-event-log update

Update a Windows Event Log data source.

az monitor data-collection rule windows-event-log update --data-collection-rule-name
                                                         --name
                                                         --resource-group
                                                         [--add]
                                                         [--force-string {0, 1, f, false, n, no, t, true, y, yes}]
                                                         [--remove]
                                                         [--set]
                                                         [--streams]
                                                         [--transform-kql]
                                                         [--x-path-queries]

Examples

Update a Windows Event Log data source

az monitor data-collection rule windows-event-log update --rule-name myCollectionRule --resource-group myResourceGroup --name appTeam1AppEvents --x-path-queries "Application!*[System[(Level = 1 or Level = 2 or Level = 3)]]"

Required Parameters

--data-collection-rule-name --rule-name

The name of the data collection rule. The name is case insensitive.

--name -n

A friendly name for the data source. This name should be unique across all data sources (regardless of type) within the data collection rule.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--add

Add an object to a list of objects by specifying a path and key value pairs. Example: --add property.listProperty <key=value, string or JSON string>.

--force-string

When using 'set' or 'add', preserve string literals instead of attempting to convert to JSON.

Accepted values: 0, 1, f, false, n, no, t, true, y, yes
--remove

Remove a property or an element from a list. Example: --remove property.list <indexToRemove> OR --remove propertyToRemove.

--set

Update an object by specifying a property path and value to set. Example: --set property1.property2=<value>.

--streams

List of streams that this data source will be sent to. A stream indicates what schema will be used for this data and usually what table in Log Analytics the data will be sent to. Supports shorthand syntax, json-file and yaml-file input. Try "??" to show more.

--transform-kql

The KQL transformation applied to this data source's events before they are sent to the destination; the incoming data is referenced as the table named source.

--x-path-queries

A list of Windows Event Log queries in XPath format, each written as Channel!XPath. The list given here replaces the data source's current list rather than appending to it, so pass every query you want to keep. Supports shorthand syntax, json-file and yaml-file input. Try "??" to show more.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.