Windows diagnostics extension schema

Azure Diagnostics extension is an agent in Azure Monitor that collects monitoring data from the guest operating system and workloads of Azure compute resources. This article details the schema used for configuration of the diagnostics extension on Windows virtual machines and other compute resources.

Note

The schema in this article is valid for versions 1.3 and newer (Azure SDK 2.4 and newer). Newer configuration sections are commented to show in what version they were added. Version 1.0 and 1.2 of the schema have been archived and no longer available.

Public configuration file schema

Download the public configuration file schema definition by executing the following PowerShell command:

(Get-AzureServiceAvailableExtension -ExtensionName 'PaaSDiagnostics' -ProviderNamespace 'Microsoft.Azure.Diagnostics').PublicConfigurationSchema | Out-File –Encoding utf8 -FilePath 'C:\temp\WadConfig.xsd'  

Common Attribute Types

scheduledTransferPeriod attribute appears in several elements. It is the interval between scheduled transfers to storage rounded up to the nearest minute. The value is an XML “Duration Data Type.”

DiagnosticsConfiguration Element

Tree: Root - DiagnosticsConfiguration

Added in version 1.3.

The top-level element of the diagnostics configuration file.

Attribute xmlns - The XML namespace for the diagnostics configuration file is:
http://schemas.microsoft.com/ServiceHosting/2010/10/DiagnosticsConfiguration

Child Elements Description
PublicConfig Required. See description elsewhere on this page.
PrivateConfig Optional. See description elsewhere on this page.
IsEnabled Boolean. See description elsewhere on this page.

PublicConfig Element

Tree: Root - DiagnosticsConfiguration - PublicConfig

Describes the public diagnostics configuration.

Child Elements Description
WadCfg Required. See description elsewhere on this page.
StorageAccount The name of the Azure Storage account to store the data in. May also be specified as a parameter when executing the Set-AzureServiceDiagnosticsExtension cmdlet.
StorageType Can be Table, Blob, or TableAndBlob. Table is default. When TableAndBlob is chosen, diagnostic data is written twice -- once to each type.
LocalResourceDirectory The directory on the virtual machine where the Monitoring Agent stores event data. If not, set, the default directory is used:

For a Worker/web role: C:\Resources\<guid>\directory\<guid>.<RoleName.DiagnosticStore\

For a Virtual Machine: C:\WindowsAzure\Logs\Plugins\Microsoft.Azure.Diagnostics.IaaSDiagnostics\<WADVersion>\WAD<WADVersion>

Required attributes are:

- path - The directory on the system to be used by Azure Diagnostics.

- expandEnvironment - Controls whether environment variables are expanded in the path name.

WadCFG Element

Tree: Root - DiagnosticsConfiguration - PublicConfig - WadCFG

Identifies and configures the telemetry data to be collected.

DiagnosticMonitorConfiguration Element

Tree: Root - DiagnosticsConfiguration - PublicConfig - WadCFG - DiagnosticMonitorConfiguration

Required

Attributes Description
overallQuotaInMB The maximum amount of local disk space that may be consumed by the various types of diagnostic data collected by Azure Diagnostics. The default setting is 4096 MB.
useProxyServer Configure Azure Diagnostics to use the proxy server settings as set in IE settings.
sinks Added in 1.5. Optional. Points to a sink location to also send diagnostic data for all child elements that support sinks. Sink example is Application Insights or Event Hubs. Note you need to add the resourceId property under the Metrics element if you want events uploaded to Event Hubs to have a resource ID.



Child Elements Description
CrashDumps See description elsewhere on this page.
DiagnosticInfrastructureLogs Enable collection of logs generated by Azure Diagnostics. The diagnostic infrastructure logs are useful for troubleshooting the diagnostics system itself. Optional attributes are:

- scheduledTransferLogLevelFilter - Configures the minimum severity level of the logs collected.

- scheduledTransferPeriod - The interval between scheduled transfers to storage rounded up to the nearest minute. The value is an XML “Duration Data Type.”
Directories See description elsewhere on this page.
EtwProviders See description elsewhere on this page.
Metrics See description elsewhere on this page.
PerformanceCounters See description elsewhere on this page.
WindowsEventLog See description elsewhere on this page.
DockerSources See description elsewhere on this page.

CrashDumps Element

Tree: Root - DiagnosticsConfiguration - PublicConfig - WadCFG - DiagnosticMonitorConfiguration - CrashDumps

Enable the collection of crash dumps.

Attributes Description
containerName Optional. The name of the blob container in your Azure Storage account to be used to store crash dumps.
crashDumpType Optional. Configures Azure Diagnostics to collect mini or full crash dumps.
directoryQuotaPercentage Optional. Configures the percentage of overallQuotaInMB to be reserved for crash dumps on the VM.
Child Elements Description
CrashDumpConfiguration Required. Defines configuration values for each process.

The following attribute is also required:

processName - The name of the process you want Azure Diagnostics to collect a crash dump for.

Directories Element

Tree: Root - DiagnosticsConfiguration - PublicConfig - WadCFG - DiagnosticMonitorConfiguration - Directories

Enables the collection of the contents of a directory, IIS failed access request logs and/or IIS logs.

Optional scheduledTransferPeriod attribute. See explanation earlier.

Child Elements Description
IISLogs Including this element in the configuration enables the collection of IIS logs:

containerName - The name of the blob container in your Azure Storage account to be used to store the IIS logs.
FailedRequestLogs Including this element in the configuration enables collection of logs about failed requests to an IIS site or application. You must also enable tracing options under system.WebServer in Web.config.
DataSources A list of directories to monitor.

DataSources Element

Tree: Root - DiagnosticsConfiguration - PublicConfig - WadCFG - DiagnosticMonitorConfiguration - Directories - DataSources

A list of directories to monitor.

Child Elements Description
DirectoryConfiguration Required. Required attribute:

containerName - The name of the blob container in your Azure Storage account that to be used to store the log files.

DirectoryConfiguration Element

Tree: Root - DiagnosticsConfiguration - PublicConfig - WadCFG - DiagnosticMonitorConfiguration - Directories - DataSources - DirectoryConfiguration

May include either the Absolute or LocalResource element but not both.

Child Elements Description
Absolute The absolute path to the directory to monitor. The following attributes are required:

- Path - The absolute path to the directory to monitor.

- expandEnvironment - Configures whether environment variables in Path are expanded.
LocalResource The path relative to a local resource to monitor. Required attributes are:

- Name - The local resource that contains the directory to monitor

- relativePath - The path relative to Name that contains the directory to monitor

EtwProviders Element

Tree: Root - DiagnosticsConfiguration - PublicConfig - WadCFG - DiagnosticMonitorConfiguration - EtwProviders

Configures collection of ETW events from EventSource and/or ETW Manifest based providers.

Child Elements Description
EtwEventSourceProviderConfiguration Configures collection of events generated from EventSource Class. Required attribute:

provider - The class name of the EventSource event.

Optional attributes are:

- scheduledTransferLogLevelFilter - The minimum severity level to transfer to your storage account.

- scheduledTransferPeriod - The interval between scheduled transfers to storage rounded up to the nearest minute. The value is an XML “Duration Data Type.”
EtwManifestProviderConfiguration Required attribute:

provider - The GUID of the event provider

Optional attributes are:

- scheduledTransferLogLevelFilter - The minimum severity level to transfer to your storage account.

- scheduledTransferPeriod - The interval between scheduled transfers to storage rounded up to the nearest minute. The value is an XML “Duration Data Type.”

EtwEventSourceProviderConfiguration Element

Tree: Root - DiagnosticsConfiguration - PublicConfig - WadCFG - DiagnosticMonitorConfiguration - EtwProviders- EtwEventSourceProviderConfiguration

Configures collection of events generated from EventSource Class.

Child Elements Description
DefaultEvents Optional attribute:

eventDestination - The name of the table to store the events in
Event Required attribute:

id - The id of the event.

Optional attribute:

eventDestination - The name of the table to store the events in

EtwManifestProviderConfiguration Element

Tree: Root - DiagnosticsConfiguration - PublicConfig - WadCFG - DiagnosticMonitorConfiguration - EtwProviders - EtwManifestProviderConfiguration

Child Elements Description
DefaultEvents Optional attribute:

eventDestination - The name of the table to store the events in
Event Required attribute:

id - The id of the event.

Optional attribute:

eventDestination - The name of the table to store the events in

Metrics Element

Tree: Root - DiagnosticsConfiguration - PublicConfig - WadCFG - DiagnosticMonitorConfiguration - Metrics

Enables you to generate a performance counter table that is optimized for fast queries. Each performance counter that is defined in the PerformanceCounters element is stored in the Metrics table in addition to the Performance Counter table.

The resourceId attribute is required. The resource ID of the Virtual Machine or Virtual Machine Scale Set you are deploying Azure Diagnostics to. Get the resourceID from the Azure portal. Select Browse -> Resource Groups -> <Name>. Click the Properties tile and copy the value from the ID field. This resourceID property is used for both sending custom metrics and for adding a resourceID property to data sent to Event Hubs. Note you need to add the resourceId property under the Metrics element if you want events uploaded to Event Hubs to have a resource ID.

Child Elements Description
MetricAggregation Required attribute:

scheduledTransferPeriod - The interval between scheduled transfers to storage rounded up to the nearest minute. The value is an XML “Duration Data Type.”

PerformanceCounters Element

Tree: Root - DiagnosticsConfiguration - PublicConfig - WadCFG - DiagnosticMonitorConfiguration - PerformanceCounters

Enables the collection of performance counters.

Optional attribute:

Optional scheduledTransferPeriod attribute. See explanation earlier.

Child Element Description
PerformanceCounterConfiguration The following attributes are required:

- counterSpecifier - The name of the performance counter. For example, \Processor(_Total)\% Processor Time. To get a list of performance counters on your host, run the command typeperf.

- sampleRate - How often the counter should be sampled.

Optional attribute:

unit - The unit of measure of the counter. Values are available at UnitType Class
sinks Added in 1.5. Optional. Points to a sink location to also send diagnostic data. For example, Azure Monitor or Event Hubs. Note you need to add the resourceId property under the Metrics element if you want events uploaded to Event Hubs to have a resource ID.

WindowsEventLog Element

Tree: Root - DiagnosticsConfiguration - PublicConfig - WadCFG - DiagnosticMonitorConfiguration - WindowsEventLog

Enables the collection of Windows Event Logs.

Optional scheduledTransferPeriod attribute. See explanation earlier.

Child Element Description
DataSource The Windows Event logs to collect. Required attribute:

name - The XPath query describing the Windows events to be collected. For example:

Application!*[System[(Level <=3)]], System!*[System[(Level <=3)]], System!*[System[Provider[@Name='Microsoft Antimalware']]], Security!*[System[(Level <= 3)]

To collect all events, specify "*"
sinks Added in 1.5. Optional. Points to a sink location to also send diagnostic data for all child elements that support sinks. Sink example is Application Insights or Event Hubs.

Logs Element

Tree: Root - DiagnosticsConfiguration - PublicConfig - WadCFG - DiagnosticMonitorConfiguration - Logs

Present in version 1.0 and 1.1. Missing in 1.2. Added back in 1.3.

Defines the buffer configuration for basic Azure logs.

Attribute Type Description
bufferQuotaInMB unsignedInt Optional. Specifies the maximum amount of file system storage that is available for the specified data.

The default is 0.
scheduledTransferLogLevelFilter string Optional. Specifies the minimum severity level for log entries that are transferred. The default value is Undefined, which transfers all logs. Other possible values (in order of most to least information) are Verbose, Information, Warning, Error, and Critical.
scheduledTransferPeriod duration Optional. Specifies the interval between scheduled transfers of data, rounded up to the nearest minute.

The default is PT0S.
sinks string Added in 1.5. Optional. Points to a sink location to also send diagnostic data. For example, Application Insights or Event Hubs. Note you need to add the resourceId property under the Metrics element if you want events uploaded to Event Hubs to have a resource ID.

DockerSources

Tree: Root - DiagnosticsConfiguration - PublicConfig - WadCFG - DiagnosticMonitorConfiguration - DockerSources

Added in 1.9.

Element Name Description
Stats Tells the system to collect stats for Docker containers

SinksConfig Element

Tree: Root - DiagnosticsConfiguration - PublicConfig - WadCFG - SinksConfig

A list of locations to send diagnostics data to and the configuration associated with those locations.

Element Name Description
Sink See description elsewhere on this page.

Sink Element

Tree: Root - DiagnosticsConfiguration - PublicConfig - WadCFG - SinksConfig - Sink

Added in version 1.5.

Defines locations to send diagnostic data to. For example, the Application Insights service.

Attribute Type Description
name string A string identifying the sinkname.
Element Type Description
Application Insights string Used only when sending data to Application Insights. Contain the Instrumentation Key for an active Application Insights account that you have access to.
Channels string One for each additional filtering that stream that you

Channels Element

Tree: Root - DiagnosticsConfiguration - PublicConfig - WadCFG - SinksConfig - Sink - Channels

Added in version 1.5.

Defines filters for streams of log data passing through a sink.

Element Type Description
Channel string See description elsewhere on this page.

Channel Element

Tree: Root - DiagnosticsConfiguration - PublicConfig - WadCFG - SinksConfig - Sink - Channels - Channel

Added in version 1.5.

Defines locations to send diagnostic data to. For example, the Application Insights service.

Attributes Type Description
logLevel string Specifies the minimum severity level for log entries that are transferred. The default value is Undefined, which transfers all logs. Other possible values (in order of most to least information) are Verbose, Information, Warning, Error, and Critical.
name string A unique name of the channel to refer to

PrivateConfig Element

Tree: Root - DiagnosticsConfiguration - PrivateConfig

Added in version 1.3.

Optional

Stores the private details of the storage account (name, key, and endpoint). This information is sent to the virtual machine, but cannot be retrieved from it.

Child Elements Description
StorageAccount The storage account to use. The following attributes are required

- name - The name of the storage account.

- key - The key to the storage account.

- endpoint - The endpoint to access the storage account.

-sasToken (added 1.8.1)- You can specify an SAS token instead of a storage account key in the private config. If provided, the storage account key is ignored.
Requirements for the SAS Token:
- Supports account SAS token only
- b, t service types are required.
- a, c, u, w permissions are required.
- c, o resource types are required.
- Supports the HTTPS protocol only
- Start and expiry time must be valid.

IsEnabled Element

Tree: Root - DiagnosticsConfiguration - IsEnabled

Boolean. Use true to enable the diagnostics or false to disable the diagnostics.

Example configuration

Following is a complete sample configuration for Windows diagnostics extension shown in both JSON and XML.

JSON

The PublicConfig and PrivateConfig are separated because in most JSON usage cases, they are passed as different variables. These cases include Resource Manager templates, PowerShell, and Visual Studio.

Note

The public config Azure Monitor sink definition has two properties, resourceId and region. These are only required for Classic VMs and Classic Cloud services. The region property should not be used for other resources, the resourceId property is used on ARM VMs to populate the resourceID field in logs uploaded to Event Hubs.

"PublicConfig" {
    "WadCfg": {
        "DiagnosticMonitorConfiguration": {
            "overallQuotaInMB": 10000,
            "DiagnosticInfrastructureLogs": {
                "scheduledTransferLogLevelFilter": "Error"
            },
            "PerformanceCounters": {
                "scheduledTransferPeriod": "PT1M",
                "sinks": "AzureMonitorSink",
                "PerformanceCounterConfiguration": [
                    {
                        "counterSpecifier": "\\Processor(_Total)\\% Processor Time",
                        "sampleRate": "PT1M",
                        "unit": "percent"
                    }
                ]
            },
            "Directories": {
                "scheduledTransferPeriod": "PT5M",
                "IISLogs": {
                    "containerName": "iislogs"
                },
                "FailedRequestLogs": {
                    "containerName": "iisfailed"
                },
                "DataSources": [
                    {
                        "containerName": "mynewprocess",
                        "Absolute": {
                            "path": "C:\\MyNewProcess",
                            "expandEnvironment": false
                        }
                    },
                    {
                        "containerName": "badapp",
                        "Absolute": {
                            "path": "%SYSTEMDRIVE%\\BadApp",
                            "expandEnvironment": true
                        }
                    },
                    {
                        "containerName": "goodapp",
                        "LocalResource": {
                            "relativePath": "..\\PeanutButter",
                            "name": "Skippy"
                        }
                    }
                ]
            },
            "EtwProviders": {
                "sinks": "",
                "EtwEventSourceProviderConfiguration": [
                    {
                        "scheduledTransferPeriod": "PT5M",
                        "provider": "MyProviderClass",
                        "Event": [
                            {
                                "id": 0
                            },
                            {
                                "id": 1,
                                "eventDestination": "errorTable"
                            }
                        ],
                        "DefaultEvents": {
                        }
                    }
                ],
                "EtwManifestProviderConfiguration": [
                    {
                        "scheduledTransferPeriod": "PT2M",
                        "scheduledTransferLogLevelFilter": "Information",
                        "provider": "5974b00b-84c2-44bc-9e58-3a2451b4e3ad",
                        "Event": [
                            {
                                "id": 0
                            }
                        ],
                        "DefaultEvents": {
                        }
                    }
                ]
            },
            "WindowsEventLog": {
                "scheduledTransferPeriod": "PT5M",
                "DataSource": [
                    {
                        "name": "System!*[System[Provider[@Name='Microsoft Antimalware']]]"
                    },
                    {
                        "name": "System!*[System[Provider[@Name='NTFS'] and (EventID=55)]]"
                    },
                    {
                        "name": "System!*[System[Provider[@Name='disk'] and (EventID=7 or EventID=52 or EventID=55)]]"
                    }
                ]
            },
            "Logs": {
                "scheduledTransferPeriod": "PT1M",
                "scheduledTransferLogLevelFilter": "Verbose",
                "sinks": "ApplicationInsights.AppLogs"
            },
            "CrashDumps": {
                "directoryQuotaPercentage": 30,
                "dumpType": "Mini",
                "containerName": "wad-crashdumps",
                "CrashDumpConfiguration": [
                    {
                        "processName": "mynewprocess.exe"
                    },
                    {
                        "processName": "badapp.exe"
                    }
                ]
            }
        },
        "SinksConfig": {
            "Sink": [
                {
                    "name": "AzureMonitorSink",
                    "AzureMonitor":
                    {
                        "ResourceId": "{insert resourceId if a classic VM or cloud service, else property not needed}",
                        "Region": "{insert Azure region of resource if a classic VM or cloud service, else property not needed}"
                    }
                },
                {
                    "name": "ApplicationInsights",
                    "ApplicationInsights": "{Insert InstrumentationKey}",
                    "Channels": {
                        "Channel": [
                            {
                                "logLevel": "Error",
                                "name": "Errors"
                            },
                            {
                                "logLevel": "Verbose",
                                "name": "AppLogs"
                            }
                        ]
                    }
                },
                {
                    "name": "EventHub",
                    "EventHub": {
                        "Url": "https://myeventhub-ns.servicebus.windows.net/diageventhub",
                        "SharedAccessKeyName": "SendRule",
                        "usePublisherId": false
                    }
                },
                {
                    "name": "secondaryEventHub",
                    "EventHub": {
                        "Url": "https://myeventhub-ns.servicebus.windows.net/secondarydiageventhub",
                        "SharedAccessKeyName": "SendRule",
                        "usePublisherId": false
                    }
                },
                {
                    "name": "secondaryStorageAccount",
                    "StorageAccount": {
                        "name": "secondarydiagstorageaccount",
                        "endpoint": "https://core.windows.net"
                    }
                }
            ]
        }
    },
    "StorageAccount": "diagstorageaccount",
    "StorageType": "TableAndBlob"
}

Note

The private config Azure Monitor sink definition has two properties, PrincipalId and Secret. These are only required for Classic VMs and Classic Cloud services. These properties should not be used for other resources.

"PrivateConfig" {
    "storageAccountName": "diagstorageaccount",
    "storageAccountKey": "{base64 encoded key}",
    "storageAccountEndPoint": "https://core.windows.net",
    "storageAccountSasToken": "{sas token}",
    "EventHub": {
        "Url": "https://myeventhub-ns.servicebus.windows.net/diageventhub",
        "SharedAccessKeyName": "SendRule",
        "SharedAccessKey": "{base64 encoded key}"
    },
    "AzureMonitorAccount": {
        "ServicePrincipalMeta": {
            "PrincipalId": "{Insert service principal client Id}",
            "Secret": "{Insert service principal client secret}"
        }
    },
    "SecondaryStorageAccounts": {
        "StorageAccount": [
            {
                "name": "secondarydiagstorageaccount",
                "key": "{base64 encoded key}",
                "endpoint": "https://core.windows.net",
                "sasToken": "{sas token}"
            }
        ]
    },
    "SecondaryEventHubs": {
        "EventHub": [
            {
                "Url": "https://myeventhub-ns.servicebus.windows.net/secondarydiageventhub",
                "SharedAccessKeyName": "SendRule",
                "SharedAccessKey": "{base64 encoded key}"
            }
        ]
    }
}

XML

<?xml version="1.0" encoding="utf-8"?>  
<DiagnosticsConfiguration  xmlns="http://schemas.microsoft.com/ServiceHosting/2010/10/DiagnosticsConfiguration">   
  <PublicConfig>  
    <WadCfg>  
      <DiagnosticMonitorConfiguration overallQuotaInMB="10000">  

        <PerformanceCounters scheduledTransferPeriod="PT1M" sinks="AzureMonitorSink">  
          <PerformanceCounterConfiguration counterSpecifier="\Processor(_Total)\% Processor Time" sampleRate="PT1M" unit="percent" />  
        </PerformanceCounters>  

        <Directories scheduledTransferPeriod="PT5M">  
          <IISLogs containerName="iislogs" />  
          <FailedRequestLogs containerName="iisfailed" />  

          <DataSources>  
            <DirectoryConfiguration containerName="mynewprocess">  
              <Absolute path="C:\MyNewProcess" expandEnvironment="false" />  
            </DirectoryConfiguration>  
            <DirectoryConfiguration containerName="badapp">  
              <Absolute path="%SYSTEMDRIVE%\BadApp" expandEnvironment="true" />  
            </DirectoryConfiguration>  
            <DirectoryConfiguration containerName="goodapp">  
              <LocalResource name="Skippy" relativePath="..\PeanutButter"/>  
            </DirectoryConfiguration>  
          </DataSources>  

        </Directories>  

        <EtwProviders>  
          <EtwEventSourceProviderConfiguration   
                       provider="MyProviderClass"   
                       scheduledTransferPeriod="PT5M">  
            <Event id="0"/>  
            <Event id="1" eventDestination="errorTable"/>  
            <DefaultEvents />  
          </EtwEventSourceProviderConfiguration>  
          <EtwManifestProviderConfiguration provider="5974b00b-84c2-44bc-9e58-3a2451b4e3ad" scheduledTransferLogLevelFilter="Information" scheduledTransferPeriod="PT2M">  
            <Event id="0"/>  
            <DefaultEvents eventDestination="defaultTable"/>  
          </EtwManifestProviderConfiguration>  
        </EtwProviders>  

        <WindowsEventLog scheduledTransferPeriod="PT5M">  
          <DataSource name="System!*[System[Provider[@Name='Microsoft Antimalware']]]"/>  
          <DataSource name="System!*[System[Provider[@Name='NTFS'] and (EventID=55)]]" />  
          <DataSource name="System!*[System[Provider[@Name='disk'] and (EventID=7 or EventID=52 or EventID=55)]]" />  
        </WindowsEventLog>  

        <Logs  bufferQuotaInMB="1024"   
             scheduledTransferPeriod="PT1M"   
             scheduledTransferLogLevelFilter="Verbose"   
             sinks="ApplicationInsights.AppLogs"/>  <!-- sinks attribute added in 1.5 -->  

        <CrashDumps containerName="wad-crashdumps" directoryQuotaPercentage="30" dumpType="Mini">  
          <CrashDumpConfiguration processName="mynewprocess.exe" />  
          <CrashDumpConfiguration processName="badapp.exe"/>  
        </CrashDumps>  

        <DockerSources> <!-- Added in 1.9 -->
          <Stats enabled="true" sampleRate="PT1M" scheduledTransferPeriod="PT1M" />
        </DockerSources>

      </DiagnosticMonitorConfiguration>  

      <SinksConfig>   <!-- Added in 1.5 -->  
        <Sink name="AzureMonitorSink">
            <AzureMonitor> <!-- Added in 1.11 -->
                <resourceId>{insert resourceId}</ResourceId> <!-- Parameter only needed for classic VMs and Classic Cloud Services, exclude VMSS and Resource Manager VMs-->
                <Region>{insert Azure region of resource}</Region> <!-- Parameter only needed for classic VMs and Classic Cloud Services, exclude VMSS and Resource Manager VMs -->
            </AzureMonitor>
        </Sink>
        <Sink name="ApplicationInsights">   
          <ApplicationInsights>{Insert InstrumentationKey}</ApplicationInsights>   
          <Channels>   
            <Channel logLevel="Error" name="Errors"  />   
            <Channel logLevel="Verbose" name="AppLogs"  />   
          </Channels>   
        </Sink>   
        <Sink name="EventHub"> <!-- Added in 1.7 -->
          <EventHub Url="https://myeventhub-ns.servicebus.windows.net/diageventhub" SharedAccessKeyName="SendRule" usePublisherId="false" />
        </Sink>
        <Sink name="secondaryEventHub"> <!-- Added in 1.7 -->
          <EventHub Url="https://myeventhub-ns.servicebus.windows.net/secondarydiageventhub" SharedAccessKeyName="SendRule" usePublisherId="false" />
        </Sink>
        <Sink name="secondaryStorageAccount"> <!-- Added in 1.7 -->
          <StorageAccount name="secondarydiagstorageaccount" endpoint="https://core.windows.net" />
        </Sink>
   </SinksConfig>

  </WadCfg>  

  <StorageAccount>diagstorageaccount</StorageAccount>
  <StorageType>TableAndBlob</StorageType> <!-- Added in 1.8 -->  
  </PublicConfig>  

  <PrivateConfig>  <!-- Added in 1.3 -->  
    <StorageAccount name="" key="" endpoint="" sasToken="{sas token}"  />  <!-- sasToken in Private config added in 1.8.1 -->  
    <EventHub Url="https://myeventhub-ns.servicebus.windows.net/diageventhub" SharedAccessKeyName="SendRule" SharedAccessKey="{base64 encoded key}" />

    <AzureMonitorAccount>
        <ServicePrincipalMeta> <!-- Added in 1.11; only needed for classic VMs and Classic cloud services -->
            <PrincipalId>{Insert service principal clientId}</PrincipalId>
            <Secret>{Insert service principal client secret}</Secret>
        </ServicePrincipalMeta>
    </AzureMonitorAccount>

    <SecondaryStorageAccounts>
       <StorageAccount name="secondarydiagstorageaccount" key="{base64 encoded key}" endpoint="https://core.windows.net" sasToken="{sas token}" />
    </SecondaryStorageAccounts>

    <SecondaryEventHubs>
       <EventHub Url="https://myeventhub-ns.servicebus.windows.net/secondarydiageventhub" SharedAccessKeyName="SendRule" SharedAccessKey="{base64 encoded key}" />
    </SecondaryEventHubs>

  </PrivateConfig>  
  <IsEnabled>true</IsEnabled>  
</DiagnosticsConfiguration>  

Note

The public config Azure Monitor sink definition has two properties, resourceId and region. These are only required for Classic VMs and Classic Cloud services. These properties should not be used for Resource Manager Virtual Machines or Virtual Machine Scale sets. There is also an additional Private Config element for the Azure Monitor sink, that passes in a Principal Id and Secret. This is only required for Classic VMs and Classic Cloud Services. For Resource Manager VMs and VMSS the Azure Monitor definition in the private config element can be excluded.