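Resource Manager template samples for Log Analytics workspaces in Azure Monitor
This article includes sample Azure Resource Manager templates for creating and configuring Log Analytics workspaces in Azure Monitor. Each sample includes a template file and a parameters file with sample values to provide to the template.
Note
For a list of available samples and guidance on deploying them in your Azure subscription, see Azure Monitor Resource Manager samples.
Template references
Create a Log Analytics workspace
The following sample creates a new, empty Log Analytics workspace. A workspace has a unique workspace ID and resource ID. You can reuse the same workspace name in different resource groups.
Notes
- If you specify the Free pricing tier, remove the retentionInDays element.
Template file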
@description('Specify the name of the workspace.')
param workspaceName string

@description('Specify the location for the workspace.')
param location string

@description('Specify the pricing tier: PerGB2018 or legacy tiers (Free, Standalone, PerNode, Standard or Premium) which are not available to all customers.')
@allowed([
  'CapacityReservation'
  'Free'
  'LACluster'
  'PerGB2018'
  'PerNode'
  'Premium'
  'Standalone'
  'Standard'
])
param sku string = 'PerGB2018'

@description('Specify the number of days to retain data.')
param retentionInDays int = 120

@description('Specify true to use resource or workspace permissions, or false to require workspace permissions.')
param resourcePermissions bool

@description('Specify the number of days to retain data in Heartbeat table.')
param heartbeatTableRetention int

resource workspace 'Microsoft.OperationalInsights/workspaces@2021-12-01-preview' = {
  name: workspaceName
  location: location
  properties: {
    sku: {
      name: sku
    }
    retentionInDays: retentionInDays
    features: {
      enableLogAccessUsingOnlyResourcePermissions: resourcePermissions
    }
  }
}

resource table 'Microsoft.OperationalInsights/workspaces/tables@2021-12-01-preview' = {
  parent: workspace
  name: 'Heartbeat'
  properties: {
    retentionInDays: heartbeatTableRetention
  }
}
Parameter file
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceName": {
      "value": "MyWorkspace"
    },
    "sku": {
      "value": "PerGB2018"
    },
    "location": {
      "value": "eastus"
    },
    "resourcePermissions": {
      "value": true
    },
    "heartbeatTableRetention": {
      "value": 30
    }
  }
}
Collect Windows events
The following sample adds collection of Windows events to an existing workspace.
Notes
- Add a datasources element for each event log to collect. You can specify a different set of event types for each log.
Template file
@description('Specify the name of the workspace.')
param workspaceName string

@description('Specify the location for the workspace.')
param location string

resource workspace 'Microsoft.OperationalInsights/workspaces@2021-12-01-preview' = {
  name: workspaceName
  location: location
  properties: {}
}

resource windowsEventsSystemDataSource 'Microsoft.OperationalInsights/workspaces/dataSources@2020-08-01' = {
  parent: workspace
  name: 'WindowsEventsSystem'
  kind: 'WindowsEvent'
  properties: {
    eventLogName: 'System'
    eventTypes: [
      {
        eventType: 'Error'
      }
      {
        eventType: 'Warning'
      }
    ]
  }
}

resource WindowsEventApplicationDataSource 'Microsoft.OperationalInsights/workspaces/dataSources@2020-08-01' = {
  parent: workspace
  name: 'WindowsEventsApplication'
  kind: 'WindowsEvent'
  properties: {
    eventLogName: 'Application'
    eventTypes: [
      {
        eventType: 'Error'
      }
      {
        eventType: 'Warning'
      }
      {
        eventType: 'Information'
      }
    ]
  }
}
Parameter file
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceName": {
      "value": "MyWorkspace"
    },
    "location": {
      "value": "eastus"
    }
  }
}
Collect syslog
The following sample adds collection of syslog events to an existing workspace.
Notes
- Add a datasources element for each facility to collect. You can specify a different set of severities for each facility.
Template file
@description('Specify the name of the workspace.')
param workspaceName string

@description('Specify the location in which to create the workspace.')
param location string

resource workspace 'Microsoft.OperationalInsights/workspaces@2020-08-01' = {
  name: workspaceName
  location: location
  properties: {}
}

resource syslogKernDataSource 'Microsoft.OperationalInsights/workspaces/datasources@2020-08-01' = {
  parent: workspace
  name: 'SyslogKern'
  kind: 'LinuxSyslog'
  properties: {
    syslogName: 'kern'
    syslogSeverities: [
      {
        severity: 'emerg'
      }
      {
        severity: 'alert'
      }
      {
        severity: 'crit'
      }
      {
        severity: 'err'
      }
      {
        severity: 'warning'
      }
      {
        severity: 'notice'
      }
      {
        severity: 'info'
      }
      {
        severity: 'debug'
      }
    ]
  }
}

resource syslogDaemonDataSource 'Microsoft.OperationalInsights/workspaces/datasources@2020-08-01' = {
  parent: workspace
  name: 'SyslogDaemon'
  kind: 'LinuxSyslog'
  properties: {
    syslogName: 'daemon'
    syslogSeverities: [
      {
        severity: 'emerg'
      }
      {
        severity: 'alert'
      }
      {
        severity: 'crit'
      }
      {
        severity: 'err'
      }
      {
        severity: 'warning'
      }
    ]
  }
}

resource syslogCollectionDataSource 'Microsoft.OperationalInsights/workspaces/datasources@2020-08-01' = {
  parent: workspace
  name: 'SyslogCollection'
  kind: 'LinuxSyslogCollection'
  properties: {
    state: 'Enabled'
  }
}
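Parameter file
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceName": {
      "value": "MyWorkspace"
    },
    "location": {
      "value": "eastus"
    }
  }
}
Collect Windows performance counters
The following sample adds collection of Windows performance counters to an existing workspace.
Notes
- Add a datasources element for each counter and instance to collect. You can specify a different collection rate for each counter and instance combination.
Template file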
@description('Specify the name of the workspace.')
param workspaceName string

@description('Specify the location of the workspace.')
param location string = resourceGroup().location

resource workspace 'Microsoft.OperationalInsights/workspaces@2021-12-01-preview' = {
  name: workspaceName
  location: location
  properties: {}
}

resource windowsPerfMemoryAvailableBytesDataSource 'Microsoft.OperationalInsights/workspaces/dataSources@2020-08-01' = {
  parent: workspace
  name: 'WindowsPerfMemoryAvailableBytes'
  kind: 'WindowsPerformanceCounter'
  properties: {
    objectName: 'Memory'
    instanceName: '*'
    intervalSeconds: 10
    counterName: 'Available MBytes'
  }
}

resource windowsPerfMemoryPercentageBytesDataSource 'Microsoft.OperationalInsights/workspaces/datasources@2020-08-01' = {
  parent: workspace
  name: 'WindowsPerfMemoryPercentageBytes'
  kind: 'WindowsPerformanceCounter'
  properties: {
    objectName: 'Memory'
    instanceName: '*'
    intervalSeconds: 10
    counterName: '% Committed Bytes in Use'
  }
}

resource windowsPerfProcessorPercentageDataSource 'Microsoft.OperationalInsights/workspaces/datasources@2020-08-01' = {
  parent: workspace
  name: 'WindowsPerfProcessorPercentage'
  kind: 'WindowsPerformanceCounter'
  properties: {
    objectName: 'Processor'
    instanceName: '_Total'
    intervalSeconds: 10
    counterName: '% Processor Time'
  }
}
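Parameter file
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceName": {
      "value": "MyWorkspace"
    },
    "location": {
      "value": "eastus"
    }
  }
}
Collect Linux performance counters
The following sample adds collection of Linux performance counters to an existing workspace.
Notes
- Add a datasources element for each object and instance to collect. You can specify a different set of counters for each object and instance combination, but you can specify only a single rate for all counters.
Template file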
@description('Specify the name of the workspace.')
param workspaceName string

@description('Specify the location in which to create the workspace.')
param location string = resourceGroup().location

resource workspace 'Microsoft.OperationalInsights/workspaces@2020-08-01' = {
  name: workspaceName
  location: location
  properties: {}
}

resource linuxPerformanceLogicalDiskDataSource 'Microsoft.OperationalInsights/workspaces/datasources@2020-08-01' = {
  parent: workspace
  name: 'LinuxPerformanceLogicalDisk'
  kind: 'LinuxPerformanceObject'
  properties: {
    objectName: 'Logical Disk'
    instanceName: '*'
    intervalSeconds: 10
    performanceCounters: [
      {
        counterName: '% Used Inodes'
      }
      {
        counterName: 'Free Megabytes'
      }
      {
        counterName: '% Used Space'
      }
      {
        counterName: 'Disk Transfers/sec'
      }
      {
        counterName: 'Disk Reads/sec'
      }
      {
        counterName: 'Disk Writes/sec'
      }
    ]
  }
}

resource linuxPerformanceProcessorDataSource 'Microsoft.OperationalInsights/workspaces/datasources@2020-08-01' = {
  parent: workspace
  name: 'LinuxPerformanceProcessor'
  kind: 'LinuxPerformanceObject'
  properties: {
    objectName: 'Processor'
    instanceName: '*'
    intervalSeconds: 10
    performanceCounters: [
      {
        counterName: '% Processor Time'
      }
      {
        counterName: '% Privileged Time'
      }
    ]
  }
}
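Parameter file
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceName": {
      "value": "MyWorkspace"
    },
    "location": {
      "value": "eastus"
    }
  }
}
Collect custom logs
The following sample adds collection of custom logs to an existing workspace.
Notes
- The configuration of delimiters and extractions can be complex. For help, you can define a custom log in the Azure portal and retrieve its configuration by using Get-AzOperationalInsightsDataSource with -Kind set to CustomLog.
Template file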
@description('Specify the name of the workspace.')
param workspaceName string

@description('Specify the location in which to create the workspace.')
param location string

resource workspace 'Microsoft.OperationalInsights/workspaces@2021-12-01-preview' = {
  name: workspaceName
  location: location
  properties: {}
}

resource armlogTimeDelimitedDataSource 'Microsoft.OperationalInsights/workspaces/dataSources@2020-08-01' = {
  parent: workspace
  name: '${workspaceName}armlog_timedelimited'
  kind: 'CustomLog'
  properties: {
    customLogName: 'arm_log_timedelimited'
    description: 'this is a description'
    inputs: [
      {
        location: {
          fileSystemLocations: {
            linuxFileTypeLogPaths: [
              '/var/logs'
            ]
            windowsFileTypeLogPaths: [
              'c:\\Windows\\Logs\\*.txt'
            ]
          }
        }
        recordDelimiter: {
          regexDelimiter: {
            matchIndex: 0
            numberdGroup: null
            pattern: '(^.*((\\d{2})|(\\d{4}))-([0-1]\\d)-(([0-3]\\d)|(\\d))\\s((\\d)|([0-1]\\d)|(2[0-4])):[0-5][0-9]:[0-5][0-9].*$)'
          }
        }
      }
    ]
    extractions: [
      {
        extractionName: 'TimeGenerated'
        extractionProperties: {
          dateTimeExtraction: {
            regex: [
              {
                matchIndex: 0
                numberdGroup: null
                pattern: '((\\d{2})|(\\d{4}))-([0-1]\\d)-(([0-3]\\d)|(\\d))\\s((\\d)|([0-1]\\d)|(2[0-4])):[0-5][0-9]:[0-5][0-9]'
              }
            ]
          }
        }
        extractionType: 'DateTime'
      }
    ]
  }
}

resource armlogNewlineDatasource 'Microsoft.OperationalInsights/workspaces/dataSources@2020-08-01' = {
  parent: workspace
  name: '${workspaceName}armlog_newline'
  kind: 'CustomLog'
  properties: {
    customLogName: 'armlog_newline'
    description: 'this is a description'
    inputs: [
      {
        location: {
          fileSystemLocations: {
            linuxFileTypeLogPaths: [
              '/var/logs'
            ]
            windowsFileTypeLogPaths: [
              'c:\\Windows\\Logs\\*.txt'
            ]
          }
        }
        recordDelimiter: {
          regexDelimiter: {
            pattern: '\\n'
            matchIndex: 0
            numberdGroup: null
          }
        }
      }
    ]
    extractions: [
      {
        extractionName: 'TimeGenerated'
        extractionType: 'DateTime'
        extractionProperties: {
          dateTimeExtraction: {
            regex: null
            joinStringRegex: null
          }
        }
      }
    ]
  }
}
Parameter file
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceName": {
      "value": "MyWorkspace"
    },
    "location": {
      "value": "eastus"
    }
  }
}
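Because the delimiter and extraction patterns in the custom log template are easy to get wrong, the following added example (not part of the original samples) runs them offline against a constructed log before deployment. It assumes a simplified model of record splitting, in which a line matching the regexDelimiter pattern opens a new record; the function names and the sample log are hypothetical.

```python
import re

# Timestamp pattern from the template's dateTimeExtraction; Bicep's '\\d' is the regex \d.
TIMESTAMP = (r'((\d{2})|(\d{4}))-([0-1]\d)-(([0-3]\d)|(\d))\s'
             r'((\d)|([0-1]\d)|(2[0-4])):[0-5][0-9]:[0-5][0-9]')
# regexDelimiter pattern of armlogTimeDelimitedDataSource: any line containing a timestamp.
RECORD_START = re.compile(r'(^.*' + TIMESTAMP + r'.*$)')

# Constructed sample log: three events, the second spans three lines.
SAMPLE = (
    "2024-03-01 09:15:02 INFO service started\n"
    "2024-03-01 09:15:07 ERROR unhandled exception\n"
    "   at Worker.Run()\n"
    "   at Program.Main()\n"
    "2024-03-01 9:16:00 WARN retrying\n"
)

def split_time_delimited(text):
    """Assumed behaviour: a line matching RECORD_START opens a record,
    any other line is appended to the record before it."""
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += "\n" + line
    return records

def split_newline(text):
    """The '\\n' delimiter of armlogNewlineDatasource: one record per non-empty line."""
    return [line for line in text.split("\n") if line]

def extract_time(record):
    """First timestamp in the record, as input for the TimeGenerated extraction."""
    match = re.search(TIMESTAMP, record)
    return match.group(0) if match else None

def accepts(value):
    """True when the whole string satisfies TIMESTAMP (format check only, no calendar check)."""
    return re.fullmatch(TIMESTAMP, value) is not None

if __name__ == "__main__":
    for record in split_time_delimited(SAMPLE):
        print(extract_time(record), "|", record.replace("\n", " / "))
    print("newline records:", len(split_newline(SAMPLE)))
    print("accepts 99-19-39 24:59:59:", accepts("99-19-39 24:59:59"))
```

With the timestamp delimiter the stack trace stays attached to its ERROR event, while the newline delimiter turns each trace line into its own record. The pattern checks format only, so a continuation line that happens to contain a timestamp opens a new record, and out-of-range values such as 99-19-39 24:59:59 still match.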
Collect IIS logs
The following sample adds collection of IIS logs to an existing workspace.
Template file
@description('Specify the name of the workspace.')
param workspaceName string

@description('Specify the location in which to create the workspace.')
param location string

resource workspace 'Microsoft.OperationalInsights/workspaces@2021-12-01-preview' = {
  name: workspaceName
  location: location
  properties: {}
}

resource IISLogDataSource 'Microsoft.OperationalInsights/workspaces/datasources@2020-08-01' = {
  parent: workspace
  name: 'IISLog'
  kind: 'IISLogs'
  properties: {
    state: 'OnPremiseEnabled'
  }
}
Parameter file
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceName": {
      "value": "MyWorkspace"
    },
    "location": {
      "value": "eastus"
    }
  }
}