Skip to content

azurermMonitorDataCollectionRule

Manages a Data Collection Rule.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.*/
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  {
    location: "West Europe",
    name: "example-resources",
  }
);
const azurermLogAnalyticsWorkspaceExample =
  new azurerm.logAnalyticsWorkspace.LogAnalyticsWorkspace(this, "example_1", {
    location: azurermResourceGroupExample.location,
    name: "example-workspace",
    resource_group_name: azurermResourceGroupExample.name,
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermLogAnalyticsWorkspaceExample.overrideLogicalId("example");
const azurermLogAnalyticsSolutionExample =
  new azurerm.logAnalyticsSolution.LogAnalyticsSolution(this, "example_2", {
    location: azurermResourceGroupExample.location,
    plan: [
      {
        product: "OMSGallery/WindowsEventForwarding",
        publisher: "Microsoft",
      },
    ],
    resource_group_name: azurermResourceGroupExample.name,
    solution_name: "WindowsEventForwarding",
    workspace_name: azurermLogAnalyticsWorkspaceExample.name,
    workspace_resource_id: azurermLogAnalyticsWorkspaceExample.id,
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermLogAnalyticsSolutionExample.overrideLogicalId("example");
const azurermMonitorDataCollectionRuleExample =
  new azurerm.monitorDataCollectionRule.MonitorDataCollectionRule(
    this,
    "example_3",
    {
      data_flow: [
        {
          destinations: ["test-destination-metrics"],
          streams: ["Microsoft-InsightsMetrics"],
        },
        {
          destinations: ["test-destination-log"],
          streams: [
            "Microsoft-InsightsMetrics",
            "Microsoft-Syslog",
            "Microsoft-Perf",
          ],
        },
      ],
      data_sources: [
        {
          extension: [
            {
              extension_json:
                '${jsonencode({\n        a = 1\n        b = "hello"\n      })}',
              extension_name: "test-extension-name",
              input_data_sources: ["test-datasource-wineventlog"],
              name: "test-datasource-extension",
              streams: ["Microsoft-WindowsEvent"],
            },
          ],
          performance_counter: [
            {
              counter_specifiers: ["Processor(*)\\% Processor Time"],
              name: "test-datasource-perfcounter",
              sampling_frequency_in_seconds: 60,
              streams: ["Microsoft-Perf", "Microsoft-InsightsMetrics"],
            },
          ],
          syslog: [
            {
              facility_names: ["*"],
              log_levels: ["*"],
              name: "test-datasource-syslog",
            },
          ],
          windows_event_log: [
            {
              name: "test-datasource-wineventlog",
              streams: ["Microsoft-WindowsEvent"],
              x_path_queries: ["*![System/Level=1]"],
            },
          ],
        },
      ],
      depends_on: [`\${${azurermLogAnalyticsSolutionExample.fqn}}`],
      description: "data collection rule example",
      destinations: [
        {
          azure_monitor_metrics: [
            {
              name: "test-destination-metrics",
            },
          ],
          log_analytics: [
            {
              name: "test-destination-log",
              workspace_resource_id: azurermLogAnalyticsWorkspaceExample.id,
            },
          ],
        },
      ],
      location: azurermResourceGroupExample.location,
      name: "example-rule",
      resource_group_name: azurermResourceGroupExample.name,
      tags: {
        foo: "bar",
      },
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermMonitorDataCollectionRuleExample.overrideLogicalId("example");

Arguments Reference

The following arguments are supported:

  • dataFlow - (Required) One or more dataFlow blocks as defined below.

  • destinations - (Required) A destinations block as defined below.

  • location - (Required) The Azure Region where the Data Collection Rule should exist. Changing this forces a new Data Collection Rule to be created.

  • name - (Required) The name which should be used for this Data Collection Rule. Changing this forces a new Data Collection Rule to be created.

  • resourceGroupName - (Required) The name of the Resource Group where the Data Collection Rule should exist. Changing this forces a new Data Collection Rule to be created.

  • dataSources - (Optional) A dataSources block as defined below. This property is optional and can be omitted if the rule is meant to be used via direct calls to the provisioned endpoint.

  • description - (Optional) The description of the Data Collection Rule.

  • kind - (Optional) The kind of the Data Collection Rule. Possible values are linux and windows. A rule of kind linux does not allow for windowsEventLog data sources. And a rule of kind windows does not allow for syslog data sources. If kind is not specified, all kinds of data sources are allowed.

  • tags - (Optional) A mapping of tags which should be assigned to the Data Collection Rule.

A azureMonitorMetrics block supports the following:

  • name - (Required) The name which should be used for this destination. This name should be unique across all destinations regardless of type within the Data Collection Rule.

A dataFlow block supports the following:

  • destinations - (Required) Specifies a list of destination names. A azureMonitorMetrics data source only allows for stream of kind microsoftInsightsMetrics.

  • streams - (Required) Specifies a list of streams. Possible values include but not limited to microsoftEvent, microsoftInsightsMetrics, microsoftPerf, microsoftSyslog,and microsoftWindowsEvent.

A dataSources block supports the following:

  • extension - (Optional) One or more extension blocks as defined below.

  • performanceCounter - (Optional) One or more performanceCounter blocks as defined below.

  • syslog - (Optional) One or more syslog blocks as defined below.

  • windowsEventLog - (Optional) One or more windowsEventLog blocks as defined below.

A destinations block supports the following:

  • azureMonitorMetrics - (Optional) A azureMonitorMetrics block as defined above.

  • logAnalytics - (Optional) One or more logAnalytics blocks as defined below.

-> NOTE At least one of azureMonitorMetrics and logAnalytics blocks must be specified.

A extension block supports the following:

  • extensionName - (Required) The name of the VM extension.

  • name - (Required) The name which should be used for this data source. This name should be unique across all data sources regardless of type within the Data Collection Rule.

  • streams - (Required) Specifies a list of streams that this data source will be sent to. A stream indicates what schema will be used for this data and usually what table in Log Analytics the data will be sent to. Possible values include but not limited to microsoftEvent, microsoftInsightsMetrics, microsoftPerf, microsoftSyslog, microsoftWindowsEvent.

  • extensionJson - (Optional) A JSON String which specifies the extension setting.

  • inputDataSources - (Optional) Specifies a list of data sources this extension needs data from. An item should be a name of a supported data source which produces only one stream. Supported data sources type: performanceCounter, windowsEventLog,and syslog.

A logAnalytics block supports the following:

  • name - (Required) The name which should be used for this destination. This name should be unique across all destinations regardless of type within the Data Collection Rule.

  • workspaceResourceId - (Required) The ID of a Log Analytic Workspace resource.

A performanceCounter block supports the following:

  • counterSpecifiers - (Required) Specifies a list of specifier names of the performance counters you want to collect. To get a list of performance counters on Windows, run the command typeperf. Please see this document for more information.

  • name - (Required) The name which should be used for this data source. This name should be unique across all data sources regardless of type within the Data Collection Rule.

  • samplingFrequencyInSeconds - (Required) The number of seconds between consecutive counter measurements (samples). The value should be integer between 1 and 300 inclusive. samplingFrequencyInSeconds must be equal to 60 seconds for counters collected with microsoftInsightsMetrics stream.

  • streams - (Required) Specifies a list of streams that this data source will be sent to. A stream indicates what schema will be used for this data and usually what table in Log Analytics the data will be sent to. Possible values include but not limited to microsoftInsightsMetrics,and microsoftPerf.

A syslog block supports the following:

  • facilityNames - (Required) Specifies a list of facility names. Use a wildcard * to collect logs for all facility names. Possible values are auth, authpriv, cron, daemon, kern, lpr, mail, mark, news, syslog, user, uucp, local0, local1, local2, local3, local4, local5, local6, local7,and *.

  • logLevels - (Required) Specifies a list of log levels. Use a wildcard * to collect logs for all log levels. Possible values are debug, info, notice, warning, error, critical, alert, emergency,and *.

  • name - (Required) The name which should be used for this data source. This name should be unique across all data sources regardless of type within the Data Collection Rule.

  • streams - (Optional) Specifies a list of streams that this data source will be sent to. A stream indicates what schema will be used for this data and usually what table in Log Analytics the data will be sent to. Possible values include but not limited to microsoftSyslog,and microsoftCiscoAsa, and microsoftCommonSecurityLog.

-> Note: In 4.0 or later version of the provider, streams will be required. In 3.x version of provider, if streams is not specified in creation, it is default to ["microsoftSyslog"]. if streams need to be modified (include change other value to the default value), it must be explicitly specified.

A windowsEventLog block supports the following:

  • name - (Required) The name which should be used for this data source. This name should be unique across all data sources regardless of type within the Data Collection Rule.

  • streams - (Required) Specifies a list of streams that this data source will be sent to. A stream indicates what schema will be used for this data and usually what table in Log Analytics the data will be sent to. Possible values include but not limited to microsoftEvent,and microsoftWindowsEvent, microsoftRomeDetectionEvent, and microsoftSecurityEvent.

  • xPathQueries - (Required) Specifies a list of Windows Event Log queries in XPath expression. Please see this document for more information.

Attributes Reference

In addition to the Arguments listed above - the following Attributes are exported:

  • id - The ID of the Data Collection Rule.

Timeouts

The timeouts block allows you to specify timeouts for certain actions:

  • create - (Defaults to 30 minutes) Used when creating the Data Collection Rule.
  • read - (Defaults to 5 minutes) Used when retrieving the Data Collection Rule.
  • update - (Defaults to 30 minutes) Used when updating the Data Collection Rule.
  • delete - (Defaults to 30 minutes) Used when deleting the Data Collection Rule.

Import

Data Collection Rules can be imported using the resourceId, e.g.

terraform import azurerm_monitor_data_collection_rule.example /subscriptions/12345678-1234-9876-4563-123456789012/resourceGroups/group1/providers/Microsoft.Insights/dataCollectionRules/rule1