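├── Orchestration
│   └── discoveryDeployment.psd1
├── readme.md
└── templates
    └── loganalytics
        ├── LogAnalytics
        │   └── deployLogAnalytics.bicep
        ├── QueriesFunctions
        │   ├── deploySavedFunction.bicep
        │   └── deploySavedLogQuery.bicep
        ├── WorkspaceDataCollection
        │   ├── deployEventLog.bicep
        │   ├── deployIIS.bicep
        │   ├── deployMetrics.bicep
        │   ├── deploySyslog.bicep
        │   └── deployWVDEventsCounters.bicep
        └── universalDCR.json

/Orchestration/discoveryDeployment.psd1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
    Reads Log Analytics deployment settings from an Excel workbook and deploys
    the Bicep templates under templates\loganalytics with the Azure CLI.

.DESCRIPTION
    NOTE(review): this file has a .psd1 (module manifest / data file) extension
    but contains an executable script; Import-Module will not load it and
    dot-sourcing will not run it. It should be renamed to .ps1.

    The "Infrastructure Creation" sheet drives the workspace deployment. The
    "Step1-Action Groups" and "Step2 - Alerting Requirements" sheets are read at
    the end for alerting work that this script does not yet perform.

    The original script referenced $azureSecurityCenterFree, $azureSecurityCenter,
    $ChangeTracking, $containerInsights and $appInsights, none of which were ever
    assigned, so those template parameters were sent as empty strings; it also
    passed changeTrackingBool twice and used $path before defining it. Strict mode
    is enabled below so that class of mistake fails instead of deploying silently.

.PARAMETER Path
    Workbook to read. Defaults to the path the original script hard-coded.
.PARAMETER ResourceGroupName
    Target resource group for every `az deployment group create` call.
.PARAMETER TemplateRoot
    Folder holding the loganalytics Bicep templates.
#>
[CmdletBinding()]
param(
    [string]$Path = 'C:\temp\spreadsheet.xlsx',
    [string]$ResourceGroupName = 'azmoneastus2',
    [string]$TemplateRoot = '.\templates\loganalytics'
)

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

Import-Module ImportExcel
Import-Module Az.OperationalInsights
Import-Module Az.AlertsManagement

function ConvertTo-BicepBool {
    <#
    .SYNOPSIS
        Normalises a worksheet cell to the literal 'true' / 'false' a Bicep bool
        parameter accepts.
    .NOTES
        PowerShell's [bool] cast treats any non-empty string -- including the text
        'FALSE' -- as $true, so the cell is parsed with Convert.ToBoolean instead.
        An empty cell means the feature is off. Any other text (for example 'yes')
        throws, so a mistyped cell cannot silently enable or disable a security
        solution such as Sentinel or Security Center.
    #>
    param($Value)
    if ($null -eq $Value -or "$Value".Trim() -eq '') { return 'false' }
    return ([System.Convert]::ToBoolean("$Value".Trim())).ToString().ToLowerInvariant()
}

function Invoke-GroupDeployment {
    <#
    .SYNOPSIS
        Runs `az deployment group create` for one template and throws when the CLI
        reports failure, so a failed workspace deployment stops the run instead of
        letting the later data-source deployments target a workspace that does
        not exist.
    .PARAMETER Name
        Deployment name.
    .PARAMETER TemplateFile
        Template path, relative to the working directory or absolute.
    .PARAMETER Parameters
        Hashtable of template parameter name -> value. Each entry becomes one
        key=value argument; values are passed as-is (no shell re-parsing).
    #>
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$TemplateFile,
        [hashtable]$Parameters = @{}
    )
    $cliArgs = @('deployment', 'group', 'create',
                 '--name', $Name,
                 '--resource-group', $ResourceGroupName,
                 '--template-file', $TemplateFile)
    # az rejects a bare --parameters, so only add it when there is something to pass.
    if ($Parameters.Count -gt 0) {
        $cliArgs += '--parameters'
        foreach ($key in $Parameters.Keys) {
            $cliArgs += "$key=$($Parameters[$key])"
        }
    }
    az @cliArgs
    if ($LASTEXITCODE -ne 0) {
        throw "Deployment '$Name' ($TemplateFile) failed with exit code $LASTEXITCODE."
    }
}

# One workbook row describes the workspace. NOTE(review): the original read the
# whole sheet and used the resulting column arrays as if they were scalars; taking
# the first data row is assumed to be the intent -- confirm against the workbook.
$infraSheet = @{
    Path          = $Path
    WorksheetName = 'Infrastructure Creation'
    HeaderName    = 'WorkspaceName', 'DataRetention', 'Location', 'Tags', 'AppInsights', 'AzureSentinel',
                    'AzureSecurityCenter', 'AzureSecurityCenterFree', 'ChangeTracking', 'UpdateManagement',
                    'ContainerInsights', 'VMInsights'
    StartRow      = 5
}
$infraCreation = Import-Excel @infraSheet | Select-Object -First 1
if ($null -eq $infraCreation) {
    throw "Worksheet 'Infrastructure Creation' in '$Path' has no data row at or after row 5."
}

$workspaceName   = $infraCreation.WorkspaceName
$location        = $infraCreation.Location
$retentionInDays = $infraCreation.DataRetention
# Read but not forwarded: deployLogAnalytics.bicep takes resourceTags as an object,
# and a worksheet cell is free text. Left for a future mapping step.
$resourceTags    = $infraCreation.Tags

# Parameters for deployLogAnalytics.bicep. Every feature switch goes through
# ConvertTo-BicepBool; the template's own defaults (all off) apply to nothing here.
# UpdateManagement is a column the original imported but never forwarded.
$workspaceParams = @{
    vmInsightsBool              = ConvertTo-BicepBool $infraCreation.VMInsights
    changeTrackingBool          = ConvertTo-BicepBool $infraCreation.ChangeTracking
    updateManagementBool        = ConvertTo-BicepBool $infraCreation.UpdateManagement
    azureSentinelBool           = ConvertTo-BicepBool $infraCreation.AzureSentinel
    azureSecurityCenterFreeBool = ConvertTo-BicepBool $infraCreation.AzureSecurityCenterFree
    azureSecurityCenterBool     = ConvertTo-BicepBool $infraCreation.AzureSecurityCenter
    containerInsightsBool       = ConvertTo-BicepBool $infraCreation.ContainerInsights
    appInsightsBool             = ConvertTo-BicepBool $infraCreation.AppInsights
}
# Blank cells are omitted so the template defaults (resource group location,
# 31 days) apply instead of an empty string reaching a typed parameter.
if (-not [string]::IsNullOrWhiteSpace("$location")) { $workspaceParams.location = $location }
if (-not [string]::IsNullOrWhiteSpace("$retentionInDays")) { $workspaceParams.retentionInDays = [int]$retentionInDays }

if ([string]::IsNullOrWhiteSpace("$workspaceName")) {
    # The original never passed a name and then hard-coded this value for every
    # data-source deployment. It equals the name deployLogAnalytics.bicep derives
    # from its default resourceTags only when the location is eastus2 -- keep the
    # WorkspaceName cell populated rather than relying on this.
    $workspaceName = 'la-sparktest-eastus2-orchestrator'
} else {
    $workspaceParams.workspaceName = $workspaceName
}

Invoke-GroupDeployment -Name 'iactest' `
    -TemplateFile "$TemplateRoot\LogAnalytics\deployLogAnalytics.bicep" `
    -Parameters $workspaceParams

Invoke-GroupDeployment -Name 'SavedQuery' `
    -TemplateFile "$TemplateRoot\QueriesFunctions\deploySavedLogQuery.bicep" `
    -Parameters @{ workspaceName = $workspaceName }

Invoke-GroupDeployment -Name 'hypervAdmin' `
    -TemplateFile "$TemplateRoot\WorkspaceDataCollection\deployEventLog.bicep" `
    -Parameters @{
        workspaceName = $workspaceName
        eventLogName  = 'microsoft-windows-hyper-v-compute/admin'
        eventLevel    = "['Error','Warning']"
    }

Invoke-GroupDeployment -Name 'LogicalDiskAvgWrite' `
    -TemplateFile "$TemplateRoot\WorkspaceDataCollection\deployMetrics.bicep" `
    -Parameters @{
        workspaceName      = $workspaceName
        metricObjectName   = 'LogicalDisk'
        metricCounterName  = 'Avg. Disk Bytes/Write'
        metricInstanceName = '*'
    }

Invoke-GroupDeployment -Name 'syslogDeamon' `
    -TemplateFile "$TemplateRoot\WorkspaceDataCollection\deploySyslog.bicep" `
    -Parameters @{
        workspaceName = $workspaceName
        syslogName    = 'daemon'
        severityLevel = "['emerg','alert']"
    }

# Alerting inputs. Read here so the workbook is validated in the same run; no
# action groups or alert rules are created by this script yet ($Alerts is unused).
$actionGroups = Import-Excel -Path $Path -WorksheetName 'Step1-Action Groups' `
    -HeaderName 'Team', 'Escalation Tier', 'Preferred Contact Method', 'Contact Info', 'Azure Action Group Name', 'Action Group Short Name' `
    -StartRow 5

$Alerts = Import-Excel -Path $Path -WorksheetName 'Step2 - Alerting Requirements' `
    -HeaderName 'Alert Type', 'Metric', 'Operator', 'Threshold', 'Aggregation', 'IaaS Collection Interval', 'Window', 'Evaluation', 'Azure Action Group Name' `
    -StartRow 5

# Drop the blank rows Import-Excel returns for empty worksheet lines.
$actionGroups = $actionGroups | Where-Object { $null -ne $_.Team }
--------------------------------------------------------------------------------
/readme.md:
--------------------------------------------------------------------------------
# Bicep repo for Azure Monitor, Log Analytics and Sentinel Resources

## Related blog post
https://www.cloudsma.com/2021/04/iac-bicep-azure-monitor-security/

## Deployment Examples for Log Analytics
Azure CLI Example for security and change tracking all on one workspace:

```azurecli
az deployment group create --name iactest --resource-group azmon --template-file .\deployLogAnalytics.bicep --parameters 'linkedAutomation=true' 'azureSentinelBool=true' 'azureSecurityCenterBool=true' 'changeTrackingBool=true'
```

Azure CLI Example for Operational monitoring:
```azurecli
az deployment group create --name iactest --resource-group azmoneastus2 --template-file .\deployLogAnalytics.bicep --parameters 'linkedAutomation=true' 'vmInsightsBool=true' 'updateManagementBool=true' 'changeTrackingBool=true' 'containerInsightsBool=true' 'appInsightsBool=true'
```

## Deployment Examples for Saved Queries and Functions

Azure CLI Example for deploying saved query
```azurecli
az deployment group create --name SavedQuery --resource-group azmoneastus2 --template-file .\deploySavedLogQuery.bicep
```
Azure CLI Example for deploying saved function
```azurecli
az deployment group create --name SavedFunction --resource-group azmoneastus2 --template-file .\deploySavedFunction.bicep
```

## Deployment Examples for Perf Counters

Deploy windows counter Avg. Disk Bytes/Write
```azurecli
az deployment group create --name LogicalDiskAvgWrite --resource-group azmoneastus2 --template-file .\templates\loganalytics\workspacedatacollection\deployMetrics.bicep --parameters metricObjectName='LogicalDisk' metricCounterName='Avg. Disk Bytes/Write' metricInstanceName='*'
```

Deploy Windows % Free Space for C:
```azurecli
az deployment group create --name PercentFreeSpaceC --resource-group azmoneastus2 --template-file .\deployMetrics.bicep --parameters metricObjectName='LogicalDisk' metricCounterName='% Free Space' metricInstanceName='C:'
```

Deploy % Processor Time at 60 seconds
```azurecli
az deployment group create --name PercentProcessorTime --resource-group azmoneastus2 --template-file .\deployMetrics.bicep --parameters metricObjectName='Processor' metricCounterName='% Processor Time' metricIntervalSeconds='60'
```

## Deployment Examples for Event Logs

Deploy Windows Event Log HyperV Admin Error and Warning
```azurecli
az deployment group create --name hypervAdmin --resource-group azmon --template-file .\deployEventLog.bicep --parameters eventLogName='microsoft-windows-hyper-v-compute/admin' eventLevel="['Error','Warning']"
```

Deploy Windows Event Log Application Error and Warning
```azurecli
az deployment group create --name applogtest --resource-group azmon --template-file .\templates\loganalytics\workspacedatacollection\deployEventLog.bicep --parameters eventLogName='Application' eventLevel="['Error','Warning']"
```

Deploy Windows Event Log FSLogix Admin Error, Warning and Information
(the channel name matches the one deployWVDEventsCounters.bicep collects)
```azurecli
az deployment group create --name fslogixtest --resource-group azmon --template-file .\templates\loganalytics\workspacedatacollection\deployEventLog.bicep --parameters eventLogName='Microsoft-FSLogix-Apps/Operational' eventLevel="['Error','Warning','Information']"
```

## Deployment Example for WVD Event Log and Counters template

```azurecli
az deployment group create --name WVDSetup --resource-group azmoneastus2 --template-file .\deployWVDEventsCounters.bicep
```

## Deployment Examples for Syslog

Deploy Syslog Collection for daemon Emerg and Alert
```azurecli
az deployment group create --name syslogDeamon --resource-group azmoneastus2 --template-file .\deploySyslog.bicep --parameters syslogName='daemon' severityLevel="['emerg','alert']"
```

Deploy Syslog Collection for cron emerg, alert, crit, and err
```azurecli
az deployment group create --name syslogCron --resource-group azmoneastus2 --template-file .\templates\loganalytics\workspacedatacollection\deploySyslog.bicep --parameters syslogName='cron' severityLevel="['emerg','alert','crit','err']"
```
--------------------------------------------------------------------------------
/templates/loganalytics/LogAnalytics/deployLogAnalytics.bicep:
--------------------------------------------------------------------------------
// Log Analytics workspace plus the optional gallery solutions, Application
// Insights component and linked Automation account that the *Bool parameters
// switch on. Deployed resource names are unchanged from the earlier version of
// this template, so redeploying over an existing workspace updates in place.

@description('Workspace name. Derived from resourceTags and the resource group location when not supplied.')
param workspaceName string = toLower('la-${resourceTags.Environment}-${resourceGroup().location}-${resourceTags.Project}')
@description('Application Insights component name; only used when appInsightsBool is true.')
param appInsights string = toLower('ai-${resourceTags.Environment}-${resourceGroup().location}-${resourceTags.Project}')
param sku string = 'PerGB2018'
param location string = resourceGroup().location
param retentionInDays int = 31
@description('true = resource-context access: reading logs requires RBAC on the resource that emitted them. false (default) = workspace-context: any reader of the workspace can query every table in it, including security data.')
param resourcePermissions bool = false
@description('Create a Basic Automation account and link it to the workspace (needed by the Updates and ChangeTracking solutions).')
param linkedAutomation bool = false
@description('SecurityInsights solution (Azure Sentinel).')
param azureSentinelBool bool = false
@description('SecurityCenterFree solution.')
param azureSecurityCenterFreeBool bool = false
@description('Security solution (Azure Security Center).')
param azureSecurityCenterBool bool = false
param vmInsightsBool bool = false
param updateManagementBool bool = false
param changeTrackingBool bool = false
param containerInsightsBool bool = false
param appInsightsBool bool = false
@description('Public network access for agent ingestion. Enabled matches the previous behaviour; set Disabled together with an Azure Monitor Private Link Scope to restrict ingestion to private endpoints.')
@allowed([
  'Enabled'
  'Disabled'
])
param publicNetworkAccessForIngestion string = 'Enabled'
@description('Public network access for queries. Enabled matches the previous behaviour.')
@allowed([
  'Enabled'
  'Disabled'
])
param publicNetworkAccessForQuery string = 'Enabled'
param resourceTags object = {
  Environment: 'sparktest'
  Project: 'Orchestrator'
}

// eastus workspaces get an eastus2 Automation account and vice versa; every
// other region keeps the workspace region. Same result as the original
// AAlocation lookup table. NOTE(review): presumably the linked account must sit
// in the paired region for these two -- confirm before adding regions.
var automationLocation = location == 'eastus' ? 'eastus2' : (location == 'eastus2' ? 'eastus' : location)
var automationAccountName = toLower('aa-${resourceTags.Environment}-${automationLocation}-${resourceTags.Project}')

// Gallery solutions, each gated by its own parameter. Solution and plan names
// follow the '<gallery>(<workspace>)' convention the original resources used.
var solutions = [
  {
    galleryName: 'VMInsights'
    enabled: vmInsightsBool
  }
  {
    galleryName: 'ContainerInsights'
    enabled: containerInsightsBool
  }
  {
    galleryName: 'SecurityInsights'
    enabled: azureSentinelBool
  }
  {
    galleryName: 'SecurityCenterFree'
    enabled: azureSecurityCenterFreeBool
  }
  {
    galleryName: 'Security'
    enabled: azureSecurityCenterBool
  }
  {
    galleryName: 'ChangeTracking'
    enabled: changeTrackingBool
  }
  {
    galleryName: 'Updates'
    enabled: updateManagementBool
  }
]

resource workspace 'Microsoft.OperationalInsights/workspaces@2020-08-01' = {
  name: workspaceName
  location: location
  tags: resourceTags
  properties: {
    sku: {
      name: sku
    }
    retentionInDays: retentionInDays
    publicNetworkAccessForIngestion: publicNetworkAccessForIngestion
    publicNetworkAccessForQuery: publicNetworkAccessForQuery
    features: {
      searchVersion: 1
      legacy: 0
      enableLogAccessUsingOnlyResourcePermissions: resourcePermissions
    }
  }
}

resource automationAccount 'Microsoft.Automation/automationAccounts@2020-01-13-preview' = if (linkedAutomation) {
  name: automationAccountName
  location: automationLocation
  tags: resourceTags
  properties: {
    sku: {
      name: 'Basic'
    }
  }
}

// Dependencies on the workspace and the account are implied by the references
// below; the explicit dependsOn lists of the original were redundant.
resource workspaceAutomationLink 'Microsoft.OperationalInsights/workspaces/linkedServices@2020-03-01-preview' = if (linkedAutomation) {
  name: '${workspace.name}/Automation'
  properties: {
    resourceId: automationAccount.id
  }
}

resource applicationInsights 'Microsoft.Insights/components@2020-02-02-preview' = if (appInsightsBool) {
  name: appInsights
  location: location
  tags: resourceTags
  kind: 'web'
  properties: {
    Application_Type: 'web'
    WorkspaceResourceId: workspace.id
  }
}

// One conditional resource per entry in solutions; disabled entries deploy nothing.
resource gallerySolutions 'Microsoft.OperationsManagement/solutions@2015-11-01-preview' = [for solution in solutions: if (solution.enabled) {
  name: '${solution.galleryName}(${workspaceName})'
  location: location
  properties: {
    workspaceResourceId: workspace.id
  }
  plan: {
    name: '${solution.galleryName}(${workspaceName})'
    publisher: 'Microsoft'
    product: 'OMSGallery/${solution.galleryName}'
    promotionCode: ''
  }
}]

// Exposed so an orchestrator can reuse the deployed name instead of guessing it.
output workspaceResourceId string = workspace.id
output deployedWorkspaceName string = workspace.name
--------------------------------------------------------------------------------
/templates/loganalytics/QueriesFunctions/deploySavedFunction.bicep:
--------------------------------------------------------------------------------
// Deploys one saved search that acts as a KQL function in an existing
// workspace. The function name, display name, category, alias and query were
// hard-coded placeholders; they are now parameters whose defaults keep those
// values, so existing invocations behave as before.

param workspaceName string = 'la-blog-eastus2-cloudsma'
// Not used by the resource below (saved searches live in the workspace's
// region); kept so invocations that pass location= keep validating.
param location string = resourceGroup().location
@description('Saved-search resource name (segment after the workspace name).')
param functionName string = 'FunctionName'
param functionDisplayName string = 'FunctionDisplayName'
param functionCategory string = 'Test'
@description('Alias used to call the function from other queries.')
param functionAlias string = 'FunctionAlias'
@description('KQL body of the function.')
param functionQuery string = 'your function query here'

resource workspace 'Microsoft.OperationalInsights/workspaces@2020-08-01' existing = {
  name: workspaceName
}

resource savedFunction 'Microsoft.OperationalInsights/workspaces/savedSearches@2020-08-01' = {
  name: '${workspace.name}/${functionName}'
  properties: {
    displayName: functionDisplayName
    category: functionCategory
    functionAlias: functionAlias
    query: functionQuery
    version: 1
  }
}
--------------------------------------------------------------------------------
/templates/loganalytics/QueriesFunctions/deploySavedLogQuery.bicep:
--------------------------------------------------------------------------------
// Deploys the "Usage by Table" saved search into an existing workspace.

param workspaceName string
// Not used by the resource below; kept for invocations that pass location=.
param location string = resourceGroup().location

resource workspace 'Microsoft.OperationalInsights/workspaces@2020-08-01' existing = {
  name: workspaceName
}

// Joins per-table record counts (via `search *`, which scans every table for
// the last 31 days and can be expensive on large workspaces) with billable
// Usage volume to give size per record and total GB per table.
resource usageByTable 'Microsoft.OperationalInsights/workspaces/savedSearches@2015-03-20' = {
  name: '${workspace.name}/Usage'
  properties: {
    displayName: 'Usage by Table'
    category: 'Usage'
    query: 'let daystoSearch = 31d; \r\nlet tables = search * \r\n| where TimeGenerated >= ago(daystoSearch) \r\n| summarize RecordCount=count() by $table \r\n| project leftName=$table, RecordCount, Clause=1;\r\nUsage \r\n| where TimeGenerated >= ago(daystoSearch) \r\n| where IsBillable == true \r\n| where DataType !="" \r\n| summarize TotalSize=sum(Quantity) by DataType \r\n| project rightName=DataType, TotalSize, Clause=1 \r\n| join kind=leftouter (tables) on Clause \r\n| where leftName == rightName \r\n| project TableName=leftName , MBperRecord=round(TotalSize / RecordCount,6), RecordCount, TotalGB = round(TotalSize/1024, 6) \r\n| sort by MBperRecord desc'
    version: 1
  }
}
--------------------------------------------------------------------------------
/templates/loganalytics/WorkspaceDataCollection/deployEventLog.bicep:
--------------------------------------------------------------------------------
// Adds a Windows event log channel to the legacy-agent collection of an
// existing workspace.

param workspaceName string = 'la-blog-eastus-cloudsma'
// Not used by the resource below; kept for invocations that pass location=.
param location string = resourceGroup().location
@description('Event channel to collect, e.g. System or Microsoft-Windows-TerminalServices-LocalSessionManager/Operational.')
param eventLogName string = 'System'
@description('Levels to collect; each entry becomes one eventTypes item.')
param eventLevel array = [
  'Error'
  'Warning'
  'Information'
]

// The data-source name is derived from the deployment name, so redeploying
// under the same --name updates the same data source, while a different
// deployment name creates an additional one for the same channel.
var deploymentName = '${workspace.name}/${uniqueString(subscription().subscriptionId, deployment().name)}'

resource workspace 'Microsoft.OperationalInsights/workspaces@2020-08-01' existing = {
  name: workspaceName
}

resource eventLogSource 'Microsoft.OperationalInsights/workspaces/datasources@2020-08-01' = {
  name: deploymentName
  kind: 'WindowsEvent'
  properties: {
    workspaceId: workspace.id
    eventLogName: eventLogName
    eventTypes: [for level in eventLevel: {
      eventType: level
    }]
  }
}
--------------------------------------------------------------------------------
/templates/loganalytics/WorkspaceDataCollection/deployIIS.bicep:
--------------------------------------------------------------------------------
// Enables IIS log collection (on-premise / legacy agent) on an existing workspace.

param workspaceName string

resource workspace 'Microsoft.OperationalInsights/workspaces@2020-08-01' existing = {
  name: workspaceName
}

resource iisLogs 'Microsoft.OperationalInsights/workspaces/datasources@2020-08-01' = {
  name: '${workspace.name}/IISLog'
  kind: 'IISLogs'
  properties: {
    state: 'OnPremiseEnabled'
  }
}
--------------------------------------------------------------------------------
/templates/loganalytics/WorkspaceDataCollection/deployMetrics.bicep:
--------------------------------------------------------------------------------
// Adds one performance counter to the legacy-agent collection of an existing
// workspace.

param workspaceName string = 'la-blog-eastus2-cloudsma'
@allowed([
  'WindowsPerformanceCounter'
  'LinuxPerformanceObject'
])
// NOTE(review): the properties below are the WindowsPerformanceCounter shape;
// Linux performance objects appear to use a different property layout -- confirm
// before relying on the LinuxPerformanceObject option.
param metricKind string = 'WindowsPerformanceCounter'
param metricObjectName string
param metricInstanceName string = '_Total'
// Declared as a string here while deployWVDEventsCounters.bicep passes an int
// for the same property; both are accepted by the service today, but callers
// should pass whole seconds only.
param metricIntervalSeconds string = '120'
param metricCounterName string = '% Processor Time'

// Derived from the deployment name: same --name updates in place, a new name
// creates an additional data source for the same counter.
var metricDeploymentName = '${workspace.name}/${uniqueString(subscription().subscriptionId, deployment().name)}'

resource workspace 'Microsoft.OperationalInsights/workspaces@2020-08-01' existing = {
  name: workspaceName
}

resource perfCounterSource 'Microsoft.OperationalInsights/workspaces/datasources@2020-08-01' = {
  name: metricDeploymentName
  kind: metricKind
  properties: {
    objectName: metricObjectName
    instanceName: metricInstanceName
    intervalSeconds: metricIntervalSeconds
    counterName: metricCounterName
  }
}
--------------------------------------------------------------------------------
/templates/loganalytics/WorkspaceDataCollection/deploySyslog.bicep:
--------------------------------------------------------------------------------
// Adds one syslog facility (with the chosen severities) to an existing
// workspace and turns syslog collection on.

param workspaceName string = 'la-blog-eastus2-cloudsma'
@description('Syslog facility, e.g. kern, daemon, cron, auth.')
param syslogName string = 'kern'
@description('Severities to collect for the facility; each entry becomes one syslogSeverities item.')
param severityLevel array = [
  'emerg'
  'alert'
  'crit'
  'err'
  'warning'
  'notice'
  'info'
  'debug'
]

resource workspace 'Microsoft.OperationalInsights/workspaces@2020-08-01' existing = {
  name: workspaceName
}

// Named after the facility, so redeploying for the same facility updates it.
resource syslogFacility 'Microsoft.OperationalInsights/workspaces/datasources@2020-08-01' = {
  name: '${workspace.name}/${syslogName}'
  kind: 'LinuxSyslog'
  properties: {
    syslogName: syslogName
    syslogSeverities: [for level in severityLevel: {
      severity: level
    }]
  }
}

// Workspace-wide switch; shared by every facility deployed with this template.
resource syslogCollection 'Microsoft.OperationalInsights/workspaces/datasources@2020-08-01' = {
  name: '${workspace.name}/Enable'
  kind: 'LinuxSyslogCollection'
  properties: {
    state: 'Enabled'
  }
}
--------------------------------------------------------------------------------
/templates/loganalytics/WorkspaceDataCollection/deployWVDEventsCounters.bicep:
--------------------------------------------------------------------------------
// Windows Virtual Desktop session-host data collection for an existing
// workspace. The counters and event channels are the set the original template
// created as 25 individual resources; they are now data driven. Data-source
// names (perfcounterN, WindowsEvent*) are unchanged so redeploying over an
// existing workspace updates in place rather than duplicating. All data sources
// use API 2020-08-01, where the original mixed it with 2015-11-01-preview.

param workspaceName string

resource workspace 'Microsoft.OperationalInsights/workspaces@2020-08-01' existing = {
  name: workspaceName
}

// name: data-source name suffix (the historic numbering has a gap: 1-12, 18-25).
var perfCounters = [
  {
    name: 'perfcounter1'
    objectName: 'LogicalDisk'
    instanceName: 'C:'
    intervalSeconds: 60
    counterName: '% Free Space'
  }
  {
    name: 'perfcounter2'
    objectName: 'LogicalDisk'
    instanceName: 'C:'
    intervalSeconds: 30
    counterName: 'Avg. Disk Queue Length'
  }
  {
    name: 'perfcounter3'
    objectName: 'LogicalDisk'
    instanceName: 'C:'
    intervalSeconds: 60
    counterName: 'Avg. Disk sec/Transfer'
  }
  {
    name: 'perfcounter4'
    objectName: 'LogicalDisk'
    instanceName: 'C:'
    intervalSeconds: 30
    counterName: 'Current Disk Queue Length'
  }
  {
    name: 'perfcounter5'
    objectName: 'Memory'
    instanceName: '*'
    intervalSeconds: 30
    counterName: 'Available Mbytes'
  }
  {
    name: 'perfcounter6'
    objectName: 'Memory'
    instanceName: '*'
    intervalSeconds: 30
    counterName: 'Page Faults/sec'
  }
  {
    name: 'perfcounter7'
    objectName: 'Memory'
    instanceName: '*'
    intervalSeconds: 30
    counterName: 'Pages/sec'
  }
  {
    name: 'perfcounter8'
    objectName: 'Memory'
    instanceName: '*'
    intervalSeconds: 30
    counterName: '% Committed Bytes In Use'
  }
  {
    name: 'perfcounter9'
    objectName: 'PhysicalDisk'
    instanceName: '*'
    intervalSeconds: 30
    counterName: 'Avg. Disk Queue Length'
  }
  {
    name: 'perfcounter10'
    objectName: 'PhysicalDisk'
    instanceName: '*'
    intervalSeconds: 30
    counterName: 'Avg. Disk sec/Read'
  }
  {
    name: 'perfcounter11'
    objectName: 'PhysicalDisk'
    instanceName: '*'
    intervalSeconds: 30
    counterName: 'Avg. Disk sec/Transfer'
  }
  {
    name: 'perfcounter12'
    objectName: 'PhysicalDisk'
    instanceName: '*'
    intervalSeconds: 30
    counterName: 'Avg. Disk sec/Write'
  }
  {
    name: 'perfcounter18'
    objectName: 'Processor Information'
    instanceName: '_Total'
    intervalSeconds: 30
    counterName: '% Processor Time'
  }
  {
    name: 'perfcounter19'
    objectName: 'Terminal Services'
    instanceName: '*'
    intervalSeconds: 60
    counterName: 'Active Sessions'
  }
  {
    name: 'perfcounter20'
    objectName: 'Terminal Services'
    instanceName: '*'
    intervalSeconds: 60
    counterName: 'Inactive Sessions'
  }
  {
    name: 'perfcounter21'
    objectName: 'Terminal Services'
    instanceName: '*'
    intervalSeconds: 60
    counterName: 'Total Sessions'
  }
  {
    name: 'perfcounter22'
    objectName: 'User Input Delay per Process'
    instanceName: '*'
    intervalSeconds: 30
    counterName: 'Max Input Delay'
  }
  {
    name: 'perfcounter23'
    objectName: 'User Input Delay per Session'
    instanceName: '*'
    intervalSeconds: 30
    counterName: 'Max Input Delay'
  }
  {
    name: 'perfcounter24'
    objectName: 'RemoteFX Network'
    instanceName: '*'
    intervalSeconds: 30
    counterName: 'Current TCP RTT'
  }
  {
    name: 'perfcounter25'
    objectName: 'RemoteFX Network'
    instanceName: '*'
    intervalSeconds: 30
    counterName: 'Current UDP Bandwidth'
  }
]

// name: data-source name suffix; levels: event levels collected for the channel.
var eventLogs = [
  {
    name: 'WindowsEventsSystem'
    eventLogName: 'System'
    levels: [
      'Error'
      'Warning'
    ]
  }
  {
    name: 'WindowsEventsApplication'
    eventLogName: 'Application'
    levels: [
      'Error'
      'Warning'
    ]
  }
  {
    name: 'WindowsEventsFSLogix'
    eventLogName: 'Microsoft-FSLogix-Apps/Operational'
    levels: [
      'Error'
      'Warning'
      'Information'
    ]
  }
  {
    name: 'WindowsEventTerminalServicesOperational'
    eventLogName: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
    levels: [
      'Error'
      'Warning'
      'Information'
    ]
  }
  {
    name: 'WindowsEventTerminalServicesAdmin'
    eventLogName: 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin'
    levels: [
      'Error'
      'Warning'
      'Information'
    ]
  }
  {
    name: 'WindowsEventFSLogixAdmin'
    eventLogName: 'Microsoft-FSLogix-Apps/Admin'
    levels: [
      'Error'
      'Warning'
      'Information'
    ]
  }
]

resource perfCounterSources 'Microsoft.OperationalInsights/workspaces/datasources@2020-08-01' = [for counter in perfCounters: {
  name: '${workspace.name}/${counter.name}'
  kind: 'WindowsPerformanceCounter'
  properties: {
    objectName: counter.objectName
    instanceName: counter.instanceName
    intervalSeconds: counter.intervalSeconds
    counterName: counter.counterName
  }
}]

resource eventLogSources 'Microsoft.OperationalInsights/workspaces/datasources@2020-08-01' = [for log in eventLogs: {
  name: '${workspace.name}/${log.name}'
  kind: 'WindowsEvent'
  properties: {
    eventLogName: log.eventLogName
    eventTypes: [for level in log.levels: {
      eventType: level
    }]
  }
}]

// Read through the existing-resource reference instead of a hand-written
// reference() call pinned to 2015-11-01-preview.
output workspaceName_output string = workspaceName
output provisioningState string = workspace.properties.provisioningState
output source string = workspace.properties.source
output customerId string = workspace.properties.customerId
output sku string = workspace.properties.sku.name
--------------------------------------------------------------------------------
/templates/loganalytics/universalDCR.json:
--------------------------------------------------------------------------------
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "metadata": {
    "description": "One data collection rule that sends the selected performance counters, Windows event XPath queries and/or syslog facilities to a single Log Analytics workspace. A data-source section is omitted when its input array is empty."
  },
  "parameters": {
    "dataCollectionRule_name": {
      "type": "String",
      "metadata": {
        "description": "Name of the data collection rule; also the prefix of the generated data-source names."
      }
    },
    "workspaceResourceId": {
      "type": "String",
      "metadata": {
        "description": "Full resource ID of the destination workspace."
      }
    },
    "workspaceName": {
      "type": "String",
      "metadata": {
        "description": "Destination name used inside the rule; dataFlows.destinations refers to it."
      }
    },
    "location": {
      "defaultValue": "[resourceGroup().location]",
      "type": "String",
      "metadata": {
        "description": "Region of the rule."
      }
    },
    "kind": {
      "type": "String",
      "allowedValues": [
        "Windows",
        "Linux"
      ],
      "metadata": {
        "description": "Platform the rule targets. Restricted so a typo fails at validation instead of producing a rule no agent applies."
      }
    },
    "streams": {
      "type": "Array",
      "metadata": {
        "description": "Streams of the single data flow (Microsoft-Perf, Microsoft-Event, Microsoft-Syslog). Must include the stream of every data source enabled below or that data is not forwarded."
      }
    },
    "perfCounters": {
      "type": "Array",
      "defaultValue": [],
      "metadata": {
        "description": "Counter specifiers for the performance-counter data source. Empty omits that data source."
      }
    },
    "perfSample": {
      "type": "Int",
      "defaultValue": 0,
      "metadata": {
        "description": "samplingFrequencyInSeconds for the performance counters. The default of 0 is only acceptable because the data source is omitted when perfCounters is empty; set a positive value whenever perfCounters is supplied."
      }
    },
    "eventLogs": {
      "type": "Array",
      "defaultValue": [],
      "metadata": {
        "description": "XPath queries for the Windows event data source. Empty omits that data source."
      }
    },
    "syslogFacilities": {
      "type": "Array",
      "defaultValue": [],
      "metadata": {
        "description": "Facility names for the syslog data source. Empty omits that data source; syslogLevels is not checked, so supply it whenever facilities are supplied."
      }
    },
    "syslogLevels": {
      "type": "Array",
      "defaultValue": [],
      "metadata": {
        "description": "Log levels collected for the syslog facilities."
      }
    }
  },
  "variables": {
    "eventLogVar": [
      {
        "streams": [
          "Microsoft-Event"
        ],
        "xPathQueries": "[parameters('eventLogs')]",
        "name": "[concat('event',parameters('dataCollectionRule_name'), uniqueString(resourceGroup().id) )]"
      }
    ],
    "perfVar": [
      {
        "streams": [
          "Microsoft-Perf"
        ],
        "samplingFrequencyInSeconds": "[parameters('perfSample')]",
        "counterSpecifiers": "[parameters('perfCounters')]",
        "name": "[concat('perf',parameters('dataCollectionRule_name'), uniqueString(resourceGroup().id) )]"
      }
    ],
    "syslogVar": [
      {
        "streams": [
          "Microsoft-Syslog"
        ],
        "facilityNames": "[parameters('syslogFacilities')]",
        "logLevels": "[parameters('syslogLevels')]",
        "name": "[concat('syslog',parameters('dataCollectionRule_name'), uniqueString(resourceGroup().id) )]"
      }
    ]
  },
  "resources": [
    {
      "type": "Microsoft.Insights/dataCollectionRules",
      "apiVersion": "2021-09-01-preview",
      "name": "[parameters('dataCollectionRule_name')]",
      "location": "[parameters('location')]",
      "kind": "[parameters('kind')]",
      "properties": {
        "dataSources": {
          "performanceCounters": "[if(empty(parameters('perfCounters')), null(), variables('perfVar'))]",
          "windowsEventLogs": "[if(empty(parameters('eventLogs')), null(), variables('eventLogVar'))]",
          "syslog": "[if(empty(parameters('syslogFacilities')), null(), variables('syslogVar'))]"
        },
        "destinations": {
          "logAnalytics": [
            {
              "workspaceResourceId": "[parameters('workspaceResourceId')]",
              "name": "[parameters('workspaceName')]"
            }
          ]
        },
        "dataFlows": [
          {
            "streams": "[parameters('streams')]",
            "destinations": [
              "[parameters('workspaceName')]"
            ]
          }
        ]
      }
    }
  ]
}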
--------------------------------------------------------------------------------