SugandhaKumari-1812 asked 74090519 commented

syslog data collection for log analytics workspace

Dear Team,

I am using the "az monitor data-collection rule create" and "az monitor data-collection rule syslog add" CLI commands to collect syslog data for Linux VMs. It gives an error as below:

WARNING: Command group 'monitor data-collection' is experimental and under development. Reference and support levels: https://aka.ms/CLI_refstatus
ERROR: BadRequestError: (InvalidPayload) Data collection rule is invalid

Please note I have created a log analytics workspace and connected the VMs.

Requesting your help on this.

azure-monitor

@SugandhaKumari-1812 Welcome to Microsoft Q & A Community Forum. Thanks for bringing this to our notice. I am looking into it and will update to you soon.

0 Votes 0 ·

@SugandhaKumari-1812 Kindly let me know if you are still facing the issue. As requested, can you please share the query details to assist you further?

0 Votes 0 ·
SwathiDhanwada-MSFT answered 74090519 commented

@SugandhaKumari-1812 I have tested the query from my end, and it worked successfully. The query documented in the az CLI is a bit incorrect, which I have raised as an issue with the content team. Kindly try the query below and revert if you have further questions.

  az monitor data-collection rule create --resource-group "swd" --location "westus2" --name "myCollectionRule" --data-flows destinations="swtry" streams="Microsoft-Perf" streams="Microsoft-Syslog" streams="Microsoft-WindowsEvent" --log-analytics name="swtry" resource-id="/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/swd/providers/Microsoft.OperationalInsights/workspaces/swtry" --performance-counters name="cloudTeamCoreCounters" counter-specifiers="\\Processor(_Total)\\% Processor Time" counter-specifiers="\\Memory\\Committed Bytes" counter-specifiers="\\LogicalDisk(_Total)\\Free Megabytes" counter-specifiers="\\PhysicalDisk(_Total)\\Avg. Disk Queue Length" sampling-frequency=15 transfer-period="PT1M" streams="Microsoft-Perf" --performance-counters name="appTeamExtraCounters" counter-specifiers="\\Process(_Total)\\Thread Count" sampling-frequency=30 transfer-period="PT5M" streams="Microsoft-Perf" --syslog name="cronSyslog" facility-names="cron" log-levels="Debug" log-levels="Critical" log-levels="Emergency" streams="Microsoft-Syslog" --syslog name="syslogBase" facility-names="syslog" log-levels="Alert" log-levels="Critical" log-levels="Emergency" streams="Microsoft-Syslog" --windows-event-logs name="cloudSecurityTeamEvents" transfer-period="PT1M" streams="Microsoft-WindowsEvent" x-path-queries="Security!" --windows-event-logs name="appTeam1AppEvents" transfer-period="PT5M" streams="Microsoft-WindowsEvent" x-path-queries="System!*[System[(Level = 1 or Level = 2 or Level = 3)]]" x-path-queries="Application!*[System[(Level = 1 or Level = 2 or Level = 3)]]"


Hi @SwathiDhanwada-MSFT ,

I tried the above mentioned command and am still getting the same error. Please find the one I used in the comment below. It gave the same error output:


WARNING: Command group 'monitor data-collection' is experimental and under development. Reference and support levels: https://aka.ms/CLI_refstatus
ERROR: BadRequestError: (InvalidPayload) Data collection rule is invalid.

0 Votes 0 ·

@SugandhaKumari-1812 Can you please make the below modifications to your query and try again?

  • Instead of x-path-queries="System[System[(Level = 1 or Level = 2 or Level = 3)]]" x-path-queries="Application[System[(Level = 1 or Level = 2 or Level = 3)]]" replace it with x-path-queries="System!*[System[(Level = 1 or Level = 2 or Level = 3)]]" x-path-queries="Application!*[System[(Level = 1 or Level = 2 or Level = 3)]]"

0 Votes 0 ·

@SwathiDhanwada-MSFT I tried that and it didn't work either. Also, to add more: Windows event collection I am able to achieve using Terraform. I am facing the issue with syslog data collection.

0 Votes 0 ·
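The answer's command and the follow-up comments only show the rule as one long CLI invocation, which makes it hard to see why the service answers "InvalidPayload". The script below is an added example written for this page; it is not code from the thread, from the az CLI, or from Microsoft. It builds the same kind of rule body (two syslog sources, one Windows event source, one Log Analytics destination) as JSON in the shape of a `Microsoft.Insights/dataCollectionRules` resource, then runs the local consistency checks a rule must pass before the service will accept it: syslog facility and level names from the documented allowed set, Windows event queries carrying the `Channel!` prefix that the comment above points out, data-flow destinations that actually exist, and data-flow streams that some data source actually produces. The workspace resource id is a constructed placeholder, the allowed-value sets and property names are taken from the public DCR schema as I know it (an assumption, not something the thread states), and `--rule-file` is the CLI option I assume accepts the generated JSON.

```python
import json
import re

# Allowed syslog facilities and levels for a DCR syslog data source. Assumed from the
# public Microsoft.Insights/dataCollectionRules schema, not from the thread itself.
SYSLOG_FACILITIES = {"auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail", "mark",
                     "news", "syslog", "user", "uucp", "*"} | {f"local{i}" for i in range(8)}
SYSLOG_LEVELS = {"Debug", "Info", "Notice", "Warning", "Error", "Critical", "Alert",
                 "Emergency", "*"}
# Windows event queries take the form "<Channel>!<XPath>"; "Security!" alone selects every event.
XPATH_RE = re.compile(r"^[^!\s]+!.*$")


def build_dcr(location, workspace_name, workspace_resource_id, syslog, perf=(), win_events=()):
    """Return a rule body for `az monitor data-collection rule create --rule-file` (assumed option).

    syslog: list of (name, facilities, levels); perf: list of (name, counters, seconds);
    win_events: list of (name, xpath_queries). Every stream produced is wired to the workspace.
    """
    data_sources = {
        "syslog": [{"name": n, "streams": ["Microsoft-Syslog"], "facilityNames": list(f),
                    "logLevels": list(l)} for n, f, l in syslog],
        "performanceCounters": [{"name": n, "streams": ["Microsoft-Perf"],
                                 "counterSpecifiers": list(c), "samplingFrequencyInSeconds": s}
                                for n, c, s in perf],
        "windowsEventLogs": [{"name": n, "streams": ["Microsoft-WindowsEvent"],
                              "xPathQueries": list(q)} for n, q in win_events],
    }
    streams = sorted({s for group in data_sources.values() for src in group for s in src["streams"]})
    return {
        "location": location,
        "properties": {
            "dataSources": {k: v for k, v in data_sources.items() if v},
            "destinations": {"logAnalytics": [{"name": workspace_name,
                                               "workspaceResourceId": workspace_resource_id}]},
            "dataFlows": [{"streams": streams, "destinations": [workspace_name]}],
        },
    }


def validate_dcr(dcr):
    """Local consistency checks; returns a list of problems (empty means the body is coherent)."""
    props = dcr["properties"]
    problems = []
    dest_names = {d["name"] for d in props["destinations"].get("logAnalytics", [])}
    produced = set()  # streams that at least one data source emits
    for src in props["dataSources"].get("syslog", []):
        produced.update(src["streams"])
        for f in src["facilityNames"]:
            if f not in SYSLOG_FACILITIES:
                problems.append(f"syslog {src['name']}: unknown facility {f!r}")
        for lvl in src["logLevels"]:
            if lvl not in SYSLOG_LEVELS:
                problems.append(f"syslog {src['name']}: unknown log level {lvl!r}")
    for src in props["dataSources"].get("performanceCounters", []):
        produced.update(src["streams"])
    for src in props["dataSources"].get("windowsEventLogs", []):
        produced.update(src["streams"])
        for q in src["xPathQueries"]:
            if not XPATH_RE.match(q):
                problems.append(f"windowsEventLogs {src['name']}: {q!r} lacks the 'Channel!' prefix")
    for flow in props["dataFlows"]:
        for d in flow["destinations"]:
            if d not in dest_names:
                problems.append(f"dataFlow references unknown destination {d!r}")
        for s in flow["streams"]:
            if s not in produced:
                problems.append(f"dataFlow stream {s!r} has no data source producing it")
    return problems


# Constructed sample mirroring the thread's syslog sources; the workspace id is a placeholder.
WORKSPACE_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/RGName"
                "/providers/Microsoft.OperationalInsights/workspaces/Workspacename")


def example_rule():
    return build_dcr("westus2", "Workspacename", WORKSPACE_ID,
                     syslog=[("cronSyslog", ["cron"], ["Debug", "Critical", "Emergency"]),
                             ("syslogBase", ["syslog"], ["Alert", "Critical", "Emergency"])],
                     win_events=[("appTeam1AppEvents",
                                  ["System!*[System[(Level = 1 or Level = 2 or Level = 3)]]"])])


if __name__ == "__main__":
    rule = example_rule()
    print(json.dumps(rule, indent=2))  # save as dcr.json and pass it with --rule-file
    print(validate_dcr(rule) or "rule body is consistent")
```

Running the script prints the JSON body and an empty problem list; drop the `!*` from the Windows query, or point a data flow at a destination name that is not declared, and `validate_dcr` reports it before any request reaches Azure. Keeping the rule as a reviewed JSON file rather than a one-line command also makes the collected facilities and log levels auditable, which matters when the same rule decides which security-relevant syslog messages reach the workspace.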
SugandhaKumari-1812 answered

I am not able to paste this as a whole in a comment, so I am adding here the command I used.

az monitor data-collection rule create --resource-group "RGName" --location "location" --name "myCollectionRule" --data-flows destinations="Workspacename" streams="Microsoft-Perf" streams="Microsoft-Syslog" streams="Microsoft-WindowsEvent" --log-analytics name="Workspacename" resource-id="/subscriptions/subscriptionID/resourceGroups/RGName/providers/Microsoft.OperationalInsights/workspaces/Workspacename" --performance-counters name="cloudTeamCoreCounters" counter-specifiers="\\Processor(_Total)\\% Processor Time" counter-specifiers="\\Memory\\Committed Bytes" counter-specifiers="\\LogicalDisk(_Total)\\Free Megabytes" counter-specifiers="\\PhysicalDisk(_Total)\\Avg. Disk Queue Length" sampling-frequency=15 transfer-period="PT1M" streams="Microsoft-Perf" --performance-counters name="appTeamExtraCounters" counter-specifiers="\\Process(_Total)\\Thread Count" sampling-frequency=30 transfer-period="PT5M" streams="Microsoft-Perf" --syslog name="cronSyslog" facility-names="cron" log-levels="Debug" log-levels="Critical" log-levels="Emergency" streams="Microsoft-Syslog" --syslog name="syslogBase" facility-names="syslog" log-levels="Alert" log-evels="Critical" log-levels="Emergency" streams="Microsoft-Syslog" --windows-event-logs name="cloudSecurityTeamEvents" transfer-period="PT1M" streams="Microsoft-WindowsEvent" x-path-queries="Security!" --windows-event-logs name="appTeam1AppEvents" transfer-period="PT5M" streams="Microsoft-WindowsEvent" x-path-ueries="System[System[(Level = 1 or Level = 2 or Level = 3)]]" x-path-queries="Application[System[(Level = 1 or Level = 2 or Level = 3)]]"
