Custom Logs - Hostname field - Azure Monitoring Agent [RESOLVED]

Satheesh 21 Reputation points
2022-08-02T09:32:48.04+00:00

Below issue is fixed in the latest version of Custom Log integration.


Hello,

I have followed this document to implement the Custom Log integration with log analytics from multiple VMs.
https://learn.microsoft.com/en-us/azure/azure-monitor/agents/data-collection-text-log
Its working fine. But i'm not able to distinguish the logs between Multiple VMs. Is there any way to add column called "hostname" or "vm_name" from Custom Logs integration? I know I can add hostname to application logs and it can be parsed at Log Analytics workspace to distinguish it. But I'm looking for a way to configure this at Custom Logs Integration.
And also I can see "_ResourceId" field in the custom log table but it was not populated with Hostname/VM Name.

Azure Monitor
Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
3,412 questions
{count} votes

3 answers

Sort by: Most helpful
  1. Satheesh 21 Reputation points
    2023-02-15T04:12:37.8033333+00:00

    This issue is fixed in latest version of Custom Log integration. Now I'm able to see the Source VM in the _ResourceId column.

    User's image

    2 people found this answer helpful.
    0 comments No comments

  2. Rodrigo Pereira 1 Reputation point
    2022-08-14T00:16:28.583+00:00

    Hi,

    I'm facing the same problem. Using the OMS (Log Analytics) agent, I can collect log files in Linux VM's and there's a column named "Computer" which identifies the origin VM name for each log line. Which is what is needed.

    When using the AMA agent, there's no Computer column.
    In fact, the only columns I see are TimeGenerate, RawData, TenantId and Type.

    I've tried to add the Computer column in the table definition and also in the DCR, but it has no effect. This seems to need to be hard-coded in the agent itself (for example, the TenantId string can be found in the agent binary, so clearly that's something the agent checks within the VM and adds to the data sent to the LAW)


  3. Jeremy Hagan 0 Reputation points
    2023-07-05T01:04:37.64+00:00

    If the name of the computer is in another field, such as the resource ID then you can use a source transformation on the DCR. You'll need to modify the custom table to ensure it has the right field first and have the ability to craft your own KQL to extract the value.

    You can find the documentation for a similar process here:

    https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-transformation

    If I wanted to extract the VM name or Arc server name from the resource ID the transform might look something like this:

    source | extend Computer = extract("(?:virtualMachines|machines)/(.+)$",1,_ResourceId)
    
    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.