Resource Manager template samples for Log Analytics workspaces in Azure Monitor

This article includes sample Azure Resource Manager templates to create and configure Log Analytics workspaces in Azure Monitor. Each sample includes a template file and a parameters file with sample values to provide to the template.

Note

See Azure Resource Manager samples for Azure Monitor for a list of samples that are available and guidance on deploying them in your Azure subscription.

Template references

Create a Log Analytics workspace

The following sample creates a new, empty Log Analytics workspace. Each workspace has a unique workspace ID and resource ID. You can reuse the same workspace name in different resource groups.

Notes

  • If you specify a pricing tier of Free, then remove the retentionInDays element.

Template file

@description('Specify the name of the workspace.')
param workspaceName string

@description('Specify the location for the workspace.')
param location string

@description('Specify the pricing tier: PerGB2018 or legacy tiers (Free, Standalone, PerNode, Standard or Premium) which are not available to all customers.')
@allowed([
  'CapacityReservation'
  'Free'
  'LACluster'
  'PerGB2018'
  'PerNode'
  'Premium'
  'Standalone'
  'Standard'
])
param sku string = 'PerGB2018'

@description('Specify the number of days to retain data.')
param retentionInDays int = 120

@description('Specify true to use resource or workspace permissions, or false to require workspace permissions.')
param resourcePermissions bool

@description('Specify the number of days to retain data in Heartbeat table.')
param heartbeatTableRetention int

resource workspace 'Microsoft.OperationalInsights/workspaces@2021-12-01-preview' = {
  name: workspaceName
  location: location
  properties: {
    sku: {
      name: sku
    }
    retentionInDays: retentionInDays
    features: {
      enableLogAccessUsingOnlyResourcePermissions: resourcePermissions
    }
  }
}

resource table 'Microsoft.OperationalInsights/workspaces/tables@2021-12-01-preview' = {
  parent: workspace
  name: 'Heartbeat'
  properties: {
    retentionInDays: heartbeatTableRetention
  }
}

Parameter file

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceName": {
      "value": "MyWorkspace"
    },
    "sku": {
      "value": "PerGB2018"
    },
    "location": {
      "value": "eastus"
    },
    "resourcePermissions": {
      "value": true
    },
    "heartbeatTableRetention": {
      "value": 30
    }
  }
}
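Because the template's @allowed list and the Free-tier note above are only enforced at deployment time, the following added example (not part of the page or of Azure's tooling) lints a deploymentParameters.json file against those constraints before you deploy: required parameters with no default, the SKU list, the Free-tier rule for retentionInDays, and parameter types. The two embedded parameter files are constructed for the demonstration.

```python
import json

# Constraints copied from the workspace template on this page.
ALLOWED_SKUS = {"CapacityReservation", "Free", "LACluster", "PerGB2018",
                "PerNode", "Premium", "Standalone", "Standard"}
# Parameters the template declares without a default value.
REQUIRED = {"workspaceName", "location", "resourcePermissions", "heartbeatTableRetention"}
DEFAULTS = {"sku": "PerGB2018", "retentionInDays": 120}

def load_parameters(text):
    """Flatten a deploymentParameters.json document into a {name: value} dict."""
    doc = json.loads(text)
    return {name: entry["value"] for name, entry in doc.get("parameters", {}).items()}

def check_parameters(params):
    """Return a list of problems; an empty list means the file fits the template."""
    problems = []
    for name in sorted(REQUIRED - params.keys()):
        problems.append(f"missing required parameter '{name}'")
    effective = {**DEFAULTS, **params}
    if effective["sku"] not in ALLOWED_SKUS:
        problems.append(f"sku '{effective['sku']}' is not in the template's @allowed list")
    elif effective["sku"] == "Free":
        # The page's note: the Free tier must not carry a retentionInDays element.
        problems.append("sku is Free: remove retentionInDays from the template")
    if "resourcePermissions" in params and not isinstance(params["resourcePermissions"], bool):
        problems.append("resourcePermissions must be true or false")
    for name in ("retentionInDays", "heartbeatTableRetention"):
        value = effective.get(name)
        # bool is a subclass of int in Python, so reject it explicitly.
        if value is not None and (isinstance(value, bool) or not isinstance(value, int) or value <= 0):
            problems.append(f"{name} must be a positive integer")
    return problems

# Constructed parameter files: the page's sample values, then a broken variant
# (Free tier, missing resourcePermissions, retention given as a string).
GOOD = """{ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0", "parameters": {
  "workspaceName": {"value": "MyWorkspace"}, "sku": {"value": "PerGB2018"},
  "location": {"value": "eastus"}, "resourcePermissions": {"value": true},
  "heartbeatTableRetention": {"value": 30} } }"""
BAD = """{ "parameters": { "workspaceName": {"value": "MyWorkspace"},
  "sku": {"value": "Free"}, "location": {"value": "eastus"},
  "heartbeatTableRetention": {"value": "30"} } }"""

if __name__ == "__main__":
    for text in (GOOD, BAD):
        print(check_parameters(load_parameters(text)) or ["ok"])
```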

Configure data collection for Log Analytics workspace

The following samples show how to configure a Log Analytics workspace to collect data from the Log Analytics agent. That agent is being deprecated and replaced by the Azure Monitor agent, which uses data collection rules to define its data collection and ignores any configuration performed by these samples. For sample templates for data collection rules, see Resource Manager template samples for data collection rules in Azure Monitor.

Collect Windows events

The following sample adds collection of Windows events to an existing workspace.

Notes

  • Add a datasources element for each event log to collect. You can specify a different set of event types for each log.

Template file

@description('Specify the name of the workspace.')
param workspaceName string

@description('Specify the location for the workspace.')
param location string

resource workspace 'Microsoft.OperationalInsights/workspaces@2021-12-01-preview' = {
  name: workspaceName
  location: location
  properties: {}
}

resource windowsEventsSystemDataSource 'Microsoft.OperationalInsights/workspaces/dataSources@2020-08-01' = {
  parent: workspace
  name: 'WindowsEventsSystem'
  kind: 'WindowsEvent'
  properties: {
    eventLogName: 'System'
    eventTypes: [
      {
        eventType: 'Error'
      }
      {
        eventType: 'Warning'
      }
    ]
  }
}

resource WindowsEventApplicationDataSource 'Microsoft.OperationalInsights/workspaces/dataSources@2020-08-01' = {
  parent: workspace
  name: 'WindowsEventsApplication'
  kind: 'WindowsEvent'
  properties: {
    eventLogName: 'Application'
    eventTypes: [
      {
        eventType: 'Error'
      }
      {
        eventType: 'Warning'
      }
      {
        eventType: 'Information'
      }
    ]
  }
}

Parameter file

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceName": {
      "value": "MyWorkspace"
    },
    "location": {
      "value": "eastus"
    }
  }
}

Collect syslog

The following sample adds collection of syslog events to an existing workspace.

Notes

  • Add a datasources element for each facility to collect. You can specify a different set of severities for each facility.

Template file

@description('Specify the name of the workspace.')
param workspaceName string

@description('Specify the location in which to create the workspace.')
param location string

resource workspace 'Microsoft.OperationalInsights/workspaces@2020-08-01' = {
  name: workspaceName
  location: location
  properties: {}
}

resource syslogKernDataSource 'Microsoft.OperationalInsights/workspaces/datasources@2020-08-01' = {
  parent: workspace
  name: 'SyslogKern'
  kind: 'LinuxSyslog'
  properties: {
    syslogName: 'kern'
    syslogSeverities: [
      {
        severity: 'emerg'
      }
      {
        severity: 'alert'
      }
      {
        severity: 'crit'
      }
      {
        severity: 'err'
      }
      {
        severity: 'warning'
      }
      {
        severity: 'notice'
      }
      {
        severity: 'info'
      }
      {
        severity: 'debug'
      }
    ]
  }
}

resource syslogDaemonDataSource 'Microsoft.OperationalInsights/workspaces/datasources@2020-08-01' = {
  parent: workspace
  name: 'SyslogDaemon'
  kind: 'LinuxSyslog'
  properties: {
    syslogName: 'daemon'
    syslogSeverities: [
      {
        severity: 'emerg'
      }
      {
        severity: 'alert'
      }
      {
        severity: 'crit'
      }
      {
        severity: 'err'
      }
      {
        severity: 'warning'
      }
    ]
  }
}

resource syslogCollectionDataSource 'Microsoft.OperationalInsights/workspaces/datasources@2020-08-01' = {
  parent: workspace
  name: 'SyslogCollection'
  kind: 'LinuxSyslogCollection'
  properties: {
    state: 'Enabled'
  }
}

Parameter file

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceName": {
      "value": "MyWorkspace"
    },
    "location": {
      "value": "eastus"
    }
  }
}

Collect Windows performance counters

The following sample adds collection of Windows performance counters to an existing workspace.

Notes

  • Add a datasources element for each counter and instance to collect. You can specify a different collection rate for each counter and instance combination.

Template file

@description('Specify the name of the workspace.')
param workspaceName string

@description('Specify the location of the workspace.')
param location string = resourceGroup().location

resource workspace 'Microsoft.OperationalInsights/workspaces@2021-12-01-preview' = {
  name: workspaceName
  location: location
  properties: {}
}

resource windowsPerfMemoryAvailableBytesDataSource 'Microsoft.OperationalInsights/workspaces/dataSources@2020-08-01' = {
  parent: workspace
  name: 'WindowsPerfMemoryAvailableBytes'
  kind: 'WindowsPerformanceCounter'
  properties: {
    objectName: 'Memory'
    instanceName: '*'
    intervalSeconds: 10
    counterName: 'Available MBytes'
  }
}

resource windowsPerfMemoryPercentageBytesDataSource 'Microsoft.OperationalInsights/workspaces/datasources@2020-08-01' = {
  parent: workspace
  name: 'WindowsPerfMemoryPercentageBytes'
  kind: 'WindowsPerformanceCounter'
  properties: {
    objectName: 'Memory'
    instanceName: '*'
    intervalSeconds: 10
    counterName: '% Committed Bytes in Use'
  }
}

resource windowsPerfProcessorPercentageDataSource 'Microsoft.OperationalInsights/workspaces/datasources@2020-08-01' = {
  parent: workspace
  name: 'WindowsPerfProcessorPercentage'
  kind: 'WindowsPerformanceCounter'
  properties: {
    objectName: 'Processor'
    instanceName: '_Total'
    intervalSeconds: 10
    counterName: '% Processor Time'
  }
}

Parameter file

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceName": {
      "value": "MyWorkspace"
    },
    "location": {
      "value": "eastus"
    }
  }
}

Collect Linux performance counters

The following sample adds collection of Linux performance counters to an existing workspace.

Notes

  • Add a datasources element for each object and instance to collect. You can specify a different set of counters for each object and instance combination, but you can only specify a single collection rate for all counters.

Template file

@description('Specify the name of the workspace.')
param workspaceName string

@description('Specify the location in which to create the workspace.')
param location string = resourceGroup().location

resource workspace 'Microsoft.OperationalInsights/workspaces@2020-08-01' = {
  name: workspaceName
  location: location
  properties: {}
}

resource linuxPerformanceLogicalDiskDataSource 'Microsoft.OperationalInsights/workspaces/datasources@2020-08-01' = {
  parent: workspace
  name: 'LinuxPerformanceLogicalDisk'
  kind: 'LinuxPerformanceObject'
  properties: {
    objectName: 'Logical Disk'
    instanceName: '*'
    intervalSeconds: 10
    performanceCounters: [
      {
        counterName: '% Used Inodes'
      }
      {
        counterName: 'Free Megabytes'
      }
      {
        counterName: '% Used Space'
      }
      {
        counterName: 'Disk Transfers/sec'
      }
      {
        counterName: 'Disk Reads/sec'
      }
      {
        counterName: 'Disk Writes/sec'
      }
    ]
  }
}

resource linuxPerformanceProcessorDataSource 'Microsoft.OperationalInsights/workspaces/datasources@2020-08-01' = {
  parent: workspace
  name: 'LinuxPerformanceProcessor'
  kind: 'LinuxPerformanceObject'
  properties: {
    objectName: 'Processor'
    instanceName: '*'
    intervalSeconds: 10
    performanceCounters: [
      {
        counterName: '% Processor Time'
      }
      {
        counterName: '% Privileged Time'
      }
    ]
  }
}

Parameter file

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceName": {
      "value": "MyWorkspace"
    },
    "location": {
      "value": "eastus"
    }
  }
}

Collect text logs

The following sample adds collection of text logs to an existing workspace.

Notes

  • The configuration of delimiters and extractions can be complex. For help, you can define a text log using the Azure portal and then retrieve its configuration using Get-AzOperationalInsightsDataSource with -Kind set to CustomLog.

Template file

@description('Specify the name of the workspace.')
param workspaceName string

@description('Specify the location in which to create the workspace.')
param location string

resource workspace 'Microsoft.OperationalInsights/workspaces@2021-12-01-preview' = {
  name: workspaceName
  location: location
  properties: {}
}

resource armlogTimeDelimitedDataSource 'Microsoft.OperationalInsights/workspaces/dataSources@2020-08-01' = {
  parent: workspace
  name: '${workspaceName}armlog_timedelimited'
  kind: 'CustomLog'
  properties: {
    customLogName: 'arm_log_timedelimited'
    description: 'this is a description'
    inputs: [
      {
        location: {
          fileSystemLocations: {
            linuxFileTypeLogPaths: [
              '/var/logs'
            ]
            windowsFileTypeLogPaths: [
              'c:\\Windows\\Logs\\*.txt'
            ]
          }
        }
        recordDelimiter: {
          regexDelimiter: {
            matchIndex: 0
            numberdGroup: null
            pattern: '(^.*((\\d{2})|(\\d{4}))-([0-1]\\d)-(([0-3]\\d)|(\\d))\\s((\\d)|([0-1]\\d)|(2[0-4])):[0-5][0-9]:[0-5][0-9].*$)'
          }
        }
      }
    ]
    extractions: [
      {
        extractionName: 'TimeGenerated'
        extractionProperties: {
          dateTimeExtraction: {
            regex: [
              {
                matchIndex: 0
                numberdGroup: null
                pattern: '((\\d{2})|(\\d{4}))-([0-1]\\d)-(([0-3]\\d)|(\\d))\\s((\\d)|([0-1]\\d)|(2[0-4])):[0-5][0-9]:[0-5][0-9]'
              }
            ]
          }
        }
        extractionType: 'DateTime'
      }
    ]
  }
}

resource armlogNewlineDatasource 'Microsoft.OperationalInsights/workspaces/dataSources@2020-08-01' = {
  parent: workspace
  name: '${workspaceName}armlog_newline'
  kind: 'CustomLog'
  properties: {
    customLogName: 'armlog_newline'
    description: 'this is a description'
    inputs: [
      {
        location: {
          fileSystemLocations: {
            linuxFileTypeLogPaths: [
              '/var/logs'
            ]
            windowsFileTypeLogPaths: [
              'c:\\Windows\\Logs\\*.txt'
            ]
          }
        }
        recordDelimiter: {
          regexDelimiter: {
            pattern: '\\n'
            matchIndex: 0
            numberdGroup: null
          }
        }
      }
    ]
    extractions: [
      {
        extractionName: 'TimeGenerated'
        extractionType: 'DateTime'
        extractionProperties: {
          dateTimeExtraction: {
            regex: null
            joinStringRegex: null
          }
        }
      }
    ]
  }
}

Parameter file

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceName": {
      "value": "MyWorkspace"
    },
    "location": {
      "value": "eastus"
    }
  }
}
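To see what the timestamp delimiter and TimeGenerated extraction in the armlog_timedelimited sample actually do before deploying them, the following added example (not part of the page or of the agent) applies the two regexes from that template to a constructed log excerpt. Bicep's '\\' is a single backslash in the delivered pattern, so the raw Python strings below are the regexes as the agent receives them; the assumption that a line matching the record delimiter starts a new record, with non-matching lines appended to the current record, is mine.

```python
import re

# Patterns copied from the sample's regexDelimiter and dateTimeExtraction.
RECORD_DELIMITER = (r"(^.*((\d{2})|(\d{4}))-([0-1]\d)-(([0-3]\d)|(\d))\s"
                    r"((\d)|([0-1]\d)|(2[0-4])):[0-5][0-9]:[0-5][0-9].*$)")
TIME_EXTRACTION = (r"((\d{2})|(\d{4}))-([0-1]\d)-(([0-3]\d)|(\d))\s"
                   r"((\d)|([0-1]\d)|(2[0-4])):[0-5][0-9]:[0-5][0-9]")

def split_records(text):
    """Group lines into records (assumption: a delimiter match starts a record)."""
    records = []
    for line in text.splitlines():
        if re.match(RECORD_DELIMITER, line) or not records:
            records.append(line)
        else:
            # Continuation line (for example a stack frame) stays with its record.
            records[-1] += "\n" + line
    return records

def extract_time(record):
    """Return the text the TimeGenerated extraction would pick, or None."""
    m = re.search(TIME_EXTRACTION, record)
    return m.group(0) if m else None

# Constructed log excerpt: a multi-line error, a warning, and a two-digit year.
SAMPLE_LOG = """2024-03-05 14:22:01 ERROR payment service: connection refused
    at PaymentClient.connect(PaymentClient.java:88)
    at Worker.run(Worker.java:41)
2024-03-05 14:22:07 WARN retrying in 5s
24-03-05 14:22:12 INFO reconnected
"""

if __name__ == "__main__":
    for rec in split_records(SAMPLE_LOG):
        print(repr(extract_time(rec)), "<-", rec.splitlines()[0])
```

Lines that the delimiter does not match never start a record, so a log whose entries carry no timestamp at all collapses into a single record; that is the case the armlog_newline sample's '\n' delimiter is for.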

Collect IIS logs

The following sample adds collection of IIS logs to an existing workspace.

Template file

@description('Specify the name of the workspace.')
param workspaceName string

@description('Specify the location in which to create the workspace.')
param location string

resource workspace 'Microsoft.OperationalInsights/workspaces@2021-12-01-preview' = {
  name: workspaceName
  location: location
  properties: {}
}

resource IISLogDataSource 'Microsoft.OperationalInsights/workspaces/datasources@2020-08-01' = {
  parent: workspace
  name: 'IISLog'
  kind: 'IISLogs'
  properties: {
    state: 'OnPremiseEnabled'
  }
}

Parameter file

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceName": {
      "value": "MyWorkspace"
    },
    "location": {
      "value": "eastus"
    }
  }
}

Next steps