建立資料收集規則的 API 要求範例 (DCR)
本文提供建立資料收集規則 (DCR) 和 DCR 關聯 (DCR) 以搭配 Azure 監視器代理程式 (AMA) 使用的 API 要求和回應的一些範例。
Syslog/CEF
下列範例適用於使用 AMA 收集 Syslog 和 CEF 訊息的 DCR。
Syslog/CEF DCR
這些範例包括用於建立 DCR 的 API 要求和回應。
Syslog/CEF DCR 建立要求 URL 和標頭
範例:
PUT https://management.azure.com/subscriptions/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/resourceGroups/ContosoRG/providers/Microsoft.Insights/dataCollectionRules/Contoso-DCR-01?api-version=2022-06-01
Syslog/CEF DCR 建立要求本文
以下是 DCR 建立要求的範例。 針對每個數據來源資料流,您可以在一個 DCR 中新增一個新的子區段"syslog""dataSources",並根據您想要內嵌的訊息來源來設定字段的值"streams":
| 記錄來源 | "streams" 欄位值 |
|---|---|
| Syslog | "Microsoft-Syslog" |
| CEF | "Microsoft-CommonSecurityLog" |
| Cisco ASA | "Microsoft-CiscoAsa" |
請參閱下列程式代碼範例中的多個資料流區段範例:
{
"location": "centralus",
"kind": "Linux",
"properties": {
"dataSources": {
"syslog": [
{
"name": "localsSyslog",
"streams": [
"Microsoft-Syslog"
],
"facilityNames": [
"auth",
"local0",
"local1",
"local2",
"local3",
"syslog"
],
"logLevels": [
"Critical",
"Alert",
"Emergency"
]
},
{
"name": "authprivSyslog",
"streams": [
"Microsoft-Syslog"
],
"facilityNames": [
"authpriv"
],
"logLevels": [
"Error",
"Alert",
"Critical",
"Emergency"
]
}
]
},
"destinations": {
"logAnalytics": [
{
"workspaceResourceId": "/subscriptions/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/resourceGroups/ContosoRG/providers/Microsoft.OperationalInsights/workspaces/Contoso",
"workspaceId": "11111111-2222-3333-4444-555555555555",
"name": "DataCollectionEvent"
}
]
},
"dataFlows": [
{
"streams": [
"Microsoft-Syslog"
],
"destinations": [
"DataCollectionEvent"
]
}
]
}
}
Syslog/CEF DCR 建立回應
以下是您應該根據上述範例要求收到的回應:
{
"properties": {
"immutableId": "dcr-0123456789abcdef0123456789abcdef",
"dataSources": {
"syslog": [
{
"streams": [
"Microsoft-Syslog"
],
"facilityNames": [
"auth",
"local0",
"local1",
"local2",
"local3",
"syslog"
],
"logLevels": [
"Critical",
"Alert",
"Emergency"
],
"name": "localsSyslog"
},
{
"streams": [
"Microsoft-Syslog"
],
"facilityNames": [
"authpriv"
],
"logLevels": [
"Error",
"Alert",
"Critical",
"Emergency"
],
"name": "authprivSyslog"
}
]
},
"destinations": {
"logAnalytics": [
{
"workspaceResourceId": "/subscriptions/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/resourceGroups/ContosoRG/providers/Microsoft.OperationalInsights/workspaces/Contoso",
"workspaceId": "11111111-2222-3333-4444-555555555555",
"name": "DataCollectionEvent"
}
]
},
"dataFlows": [
{
"streams": [
"Microsoft-Syslog"
],
"destinations": [
"DataCollectionEvent"
]
}
],
"provisioningState": "Succeeded"
},
"location": "centralus",
"kind": "Linux",
"id": "/subscriptions/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/resourceGroups/ContosoRG/providers/Microsoft.Insights/dataCollectionRules/Contoso-DCR-01",
"name": "Contoso-DCR-01",
"type": "Microsoft.Insights/dataCollectionRules",
"etag": "\"00000000-0000-0000-0000-000000000000\"",
"systemData": {
}
}
Syslog/CEF DCRA
Syslog/CEF DCRA 建立要求 URL 和標頭
PUT
https://management.azure.com/subscriptions/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/resourceGroups/ContosoRG/providers/Microsoft.Compute/virtualMachines/LogForwarder-VM-1/providers/Microsoft.Insights/dataCollectionRuleAssociations/contoso-dcr-assoc?api-version=2022-06-01
Syslog/CEF DCRA 建立要求本文
{
"properties": {
"dataCollectionRuleId": "/subscriptions/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/resourceGroups/ContosoRG/providers/Microsoft.Insights/dataCollectionRules/Contoso-DCR-01"
}
}
Syslog/CEF DCRA 建立回應
{
"properties": {
"dataCollectionRuleId": "/subscriptions/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/resourceGroups/ContosoRG/providers/Microsoft.Insights/dataCollectionRules/Contoso-DCR-01"
},
"id": "/subscriptions/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/resourceGroups/ContosoRG/providers/Microsoft.Compute/virtualMachines/LogForwarder-VM-1/providers/Microsoft.Insights/dataCollectionRuleAssociations/contoso-dcr-assoc",
"name": "contoso-dcr-assoc",
"type": "Microsoft.Insights/dataCollectionRuleAssociations",
"etag": "\"00000000-0000-0000-0000-000000000000\"",
"systemData": {
}
}
文字檔中的自定義記錄
下列範例適用於使用 AMA 從文字檔收集自訂記錄的 DCR。
自訂文字記錄 DCR
這些範例是建立 DCR 的 API 要求。
自定義文字記錄 DCR 建立要求本文
以下是自定義記錄文本檔的 DCR 建立要求範例。 將取代 {PLACEHOLDER_VALUES} 為實際值。
outputStream只有在轉換變更數據流的架構時,才需要 參數。
{
"type": "Microsoft.Insights/dataCollectionRules",
"name": "{DCR_NAME}",
"location": "{WORKSPACE_LOCATION}",
"apiVersion": "2022-06-01",
"properties": {
"streamDeclarations": {
"Custom-Text-{TABLE_NAME}": {
"columns": [
{
"name": "TimeGenerated",
"type": "datetime"
},
{
"name": "RawData",
"type": "string"
},
]
}
},
"dataSources": {
"logFiles": [
{
"streams": [
"Custom-Text-{TABLE_NAME}"
],
"filePatterns": [
"{LOCAL_PATH_FILE_1}","{LOCAL_PATH_FILE_2}"
],
"format": "text",
"name": "Custom-Text-{TABLE_NAME}"
}
],
},
"destinations": {
"logAnalytics": [
{
"workspaceResourceId": "{WORKSPACE_RESOURCE_PATH}",
"workspaceId": "{WORKSPACE_ID}",
"name": "DataCollectionEvent"
}
],
},
"dataFlows": [
{
"streams": [
"Custom-Text-{TABLE_NAME}"
],
"destinations": [
"DataCollectionEvent"
],
"transformKql": "source",
"outputStream": "Custom-{TABLE_NAME}"
}
]
}
}
自定義文字記錄 DCR 建立回應
{
"properties": {
"immutableId": "dcr-00112233445566778899aabbccddeeff",
"dataCollectionEndpointId": "/subscriptions/aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb/resourceGroups/Contoso-RG-1/providers/Microsoft.Insights/dataCollectionEndpoints/Microsoft-Sentinel-aaaabbbbccccddddeeeefff",
"streamDeclarations": {
"Custom-Text-ApacheHTTPServer_CL": {
"columns": [
{
"name": "TimeGenerated",
"type": "datetime"
},
{
"name": "RawData",
"type": "string"
}
]
}
},
"dataSources": {
"logFiles": [
{
"streams": [
"Custom-Text-ApacheHTTPServer_CL"
],
"filePatterns": [
"C:\\Server\\bin\\log\\Apache24\\logs\\*.log"
],
"format": "text",
"settings": {
"text": {
"recordStartTimestampFormat": "ISO 8601"
}
},
"name": "Custom-Text-ApacheHTTPServer_CL"
}
]
},
"destinations": {
"logAnalytics": [
{
"workspaceResourceId": "/subscriptions/aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb/resourceGroups/contoso-rg-1/providers/Microsoft.OperationalInsights/workspaces/CyberSOC",
"workspaceId": "cccccccc-3333-4444-5555-dddddddddddd",
"name": "DataCollectionEvent"
}
]
},
"dataFlows": [
{
"streams": [
"Custom-Text-ApacheHTTPServer_CL"
],
"destinations": [
"DataCollectionEvent"
],
"transformKql": "source",
"outputStream": "Custom-ApacheHTTPServer_CL"
}
],
"provisioningState": "Succeeded"
},
"location": "centralus",
"tags": {
"createdBy": "Sentinel"
},
"id": "/subscriptions/aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb/resourceGroups/Contoso-RG-1/providers/Microsoft.Insights/dataCollectionRules/DCR-CustomLogs-01",
"name": "DCR-CustomLogs-01",
"type": "Microsoft.Insights/dataCollectionRules",
"etag": "\"00000000-1111-2222-3333-444444444444\"",
"systemData": {
"createdBy": "gbarnes@contoso.com",
"createdByType": "User",
"createdAt": "2024-08-12T09:29:15.1083961Z",
"lastModifiedBy": "gbarnes@contoso.com",
"lastModifiedByType": "User",
"lastModifiedAt": "2024-08-12T09:29:15.1083961Z"
}
}