Amostras de modelo do Resource Manager para consultas de log no Azure Monitor

Artigo
10/15/2024

Este artigo inclui modelos do Azure Resource Manager de amostra para criar e configurar consultas de log no Azure Monitor. Cada amostra inclui um arquivo de modelo e um arquivo de parâmetros com valores de amostra para fornecer ao modelo.

Observação

Consulte Amostras do Azure Resource Manager do Azure Monitor para obter uma lista de amostras disponíveis e diretrizes sobre como implantá-las em sua assinatura do Azure.

Referências de modelo

Microsoft.OperationalInsights workspaces/savedSearches

Consulta de log simples

A amostra a seguir adiciona uma consulta de log a um workspace do Log Analytics.

@description('The name of the workspace.')
param workspaceName string

@description('The location of the resources.')
param location string = resourceGroup().location

resource workspace 'Microsoft.OperationalInsights/workspaces@2021-12-01-preview' = {
  name: workspaceName
  location: location
}

resource savedSearch 'Microsoft.OperationalInsights/workspaces/savedSearches@2020-08-01' = {
  parent: workspace
  name: 'VMSS query'
  properties: {
    etag: '*'
    displayName: 'VMSS Instance Count'
    category: 'VMSS'
    query: 'Event | where Source == "ServiceFabricNodeBootstrapAgent" | summarize AggregatedValue = count() by Computer'
    version: 1
  }
}

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceName": {
      "type": "string",
      "metadata": {
        "description": "The name of the workspace."
      }
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]",
      "metadata": {
        "description": "The location of the resources."
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.OperationalInsights/workspaces",
      "apiVersion": "2021-12-01-preview",
      "name": "[parameters('workspaceName')]",
      "location": "[parameters('location')]"
    },
    {
      "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
      "apiVersion": "2020-08-01",
      "name": "[format('{0}/{1}', parameters('workspaceName'), 'VMSS query')]",
      "properties": {
        "etag": "*",
        "displayName": "VMSS Instance Count",
        "category": "VMSS",
        "query": "Event | where Source == \"ServiceFabricNodeBootstrapAgent\" | summarize AggregatedValue = count() by Computer",
        "version": 1
      },
      "dependsOn": [
        "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceName'))]"
      ]
    }
  ]
}

Arquivo de parâmetro.

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceName": {
      "value": "MyWorkspace"
    },
    "location": {
      "value": "eastus"
    }
  }
}

Consulta de log como uma função

A amostra a seguir adiciona uma consulta de log como uma função em um workspace do Log Analytics.

Arquivo de modelo

Bicep
JSON

@description('The name of the workspace.')
param workspaceName string

@description('The location of the resources.')
param location string = resourceGroup().location

resource workspace 'Microsoft.OperationalInsights/workspaces@2021-12-01-preview' = {
  name: workspaceName
  location: location
}

resource savedSearch 'Microsoft.OperationalInsights/workspaces/savedSearches@2020-08-01' = {
  parent: workspace
  name: 'VMSS query'
  properties: {
    etag: '*'
    displayName: 'VMSS Instance Count'
    category: 'VMSS'
    query: 'Event | where Source == "ServiceFabricNodeBootstrapAgent" | summarize AggregatedValue = count() by Computer'
    version: 1
  }
}

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
      "workspaceName": {
          "type": "string"
      },
      "location": {
        "type": "string"
      }
  },
  "resources": [
    {
      "type": "Microsoft.OperationalInsights/workspaces",
      "apiVersion": "2017-03-15-preview",
      "name": "[parameters('workspaceName')]",
      "location": "[parameters('location')]",
      "resources": [
        {
          "type": "savedSearches",
          "apiVersion": "2020-08-01",
          "name": "Cross workspace query",
            "dependsOn": [
              "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
            ],
            "properties": {
              "etag": "*",
              "displayName": "Failed Logon Events",
              "category": "Security",
              "FunctionAlias": "failedlogonsecurityevents",
              "query": "
                union withsource=SourceWorkspace
                workspace('workspace1').SecurityEvent,
                workspace('workspace2').SecurityEvent,
                workspace('workspace3').SecurityEvent,
                | where EventID == 4625",
              "version": 1
          }
        }
      ]
    }
  ]
}

Arquivo de parâmetro.

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceName": {
      "value": "MyWorkspace"
    },
    "location": {
      "value": "eastus"
    }
  }
}

Função parametrizada

A amostra a seguir adiciona uma consulta de log como uma função que usa um parâmetro para um workspace do Log Analytics. Uma segunda consulta de log é incluída e usa a função parametrizada.

Observação

No momento, o modelo de recurso é o único método que pode ser usado para funções parametrizadas. Qualquer consulta de log poderá usar a função depois que ela for instalada no workspace.

Arquivo de modelo

Bicep
JSON

param workspaceName string
param location string

resource workspace 'Microsoft.OperationalInsights/workspaces@2021-12-01-preview' = {
  name: workspaceName
  location: location
}

resource parameterizedFunctionSavedSearch 'Microsoft.OperationalInsights/workspaces/savedSearches@2020-08-01' = {
  parent: workspace
  name: 'Parameterized function'
  properties: {
    etag: '*'
    displayName: 'Unavailable computers function'
    category: 'Samples'
    functionAlias: 'UnavailableComputers'
    functionParameters: 'argSpan: timespan'
    query: ' Heartbeat | summarize LastHeartbeat=max(TimeGenerated) by Computer| where LastHeartbeat < ago(argSpan)'
  }
}

resource queryUsingFunctionSavedSearch 'Microsoft.OperationalInsights/workspaces/savedSearches@2020-08-01' = {
  parent: workspace
  name: 'Query using function'
  properties: {
    etag: '*'
    displayName: 'Unavailable computers'
    category: 'Samples'
    query: 'UnavailableComputers(7days)'
  }
}

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceName": {
      "type": "string"
    },
    "location": {
      "type": "string"
    }
  },
  "resources": [
    {
      "type": "Microsoft.OperationalInsights/workspaces",
      "apiVersion": "2021-12-01-preview",
      "name": "[parameters('workspaceName')]",
      "location": "[parameters('location')]"
    },
    {
      "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
      "apiVersion": "2020-08-01",
      "name": "[format('{0}/{1}', parameters('workspaceName'), 'Parameterized function')]",
      "properties": {
        "etag": "*",
        "displayName": "Unavailable computers function",
        "category": "Samples",
        "functionAlias": "UnavailableComputers",
        "functionParameters": "argSpan: timespan",
        "query": " Heartbeat | summarize LastHeartbeat=max(TimeGenerated) by Computer| where LastHeartbeat < ago(argSpan)"
      },
      "dependsOn": [
        "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceName'))]"
      ]
    },
    {
      "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
      "apiVersion": "2020-08-01",
      "name": "[format('{0}/{1}', parameters('workspaceName'), 'Query using function')]",
      "properties": {
        "etag": "*",
        "displayName": "Unavailable computers",
        "category": "Samples",
        "query": "UnavailableComputers(7days)"
      },
      "dependsOn": [
        "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceName'))]"
      ]
    }
  ]
}

Arquivo de parâmetro.

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceName": {
      "value": "MyWorkspace"
    },
    "location": {
      "value": "eastus"
    }
  }
}

Partilhar via

Amostras de modelo do Resource Manager para consultas de log no Azure Monitor

Referências de modelo

Consulta de log simples

Arquivo de modelo

Arquivo de parâmetro.

Consulta de log como uma função

Arquivo de modelo

Arquivo de parâmetro.

Função parametrizada

Arquivo de modelo

Arquivo de parâmetro.

Próximas etapas

Comentários

Recursos adicionais